Advanced File Analysis System

CREATED / DROPPED FILES

File Path	Type and Hashes
C:\Users\user\AppData\Local\Temp\is-PGN10.tmp\_isetup\_isdecmp.dll	Type : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5 : 77d6d961f71a8c558513bed6fd0ad6f1 SHA-1 : 122bb9ed6704b72250e4e31b5d5fc2f0476c4b6a SHA-256 : 5da7c8d33d3b7db46277012d92875c0b850c8abf1eb3c8c9c5b9532089a0bcf0 SHA-512 : b0921e2442b4cdec8cc479ba3751a01c0646a4804e2f4a5d5632fa2dbf54cc45d4cccffa4d5b522d42afc2f6a622e07882ed7e663c8462333b082e82503f335a Size : 24.24 Kilobytes.
C:\Users\user\AppData\Local\Temp\is-PGN10.tmp\idp.dll	Type : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5 : b37377d34c8262a90ff95a9a92b65ed8 SHA-1 : faeef415bd0bc2a08cf9fe1e987007bf28e7218d SHA-256 : e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f SHA-512 : 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc Size : 221.184 Kilobytes.
C:\Users\user\AppData\Local\Temp\4H89P7ZWCO\OneTwo.exe	Type : PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows MD5 : 3e35f3245ee25a530e947a0d5797fe38 SHA-1 : bfa03fdb3860250529ddf1d5d1d695addbc36642 SHA-256 : 5056cb54c48aeead1737d5d332d2aa3c60de34fd3c6da6db0c9ee72cd4076bfb SHA-512 : fd6ff0b4302ee73932c4d1ed959ff7727852e989c91bd23cd433c1162f77faf764ec0439962d1dee83ee30448526b3d2831abe599824c5f284f7445f6e95877f Size : 212.48 Kilobytes.
C:\Users\user\AppData\Local\Temp\is-VGP26.tmp\oqm5r5hfdcd.tmp	Type : PE32 executable (GUI) Intel 80386, for MS Windows MD5 : 5ec267509d2517e79d53c66f6e9b94ce SHA-1 : 35cc1afe77807a44d58c887c5a4c9682f12d2a56 SHA-256 : c42453b4837c30061b3df704c1c26492d4de10a2a5030fc6d929bb512434058e SHA-512 : 5e8614d84a92885b085edce797349e05a8906fb5394c1112027ae013413078422e2e5c5f5888ce5cddd3cc3e85c000ac2e732874b7bd56c5adf572b6f7b1b71b Size : 782.336 Kilobytes.
C:\Program Files\2VCLXBBP8J\uninstaller.exe	Type : PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows MD5 : 371b854dd3ebdd97d2d426130d048d02 SHA-1 : 82020110a0d4d1503be0e39beefa61f9dad37d45 SHA-256 : 65cf43d67312e75fbe5f0f21bc51872a8fc7968df854d913c235656bf9cf74a8 SHA-512 : 3b22970337f244fceb52091b4c5008e6d15aea62a825d3bdee6f4dfdd9e53b9754beccb6cd03fea07efa0114cfb05cb1ab80dba11735702e111859508468a53d Size : 202.24 Kilobytes.
C:\Users\user\AppData\Local\Temp\is-PGN10.tmp\psvince.dll	Type : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5 : d726d1db6c265703dcd79b29adc63f86 SHA-1 : f471234fa142c8ece647122095f7ff8ea87cf423 SHA-256 : 0afdfed86b9e8193d0a74b5752a693604ab7ca7369d75136899ff8b08b8c5692 SHA-512 : 8cccbff39939bea7d6fe1066551d65d21185cef68d24913ea43f24b8f4e08a5581a9f662061611b15b5248f5f0d541e98d6f70164aaaad14d0856e76fabbfaa4 Size : 43.52 Kilobytes.
C:\Users\user\AppData\Local\Temp\config.conf	Type : ASCII text, with CRLF line terminators MD5 : ba58fc124f9bb6195535ffdb94e23bdd SHA-1 : 547b1db522800d27fd1efe611e2eebd9904f7391 SHA-256 : ab1a4e466b00aaaeba5cd02db9f2e234c22901c4a50a28f5c1d7214c5a1c825e SHA-512 : eba8697278179879023541d5d524ff94de072ba882a0cc2c228f722e7d0803c43473b596d0e5a9031a484fb647b874842d4dada1e2445d5905650490cf4ad9e7 Size : 0.047 Kilobytes.
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2732.15278875 C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2732.15278875 C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2732.15278890	Type : data MD5 : 72a0f232c8a859615d9c622044bbd772 SHA-1 : 69b040918049c86db02dc9f7a440a2cfb7ac1809 SHA-256 : 74f6952474381681d0061a9d053964a0aebaf59068b2500a2fdbc3513daf18a7 SHA-512 : d771814315a2b89ae8c7f40f5bd3d6d16dda0c25b0ac3200f9ffb6abe42c1250f4b874b61427263571cfb8fb38ad38f449f24615764a6226cde6ccab8db48a38 Size : 1.246 Kilobytes.
C:\Users\user\AppData\Local\Temp\is-PGN10.tmp\_isetup\_setup64.tmp	Type : PE32+ executable (console) x86-64, for MS Windows MD5 : e4211d6d009757c078a9fac7ff4f03d4 SHA-1 : 019cd56ba687d39d12d4b13991c9a42ea6ba03da SHA-256 : 388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95 SHA-512 : 17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e Size : 6.144 Kilobytes.
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch	Type : data MD5 : 0d86c45b85ca7126c48f5b87eb9f55cd SHA-1 : fa1348ec3093f8f2eac424d78977adc4854987df SHA-256 : 1ecc75866038b9751ab491f04916728f9873f87678c1c205dcf8707463cc4425 SHA-512 : 5c011a00464c7b63dff9619b301f522d5759bf885bb70eb37c0d6a993c92a1a4304cc8eb2b88331dfde1af5aaebaccb32f25d4c55286d8385a2a811505a35028 Size : 1.244 Kilobytes.
C:\Users\user\AppData\Local\Temp\4H89P7ZWCO\up.exe	Type : PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows MD5 : dbbc41352104e471080d25bea7a93455 SHA-1 : 4a173ed8964a000078cefb7549bc7b8b2d8da00b SHA-256 : 50f1be7efd73353859177946b79670c55226279e0135ed3a7942b66fb5548dca SHA-512 : d523004a62e59ff7ea0d14d97b9193202870c03fdcae548fd7d1d0d4c8df17571b4490cbb358e13e8a62a3496c00e465d2aeb41e360dab8b65bdfb63eac8ba92 Size : 2553.344 Kilobytes.
C:\Program Files\2VCLXBBP8J\2VCLXBBP8.exe	Type : PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows MD5 : 3d6a321e3ee3a216223111c12a1470bc SHA-1 : 1cf13277e9b74440e8e5a76d1b8a5114990a3757 SHA-256 : b8f4f117bb2691279f56098b4eafd59ae89d1a7844303bfd8cd1d9a4768c63e6 SHA-512 : 2777fdad68e111a6d2a8e495798f0fe4dd80e32ed5922fc57f2c2fb9911a715c3ea4e5e57d6f81c2cfb42c70577fd0f702067f28a6ba83013ac9544424b5e8b0 Size : 840.704 Kilobytes.
C:\Users\user\AppData\Roaming\a022yqeqrbb\oqm5r5hfdcd.exe	Type : PE32 executable (GUI) Intel 80386, for MS Windows MD5 : 331f4648a2f6cfacb0f84ace8fd05f62 SHA-1 : bec6b9ecd372953703f181c025249036427e73f3 SHA-256 : 6dcadcf2a0f6e1ae7195d6352ec62458a484bc92306be8f01a7021f8afe26c35 SHA-512 : 488495c713e006a4e5e1e13cb0986435991cf74ae8561a39f8989a32683d7d253bce7f879e3ebc56a89f89e99ec9021e854d1a0e5e01104deb78f08b04bc5e5b Size : 615.251 Kilobytes.
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2596.15277078 C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2596.15277093 C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2596.15277093	Type : data MD5 : 5062ce9faa704829e92f42e0196f33f9 SHA-1 : 4f5c6de00638b7ccf9e1427a709e7eb89501f15c SHA-256 : c6aa1ca55aa2aa0e15fff8f6c3a5c644f2bb176824c0b940b2b0ecf6c2f51d60 SHA-512 : 783fce9ced6851f29f5b930bbcde4fbb27eb9f4e236a660a088d04887ad456cd5520de8ef22636a74a8f4bf18ca93d088bdc83879a421ac732589bd3acb316ff Size : 1.236 Kilobytes.
C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\jdm2a1on.default\cache2\index	Type : data MD5 : 5759064c3510519bddd7be7d28b0f97c SHA-1 : 876a2531dc24196c342fc1f6ed08d45dd8287c7c SHA-256 : 7fd86697e202fe0e78e80d40a3ca8b3af7a0d328f08ebd1934254c1052fe721d SHA-512 : b440311d385bedd08c1e069c05a22a2107148068905dc6385a9c7ec55f9037df29bcfa35a24798a52becfced8e3b9808035c1f1343731b4e7985de295700b050 Size : 1.564 Kilobytes.
C:\Users\user\AppData\Local\Temp\4H89P7ZWCO\SecondL.exe	Type : PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows MD5 : 72c5089576d10d0d6ab9d7518c72a8f2 SHA-1 : 8afca3e42d3cfa6af0dedd5c99262de4efc1b98c SHA-256 : 539fe97cbec2242284054f38b40d67aa9adebce55360a86717301da524d192b6 SHA-512 : 835813484e19f2fe121c88cd3161721f45d5a76868f4197ab30e73d06d10f977b6abf84ecd84d3c6a78b9c1ecc61a6efdfe89b4025a80ee2350663e8d931823a Size : 7.168 Kilobytes.
C:\Program Files\2VCLXBBP8J\cast.config	Type : ASCII text, with CRLF line terminators MD5 : 55c3ef7d7a2552fc1405eba10e2731b4 SHA-1 : 079f85eee67b822c34092d052f90eb472f71b6e2 SHA-256 : b23be6853e2a8db3c482f0aded8516cc1cb3b60a761705999a41706615b5016e SHA-512 : a1a42ff09c8a455f082551dda8d934cd2071500daefe10671235705b52abdfcdfe5f63a123a23f58d8ab990009dab67e0a0eeb52cf758103eebedfaeab666e59 Size : 0.037 Kilobytes.
C:\Users\user\AppData\Local\Temp\4H89P7ZWCO\SecondL.exe.config C:\Users\user\AppData\Local\Temp\4H89P7ZWCO\OneTwo.exe.config C:\Users\user\AppData\Local\Temp\4H89P7ZWCO\up.exe.config C:\Program Files\2VCLXBBP8J\2VCLXBBP8.exe.config C:\Program Files\2VCLXBBP8J\uninstaller.exe.config	Type : XML document text MD5 : a2ebf843442988ee2d667e9c7fc28ce1 SHA-1 : 7f24c475bb217c448090dce593abee8957b7b1d4 SHA-256 : 8a0d5d6c5ab131bab9c8a29a7bcc81d6470ec515f2e4bca977a4fe62fd156acc SHA-512 : 1b56db588131023f427e0476582e3381a818d9659c75b34d094630909482d1a540480f95cf663c1700b2d54431c5539d969ebd332a3f017be29a8212872d2b84 Size : 1.81 Kilobytes.
C:\Users\user\AppData\Local\Temp\is-PGN10.tmp\itdownload.dll	Type : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5 : d82a429efd885ca0f324dd92afb6b7b8 SHA-1 : 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea SHA-256 : b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3 SHA-512 : 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df Size : 205.312 Kilobytes.

MATCH YARA RULES

Match Rules

STATIC FILE INFO

File Name:	None
File Type:
SHA1:	44ee549bd481f02c6c0edc02da5fe6fe5af442f0
MD5:	250bf6b3516e0849ab35549372f622a8
First Seen Date:	2018-08-21 00:47:53.262477 ( 2018-08-21 00:47:53.262477 )
Number of Clients Seen:	2
Last Analysis Date:	2018-08-21 00:47:53.262477 ( 2018-08-21 00:47:53.262477 )
Human Expert Analysis Date:	2022-05-09 19:02:37.048312 ( 2022-05-09 19:02:37.048312 )
Human Expert Analysis Result:	Malware

PE Headers

Property	Value
file type enum	0
debug artifacts	[{u'Path': u'C:\\Users\\Wizzlabs\\Documents\\Elukton\\Elukton\\obj\\Release\\MacroMicro.pdb\x00', u'GUID': u'{993db8f5-5700-4f31-b894-62ba89ad3a70}', u'timestamp': u'2018-07-31 12:24:08'}]
imphash	f34d5f2d4577ed6d9ceec516c1f5a744
number of sections	3
trid	[[81.0, u'Generic CIL Executable (.NET, Mono, etc.)'], [7.2, u'Win32 Dynamic Link Library (generic)'], [4.9, u'Win32 Executable (generic)'], [2.2, u'OS/2 Executable (generic)'], [2.2, u'Generic Win/DOS Executable']]
compilation time stamp	0x5B6054E8 [Tue Jul 31 12:24:08 2018 UTC]
Translation	0x0000 0x04b0
LegalCopyright	Copyright \xa9 6378
Assembly Version	0.5.2.2
InternalName	MacroMicro.exe
FileVersion	0.0.2.5
CompanyName	BG8
LegalTrademarks
Comments	BG
ProductName	BG
ProductVersion	0.0.2.5
FileDescription
OriginalFilename	MacroMicro.exe
entry point	0x40d962 (.text)
machine type	Intel 386 or later - 32Bit
file size	242176
ssdeep
sha256	35d9f4e3091cd87ade7842b87569531fe0381e582ee7f9623178153cc9894374
exifinfo	[]
mime type	application/x-dosexec

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	MD5
.text	0x2000	0xb970	0xba00	6.22606572129	724b92d2a2349fb7facaa13947f8d995
.rsrc	0xe000	0x2f234	0x2f400	4.7740758669	6d5590f02dc64f083705086ebc341a2c
.reloc	0x3e000	0xc	0x200	0.0815394123432	82f8c53d9cf996b39a00741b48506085

{u'lang': u'LANG_NEUTRAL', u'name': u'RT_ICON', u'offset': 57856, u'sha256': u'f5157ab852e8a7a5896b060175a3f728d9a1941f0e0ac204608a99c6be57556b', u'type': u'PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced', u'size': 26812}

{u'lang': u'LANG_NEUTRAL', u'name': u'RT_ICON', u'offset': 84684, u'sha256': u'2b3c98cd70d973e5c20b5b76be0f9911a6d31df6d925db03200fd343c6cff5b5', u'type': u'dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0', u'size': 67624}

{u'lang': u'LANG_NEUTRAL', u'name': u'RT_ICON', u'offset': 152324, u'sha256': u'2d7580b8acc471fde88738117ef461cbdf50546d89ad039e7e39be9538d5eca2', u'type': u'data', u'size': 38056}

{u'lang': u'LANG_NEUTRAL', u'name': u'RT_ICON', u'offset': 190396, u'sha256': u'23969152addc2eed5b3a2e2c9cb10b29e462967bf0bb6f1e3b528f8ae7ec2148', u'type': u'data', u'size': 21640}

{u'lang': u'LANG_NEUTRAL', u'name': u'RT_ICON', u'offset': 212052, u'sha256': u'4adee163931cfedb94a94f0e4a3a3362b49635e2cb81f92ac0ac5c2dbb9ed0e5', u'type': u'dBase IV DBT of \\200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 12648447, next used block 4294902528', u'size': 16936}

{u'lang': u'LANG_NEUTRAL', u'name': u'RT_ICON', u'offset': 229004, u'sha256': u'0bb4c270c5ac5f790c381131832ce7bafda81f08a74e9a3cd0d0bcecfc5af764', u'type': u'data', u'size': 9640}

{u'lang': u'LANG_NEUTRAL', u'name': u'RT_ICON', u'offset': 238660, u'sha256': u'cd0c36b80bc23ad6d48bfafb1294704e91495caa42676040161511e587912787', u'type': u'data', u'size': 4264}

{u'lang': u'LANG_NEUTRAL', u'name': u'RT_ICON', u'offset': 242940, u'sha256': u'd3245c19c2ee1d46edaf3508840f774eeb32bf1242e889ef08f706a6e14885f6', u'type': u'data', u'size': 2440}

{u'lang': u'LANG_NEUTRAL', u'name': u'RT_ICON', u'offset': 245396, u'sha256': u'fa5edead672f9724f52a9e1f152c5afe37495f35f32b060a8206efa9bfa07307', u'type': u'GLS_BINARY_LSB_FIRST', u'size': 1128}

{u'lang': u'LANG_NEUTRAL', u'name': u'RT_GROUP_ICON', u'offset': 246540, u'sha256': u'6cdda0ae2c406383536535df01e40871d7ba15b85db35dd09155ae6f876ea37e', u'type': u'MS Windows icon resource - 9 icons, 256x256', u'size': 132}

{u'lang': u'LANG_NEUTRAL', u'name': u'RT_VERSION', u'offset': 246688, u'sha256': u'5c0eadfb950e865c5f5078cd3064e1285528385d99cd7bdc3e3037f8db9ecdb7', u'type': u'data', u'size': 784}

{u'lang': u'LANG_NEUTRAL', u'name': u'RT_MANIFEST', u'offset': 247488, u'sha256': u'8b7d33b2f2ac9e8461a6390fc340499216b49ef6ca4dc7b9fea97fbe13820dd8', u'type': u'XML 1.0 document, ASCII text, with CRLF line terminators', u'size': 2927}

File Name: None

File Type:

SHA1: 44ee549bd481f02c6c0edc02da5fe6fe5af442f0

MD5: 250bf6b3516e0849ab35549372f622a8

CREATED / DROPPED FILES

MATCH YARA RULES

STATIC FILE INFO

ADDITIONAL FILE INFORMATION

PE Headers

PE Sections

PE Imports

PE Resources

CERTIFICATE VALIDATION